As I was sitting in the Gartner keynote session here at Gartner's Security & Risk Management Summit, listening to the analysts speak about what's necessary for greater enterprise security, it became clear that one word was ever-present in each of the Gartner analysts' speeches. That word was resiliency. The analysts made the point that the ability to absorb hits and accept risk while focusing on the overall success of the company is a must for all organizations in today's breach-prone world.
They spoke about the need to move from prevention to detection and response. They called for security professionals to stop thinking as pure defenders and start thinking like business facilitators. Most importantly, they argued that IT security leaders must "seize the opportunity" handed to them by the massive headline breaches we see each week, as perverse as that may sound.
One analyst used the Netherlands' water control system as a prime example of resiliency, citing how the system opens and closes based on the level of the water: it allows ships to pass through once they can safely do so, while also maintaining safe water levels and controlling the currents as the water nears the shores of the Netherlands. In short, the technology is resilient. Enterprises must be able to do the same.
He mentioned how access control and authentication, if not used properly, can add extra steps for employees, slowing down core business functions in the process, while presenting only a minor setback for cyber criminals attempting to steal corporate data. Companies must be able to roll with the punches and accept risk as a part of the security landscape.
The analyst then went on to speak about each of the 6 core principles of resiliency that all enterprise securers should abide by in order to gain the trust of the C-suite. Here's the breakdown of each principle he mentioned during his presentation:
- Don't just go for the checked boxes; think in risk-based terms
- Move from a technology focus to an outcome-driven focus
- Shift from the defender of data to the facilitator of core business functions
- Don't just control information; understand its flow in order to secure it more effectively
- Drift from a pure technology focus to more of a people and purpose focus, and work to gain trust
- Move from prevention to detection & response so that you can react faster and limit damage
It was refreshing to hear the analyst speak about the need for resiliency and break down the 6 core principles and what they mean to enterprise security teams. These principles can now act as the guide for all enterprises still questioning the need for a new approach to security, something some securers haven't yet evolved to, being stuck in the more traditional security mindset.
IT securers now have unprecedented power within their organizations. The massive breaches we have all grown too familiar with continue to pile up, forcing security to become a boardroom-level discussion. The C-suite is now turning to the IT security team for the answer to the question of how to protect data while also enabling the business to function and grow. You, as the securer, must be prepared for the task. You must be able to speak in terms that the C-suite is familiar with and is willing to listen to with an open mind.
Keep these 6 principles in mind, and seize the opportunity.
Product Marketing Manager | Bitglass