Digital business will affect security challenges at least as much as the emergence of the internet did, Gartner research vice-president John Girard has said.
“Digital businesses that come from new business models, such as Uber, are taking the digital economy to a new level,” he told the opening of the Gartner Security and Risk Management Summit 2014 in London.
Girard called on information security professionals to seize the latest technology reset as an opportunity to restart their approach to information security and avoid past mistakes.
“With each leap forward in technology innovation, security has become further and further degraded because many organisations have held on to security models of the past,” he said.
Instead, Girard said Gartner recommends companies fully implement the successful best practices that have emerged through all the technological twists and turns of the past.
“Simple smart practices, such as patching systems and keeping software up to date, can vastly improve defences,” he said.
Other examples of smart best practices include introducing alert-filtering rules and preventing users from logging in to systems with full administrative privileges.
“Limiting full administrative privileges can eliminate 90% of vulnerabilities on Windows systems and alert filtering can reduce millions of alerts to a handful of relevant actionable ones,” said Girard.
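Girard's alert-filtering point, as an added example that is not from the article or from Gartner: a small Python filter that applies three common rules to a constructed alert stream (drop an allowlisted authorised scanner, fold repeated failed logins from one source into a single brute-force alert, discard low-severity noise, and deduplicate repeats of the same alert within a window). The rule names, severities, thresholds and the 546-alert sample stream are all invented for illustration; the point is the shape of the logic, not the specific numbers.

```python
"""Alert filtering: reduce a noisy alert stream to a few actionable alerts.

Added example, not code from the article or from Gartner. The alert stream,
rule names, severities and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str        # name of the detection rule that fired (hypothetical names)
    severity: int    # 1 (informational) .. 5 (critical)
    src_ip: str      # "-" when the alert has no network source


T0 = datetime(2014, 9, 8, 9, 0, 0)   # arbitrary start time for the sample


def build_sample_alerts():
    """Constructed sample stream (not real data): 546 alerts in total."""
    alerts = []
    # 200 port-scan hits from the authorised vulnerability scanner (benign, known)
    for i in range(200):
        alerts.append(Alert(T0 + timedelta(seconds=i), f"srv{i % 20:02d}", "port_scan", 3, "10.0.0.5"))
    # 300 informational DNS alerts nobody needs to look at individually
    for i in range(300):
        alerts.append(Alert(T0 + timedelta(seconds=i), f"ws{i % 50:02d}", "dns_query", 1, "10.1.0.9"))
    # 40 failed SSH logins from one external address inside two minutes
    for i in range(40):
        alerts.append(Alert(T0 + timedelta(seconds=3 * i), "web01", "failed_login", 2, "203.0.113.7"))
    # the same malware detection fired five times inside one minute
    for i in range(5):
        alerts.append(Alert(T0 + timedelta(seconds=10 * i), "ws17", "malware_detected", 5, "-"))
    # a single new local administrator account: always worth a look
    alerts.append(Alert(T0 + timedelta(minutes=3), "dc01", "new_admin_account", 4, "-"))
    return alerts


def filter_alerts(alerts, allowlist, min_severity=3,
                  dedup_window=timedelta(minutes=5),
                  brute_force_threshold=10, brute_force_window=timedelta(minutes=5)):
    """Return (actionable_alerts, suppression_counts_by_reason)."""
    actionable = []
    suppressed = defaultdict(int)
    failed_logins = defaultdict(list)   # (host, src_ip) -> timestamps in the sliding window
    last_emitted = {}                   # (host, rule, src_ip) -> ts of last alert passed through

    for a in sorted(alerts, key=lambda x: x.ts):
        # Rule 1: alerts from allowlisted sources (e.g. the authorised scanner) are dropped.
        if a.src_ip in allowlist:
            suppressed["allowlisted_source"] += 1
            continue

        # Rule 2: individual failed logins are folded into one brute-force alert
        # once a source reaches the threshold inside the sliding window.
        if a.rule == "failed_login":
            bucket = failed_logins[(a.host, a.src_ip)]
            bucket.append(a.ts)
            bucket[:] = [t for t in bucket if a.ts - t <= brute_force_window]
            if len(bucket) != brute_force_threshold:
                suppressed["failed_login_folded"] += 1
                continue
            a = Alert(a.ts, a.host, "brute_force", 4, a.src_ip)

        # Rule 3: anything below the severity floor is noise for the analyst queue.
        if a.severity < min_severity:
            suppressed["low_severity"] += 1
            continue

        # Rule 4: the same alert on the same host from the same source is emitted
        # at most once per dedup window.
        key = (a.host, a.rule, a.src_ip)
        prev = last_emitted.get(key)
        if prev is not None and a.ts - prev < dedup_window:
            suppressed["duplicate_in_window"] += 1
            continue
        last_emitted[key] = a.ts
        actionable.append(a)

    return actionable, dict(suppressed)


if __name__ == "__main__":
    stream = build_sample_alerts()
    out, why = filter_alerts(stream, allowlist={"10.0.0.5"})
    print(f"{len(stream)} alerts in, {len(out)} actionable out; suppressed: {why}")
    for a in out:
        print(f"  {a.ts.time()} {a.host:6} {a.rule:18} sev={a.severity} src={a.src_ip}")
```

Run stand-alone it reports 546 alerts in and 3 out (the malware detection, the brute-force aggregate and the new admin account), with the rest accounted for by reason. The order of the rules matters: aggregation must run before the severity floor, otherwise the low-severity failed logins are discarded before they can add up to anything.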
The role of the CIO must also change to influence the whole enterprise to make decisions that balance risk with opportunity, said Andrew Walls, Gartner's research vice-president.
In the past, he said, business executives have been driven away from IT security because they have tended to perceive it as a useless nuisance, and have consequently ignored it or worked against it.
“This needs to change by ensuring IT security provides real support for business through engaging business executives as partners,” said Walls.
He also said information security professionals should learn their business well enough to anticipate the future innovation needs of firms.
“By anticipating those needs, information security professionals will not be caught by surprise and will be able to move from just managing operational controls to an advisory role,” said Walls.
Increasingly, he said, CIOs are being rewarded based on the enterprise’s performance. “And risk management is the tool CIOs can use to maximise business profitability.”
In another break from the past, enterprises are requiring employees to take more control and responsibility for risk management to support innovation in digital business, said Walls.
This in itself requires changes to the way security education is approached in the corporate environment.
“The focus is shifting to risky behaviour that has a real impact on the business and enabling employees to be able to make the right security choices in fluid situations,” said Walls.
This is also an opportunity for CIOs to promote the concept of security through risk management, eliminate all drivers of risky behaviour and encourage good behaviour through peer recognition, he said.
Finally, the latest technology reset provides an opportunity for enterprise security professionals to align security with the business, according to Gartner's chief of research, Paul Proctor.
“This can be achieved by adopting a model that seeks to balance the needs of protecting and running a business,” he said.
Like Walls, Proctor emphasised the importance of information security professionals developing an understanding of the businesses they support.
“Look at the desired outcome of your business, identify what business processes are critical to that outcome, then look at the underlying IT to identify the relevant IT security risks,” he said.
Proctor also said businesses should identify and use relevant key risk indicators, linked directly to business outcomes, to measure success and progress.
Girard said that, while there is no such thing as perfect security, there is a logic to adopting a new model that balances risk and opportunity, following tried and tested best practices, and ensuring that companies really are doing the basics well.
Gartner predicts that building a digital business risk management strategy will be essential to IT security in future.
By 2017, a third of large businesses engaging in digital business are expected to have appointed a digital risk officer.