
Gartner urges investment in 'risk principles' for heightened security

29 Sep 15

Companies must change their approach to IT risk and cyber security, Gartner says, as digital businesses present an increasing level of complexity and new threats.

David Willis, Gartner vice president and distinguished analyst, says we are at ‘the intersection of two major macro trends’.

“The first is the transformation to a digital business,” Willis says. “The second is the growing capacity and sophistication of digital adversaries to breach our defences and cause major business disruptions in business operations.”

Gartner’s recent CIO survey showed 89% of CIOs surveyed felt digital business created new types and levels of risk.

“Inside and out, organisations are architected for agility and convenience, not resilience,” Willis says.

However, the architectures that offer agility and convenience to enterprises and their customers are the same ones attackers use to gain comprehensive access to enterprise systems once they get a foothold anywhere in the extended value chain.

“Regulatory compliance is insufficient to protect the business and its customers,” Willis says.

He says the emerging standard is resilience, meaning the ability to recover rapidly from unforeseen circumstances.

The analyst firm says companies must invest in three risk principles: rearchitecting the foundation to make people, processes and technology more resilient; increasing awareness to build trust and resilience; and extending governance to build trust and resilience throughout the ecosystem.

Gartner says the transformation to full-scale digital business extends well beyond the IT organisation, impacting the design and staffing of nearly every business function and requiring rearchitecting of the foundation.

“Its sheer scale underscores the importance of applying resilience to people, processes and technologies,” Gartner says. “In the next decade, trade-offs between convenience and resilience will be driven by increasing resilience. Significant investment will be required throughout the organisation to meet the challenge of resilience, a much higher bar than regulatory compliance.”

On the increased awareness front, Gartner points out that most high-profile cyberattacks on organisations in recent memory began with a phishing attack – meaning a psychological manipulation – on a single employee.

“Only awareness on the part of the employee could have prevented the consequences,” Gartner says. Adds Willis: “Technology alone cannot and will not protect the individual and the enterprise from carelessness or malicious actors.”

Personal awareness and responsibility with respect to safety and propriety must become priorities for businesses, Gartner says. It advocates that businesses move from once-a-year, compliance-oriented training to ongoing awareness campaigns.

“In addition, as the lines between personal and business technology are blurring, organisations should also consider extending protections to employees at home,” Willis says.

The final risk principle Gartner says companies must invest in, extended governance, follows from the fact that risks to digital businesses go far beyond the walls of the enterprise, ‘and governance processes must follow’, Willis says.

“Organisations must broaden and deepen internal governance, look to their ecosystems for additional support and lend their influence to the creation of common defences,” he says.

Trading security in favour of convenience for employees and customers is routine in this era. “Now the scale and ferocity of assaults on businesses – and the underlying interdependent complexities of digital business – should signal organisations to shift trade-offs toward resilience in both business and IT operations,” Gartner says.

“Within a few years, regulation will speed that shift and organisations should expect the risks of digital business to increase in the meantime and plan accordingly,” adds Willis.
