Strategic planning is the only option if risk and security leaders want to succeed in a rapidly changing world, the opening session of the Gartner Security & Risk Management Summit 2012 heard in London.
According to Gartner, the biggest drivers of change are mobile, social, cloud and big data, making it challenging to enable business transformations while managing uncertainty.
The ability of security and risk managers to deal with change will determine their ability to survive and thrive in uncertain times, said Andrew Walls, research director at Gartner.
“This means not only surviving change, but taking advantage of it to prosper,” he said.
To achieve this, Gartner believes security and risk professionals need to set up, grow, and continually transform a strategic plan to deliver appropriate protection where the business requires it.
To do this, said Walls, security and risk managers need to understand the four forces that are driving change because the combination of these is what is redefining security and risk.
But this strategy cannot operate independently of the business strategy; they have to be integrated, said Paul Proctor, vice-president and distinguished analyst at Gartner.
“Security and risk managers need to support business goals but they can’t simply align with the business; they must be one with the business, which means they can no longer be ignorant of what the business does,” he said.
To set up and run a security and risk strategy involves setting a budget and establishing metrics, governance and compliance policies, said Proctor.
Growing that strategy involves analysing the plan to identify and fill in the gaps, while transformation is all about erasing the cultural barrier between the two.
This can be achieved, said Proctor, by defining the business objectives and processes, and then looking for their dependencies on IT and security.
“By mapping leading risk indicators into performance indicators and enabling businesses to make better decisions, security and risk managers can ensure themselves a seat at the table in discussions about growth and profitability,” he said.
However, Proctor said success is not only about managing a strategic planning programme – it is also about security infrastructure, services and identity management.
An important aspect of security enabling business objectives is providing strong, transparent controls and ensuring the right people have access to the right resources at the right time, said Carsten Casper, research vice-president at Gartner.
But, he said, the nexus of the four driving forces of change challenges traditional approaches to security and risk management – particularly access management.
“This collision of forces not only creates new challenges, which some companies are seeking to solve by pushing things like access management into the cloud, but also creates opportunities,” said Casper.
While the mission of providing appropriate levels of security has not changed, he said, it is no longer IT’s job to decide how much protection is necessary.
“A growing number of companies are taking a much more integrated approach to determining what level of protection is appropriate,” said Casper.
Security Information and Event Management (SIEM) systems are core to this approach, he said. “For many organisations, they are no longer a luxury, but a necessity because they help build company-wide situational awareness and security intelligence.”
Security and risk managers need to evolve to be able to protect users of corporate IT systems wherever and whenever they require. They are turning to the rich palette of tools and services that are available, with 52% of large enterprises already using security services, said Casper.
“Security and risk professionals need to adapt constantly to ensure they are able to provide the risk services and security technologies the business requires to enable growth, and, for this reason, strategic planning is the only option,” he said.