Security professionals need to protect their enterprise by building resilience. Speaking in the opening keynote at the Gartner Security & Risk Management Summit in National Harbor, MD, Peter Firstbrook, research director at Gartner, says it’s important to first understand the intersection of two macro trends impacting enterprise security.
Trend 1: Transformation of Digital Business
The convergence of people, business and things creates digital forces that will transform business models. With much IT activity now happening outside the IT department, organizations face critical issues regarding privacy, security, safety, and risk. Gartner predicts that by 2017, 50% of IT spending will be outside traditional IT departmental control. This creates profound new challenges for IT and security leaders.
Trend 2: Growing capacity and sophistication of digital adversaries
The digital crime rate continues to climb as attackers innovate quickly and siphon massive amounts of private information out of enterprises through the enterprise's own infrastructure. Traditional defenses such as antivirus and network firewalls have failed to stop the continuous stream of breaches. Furthermore, regulatory and compliance standards are reactive and too prescriptive. To combat these forces, organizations need to consider the digital risk officer role as the future of IT risk and security management.
Build resilience as your north star
Resilience, according to Firstbrook, is the best approach to address both catastrophic and daily threats. “Resilience is our North Star,” he says. “And resilience isn’t only about catastrophic threats, it’s also about everyday and continuous threats.” Consider cities, for example: they have crime, fire and disease, and they also have police and fire departments and hospitals. An attempt to prevent every fire would be prohibitively expensive and would degrade the quality of life for citizens. Instead, cities have certain controls to prevent fires, but they also have detection and emergency response. “It’s about absorbing the punches and bouncing back from the big things while accepting certain risks for the achievement of success,” Firstbrook says.
To manage digital security, organizations should adopt six principles of resilience:
- Move from check box compliance to risk-based thinking
Following a regulation or a framework, or simply doing what your auditors tell you to do, has never by itself resulted in appropriate or sufficient protection for an organization. “Risk-based thinking” is about understanding the major risks your business will face and prioritizing security controls and investments to achieve business outcomes.
- Move from protecting the infrastructure to supporting organizational outcomes
You still have to protect your infrastructure but you also have to elevate your security strategy to protect the things the business actually cares about such as business performance, public service delivery, or a military mission.
- Move from being the righteous defenders of the organization to acting as the facilitators of balance
Resist the temptation to dictate to the business what it may do, or to decide unilaterally how much risk is acceptable for the organization. Instead of pushing back on business requests to move workloads to the cloud, for example, work with your business counterparts to negotiate appropriate levels of security for those workloads.
- Move from controlling the flow of information to understanding how information flows
Digital business will introduce massive new volumes and types of information that must be understood and appropriately protected. You cannot apply appropriate controls to protect information when you don’t know where it is.
- Move from a technology focus to a people focus
Security technology has its limits and, therefore, it’s necessary to shape behavior and motivate people to do the right thing, not just try to force people to do what we want. Gartner’s strategic approach to information security, called “people-centric security,” emphasizes individual accountability and trust, and de-emphasizes restrictive, preventative security controls.
For example, phishing is cited as the initial infection vector in 80% of breaches. However, there are no totally effective technical controls for this problem. When employees are motivated and understand the limits of trust, the click-through rate on phishing emails drops dramatically.
- Move from protection only, to detect and respond
The disparity between the speed of compromise and the speed of detection is one of the starkest failures uncovered in breach investigations. In the digital world the pace of change will be too fast to anticipate and defend against every type of attack. Security professionals should acknowledge that compromise is inevitable. Ultimately, it’s time to invest in the technical, procedural and human capabilities needed to detect a compromise when it occurs and to respond to it.