Organizations are becoming increasingly dependent on digital technology, and the Internet of Things (IoT) has made security more complex. Security and risk management leaders now need to develop resilient security programs based on digital trust.
Tom Scholtz, vice president and Gartner Fellow, and conference chair for Gartner Security & Risk Management Summit 2017, discusses how security and risk management leaders are developing security programs for digital business and the challenges they should be prepared to meet.
Q: How has security and risk management evolved to support digital business?
A: Digital business is about access and collaboration — organizations have to let external partners and customers in to participate. The end user has typically been deemed the weakest link in the security chain. In a digital world, end users are part of the security function and a people-centric solution. Therefore, security and risk management leaders are developing programs based on trust. Instead of a default-deny approach to security, we are now seeing a default-allow approach. This is a fundamental change in how security programs are developed.
Q: Which technologies should be on security and risk management leaders’ radars?
A: User and entity behavior analytics (UEBA) are important, as is understanding and institutionalizing adaptive security architecture. Artificial intelligence (AI) can deliver context-based situational intelligence to improve security decision making. Blockchain is transforming digital commerce and has potential value for security as a means of supporting more distributed trust.
New technologies create new risks. AI generates intellectual property that must be protected, like algorithms and institutionalized knowledge that defines what is normal for an organization’s systems. The right hack could have catastrophic effects on an organization’s production system. AI opens the door to more subtle forms of disruption, too. For instance, a hacker may just make tweaks that do not bring an entire system down so that small failures go unnoticed.
Security teams have to stay current and proactive. They need to be aware of new technologies and the vendor landscape to determine what to adopt into their security programs.
Q: What are the biggest challenges security and risk management leaders face today?
A: Chief information security officers (CISOs) are tasked with strategic planning in a digital business environment where agile and bimodal are critical to success. They also need to acquire talent to manage the IoT and integration of operational technology.
Security teams also need to understand the latest security threats, because the threat landscape is evolving rapidly and becoming more complex.
The General Data Protection Regulation (GDPR), the new EU privacy and personal data protection law going into effect in 2018, presents a challenge to risk and compliance leaders because they need to make sure their organizations are compliant. Risk and compliance leaders also need to evolve and shift their focus from compliance to managing risk effectively to protect the organization. Risk and compliance leaders must make sure their organizations understand the risks and accountability associated with new technologies as they invest in digital business initiatives.
Business continuity management (BCM) leaders must continue building IT and business operations while facing threats that are more serious, as well as frequent disruptions. They have to protect against disruptions, but also plan for how their organizations overcome them and minimize their impact. Resilience, not just recovery, has to be engineered into digital business systems. Critical infrastructure must be resilient enough to withstand a cyberattack and recover from a major disaster, ideally without interruption.