STRATFORD, Ont. — Business leaders are finally getting the importance of cyber security, but that doesn’t mean working with management is any easier for infosec pros, says a Gartner consultant.
Greg Loos, an Ottawa-based Gartner executive partner, told a conference of municipal infosec workers that senior business executives are now aware that cyber security has a significant impact on the ability to achieve business goals and protect corporate reputation.
But, he added, “security and risk managers, you now have to step up your game and create security programs that can connect and interact with business if you’re going to take advantage of this change in perception.”
According to a Gartner survey of 220 non-IT executives, 71 per cent said they have a fear of technology risk in cyber security that is materially impacting innovation in their organization. “So part of the challenge for all of you is to turn that fear into action.”
Loos, who until four months ago was a major general in the Canadian Armed Forces serving as chief of staff of the information management group and head of the new Cyber Force, was the final keynote speaker here at last week’s annual cyber security conference of the Ontario branch of the Municipal Information Systems Association (MISA).
The awareness of business leaders is one of five emerging trends in cyber security that Gartner sees, he said.
“The good news is you have – or should have – the attention of your municipal leadership. The bad news is we continue to speak a different language [to leadership]. As a result, as security and risk management leaders we’re not necessarily getting the clear mandate from your leadership.”
While having that discussion is complex, he acknowledged, it’s important to understand the business tolerance to risk. “Your job isn’t necessarily to protect the business from itself – you don’t want to make it so secure that you can’t do business — but to make sure the leadership understands the risks and has the information and options to make the best decisions,” Loos said.
“You have to talk to them in ways that say ‘We need to do this, at this level, or the business will see this impact’ … in very simple terms it draws clear lines along your value chains in what your municipal-political leadership cares about. Speaking the language of the business is going to enable your leaders to respond with a clear security mandate to you in terms of what you have to put in your program.”
Even the military until recently saw cyber security as a cost, he admitted. Now the Defence department’s program board understands that cyber security determines risk and what to spend on.
The other top trends Gartner sees are:
–Data protection is king
–New legal and regulatory mandates – like mandatory breach reporting and the European Union’s General Data Protection Regulation (GDPR) “are forcing massive changes on how businesses have to handle data security and privacy.”
Not only does the GDPR carry hefty fines, he noted, it also expands the rights of people in the EU to view and restrict the usage of personal data held by businesses.
Strategies may include anonymizing data, deleting data after it’s no longer needed and possibly handing data to cloud providers who can better secure it than you can.
“You may have to reduce growth plans or you may have to abandon initiatives because if you can’t afford to properly protect the data you may not be able to afford the initiative at all,” Loos warned.
“It will be up to you and your leadership to find the right balance between the advantages data offers and the risks you can afford to mitigate.”
–Get ready for the cloud
Security products are rapidly exploiting cloud delivery to provide more agile solutions, he said. In fact, some Gartner analysts think that in three to five years developers will only be building applications for cloud. “It’s not a question of if you’re moving to cloud, but when.”
On the other hand don’t assume your vendors will be able to successfully move to cloud delivery, he cautioned. “In fact it’s more likely your incumbent providers will downplay the advantages of cloud until it’s too late.”
Some security vendors will push hybrid solutions, but he suggested infosec pros look for pure cloud services that take full advantage of the technology. This includes taking away the load of product maintenance, letting CISOs focus more on risk reduction strategies including threat hunting and incident response. Cloud providers also offer greater data telemetry, granularity and visibility.
However, he admitted that the concentration of data in cloud means it’s a bigger target.
“Look for vendors who say ‘cloud first’ with a cloud intelligent architecture,” he advised. If they propose an on-prem solution, ask why. Make sure you make a fully informed decision.
A cloud service provider should have data management and machine learning competency. Confirm it can protect your data at least as well as you can.
–Machine learning
Increasingly this is providing value in simple tasks like adaptive authentication and malware analysis, and elevating suspicious events for human analysis.
By 2025, Gartner believes, machine learning for all aspects of security will be normal and will start to offset some shortfalls in IT skills and staff.
Today, Loos said, machine learning is good at addressing narrow and well-defined problems, but its best value is when its output is interpreted by humans and enhances operator awareness.
Machine learning and artificial intelligence “are a little bit over-hyped,” he warned, which is why people are still needed to interpret output and tune the models.
To avoid being taken in by marketing bumf when buying products with machine learning, ask vendors how it makes their product better than competitors’, what skills and time are needed to get the business metrics their product claims to offer, and insist on a demonstration that uses datasets similar to yours.
“Machine learning reaches out to humans for assistance to address intent and uncertainty, and it aids humans by supporting administrator awareness and assistance to the high level security ops centre analysts,” Loos said.
–Security buying decisions are increasingly based on geopolitical factors.
Some countries are refusing to buy products from certain nations (for example, the U.S. government has banned federal departments from buying products from Moscow-based Kaspersky, and won’t allow the private sector to buy 5G products from China’s Huawei).
Pay attention. Hold your supply chain to account for cyber security, and take geopolitical risk into consideration when buying hardware and software. Consider following the advice of your major business providers on which products to avoid. And when issuing requests for proposals/information, include questions about supply chain sources.
“Cyber security is a team sport,” Loos added, so it’s vital infosec pros share tools, threat and mitigation information not only within their organizations but also with partners.
Finally, he said, infosec pros need to make sure their incident response plans are up to date and practised.