After 30 years, it is time to kick security and risk evolution into high gear, says Gartner vice-president and distinguished analyst Paul Proctor.
“We have the tools and understanding, so now is the time to change, now is the time to reset,” he told the opening session of the Gartner Security and Risk Management Summit 2013 in London.
“Security and risk professionals need to roll with the changes; adaptation is always going to be a reality,” he said.
In the light of these forces, Gartner believes it “might be the end of security as we know it”, which means there is a “raft of work” to be done to adapt and update the current security model.
Evidence of this is to be found already in the development of cloud contracts that include security and projects to revisit data classification to ensure businesses know exactly where critical data resides.
Some companies are already learning to align data sensitivity with risk, and supplement traditional security with new context-based access tools to improve mobile security, said Proctor.
Risk posture involves a conscious choice to spend more and reduce risk or spend less and accept more risk
Bringing business and security together
But in many companies more work has to be done to turn lip service to risk-based security strategies into a reality, where risk includes all risks based on business objectives and not just those of IT, he said.
The way to link risk and security to business outcomes, said Proctor, is to begin with the business objectives and link them back to the business processes required and the associated IT dependencies.
The risks associated with each of these then become the risks for that particular business objective.
This is a key part of security and risk engaging with business, and Gartner predicts that by 2014, 80% of the world’s top 2,000 companies will be required to report their security and risk posture to the board at least once a year.
To improve the quality of engagement, Proctor advised that security and risk professionals should dispense with the fear, uncertainty and doubt (FUD).
“FUD makes up around 75% of presentations to boards, but that has limited value so don’t dwell on that because you don’t control threats. Talk about what you do control – the response,” he said.
“Strip out all the technology. Use the time to bridge the gap between the business and security. Make them understand there is no perfect security and that risk posture involves a conscious choice to spend more and reduce risk or spend less and accept more risk,” said Proctor.
More on risk management
- Cybersecurity: Global risk management moves beyond regulations
- How to build a risk threat model
- Embrace BYOD and manage the risks
- Risk assessment key to cloud adoption, says Isaca
- Communication key to risk management in security, says CISO
- Closing the gap between IT security risk management and business risk
By understanding the business, security and risk professionals will know how to express risk in terms of things the board understands, such as lost production, he said.
“By understanding the decisions your target audience is making on a daily basis, you will know what you need to tell them that will influence their decisions,” he added.
According to Proctor, security and risk professionals need to ensure the business understands that it is the business that owns the risk, not IT.
The role of security and risk professionals, he said, is to help stakeholders balance the need to protect the business from threats against enabling the business to be productive and agile.
“Use the power of risk management to influence business decision-making. You have the tools and understanding to do that well. Now is the time to change, now is the time to reset,” he said.