Gartner Security and Risk Summit 2015: Resilience is vital when dealing with risk

Despite some financial professionals attempting to deny it, digital business is here and it is here to stay. This was the inherent message that was put across at the Gartner Security and Risk Summit in London this week. As the digital is increasingly becoming a part of our lives, it is important to mitigate those security risks that come alongside the development of new technology and in turn, build resilient organisations.

Peter Firstbrook, research vice president at Gartner, highlighted in the Summit Chair Welcome that when managing risk and delivering security, technology must be used “to build a better world.” Firstbrook commented on how there is a blurring of the digital and physical world and a step back from perceiving newer technology as an e-model of traditional systems. Whilst using examples such as Airbnb and Uber, he iterated that this does not just apply to start-ups, but there is a need for pre-existing companies to improve and reinvent. “Every company is becoming a digital business and should drive transformation”, Firstbrook said.

With the emergence of automation, the cloud and the Internet of Things, the question arises of how much IT activity is happening without the involvement of IT. Firstbrook presented a statistic that showed that by 2017, “50% of a company’s IT spending will come from outside the IT department’s budget.” Despite this data predicting what will happen in 2017, Firstbrook made it clear that time is of the essence when it comes to digital risk as the “floodgates are wide open”.

Criminality and exploitation will never disappear and the “bad guys” will continue to innovate at a rapid rate. Firstbrook rightly explored how the news this week reported data breaches involving organisations such as Carphone Warehouse and Ashley Madison, but those names will change and new stories will be published. However, Gartner views regulation as “far too reactive and far too prescriptive” and as merely “temporary roadblocks for rogue hackers.”

Instead of regulation, Firstbrook believes that timing should be a focus and with security professionals now being in the spotlight, it gives employees an opportunity to approach their board or CEO about how secure the company is. The budget is there but it shouldn’t be spent on the latest product, because these have not been tried and tested. Importance should be placed on being resilient because not every threat can be protected against; Firstbrook’s advice is to “bounce back and absorb the punches to focus on business success.”

Dionisio Zumerle and Ant Allan joined Peter Firstbrook in explaining six principles that Gartner have consolidated in order to maintain a secure digital business. The first is to transform checkbox compliance into risk-based thinking, which will ensure that major risks are understood and that those that need to be combatted first are dealt with first. The others concentrate on improving connections, elevating security strategy and focusing on people rather than technology, as a lot can be achieved merely by motivating people to do the right thing, according to Firstbrook.

Alongside this, knowing when to respond effectively can propel an organisation to a successful digital business future. Zumerle explained the significance of security not being handled only in the IT department, noting that in the past two years CEOs have been addressing cybersecurity at high levels in the organisation. Picking up on the first principle, he made it clear that regulators are still struggling with the transition from old to new, but hackers will always continue to surpass authorisation barriers because users are human and will continue to forget passwords and security questions.

Zumerle expressed the message that “perfect protection is an impossible goal”, but again resilience was the key word. This theme of making something happen was echoed in the discussion about women in security and risk management, led by Roberta Witty and Debra Logan. It is evident that stereotypes about women in technical roles still exist, but matters surrounding pay have been somewhat resolved. In this day and age, communication between businesses and departments is important and women having this quality naturally plays in their favour, as Witty and Logan mentioned. Witty also provided an insight into why resilience matters: the reason why digital business sometimes fails is that it is complex and there is a lot to understand and put in place if different parts of the process break.

In an industry panel about security trends, Jennifer Byrne, Microsoft, Charlie Howe, Skyhigh and Raimund Genes, Trend Micro, were asked whether European companies should be wary of using US-owned cloud services because of the potential for US government access to data. The general consensus was that this concern should not be focused on US companies; understanding where your information is would be important regardless of where the service was created.

The audience were also able to answer questions using an online poll, and on an issue that is debated on a wide scale (by being more permissive, can we actually increase the level of security?) 64% answered yes. However, Howe disagreed and explained that education about services and devices is important and that putting policy in place encourages the wrong behaviour. This is a very timely and significant question which was alluded to in the guest keynote speech by Captain James Lovell, NASA legend and Apollo 13 Commander.

Lovell advised the audience with a famous saying: “There are three types of people in this world: those who make things happen, those who watch things happen, and those who wonder what happened.”
