Analysts Discuss Key Issues Facing Security Leaders during the Gartner Security and Risk Management Summit
NATIONAL HARBOR, Md.--(BUSINESS WIRE)--Jun. 4, 2018--
The overwhelming demands on security leaders today can have a paralyzing
effect. During the opening keynote address today at the
Much of this empowerment can come from addressing three simple
questions: What’s important? What’s dangerous? What’s real?
| | What’s Important | What’s Dangerous | What’s Real |
|---|---|---|---|
| Innovating for Value | Start from an enterprise-wide risk perspective | Adopt integrated risk management (IRM) practices | Build a strong foundation of communication |
| Urgent Crisis and Threat | Create visibility into assets and ecosystems | Design for resilience at multiple levels | Use analytics and automation as a force multiplier |
| Technology Transformation | Empower others to be part of risk management | Challenge conventional wisdom on risks and controls | Select adaptable and adaptive risk controls |
Source: Gartner (June 2018)
Take an Enterprise-Wide Risk Perspective
“A few key practices will greatly help you overcome this obstacle,” said
The danger can come from cyber risk, which represents an increasingly critical part of the risk puzzle. This is where integrated risk management (IRM) becomes so important.
“IRM allows for easy and simple risk prioritization and linkages to risk treatment plans. We recommend you integrate cybersecurity and technology risks with broader operational risk to ensure that risk oversight is forward thinking,” Ms. Thielmann said. “Define and measure risk indicators and identify those that serve as early warnings.”
Creating Visibility into Assets and Ecosystems
As an enterprise ecosystem grows, it becomes nearly impossible to
understand the interconnectedness of it all. When a problem ripples
through an ecosystem, unexpected consequences are likely, but
“Last year, more than 15,000 vulnerabilities were disclosed publicly. A
small portion of those were rated as a critical severity and posed an
urgent threat,” said
For example, while new security risks constantly gain attention, Mr. Lawson said the data clearly shows that over the last decade only a small number of disclosed vulnerabilities actually went on to be exploited: about one-eighth, by his count.
When responding to security threats, often the focus is on fixing a trust-related issue. However, in doing so, security leaders must make sure they do not violate their resilience goals. They have to design for resilience at multiple levels, from organizational to technical.
“Take an enterprise-wide view of resilience, and work with business and IT partners to set resilience goals,” Mr. Lawson said. “Second, create crisis management and communication plans to reduce the risk of conditioned or habitual responses. Third, design technologies and processes that don’t just plan for high availability, but also for recovery and continuity. Lastly, ensure that these recovery and continuity plans are tested often enough to prove that they work.”
Empower Others to Be Part of Risk Management
Security leaders need controls that are appropriate for the environment and risk. They need controls that are applicable to more than just a single vendor or technology, and can change as risk and compliance landscapes evolve.
“Adaptable controls are what turn security into a technology enabler,”
Mr. Krikken said it’s important to empower others in the organization to greatly increase the chances of success.
“Business process owners and IT teams must provide domain knowledge for effective risk management,” Mr. Krikken said. “This is to ensure that risk professionals understand the changing technology and business realities. In return, we should encourage other roles to take guidance and advice from risk professionals, so that they can incorporate risk-based thinking into their responsibilities. Transforming and scaling security this way is a win-win for everyone involved.”
More information on security & risk management is available in the Gartner Special Report “The Resilience Premium of Digital Business: A Gartner Trend Insight Report.” This collection of research focuses on how committing to resilience will equip a digital business with the mindset, resources and planning to recover from inevitable disruptions.
About Gartner Security & Risk Management Summit
Upcoming dates and locations for the Gartner Security & Risk Management
Follow news and updates from the events on Twitter at #GartnerSEC.
Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries — across all major functions, in every industry and enterprise size.
To learn more about how we help decision makers fuel the future of business, visit www.gartner.com.
Tom McCall, +1 408-709-8096
"Safe Harbor" Statement under the Private Securities Litigation Reform Act of 1995: Statements in this press release regarding Gartner's business which are not historical facts are "forward-looking statements" that involve risks and uncertainties. For a discussion of such risks and uncertainties, which could cause actual results to differ from those contained in the forward-looking statements, see "Risk Factors" in the Company's Annual Report or Form 10-K for the most recently ended fiscal year.