You're probably asking a couple of different questions:
1. What are the current inherent InfoSec risks that your organisation is facing and are the existing controls in place effective countermeasures?
2. What will be newly emerging in the threat landscape over the next 4-year time horizon?
To answer the first you'd need to update your existing infosec risk assessment, taking into account the effectiveness and cost of current controls versus your organisation's risk appetite.
To answer the second you need to look for likely trends in the external threat landscape, plus your organisation's intended business and technology strategy over the time horizon you're looking at. You can find data on emerging threats in sources such as the Verizon DBR, Mandiant reports, etc. Most of the larger security companies issue some sort of report and have previous years available.
What you need to keep in mind is that risks tend to be additive; the older risks don't disappear quickly, whilst there are new risks appearing every year.
-- Steve Wilme CISSP-ISSAP, ISSMP MCIIS
> Peacon (Viewer) posted a new topic in Industry News on 06-06-2019 04:28 AM
> Hi Everyone I'm looking at creating a forecast for IT Security department in my organisation and recommend controls to be put in place to meet up with the forecast. Will need your kind input into what we should be looking out for in the next four years and what we should put in place.
Calling upon decades of experience, and using the best historical data, as well as reasonable predictions for advances over the next four years, I would suggest that:
Things will be bad.
Then they will get worse.
This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468
As Steve has pointed out, you need to first understand your current posture and then the risk appetite of your organisation. Once you understand these two things, you will need to look at technologies/techniques/policies/data classification that can fill the gap.
I found this on the internet and believe it is a good pictorial for folks to look at when they understand their environment. And before anyone says anything, no, I am not recommending that you implement everything here; the cost would be excessive. However, it will show you options that you might be able to use.
Again, understand your current situation, do a risk assessment, and then beg for budget although some things can be done on the cheap or little to no cost.
As an example, Security Awareness training, which has a higher payback and can be done for zero dollars.
You can do Data Classification using information that you find on the Internet; you will need to decide how many levels / classes you need.