The Gartner Security and Risk Management Summit, taking place this week in National Harbor, Maryland, is a large event with many analyst presentations taking place at the same time. With this said, I wanted to provide a quick daily report of things that I learned on the first day that could be of use to CIOs, CISOs, and other IT leaders. I will do this in the form of a top 9 list. So, without further ado, let me share the highlights from day 1:
Keith O’Sullivan, global VP and CISO at Time Inc., said the information security insurance business grew 64 percent last year and that total spend here is nearly equivalent to what companies spend for their entire infosec program.
Gartner analyst Neil MacDonald said enterprises need to balance risk and trust because digital business stops for no one.
Paul Proctor, another Gartner analyst, said there is no such thing as perfect risk protection. The goal should be to set a sustainable set of controls that balance the need to protect against the need to run the business. Doing this means establishing a dialog with the business about risk. Ann Cavoukian, the originator of Privacy by Design, responded to my tweet on this topic by saying she starts her talks with “The Myth of Zero Risk.” She added, however, that this doesn’t mean you can’t reduce the risk dramatically by embedding privacy by design.
Proctor said we have gone from security, to technology risk, to business outcome risk. This latest step of course means codifying risk in terms of how it impacts the business. He suggests one way of putting this together involves communicating risk in terms of the corporate value chain. In other words, what risk points exist for each element of the value chain? He said this is how the business will understand it.
Gartner’s Proctor said the required skillset of security people is changing—today we need people who can talk about the business outcomes of the security process.
Gartner’s MacDonald asked: how do you know whether someone holding valid credentials is a hacker? Such a person had better not hold privileged credentials, or you give up almost everything in a very short time.
Jeffrey Wheatman said Gartner’s research shows that those not using cloud say they are holding back because of data security challenges, while those who are using it say they are doing so to improve their data security capabilities.
Wheatman said that as more sensitive data goes to the cloud, we must share with regulators why we did it and how we are controlling it.
Another Gartner analyst, Bart Willemsen, says that only 3 percent of companies had a definite strategy ready for GDPR as of October 2016.
Clearly, there are a lot of interesting thoughts here for IT leaders. As several speakers indicated, business alignment of security requires that IT understand the risk profile that is acceptable to the enterprise, whether the environment is on-premises, private cloud, hybrid cloud, or public cloud. And finally, there is recognition that relying just on access control and encryption is not enough. Today, it’s all about protecting data.
Follow me on Twitter for live updates from the Gartner Security & Risk Management Summit.