During a business strategy meeting, the CISO of a national transportation system presented a slide with a proposed risk appetite statement for the organization:
“This organization has no appetite for safety risk exposure that could result in injury or loss of life to the public, passengers or the workforce. All safety targets are met and improved year over year. We are willing to accept risks that may result in financial loss. The company will only tolerate low to moderate gross risk exposure in the delivery of operational performance, network reliability and capacity, and asset condition.”
The CISO had been struggling to articulate the importance of risk-based decision making and found creating a risk appetite statement for the organization to be the most effective tool in aligning IT risk management with business goals. Creating simple, practical and pragmatic risk appetite statements enabled this CISO to break down the cultural disconnect that existed between the security team and the different business units. This is one of seven security and risk management trends that Gartner expects to impact CISOs in 2019.
“These top trends highlight ongoing strategic shifts in the security ecosystem that aren’t yet widely recognized, but are expected to have broad industry impact and significant potential for disruption,” says Peter Firstbrook, VP Analyst. “Reacting to these developments provides an opportunity for security and risk management leaders (SRMs) to improve resilience, better support business objectives and elevate their standing in the organization.”
Trend No. 1: Leading SRM leaders are creating pragmatic risk appetite statements linked to business outcomes to engage their stakeholders more effectively.
Gartner client inquiries have shown that one of the most serious challenges for SRM leaders is the inability to effectively communicate with business leaders. Despite CISOs being more involved in strategic meetings, business leaders often are unable to gauge if a technology or project is creating too much risk and exposure or if the organization is missing opportunities by being too risk-averse.
Risk appetite statements link business goals and risk treatment plans to inform stakeholders and partners of the organization’s intentions when taking on risk. When it comes to risk appetite statements, be clear, consistent and relevant, and make sure to choose the right delivery method for the organization.
Trend No. 2: There is renewed interest in implementing or maturing security operations centers (SOCs) with a focus on threat detection and response.
Given the increasing complexity and impact of cybersecurity attacks, and the increasing complexity of security tools generating alerts, organizations are looking to build or revitalize SOCs or outsource this function. By 2022, 50% of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10% in 2015.
Organizations are now investing in tools that are more sensitive and are focusing on a balance between response and detection versus prevention. The rise in more sophisticated alerts and tools has led to an increased need to centralize and optimize operations, which means SOCs are now a business asset.
Trend No. 3: Leading organizations are utilizing a data security governance framework to prioritize data security investments.
Data security is not simply a technology issue. Effective data security may require a data security governance framework to provide a data-centric blueprint that identifies and classifies structured and unstructured datasets across all enterprise computing assets and defines data security policies. Once SRMs have addressed the business strategy and risk tolerance, the framework can be used as a guide to prioritize technology investments.
Trend No. 4: “Passwordless” authentication is achieving market traction, driven by demand and the availability of biometrics and strong hardware-based authentication methods.
Eliminating passwords has been a longstanding goal, but is only now starting to achieve real market traction. Passwords are a magnet for attackers and are susceptible to a variety of attacks such as social engineering, phishing, credential stuffing and malware.
Emerging passwordless standards and the increased availability of devices that support passwordless authentication methods are driving increased adoption. Biometrics have become increasingly popular as a “passwordless” method for stronger identification, but other options include hardware tokens, phone as a token, Fast IDentity Online (FIDO) and analytics based on passive behaviors.
Trend No. 5: Security product vendors are increasingly offering premium services to help customers get more immediate value and to assist in skills training.
The number of unfilled cybersecurity roles globally is expected to grow from 1 million in 2018 to reach 1.5 million by the end of 2020. Organizations are struggling to fill roles and may find it challenging to retain current employees. At the same time, the proliferation and complexity of security software is increasing. Some technologies, especially those using AI, require constant monitoring or investigation by a human security expert.
It’s possible that soon there won’t be enough skilled people to use the products. As a result, vendors are increasingly offering premium services that combine products with implementation, configuration and ongoing operational services. This means vendors can help customers gain more immediate value from the tools and organizations can upskill administrators.
Trend No. 6: Leading organizations are investing in and maturing their cloud security competency as it becomes the mainstream computing platform.
As organizations adopt more and more cloud-based platforms, security teams will see increasing variety and complexity when it comes to cloud security. Leading organizations are establishing a cloud center of excellence team and investing in people, processes and tools to master this rapidly changing environment. Tools such as cloud access security brokers (CASBs), cloud security posture management (CSPM) and cloud workload protection platforms (CWPPs) offer overlapping cloud security capabilities to address risks, but organizations must also invest in people and process, such as by adopting a SecDevOps workstyle.
Trend No. 7: The strategic CARTA approach to security is starting to appear in more traditional security markets.
Continuous adaptive risk and trust assessment (CARTA) is a strategic approach to security that acknowledges there is no perfect protection and that security needs to be adaptive, everywhere, all the time. Traditional LAN network security and email security are two markets that are beginning to adopt a CARTA mindset by focusing on detection inside the perimeter and on detection and response capabilities.