As was the case during the first two days of the Gartner Security and Risk Management Summit, the last two days remained both hot and humid here in National Harbor, Maryland. And like the first two days, the last two days offered a wealth of information to help IT leaders and security professionals benchmark themselves against their peers, understand the latest trends, and develop actions to improve the security posture of their organizations. As with my previous reports from day one and day two, I will do this in a top 10 list format. So, without further ado, let me share the highlights from days three and four:
Gartner analyst John Wheeler said that organizations need a strategic risk management approach to technology risk. He suggested that CIOs and CISOs need to move the conversation from low and high risks to good and bad risks. He suggested as well that we can no longer have just an internal view of risk. Risk exists across an internal/external ecosystem.
Sid Deshpande from Gartner said security turns out to be the number one driver and inhibitor of cloud adoption. I can confirm from the #CIOChat on Twitter that it is an inhibitor, especially for industries that are regulated and have significant sensitive data (PHI or PII).
Deshpande said not to consider cloud security separate from everything else you do; it needs to be part of your entire security plan. He also said that early in the cloud era there was a belief that traditional vendors were not competent to do cloud security. This was not true, but it explains why many cloud vendors have developed their own security offerings. Along the way, he said that public cloud users today must accept that if there is a hack their keys are exposed. He said that most cloud users accept this, but security vendors with differentiated offerings should put their offerings in the cloud marketplaces.
Manuel Maisog, a Beijing-based partner in the law firm of Hunton & Williams, said China’s Cybersecurity Regulation requires that all information from doing business in China stay in China. Amazingly, this regulation is a result of the Edward Snowden incident.
Kevin Nesbitt, unit chief of the FBI’s Enterprise Security Operations Center, said that CISOs need to enable users to do what they want to do. He said amazingly the FBI gives users a gun but not the ability to use a thumb drive. To deal with the security issue there, they have them register those thumb drives.
Gartner analyst Katell Thielemann said that FedRAMP, an assessment and authorization process which U.S. federal agencies use to ensure security is in place when accessing cloud computing products and services, was started because of an initial pushback to doing public cloud. She said unfortunately it did not increase cloud adoption.
Gartner’s Paul Proctor offered recommendations on how CISOs can use governance to drive alignment between IT and the business. He said that security professionals need to treat security as a business service, offering different levels of service depending upon the different needs and risk levels of various business units.
Proctor also talked about the levels of risk that develop as a business grows. As an organization grows, it must continuously reassess how much risk is appropriate.
Gartner analyst Jeremy D’Hoinne offered an interesting talk on balancing the need for speed and the need for risk management. He said there’s a natural tension between the two modes of Bimodal IT – Mode 1 being focused on the predictable, improving and renovating in more well-understood areas vs. Mode 2 that is more exploratory and innovative in solving new problems.
D’Hoinne also said that CISOs need to become more aware of the Bimodal IT goals of CIOs. In a survey conducted by Gartner, 43 percent of CIOs have implemented bimodal IT, yet only 1 percent of 3,000 Gartner client inquiries on bimodal IT came from security and risk professionals.
Thank you for following my blog posts here and my real-time Twitter updates from the Summit all this week. If you also attended this event, I would love to hear what your key takeaways were or what actions you will be taking when you get back to work tomorrow. Feel free to post a comment here or tweet at me @MylesSuer.