Q&A with Gartner expert Jeffrey Wheatman

Jeffrey Wheatman, VP Analyst, Gartner Research & Advisory, and Conference Chair 


What’s different about security today versus a year or two ago?

Increased complexity and gravity — there are more tools, threats and attacks out there. There was a time when you could really know everything about security, but not anymore. Now everyone has to be a generalist with some deep areas of knowledge. There’s also much more malice in the attack landscape now. Years ago, hacking was more about learning and doing cool stuff. Now it’s about doing damage and making money. You’re not defending yourself against a kid sitting in his parents’ basement anymore. Now it’s organized crime, it’s governments.




As a security leader, what’s top of mind for 2019? What issues should be on my radar?

New and different kinds of attacks have been emerging since late 2017. We’re seeing more financial attacks and a big uptick in damaging ransomware. Security leaders recognize that the current tools in place are not enough anymore. They spent a lot of money, but people are still getting victimized. Big breaches continue to be hugely problematic. It’s largely the same problems, but with higher stakes. Solutions have advanced as well. AI and machine learning are offering promising new tools, for example, but in many cases have not lived up to the hype.


In terms of changes to the security landscape, quantum computing is closer to becoming reality, and you have the rise of blockchain. The transition to cloud continues, bringing its opportunities and challenges. The labor shortage continues to be a problem. Leaders are working on strategies to bridge the talent gaps in the organization, and CISOs will need to be proactive in that area through 2019.


Meanwhile, the visibility of senior security roles continues to increase, particularly in the U.S., where the Securities and Exchange Commission issued a guidance letter on cybersecurity in February 2018, raising the profile of security and risk at the board level and among the C-suite roles. Many CISOs are focused on doing a better job of communicating with the board this year. And we’re seeing more regulation, big challenges around privacy, security impacts from fast-moving trends such as the Internet of Things — I could go on.




Despite all the emerging technologies and new threats, you say security is still largely about the same problems. How so?

Security needs to focus more on business problems and be part of the conversation earlier in the strategic planning process. The business is still running ahead of security. Until security becomes more effective at communicating with their business stakeholders — until the organizational culture changes so that security is a fundamental consideration — you’re going to continue to struggle to keep up.


Security is often still playing catch-up, working to solve yesterday’s problems instead of laying the groundwork to secure the next digital initiative that’s still in the planning stages. It’s not about being an alarmist or putting the brakes on innovation, but about improving communication between the business and security and risk leaders. It’s about shifting organizational culture to make security and risk core values.


In the digital age, security is everybody’s responsibility. Security and risk must become part of the organizational DNA, integral and pervasive. Another key piece is effective governance to define strategy. That’s part of how you make these changes flow through the organization. Organizational culture can become a security asset and business accelerator.




Risk management is suddenly a business buzzword. How is risk management strategy changing?

Digital business creates risk. As we become more digital, the business is exposed to all kinds of new risks inherent to the endeavor. Digital ecosystems, emerging technologies and disruption all bring risk, in addition to opportunity. The business will forge ahead to seize that opportunity, and they must deal with the risk and not just throw it over the fence to IT and security.


People’s perspective on risk is broadening. We used to treat different types of risk in silos. Technology risk. Compliance risk. Audit risk. Operations risk. Now we’re seeing a desire on the part of business leaders to take a more holistic approach to managing risk. The idea is to clearly and defensively connect those risks to business challenges, and do so in a practical way.


You also have the ongoing transition from the goal of business continuity to the goal of greater business resilience. Like the willow tree that bends but doesn’t break, organizations need more of an ability to bend under pressure and not have everything fall apart because there was a ransomware attack. Today’s businesses need to be able to bounce back.


You need to look at the enterprisewide landscape of risk and the solutions available to address it in order to improve business resilience, enable greater freedom to innovate, and facilitate aggressive business stances. Security and risk needs to communicate this message to business leaders. Being prepared lets you do more, not less. There are also many new risk and resilience technologies out there.




How can security and risk teams keep up with emerging technologies and digital business transformation?

It comes down to embedding security and risk awareness in the organizational culture so that it permeates strategies and technologies throughout the business. Today, speed and agility are critical. Organizations that take a holistic approach to security and risk are more adaptable and able to seize new opportunities. It improves organizational dynamism, what Gartner has found to be one of the strongest determinants of success.


You can get a comprehensive update on security and risk strategies, tactics and technologies at Gartner Security & Risk Management Summit 2019, June 17 – 20, in National Harbor, MD. We’ll be presenting the latest independent research and bias-free recommendations to help you accelerate progress on all your security and risk initiatives and enable a more secure and resilient digital future.

