Gartner urges investment in 'risk principles' for heightened security
Companies must change their approach to IT risk and cyber security Gartner says, with digital businesses presenting an increasing level of complexity and new threats.
David Willis, Gartner vice president and distinguished analyst, says we are at ‘the intersection of two major macro trends’.
“The first is the transformation to a digital business,” Willis says. “The second is the growing capacity and sophistication of digital adversaries to breach our defences and cause major business disruptions in business operations.”
Gartner’s recent CIO survey showed 89% of CIOs surveyed felt digital business created new types and levels of risk.
“Inside and out, organisations are architected for agility and convenience, not resilience,” Willis says.
However, the architectures that offer agility and convenience to enterprises and their customers are the same ones attackers use to gain comprehensive access to enterprise systems once they get a foothold anywhere in the extended value chain.
“Regulatory compliance is insufficient to protect the business and its customers,” Willis says.
He says the emerging standard is resilience, meaning the ability to recover rapidly from unforeseen circumstances.
The analyst firm says companies must invest in three risk principles: rearchitecting the foundation to make people, processes and technology more resilient; increasing awareness to build trust and resilience; and extending governance to build trust and resilience throughout the ecosystem.
Gartner says the transformation to full-scale digital business extends well beyond the IT organisation, impacting the design and staffing of nearly every business function and requiring rearchitecting of the foundation.
“Its sheer scale underscores the importance of applying resilience to people, processes and technologies,” Gartner says. “In the next decade, trade-offs between convenience and resilience will be driven by increasing resilience. Significant investment will be required throughout the organisation to meet the challenge of resilience, a much higher bar than regulatory compliance.”
On the increased awareness front, Gartner points out that most high-profile cyberattacks on organisations in recent memory began with a phishing attack – meaning a psychological manipulation – on a single employee.
“Only awareness on the part of the employee could have prevented the consequences,” Gartner says. Adds Willis: “Technology alone cannot and will not protect the individual and the enterprise from carelessness or malicious actors.”
Personal awareness and responsibility with respect to safety and propriety must become priorities for businesses, Gartner says. It advocates that businesses move from once-a-year, compliance-oriented training to ongoing awareness campaigns.
“In addition, as the lines between personal and business technology are blurring, organisations should also consider extending protections to employees at home,” Willis says.
The final risk principle Gartner says companies must invest in, extended governance, arises because risks to digital businesses go far beyond the walls of the enterprise, ‘and governance processes must follow’, Willis says.
“Organisations must broaden and deepen internal governance, look to their ecosystems for additional support and lend their influence to the creation of common defences,” he says.
Trading security in favour of convenience for employees and customers is routine in this era. “Now the scale and ferocity of assaults on businesses – and the underlying interdependent complexities of digital business – should signal organisations to shift trade-offs toward resilience in both business and IT operations,” Gartner says.
“Within a few years, regulation will speed that shift and organisations should expect the risks of digital business to increase in the meantime and plan accordingly,” adds Willis.