Today’s security and risk management leaders have reason to celebrate. Thanks to them, organizations are now able to identify and detect an onslaught of threats and attacks — and better respond to and recover from incidents. That’s a noteworthy accomplishment given the pace of change, scale of digital initiatives and increase in threats.
“Without these remarkable efforts over the last 20-plus years, things might be in very bad shape indeed,” said Gartner research vice president Katell Thielemann, during the keynote at the Gartner Security and Risk Management Summit. “And you deserve a lot of credit for that.”
What’s important? What’s dangerous? What’s real? These 3 questions lead to clarity, and in each scenario the intersection of the questions changed a perception and led to action. #GartnerSEC pic.twitter.com/I4EQ3GiokI
— Gartner Events (@Gartner_Events) June 4, 2018
“But we should take note that the spotlight you are all in is not going to fade any time soon,” she added. According to the World Economic Forum’s 2018 Global Risks Report, cyber risk is as much of a systemic risk as environmental degradation, economic strains and geopolitical tensions. It also tops the U.S. list of national security threats.
Add to that the fact that privacy and cyber security have become more visible and more subject to public opinion, and it’s no surprise that security and risk management leaders, despite their many successes, are feeling overwhelmed. The answer: become empowered to take action.
“To help you become empowered, we are going to frame our advice with three simple questions,” said Craig Lawson, research vice president at Gartner.
- What’s important?
- What’s dangerous?
- What’s real?
“By finding and combining the answers, you can cut through the noise,” said Lawson. Security and risk leaders will be empowered to adapt their people, processes and technologies to address old and new security challenges.
To prioritize activities or investments, first understand what is important and to whom. Oftentimes, there is a lack of agreement on what’s important to stakeholders. For example, Sam, the information security officer at a midsize bank, strongly opposes the way in which his peer Susan, the digital transformation officer, wants to reverse market share decline. Susan’s team has built a new application and login flow that allows Google sign-in and Facebook connect.
Sam believes these login methods will make the bank more vulnerable to fraud. It is not until he layers “what is dangerous?” and “what is real?” over the question of “what is important?” that Sam gains a broader perspective. He realizes the bank’s existing, 10-year-old login process isn’t as secure as he thought. The risk of fraud is real regardless of enrollment and login methods. When all stakeholders apply the three questions of empowerment, they are able to come to a solution that works for all.
Last year, over 15,000 vulnerabilities were disclosed publicly. Only a small portion of those was rated critical and posed an urgent threat. However, some threats are immediately treated as critical because of media hype. The question then becomes: what is dangerous? Take, for instance, the Spectre and Meltdown CPU vulnerabilities. They had a wide-ranging impact on nearly everything: Linux, Windows, Apple and Android phones, and even some appliances and gadgets. Organizations rushed out a flurry of patches to prevent potentially negative consequences.
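The triage the keynote describes, applied as an added example that is not part of the original article: each finding is scored by what’s important (asset criticality agreed with stakeholders), what’s dangerous (severity) and what’s real (is the affected component actually deployed, is exploitation observed, is the host exposed). The finding IDs, host names, criticality weights and scores below are constructed placeholders, not real vulnerabilities or systems.

```python
"""Risk-based triage of disclosed vulnerabilities using the three questions.

Added example, not from the Gartner keynote. Every identifier, host and
weight here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float            # base score 0.0-10.0: "what's dangerous?"
    exploited: bool        # exploitation observed in the wild: "what's real?"
    host: str
    installed: bool        # affected component really present on this host
    internet_facing: bool  # reachable from outside, so exposure is real


# "What's important?": business criticality per asset, agreed with the
# business owners rather than guessed by security alone (constructed values).
CRITICALITY = {
    "payments-api": 1.0,
    "customer-portal": 0.8,
    "build-server": 0.5,
    "lobby-kiosk": 0.2,
}


def triage_score(f: Finding) -> float:
    """Importance x danger x reality; returns 0.0 when the issue is not real here."""
    if not f.installed:
        # Headline vulnerability, but the affected component is not deployed:
        # loud, not real. Drop it from the urgent queue.
        return 0.0
    importance = CRITICALITY.get(f.host, 0.1)   # unknown asset: assume low value
    danger = f.cvss / 10.0
    reality = 1.0 if f.exploited else 0.4       # evidence of exploitation dominates
    if f.internet_facing:
        reality = min(1.0, reality + 0.3)
    return round(importance * danger * reality, 3)


def prioritize(findings, threshold=0.3):
    """Return [(score, finding)] at or above threshold, highest first."""
    actionable = [(triage_score(f), f) for f in findings]
    actionable = [(s, f) for s, f in actionable if s >= threshold]
    actionable.sort(key=lambda sf: sf[0], reverse=True)
    return actionable


# Constructed sample feed: five disclosures as a scanner might report them.
FINDINGS = [
    Finding("VULN-1", 9.8, True, "payments-api", True, True),
    Finding("VULN-2", 9.8, False, "lobby-kiosk", True, False),     # "critical" but low value
    Finding("VULN-3", 7.5, False, "customer-portal", True, True),
    Finding("VULN-4", 10.0, True, "build-server", False, False),   # hyped, not installed
    Finding("VULN-5", 5.3, False, "build-server", True, False),
]


def actionable_ids(findings=FINDINGS, threshold=0.3):
    """IDs that survive all three questions, in priority order."""
    return [f.vuln_id for _, f in prioritize(findings, threshold)]


if __name__ == "__main__":
    for score, f in prioritize(FINDINGS):
        print(f"{score:.3f}  {f.vuln_id:8} on {f.host}")
    print(f"{len(actionable_ids())} of {len(FINDINGS)} findings need urgent action")
```

Two of the five findings survive: the exploited issue on the payments API and the exposed portal flaw. The two highest CVSS scores in the feed are not among them, which is the point of asking what is real before reacting to what sounds dangerous.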
“But unfortunately, sometimes the cure is worse than the disease,” said Lawson. He noted that some patches caused stability issues, while others introduced their own set of new exploitable vulnerabilities — resulting in yet another set of emergency patches that needed to be applied. “We were all lost in a sea of danger and overreaction,” Lawson explained. “And we should have been asking, what is real?”
Security teams were laser-focused on the perceived danger. Their conditioned response overshadowed the need to determine what’s important and what’s real. If you respond to a crisis only with “What is dangerous?”, take care not to violate your own resilience goals. Design for resilience at multiple levels. Designing for resilience and for trust is only possible if you know what you are protecting. In other words, be able to answer the question of what’s important, and then move on to what is real.
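Answering “what is real?” for Spectre and Meltdown on a given Linux host is a concrete check: the kernel reports per-issue status under /sys/devices/system/cpu/vulnerabilities/, one file per issue, each containing “Not affected”, “Vulnerable” (sometimes with a reason) or “Mitigation: …”. The following is an added example, not code from the keynote or from Gartner; the sample file contents are constructed to show one mitigated, one unmitigated and one unaffected issue, and the function reads the live directory when it exists.

```python
"""Report which speculative-execution issues are real on this host.

Added example, not from the article. Reads the Linux sysfs vulnerability
files when present; SAMPLE is constructed content for offline use.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what a partially patched host might report.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",            # patch never landed, or was rolled back
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map one sysfs status string to a coarse bucket."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):         # e.g. "Vulnerable: No microcode"
        return "vulnerable"
    return "unknown"                        # newer kernels may add wording


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Return {issue: status} from the kernel, or {} when the directory is absent."""
    statuses = {}
    if not os.path.isdir(path):
        return statuses
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            continue                        # unreadable entry: skip, do not guess
    return statuses


def assess(statuses: dict) -> dict:
    """Group issue names by bucket so the real exposures stand out."""
    buckets = {"vulnerable": [], "mitigated": [], "not_affected": [], "unknown": []}
    for name, status in statuses.items():
        buckets[classify(status)].append(name)
    return buckets


def real_exposures(statuses: dict) -> list:
    """The issues that are actually open on this host, after all the patching."""
    return assess(statuses)["vulnerable"]


if __name__ == "__main__":
    live = read_sysfs()
    source = "kernel" if live else "constructed sample"
    report = assess(live or SAMPLE)
    print(f"source: {source}")
    for bucket, names in report.items():
        print(f"{bucket:13} {', '.join(names) or '-'}")
```

Run on a fleet, the "vulnerable" bucket is the list worth an emergency change window; everything in "mitigated" or "not_affected" is noise for that host, however loud the headlines. A hardening or rollback that left the kernel reporting "Vulnerable" is visible here even if the patch ticket was closed.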
When organizations have controls appropriate for the environment and risk, they are better able to determine what is real.
“Controls should also be adaptable,” said Ramon Krikken, research vice president at Gartner. “Meaning that they are applicable to more than just a single vendor or technology and can change as risk and compliance landscapes evolve.”
In instances where the underlying technology cannot be changed, look for controls that can be applied or retrofitted to legacy systems and applications. “Not everyone, however, is going to be on board with these types of controls and approaches,” said Krikken. “Challenge conventional wisdom.”
Security and risk leaders should also aim to drive change by establishing and contributing to industry dialogue and by running proofs of concept on new security technologies. Empowering others in the organization greatly increases the chance of success.
“We suggest that next time you face a challenge, be it a major project or a single audit finding, you apply the three questions,” said Thielemann. “They are equally powerful whether you’re facing an individual, organizational, or global scenario.”