Recently I had the opportunity to interact with industry thought leaders, analysts, practitioners and solution providers during the Gartner Security & Risk Management Summit.
I decided to approach the discussions as a student, with the objective of unlearning and learning. After more than two decades in the information security industry, it was a refreshing change to listen and learn without the "baggage" of pre-existing opinions.
(Image credits: cmodigitalforum.com)
This series of blog posts is an attempt to share my learnings and interpretations of a few important areas that we security professionals will have to deal with in the near future.
The evolution of the digital business model is causing a major shift in information risk management strategies and actions. The industry is adopting digital business at a rapid pace due to its obvious business benefits and the fact that not all of it is new. Many technology applications over the past few years also fall into the digital business definition.
The easiest definition for me to understand is: "Digital business is the modification or creation of new business designs by using a combination of logical and physical technologies, supported by changing user behavior and regulatory support."
Needless to say, risk management needs to evolve to support this business transformation. The keyword for risk management has to change from “risk” to “yes”.
Our job now is to "enable digital business", not just secure it. The bad news is that cybercrime is also now a digital business, and the bad actors have access to and use the same disruptive technologies and models.
This post summarizes what to me are five areas of focus in the near future. I will detail my thoughts on each in subsequent posts.
1. Securing Bi-Modal IT
Gartner talks about two modes in which information technology will evolve: Mode 1, the traditional model focusing on reliability, and Mode 2, the new-age focus on agility and speed. Risk management needs to address both modes, and its success will depend on an effective and efficient integrated control framework.
2. Confidentiality, Integrity, Availability & Safety
The merging of the logical and physical technology domains is leading to the addition of “safety” to our traditional CIA (confidentiality, integrity & availability) triad. Safety will be the controls specifically needed for people and environments.
3. DevOps & Agile Secure Development
Digital business is causing software and application development models to evolve. For securing software, there are two primary impacts. First, most digital business applications and platforms are in the commercial validation phase, so their focus on security is low; second, the speed of development demands the use of DevOps and Agile models. So the traditional software security model of finding vulnerabilities and then fixing them won't work.
4. Intelligence Driven Security Operations
Our industry has come to terms with the fact that prevention alone is not the best security posture. Compromises will happen, but treating them as exceptions and then mitigating their impact will put us way behind. The solution is to create a security operations posture that is smart, context-aware and adaptable.
5. Security Analytics Models
The current buzzword is "security analytics", and we hear the same jokes about it that were made about cloud several years ago. The solution landscape is muddy, with multiple overlapping solutions such as log management tools, SIEMs, UEBA, in-house developed tools, etc. The benefits of analytics for risk management decisions are a no-brainer, but organizations will need to work out which model is the best fit.
Please stay tuned for the details in the coming days.
You can subscribe to our blog if you would like to be notified by email.