OXON HILL, Md. -- The time is now for enterprises to plan for the rapid innovation in digital business, driven largely by an avalanche of non-traditional Internet-connected devices, and for the advanced threats that accompany it.
That was the key theme in the opening session of the 2014 Gartner Inc. Security and Risk Management Summit, during which a trio of the research behemoth's top analysts opened the record 3,500-attendee event by highlighting how three key business titles -- CISO, CIO and ultimately CEO -- must change their approaches to information security to ensure their businesses succeed.
"Digital business will impact your professional life more than the emergence of the Internet," said John Girard, research vice president and Gartner distinguished analyst.
Girard said that, according to Gartner research, 22% of businesses rank the risk posed by new Internet-connected devices, collectively known as the Internet of Things (IoT), as their top business concern. Gartner also predicts that by 2020, 60% of digital businesses will suffer a major service failure because their IT security teams cannot manage the digital risk introduced by new technologies and new use cases.
Pointing to headline-grabbing security stories such as Edward Snowden's NSA surveillance disclosures, a string of high-profile retail data breaches including Target, and the discovery of Heartbleed, the widespread OpenSSL vulnerability, Girard said CISOs must resist the urge to fall into a purely reactive mode, yet acknowledged that few organizations have the luxury of ignoring industry-wide events.
"Our problems are caused by overreacting on one hand, and failing to stay the course on the other," Girard said. "To thrive in this new arena, we need to understand how problems change, and how they stay the same."
The best approach, Girard said, is to take "smart actions" that can be leveraged across a security program: limiting authentication risks, getting business managers to accept accountability for their users' risky behavior, relentlessly using event management technology to drive down the number of security events that require action, and applying other industry best practices to improve security.
Security vs. compliance
Speaking specifically about the CIO's role in information security, Andrew Walls, Gartner research vice president and conference chair, said that focusing on the threat du jour, on audit findings or on compliance regulations is a poor way to prioritize a security program.
The right way, Walls said, is to do the basics well: the combination of prompt patching, sound fundamental policies, security education, encryption where warranted, perimeter protection and identity and access management technology will address 80% of most organizations' risks. From there, he advised using a formal risk assessment to drive security planning while constantly assessing abilities, prioritizing gaps and identifying opportunities for improvement.
In his talk about the CEO mindset, Paul Proctor, Gartner research vice president and distinguished analyst, agreed with Walls' assessment, noting that too many enterprises stick with the "typical and sad" approach of information security based on compliance.
"Many people say, 'If we are compliant, we are protected.' Tell that to any number of retailers who thought PCI was a good benchmark of protection," Proctor said.
"I know he said compliance is not security, but it drives our business, unfortunately," said Kling, CISO at Transaction Network Services. "We're in the payments industry. We have to meet those compliance and regulatory requirements. The Internet of Things is up there near the top of our security risks, but for us it's still going to be about compliance."
Above-the-line security strategy
Proctor implored CISOs to learn how to communicate with CEOs and other "above the line" executives by developing an intimate knowledge of business operations, specifically those the organization relies on to achieve its desired outcomes, and by outlining how security supports the IT and operational dependencies behind them.
"It's ultimately trying to figure out what's important to above-the-line executives so you can deliver information that influences their decisions. This is the mythical creature we call 'business alignment,'" Proctor said. "This model and processes are very easy to understand, but many clients struggle to implement it."
In the same vein, Walls said CIOs are increasingly being rewarded based on enterprise performance, meaning they "make more money when the enterprise makes more money." Risk management is one of the tools CIOs can use to maximize profitability, he noted.
To that end, Walls said CIOs must support CISOs in driving employees to take more control of and responsibility for the organization's security and risk management. Admitting how daunting that task is when employees often fail to adhere to lessons from basic security awareness training, he said the change will require CISOs to become marketers, selling rank-and-file staff on the key concepts of security and risk management.
"Our job is to make good decisions more attractive than bad decisions. Examine the enterprise and change anything that drives bad choices," Walls said. "Stop rewarding people for unacceptable behavior. Use culture to drive good behavior through advertising, storytelling, peer pressure, peer recognition, and most importantly, leadership; executives and IT personnel must consistently demonstrate good security decisions."
Proctor also pointed to the coming emergence of a role he called the "digital risk officer" (DRO): someone who oversees technology risk not only in the IT domain but also across operational technology such as SCADA systems, physical security and IoT security.
Gartner predicted one-third of enterprises engaging in digital business will have a digital risk officer, or the equivalent, by 2017, and according to Proctor, CISOs should use the Stamford, Connecticut-based research firm's forecast to begin defining the DRO role in their organizations.
Kling, however, was skeptical of whether digital risk officers will ultimately materialize.
"I say that's just another responsibility of the CISO," Kling said. "Over time, you might see that [role emerge] with more funding for the security or the risk management departments, but for now, it's just another title."
Despite the challenges the speakers highlighted, Kling said one key change that helps his cause is the growing importance of security in the minds of both business leaders and customers.
"I think the awareness [is] out there now with the public -- everything in the media. They now have an understanding that security can affect them personally and at work," Kling said. "Even for our business, we've been getting more and more customers coming to us asking about how we're covering security for them. That's been a change for us."