Security professionals must lead their business colleagues to understand and mitigate digital business risks.
Picture the scene: a car accident on a long country road. In the mock television advertisement for the fictitious “Connected Insurance” company that opened the keynote at Gartner Security and Risk Management Summit 2016 in National Harbor, MD, the driver was assisted by an interconnected mesh of services thanks to digital business. Her car alerted emergency personnel, towing services, her family and coworkers. Yet, how can these systems be trusted and will the driver’s data be secure?
“When a company promises to deliver the value of digital business to consumers, security professionals may be absent from critical conversations about protecting the enterprise and its customers,” notes Peter Firstbrook, research vice president at Gartner.
“Will you be in the boardroom and at the table when the tricky risk decisions are made?” he asks.
“Digital business” is defined as the creation of new business designs by blurring the physical and digital worlds. In previous business models, including e-commerce, people were the primary drivers of transactions. In the future, “things” will be transaction drivers: sensors and actuators will interact with people and with other things, creating meshed relationships.
Moving forward, numerous enterprises across industries will need to integrate into a digital business system. Those that don’t build their own system may get pulled into a system by one of their partners.
Gartner predicts that by 2020, 60% of digital businesses will suffer major service failures due to the inability of security teams to manage digital risk.
For Connected Insurance, that could result in brand and reputation damage, fraud and legal liability.
To mitigate these risks, security professionals must add value to the digital business planning team and help it build resilience. This begins with an assessment of the business risk and of the technical and procedural controls that minimize that risk.
Help the business mitigate risk
Keep in mind that the business needs a prioritized discussion of risk that highlights those areas that are mission critical and the range of impact they might have on business objectives. “We need to show them big ticket items and not a laundry list in a teeny tiny font,” says Jeffrey Wheatman, research director at Gartner.
“Simply stated, business leaders have a language with which they are comfortable and if we want to persuade them we need to use their language, not ours,” he says. In other words, use a vocabulary the business already knows: brand, customer safety, liability, compliance, financial impact and strategy.
To do that, security professionals must:
- Understand the organization’s goals,
- Identify the risk within those goals,
- Quantify/qualify those risks,
- Communicate them to internal “customers” in terms they understand and
- Help them make decisions about how to treat the risks in an appropriate manner.
The new microtrust platform
As organizations bring multiple parties together into a networked ecosystem, how can they determine the trustworthiness of new providers? Each of the entities in the Connected Insurance example (emergency services, police, auto repair shop, etc.) acts as its own microtrust platform and must establish trust through its behavior and context relative to the other providers. The tow truck needs the car’s geolocation to know where to go, as will the cab or the rental car that is to be delivered; none of them needs the rest of the driver’s data.
“We need a standardized way for one party to access data on behalf of another party – in a controlled and secure manner,” says Felix Gaehtgens, research director at Gartner. He noted the need to broker trust in a digital business mesh and allow others to broker their own digital mesh. Trust requires adaptive access control in which business moments, such as a car accident, require exchange of data on a temporary, need-to-know basis.
Gaehtgens describes the Trustable Application Overlay (TAO) architecture, which assumes that the underlying infrastructure cannot be fully trusted and still delivers digital services securely.
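The two ideas above, temporary need-to-know data exchange brokered on behalf of another party, and delivery that does not rely on trusting the transport, can be shown with a small delegation-grant scheme. The following is an added example written for this page; it is not Gartner’s TAO design and not code from any vendor. The insurer plays the trust broker: when the accident is detected it issues each responder a signed grant naming the party (audience), the data fields it may read (scope) and an expiry. The data holder (here, a stand-in for the car’s telemetry service) checks the signature, audience and expiry before releasing a field, and refuses anything outside the scope even if the grant itself is valid. The broker key, party names, VIN placeholder and telemetry record are all constructed for illustration.

```python
"""Scoped, short-lived delegation grants for a business moment (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by broker and data holder. A real deployment would
# use an asymmetric key so that many holders can verify but none can mint grants.
BROKER_KEY = b"constructed-demo-key-do-not-use"

# Constructed telemetry record the car's backend holds on the driver's behalf.
TELEMETRY = {
    "geolocation": {"lat": 38.7828, "lon": -77.0165},
    "crash_sensors": {"airbag_deployed": True, "delta_v_kph": 42},
    "occupant_health": {"heart_rate": 112},
    "owner_contacts": ["family", "employer"],
}


class GrantError(Exception):
    """Raised by the data holder whenever a request must be refused."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_grant(key: bytes, audience: str, scopes: list, ttl_seconds: int, now=None) -> str:
    """Broker side: sign a claims document stating who may read what, until when."""
    now = time.time() if now is None else now
    claims = {
        "iss": "connected-insurance",  # hypothetical broker
        "sub": "vehicle:VIN-EXAMPLE",  # hypothetical data owner being delegated
        "aud": audience,
        "scope": sorted(scopes),
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_grant(key: bytes, token: str, expected_aud: str, now=None) -> dict:
    """Data-holder side: reject forged, mis-addressed or expired grants."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError) as e:
        raise GrantError("malformed token") from e
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise GrantError("bad signature")
    claims = json.loads(body)
    if claims.get("aud") != expected_aud:
        raise GrantError("grant is for a different party")
    if now >= claims.get("exp", 0):
        raise GrantError("grant expired")
    return claims


def read_telemetry(key: bytes, token: str, requester: str, field: str, now=None):
    """Release one field only if the presented grant is valid and covers it."""
    claims = verify_grant(key, token, requester, now)
    if field not in claims["scope"]:
        raise GrantError(f"{requester} not granted {field}")
    return TELEMETRY[field]


def attempt_read(key: bytes, token: str, requester: str, field: str, now=None):
    """Convenience wrapper returning ("ok", value) or ("denied", reason)."""
    try:
        return ("ok", read_telemetry(key, token, requester, field, now))
    except GrantError as e:
        return ("denied", str(e))


def tamper_scope(token: str, extra_field: str) -> str:
    """Requester rewrites its own grant to add a field, leaving the signature as is."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["scope"] = sorted(claims["scope"] + [extra_field])
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + sig_b64


if __name__ == "__main__":
    t0 = int(time.time())
    tow = issue_grant(BROKER_KEY, "tow-service", ["geolocation"], 900, now=t0)
    ems = issue_grant(BROKER_KEY, "ems", ["geolocation", "occupant_health"], 3600, now=t0)
    print(attempt_read(BROKER_KEY, tow, "tow-service", "geolocation", now=t0 + 60))
    print(attempt_read(BROKER_KEY, tow, "tow-service", "occupant_health", now=t0 + 60))
    print(attempt_read(BROKER_KEY, tow, "rental-car", "geolocation", now=t0 + 60))
    print(attempt_read(BROKER_KEY, tow, "tow-service", "geolocation", now=t0 + 901))
    print(attempt_read(BROKER_KEY, tamper_scope(tow, "occupant_health"), "tow-service", "occupant_health", now=t0 + 60))
    print(attempt_read(BROKER_KEY, ems, "ems", "occupant_health", now=t0 + 60))
```

The point of the design is that the data holder never consults the broker at request time and never trusts the network it received the token over: everything it needs (who, what, until when) is inside the signed grant, so a tow service that appends `occupant_health` to its own grant, reuses a grant issued to the rental company, or keeps using a grant after the business moment has passed is refused with a specific reason that can be logged.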
“Security teams need to collaborate with developers to embed security functions into digital business,” he says.