Gartner cybersecurity principles highlight need for risk-based security and the evolving role of the CISO
Earlier this month, the analyst firm Gartner held its annual Security and Risk Management Summit at National Harbor, just outside the nation’s capital, in Fort Washington, MD.
This week-long, cybersecurity-focused event brought together senior decision makers within large enterprises who are tasked with securing their organizations’ data and networks, analysts and experts in the security space, and companies that are creating the next-generation cybersecurity solutions that are revolutionizing the way enterprises think about information security. Together, these individuals got to discuss “the latest threats, flexible new security architectures, governance strategies, the CISO role and more.”
I had the opportunity to attend this year’s event and to have multiple enlightening conversations with the attendees. I also had the opportunity to learn about Gartner’s six security principles, guidance that the analyst firm released to help companies wrap their collective heads around the significant and constantly evolving threat landscape they’re facing, and the ways to meet those challenges head-on.
Here are the first three of the six principles that Gartner outlined for attendees, some commentary on why they’re so essential for companies to embrace, and insight into how today’s next generation of security and authentication solutions is helping make these priorities possible within the enterprise.
Embrace a risk-based approach to security – Historically, enterprises have taken a somewhat simple and blunt approach to cybersecurity – build a huge wall around what’s most important, keep as many people out as possible, and ultimately limit and restrict access in the hope that threats would be kept out. Unfortunately, this also had the side effect of hampering or complicating access for those within the organization who legitimately required it.
By embracing the next generation of risk-based cybersecurity and authentication solutions that are more dynamic and rely on data to determine a threat, companies can actually better protect their networks while increasing access and ease of use.
Risk-based approaches look at role-based “analytics” and use information from all source areas within the business to determine the ultimate risk level – or score – of the person trying to gain access. These solutions enable security personnel to place security where it counts more effectively, and to do so dynamically. This keeps management overhead and costs low while increasing convenience for the user.
This is a more elegant, more intelligent and more effective approach to security than simply building a great big wall around the perimeter.
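The scoring idea behind this principle, as an added example that is not Gartner’s or any vendor’s code: a small Python risk scorer that pulls signals from several sources (IAM role, device inventory, GeoIP, auth logs, data classification) into one score and maps it to allow, step-up MFA or deny. Every signal name, weight, threshold and sample request below is a constructed assumption for illustration.

```python
"""Added example: risk-based access scoring (constructed weights and thresholds)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    role: str                      # from the HR / IAM system
    known_device: bool             # from the device inventory
    country: str                   # from GeoIP of the source address
    usual_countries: set           # from the user's login history
    failed_logins_last_hour: int   # from the authentication logs
    resource_sensitivity: str      # 'low' | 'medium' | 'high', from data classification


# Role-based baseline: privileged roles start with more scrutiny (assumed weights).
ROLE_BASELINE = {"employee": 0, "contractor": 10, "admin": 20}
SENSITIVITY_WEIGHT = {"low": 0, "medium": 15, "high": 30}


def risk_score(req: AccessRequest):
    """Combine weighted signals into a 0-100 score plus the reasons that raised it."""
    reasons = []
    score = ROLE_BASELINE.get(req.role, 10)          # unknown role -> contractor-like baseline
    score += SENSITIVITY_WEIGHT[req.resource_sensitivity]
    if not req.known_device:
        score += 25
        reasons.append("unknown device")
    if req.country not in req.usual_countries:
        score += 20
        reasons.append(f"unusual country {req.country}")
    if req.failed_logins_last_hour:
        score += min(req.failed_logins_last_hour, 5) * 5   # cap the contribution
        reasons.append(f"{req.failed_logins_last_hour} failed logins in last hour")
    return max(0, min(100, score)), reasons


def decide(req: AccessRequest) -> str:
    """Low risk passes, medium risk is challenged, high risk is refused (assumed thresholds)."""
    score, _ = risk_score(req)
    if score < 35:
        return "allow"
    if score < 65:
        return "step_up_mfa"
    return "deny"


if __name__ == "__main__":
    r = AccessRequest("alice", "admin", False, "BR", {"US"}, 2, "high")
    print(risk_score(r), decide(r))
```

Security lands where it counts: a trusted employee on a known device reads low-sensitivity data unchallenged, while an admin on an unknown device from an unusual country is stopped, and the returned reasons give the SOC something to investigate.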
Prioritize and measure based on enterprise business outcomes – There are many different ways and places within the network where senior IT decision makers and security personnel can put their focus, attention and budgets. But not all of them are created equal.
When identifying where to focus the bulk of their IT and cybersecurity spend, these decision makers need to first identify the data at rest and in motion that is most essential for business outcomes. In this case, business outcomes are defined as the net effect to the business – positive or negative.
When that data is identified, it should then become the priority for security programs and budget expenditures. This ensures that the most effective and expensive security systems are placed where they belong – in front of the most sensitive and essential company information and networks. This includes the company’s money, intellectual property and customer data.
Be a facilitator of the business – Traditionally, CISOs and other security decision makers had a bit of a reputation as “no” men. They were seen as the individuals who stood up in the midst of an electric and exciting brainstorming session to detail all of the reasons why an idea couldn’t be executed because it would leave the company exposed or be impossible to secure. This is truly changing in very exciting ways.
Today, the role of the CISO and security department is no longer to tell internal audiences, “no.” Instead, these security professionals are expected to know what the business is looking to accomplish, understand the underlying business strategy and then work tirelessly to facilitate it – not set up barriers.
Today’s effective CISOs are the ones getting involved in projects from the get-go, not coming in and raining on parades after they’ve started. By getting involved early in programs and projects, the CISO and security departments can work to bake security in, rather than try to just tack it on at the end. This is often cheaper and easier – not to mention stronger and more secure.
In my next article on Access Granted, I’ll lay out the next three principles established by Gartner and discuss why they’re essential for enterprises today.
Are you currently embracing these first three principles in your organization? Do you agree with Gartner that these are important requirements for enterprises today? Do you think they’re flat wrong about them? Drop us a comment and let us know what you think!