The Gartner IT Security Approach for the Digital Age

June 12, 2017

Contributor: Kasey Panetta

Combat security risks with an adaptive approach to risk management.

The reality of digital business means that businesses must innovate or die. But security is an integral part of the digital business equation when it comes to technologies like cloud services and big data, mobile and IT devices, rapid DevOps, and technologies such as blockchain. Security experts must adapt security techniques for the digital age.

“The truth is we’ve had a binary view of the world that no longer exists. Black or white, good or bad the answer is we don’t really have certainty in either extreme. It could be either. It can be both,” says Neil MacDonald, vice president and distinguished analyst, during the opening keynote for the Gartner Security & Risk Management Summit 2017 in National Harbor, MD. “Ambiguity is the new reality. Embrace the grey.”

“The reality is business leaders are moving full speed ahead, with or without you,” he said.

A New Security and Risk Mindset

In 2014, Gartner introduced Adaptive Security Architecture but organizations now need to evolve past that.

Now, security experts must apply a new approach: CARTA--continuous adaptive risk and trust assessment. This to stay competitive with emerging business opportunities. The key is to apply the philosophy across the business from DevOps to external partners.

“We need security that is adaptive everywhere -- to embrace the opportunity --- and manage the risks  --- that come with this new digital world, delivering security that moves at the speed of digital business,” says MacDonald.

Run, Build, Plan

Mr. MacDonald, along with Eric Ahlm, research director, and Ramon Krikken, research vice president, explores how to apply CARTA across three phases of information security and risk management.

Run: Runtime threat protections and access protection

Build: Development and ecosystem partners

Planning: Adaptive security governance and evaluating new vendors

Ramon Krikken, research vice president, presents on the idea of CARTA at the Gartner Security & Risk Management Summit 2017.  


When it comes to CARTA, data analytics need to be a standard part of the arsenal. Companies can--despite the hype about big data--derive real value from machine learning.

“Anomaly detection and machine learning are helping us to find bad guys that have otherwise bypassed our rules-based prevention systems,” says Ahlm. “That’s why analytics are so relevant to security operations today, they are good at finding bad guys in the data that other systems missed.”

The average time to detect a breach in the Americas is 99 days and the average cost is $4 million. Analytics will speed up detection and automation will speed up response time, acting as a force multiplier to scale the team without adding people. Analytics and automation ensure enterprises focus limited resources on events with the highest risk and the most confidence.

For access protection in the digital world, companies must be constantly monitoring. One time authentication is fundamentally flawed when the threat is past the gate. For example, if a user is downloading sensitive data to a device. The data should be encrypted with digital rights management before it’s downloaded, and then the user should be monitored. If he starts to download too much, throttle access or raise an alert for investigation.


When it comes to DevOps, security needs to start early in development and identify issues that represent a risk to the organization before they’re released into production. Modern applications are not developed, but rather assembled from libraries and components. Scan the libraries for known vulnerabilities  and eliminate the majority of the risk. For custom code, balance the need for speed with the need for security.

Ecosystem partners add new business capabilities, and new security complexities.

“Risk management is no longer the domain of a single enterprise and it must be considered at ecosystem level,” says Ahlm. “The success of my product or service is now fundamentally intertwined with others. My risk is their risk. Their risk is my risk. It’s one in the same.”

With the CARTA mindset, organizations must continuously assess the ecosystem risk and adapt as necessary. Your partners should also be assessing your enterprise, infrastructure, control and digital brand reputation. For ecosystems with a dominant anchor provider, the only way a company will be allowed in is after a security and risk assessment. If your company is too risky, the organization might be removed from the ecosystem. Continuous monitoring and assessing of the risk and reputation of major digital partners is essential.

Planning CARTA

Assess compliance and governance at an enterprise level. What level of risk is acceptable to business leaders? Analytics will provide modeling and predictions about areas of risk and what opportunities are available if the business is willing to accept more risk. Continuous monitoring of analytics will allow you to explain risk in business terms. The business will need support in setting priorities, security experts must do their best to build reasonable guardrails and help define acceptable levels of trust and risk.

CARTA should also be used to evaluate vendors to ensure they offer five criteria: Open APIs, support of modern IT practices such as cloud and containers, support adaptive policies such as being able to change security postures based on context, full access to data without penalties and multiple detection methods.

“A CARTA strategic approach enables us to say yes more often. With a traditional binary allow/deny approach we had no choice but to be conservative and say no,” says MacDonald. “With a CARTA strategic approach, we can say yes, and we will monitor and assess it to be sure allowing us to embrace opportunities that were considered too risky in the past.”

Experience Information Technology conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.

Drive stronger performance on your mission-critical priorities.