Jeffrey Wheatman

Director, Gartner Research, and Conference Chair

Question 1: Massive cyberattacks are making the front pages on a regular basis. What does this climate of continuous exposure mean for security leaders?

Organizations have tended to focus on stopping data breaches, despite the fact that it’s a losing battle. Leaders need to focus on supporting business resiliency and responding to cyberattacks, including ransomware, denial of service outages and other types of attacks. So it’s important to craft and implement strategic plans that balance prevention, detection, response and recovery.

Cyberattacks can be extremely costly, with significant consequences for businesses and security leaders. Top global companies have been reporting sales and revenue impacts as high as $300 million due to malware-based cyberattacks. Insurance companies are insisting on high deductibles when these attacks occur, to encourage businesses to make appropriate investments in security. Senior executives — not just CIOs — are losing their jobs over data breaches, and there’s an increasing impact on intangibles, such as brand reputation, that can be difficult to quantify.

Question 2: As digital business ecosystems expand, so does risk exposure. How can organizations secure the entire digital supply chain?

New tools are emerging to help enterprises better understand their risk exposure throughout multilayered risk environments. One important step is to implement a strategy called CARTA (Continuous Adaptive Risk and Trust Assessment). This is a strategic, continuous, and proactive approach to help you better manage the risks associated with digital business ecosystems. It means identifying issues early, stopping what you should, and responding to what cannot be prevented.

Levels of trust and risk associated with digital business entities and their actions are dynamic, and need to be assessed continuously as interactions happen and context changes. CARTA, together with investments in people, process, and tools, can help you keep up with complex ecosystems and continuous change.

Question 3: New challenges around compliance are emerging. What’s driving these changes?

The regulatory landscape is always changing with new regulations and interpretations of existing regulations. Organizations need to develop new capabilities for detailed forensic analyses of cyberattacks and their consequences, and they need to balance real risks with legal and regulatory requirements — compliance does not equal security.

Thanks to the recent wave of high-profile breaches and attacks, governments around the world are beginning to pay attention. Europe’s new privacy regulations, particularly GDPR, are going into effect this year, and there will be more. More detailed reporting of breaches will become mandatory at some point. Whether in-house or through partnerships, organizations will have to develop the capacity to track and report incursions at a detailed level.

Question 4: What other trends are impacting security and risk management strategies this year?

Data protection is evolving to include emerging technologies such as artificial intelligence and machine learning, blockchain, OT-IT convergence, advanced analytics, and the pervasive presence of mobile, cloud and the Internet of Things. These technologies are bringing new opportunities, as well as new risks and challenges. For example, the highly skilled talent that’s needed to support these new technologies is becoming very scarce. There are ways to do more with existing resources, which is a key topic we’ll discuss at the upcoming summit in June.

Cloud security has evolved in a positive direction. Cloud solutions are now at a point where it’s time to dive in and start investing. Subscription and pay-as-you-go security technologies let you skip the long and costly RFP process, and give you more options for meeting the needs of expanding digital businesses.

Question 5: All eyes are on security, but budget can be another story. What’s the best way to get business leaders and the board to support security initiatives?

You have to think about business objectives first and make your security story speak to those points. These might be priorities such as revenue, market share, business risk, customer sentiment and brand reputation. The most difficult challenge to overcome when creating security and risk management metrics is closing the gap between what security does and how the business benefits. It’s not about security goals and objectives. It’s about the ways security and risk management support the business’s values and objectives.