It’s not enough for security pros to figure out how to protect digital enterprises from risks that can ruin the business, they must effectively sell it to corporate boards whose blessing is needed to authorize the plan, Gartner analysts told attendees at their Security and Risk Management Summit.
With that in mind, three Gartner security specialists walked the roughly 3,400-person audience through how to create a plan to manage risk and minimize damage when – not if – an attack succeeds, and the strategy for buy-in from the board of directors.
“One hundred percent protection should not be the goal,” Gartner analyst Peter Firstbrook told the gathering. “The goal should be resilience.”
That means figuring out how to quickly detect attacks, then respond as fast as possible, he says.
The plan should find the top half-dozen risks that threaten the business, and those are not necessarily the same as the ones that affect IT, says Garner analyst Jeff Wheatman. The question to address is, “What are top IT related risks that could lead to business risks becoming real?” he says. That’s what the corporate decision makers care about.
Security executives have to create controls that balance the need to protect the business with the need of to keep it running efficiently. To do that the security experts have to talk to the business leaders while they are creating the plan, he says. That acts as a trial run of what might fly when the plan is presented to the board.
Reactions from business group leaders can go three ways: We never thought of that; we worry about something else that’s not on your list; your list has items we don’t care about.
All of these answers are helpful because they focus IT’s security plan on what’s important to the business stakeholders, he says. “They all give you a better idea of what matters,” Wheatman says.
Digital businesses rely on complex combinations of machines, technology, partners and service providers, many of which are out of direct corporate control, so it’s important to work trust into the calculus, he says. Will the company be held liable for damages stemming from a breach of a digital business even though the element that was exploited was not directly controlled by the company?
Risk of fraud being carried out against the digital business is a top concern, he says. Fraud and legal liability can both be addressed by establishing an effective trust scheme that helps thwart attackers, he says.
What’s needed is a decentralized, distributed trust platform to establish trust between two platforms that have never met before, says Gartner analyst Felix Gaehtgens. The architecture should accommodate approaches to trust that range from trust everything until it proves itself untrustworthy to trust nothing until it proves itself trustworthy. He calls this adaptive trust.
Sign up for CIO Asia eNewsletters.