Ahead of the Gartner Security & Risk Management Summit in Sydney later this month, we asked research director and conference chair Rob McMillan about how Australian businesses are responding to the rapidly evolving security and risk challenges driven by digital business and the profoundly different environment it is creating.
Are Australian IT security budgets increasing in 2015?
The Australian security technology and services market is forecast to reach almost A$2.36 billion in 2015, up 24.8% from A$1.89 billion in 2014, according to a new Gartner forecast. The increase appears larger due to currency fluctuation against the U.S. dollar. Mobile and cloud security remain the two most important areas that businesses are investing in, particularly increasing adoption of cloud computing by SMBs, cloud-specific attacks, proliferation of handheld devices, along with the rise in bring your own device (BYOD) and choose your own device (CYOD) programs.
What are the major trends influencing security and risk management in Australia for 2015?
We are on the cusp of a new era – the convergence of IT, OT and Internet of Things (IoT). While IoT is relatively new, the biggest challenge for security and risk professionals is to figure out how to bring OT into the fold in a broader security management program, which was traditionally managed by engineers. These roles are expanding and getting more complex.
Security has historically been about confidentiality, integrity and availability, but cybersecurity – where IT, OT and IoT come into play – is bringing safety to the forefront as the fourth element. As digital blurs with physical, it becomes possible for digital means to effect kinetic changes, for the technology and automation of devices, people and physical environments to be used to cause injury or loss. Security is no longer just about information; we are now controlling real physical devices, making safety a real issue that is forcing security professionals to expand their thinking.
What security impact is digital business having on Australian businesses in 2015?
Digital business has far-reaching implications for identity and access management, IT security and risk management practices. One of the big challenges it generates is that effectively every business is an IT business, every budget is an IT budget and every department is buying IT. Security and risk teams don’t always have the visibility that they need, but are still accountable for the overall security and risk posture throughout the organization. How do you ensure a sound security and risk posture when there is less control and visibility than ever before?
Digital business also requires organizations to engage in risk to facilitate success. This forces a different approach to risk and security that creates opportunity. However, businesses are not free to do whatever they want. Accepting risk is fine, but it is also necessary for organizations to balance the need to protect against the need to run their business.
As the relative complexity of the digital infrastructure grows, so does the surface of threat that surrounds it. The IoT, for example, inserts literally thousands if not millions of new vectors of threat simply by increasing the number of networked points in that infrastructure, with varying degrees of compromising capabilities. As any system increases in complexity, not only does the threat surface grow, but also the overall requirement to stabilize systems with effective design and operations.
Is digital business creating new dimensions for the way organizations need to operate?
There are two emerging dimensions that will have a major impact on security and risk strategies:
1) Open systems vs. closed systems – Moving from traditional, very closed systems to open systems that enable businesses to interoperate with partners and customers more effectively, which requires a new level of openness and transparency. Transparency comes with profound implications to cybersecurity practice, a rethinking of just how far businesses are willing to go to do business while managing risk in the new decade.
2) Value at the core vs. the edge – Value generation is shifting from the core to the edge in an attempt to make work more efficient and less expensive. People are doing more business on devices outside of the office now, which is where the value is being generated. The locus of value determines just how far businesses will be willing to push their technology and the points where they collect value to the edge while managing risk. Going to the edge also has profound implications to cybersecurity and requires rethinking how it can be applied to maintain the business need for protection, while realizing the openness the edge requires.
Mr. McMillan and other Gartner analysts will examine the latest security, privacy and risk issues in more detail at the upcoming Gartner Security & Risk Management Summit in Sydney, 24-25 August 2015.