CISOs need to take on new security thinking, warns Gartner

When it comes to information security in the digital age, the binary world view of good or bad no longer holds. The executives responsible for information security, the Chief Information Security Officers (CISOs), should focus on implementing a new approach called CARTA (Continuous Adaptive Risk and Trust Assessment), stresses a Gartner report released on Tuesday the 8th at the Gartner Security & Risk Management Summit 2017, taking place in São Paulo.

“The truth is that we are not sure at either extreme, black or white, good or bad. It could be both,” said Claudio Neiva, vice president of research at Gartner, during a conference keynote. “Embrace the gray. The reality is that business leaders are moving forward at full speed, with or without you,” he said.

The CARTA approach, according to the report, must be applied across the business, from DevOps to external partners. “We need to focus on applying CARTA not only to products already deployed, but to new services and capabilities as they are built,” said Augusto Barros, research director at Gartner.

According to the study, organizations should apply CARTA in all three phases of risk management and information security: run (protection against threats and access control at runtime); build (development and ecosystem partners); and plan (adaptive security governance and assessment of new suppliers).

The paper emphasizes that when applying the CARTA methodology, data analytics needs to be a standard part of the arsenal. That way companies can obtain real value from machine learning, despite the hype around big data. “Anomaly detection and machine learning are helping us find the bad actors who would otherwise slip past our rule-based prevention systems,” said Felix Gaehtgens, research director at Gartner. “That is why analytics is so relevant to security operations today. The process is good at finding the bad actors in the data that other systems miss.”

Cost of breaches

The report notes that the average time to detect a breach in the Americas is 99 days and the average cost is US$4 million. Analytics will speed up detection, and automation will shorten response time by acting as a force multiplier for the team without adding headcount. According to the study, analytics and automation let companies focus their limited resources on the highest-risk events with confidence.

For access protection in the digital world, users should be monitored continuously. A single authentication at login is fundamentally flawed once the threat is past the gate. For example, if a user is downloading sensitive data to a device, the information should be encrypted with digital rights management before the download is allowed, and the user's activity should then be monitored. If the user starts making many downloads, access should be restricted or an alert raised for investigation.
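The download scenario above is, in practice, a policy decision re-evaluated on every request rather than once at login. The following is an added illustration, not code from the Gartner report or the article: a sliding-window evaluator that lets a sensitive download proceed only in DRM-encrypted form, raises an alert once a user's recent sensitive downloads pass one threshold, and revokes access past a second. The thresholds, the window length, the event fields, the action names and the sample events are all assumptions constructed for the example.

```python
"""Continuous access evaluation over a stream of download events.

Added example (not from the Gartner report or the article). Threshold values,
event fields, action names and the sample data are assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class DownloadEvent:
    user: str
    ts: float            # seconds since epoch
    classification: str  # assumed labels: "public", "internal", "sensitive"
    size_bytes: int


@dataclass
class Policy:
    window_seconds: int = 600   # look back over the last 10 minutes (assumed)
    alert_after: int = 5        # sensitive downloads in window that raise an alert
    restrict_after: int = 10    # sensitive downloads in window that revoke access


@dataclass
class AccessEvaluator:
    """Re-evaluates trust on every sensitive download instead of only at login."""
    policy: Policy = field(default_factory=Policy)
    _history: dict = field(default_factory=dict)   # user -> deque of timestamps
    restricted: set = field(default_factory=set)   # users whose access was revoked

    def decide(self, ev: DownloadEvent) -> str:
        """Return one of:
        'deny'          - user already restricted, download blocked
        'allow'         - non-sensitive data, no extra controls
        'allow+encrypt' - sensitive data, released only wrapped in DRM
        'alert'         - encrypted download proceeds, investigation alert raised
        'restrict'      - threshold exceeded, access revoked from this point on
        Events must be fed in time order per user.
        """
        if ev.user in self.restricted:
            return "deny"
        if ev.classification != "sensitive":
            return "allow"
        window = self._history.setdefault(ev.user, deque())
        window.append(ev.ts)
        cutoff = ev.ts - self.policy.window_seconds
        while window and window[0] < cutoff:   # drop downloads outside the window
            window.popleft()
        recent = len(window)
        if recent >= self.policy.restrict_after:
            self.restricted.add(ev.user)
            return "restrict"
        if recent >= self.policy.alert_after:
            return "alert"
        return "allow+encrypt"


def evaluate_stream(events, policy=None):
    """Sort events by time and return (user, action) pairs, one per event."""
    evaluator = AccessEvaluator(policy or Policy())
    return [(e.user, evaluator.decide(e)) for e in sorted(events, key=lambda e: e.ts)]


def sample_events():
    """Constructed sample: alice pulls 12 sensitive files 30 s apart;
    bob pulls one internal and one sensitive file."""
    base = 1_700_000_000
    events = [DownloadEvent("alice", base + 30 * i, "sensitive", 1 << 20) for i in range(12)]
    events.append(DownloadEvent("bob", base + 100, "internal", 4096))
    events.append(DownloadEvent("bob", base + 200, "sensitive", 4096))
    return events


if __name__ == "__main__":
    for user, action in evaluate_stream(sample_events()):
        print(user, action)
```

With the assumed policy, alice's first four sensitive downloads are released encrypted, the fifth through ninth also raise an alert, the tenth revokes her access, and everything after that is denied; bob's internal file passes untouched and his single sensitive file is released encrypted. Because the window slides, a user whose earlier downloads have aged out of the window starts counting again from zero.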

“Writing the CARTA”

On DevOps, the Gartner report stresses that security needs to start early in development and identify issues that pose a risk to the organization before code is shipped to production. For proprietary code, one must balance the need for speed against the need for security.

According to Gartner, ecosystem partners bring new business capabilities and new security complexities. “Risk management is no longer the domain of a single company and must be considered at the ecosystem level,” says Gaehtgens. “The success of my product or service is now directly tied to others. My risk is their risk. Their risk is my risk.”

With the CARTA methodology, organizations must continually assess ecosystem risk and adapt as needed. Partners should also be assessed on their company, infrastructure, controls and the digital reputation of their brand, says Gartner. In ecosystems with a dominant provider, the only way for a company to enter the ecosystem is after a risk and security assessment. If a company proves too insecure, it can be removed from the ecosystem. Continuous monitoring and assessment of the risk and reputation of major digital partners is therefore essential, the report stresses.