Adjusting to new realities has been a hallmark of information security professionals over the past few decades, and it’s a lesson that will serve them well going forward, explained VP and senior analyst Paul Proctor during the opening keynote at this week’s Gartner Security and Risk Management Summit in National Harbor, Maryland. The “adapt or die” mantra is hardly a new recommendation, but it still applies in a world of rapidly changing technology.
Proctor, who is the chief of security and risk management research for the analyst firm, was joined by fellow Gartner analysts Christian Byrnes, John Wheeler, and Andrew Walls, as they walked the audience through security and risk management’s past, present, and future. The real-time collection of information, and the pervasiveness of continuous analytics, are both the present and future of information management – and the problems these pose to information security professionals will only expand as this process accelerates, Proctor noted.
“A past that demonstrates adaptability. A present that challenges. A future that defies any reasonable expectation of managed risk”. This is how Proctor characterized the current challenges facing security practitioners. “What we’ve learned from the past is that our profession has always had to adapt – and we have.”
The Gartner analyst then listed four scenarios, based on the firm’s insights, that organizations will experience over the next decade: regulated risk (governments leveraging regulation to protect enterprises and themselves); coalition rule (continued attacker focus on the enterprise, with de-emphasis on central authority as rules and regulations are seen as ineffective); the controlling parent (the government will step in to protect the individual); and the ‘neighborhood watch’ – or anarchy (decreasing regulation signals that government intervention will not materially impact the targeting of individuals).
“If these scenarios seem extreme”, Proctor continued, “we have evidence that each and every one of them is happening right now”. He said organizations need to take pause and consider the combinations that affect them.
“There is no such thing as perfect security”, he added. “Risk posture is a choice – you can either spend more money and experience less risk, or spend less money and experience more risk”. Each choice influences where an organization plots on the “four points” continuum and depends on these money vs. risk assessments.
“Choosing to save some money and incur more risk is a legitimate business choice”, Proctor said. “CISOs are their own worst enemy when they position themselves as the defenders of the organization because it lets executives escape accountability. The failure is allowing the executives to live there without making a conscious choice.”
The solution to this common problem, he asserted, is for CISOs to stop begging for additional budgets, and instead to explain the risks clearly, and require that their executives make these risk-reward decisions based on the information provided. “Explain this reality to the decision makers, and ask them to commit to their choices about where they want to live on this continuum”, he implored. “CISOs must have the ability to translate [these risks] into reality”.
Proctor reiterated that the role of a CISO is not to defend an organization, but he did not claim that CISOs and their equivalents should take a passive role in the decision-making process. “We are the facilitators of a balance”, he said, “between the needs to protect an organization and the needs to run the business”. It is through this strategy that CISOs and risk management professionals can be viewed in a more productive light, rather than as convenient scapegoats when a security incident occurs.
The Gartner VP also touched upon a common refrain often found at such industry events: the need for CISOs to understand business requirements and become enablers. “You don’t have to go to business school”, Proctor told the audience, “but you need to understand your own business”. And because there is “no such thing as perfect security”, he reiterated, it is the job of the CISO to convey this to their board.
“You don’t control the threat”, he concluded, “but you do control the organization’s readiness”.