It's up to you to protect your data, not the CISO
Cyber security is not the sole responsibility of the CIO or the chief information security officer (CISO).
So said Thomas Scholtz, Gartner's chief of research for security and risk management, who was speaking at Gartner's Symposium/ITxpo in Cape Town yesterday.
He said that in any organisation, responsibility should rest with the owner of the information, suggesting that enterprises adopt the principle of what he called 'owner accountability'.
Shaking the foundations of security
He said the trend of digitalisation in businesses, and all that it brings (more data and more devices), was shaking the foundations of how business has traditionally dealt with cyber security.
"Who gets to decide who has access to data and systems, and what they can do when they access those systems?"
The owners of information, while driving innovation, also needed to understand 'that if things go pear shaped, they own the data and they're accountable'.
These innovative projects are being driven by 'citizen IT', which he said is the politically correct term for what used to be known as 'shadow IT'.
On the other hand, if a CISO is made responsible for all the risks of an organisation, they often tend to overreact, over-engineer, and over-control, he added.
Not going away any time soon
Gartner asked 2 800 people in its annual CIO Survey whether they thought security threats would increase, to which 95% replied in the affirmative. Four percent said they would stay the same, and the outliers (1%) reckoned they would decrease.
"What I find interesting is the 28 or 29 people who say that security threats will decrease over the next three to five years. I'd certainly like to meet some of them," said Scholtz.
Given these results, it's no surprise that companies are spending more on security.
Scholtz recounted a conversation he had had with a chief security officer at a multinational mining group, who told him he was concerned first by his remote control systems that were cut off from the mining operations, and by how his legacy systems were interfacing with newer infrastructure. He was also concerned by the ventilation systems, which were visible on the public-facing Internet.
"If someone switches off the ventilation system when you have 3 000 people underground, we have a problem. A major problem. We need to focus on improving the resilience of an organisation. We want to improve the resistance of the enterprise against attack."
Scholtz said while providing 100% security coverage is no longer possible, it became more important for enterprises to invest in the ability to detect and respond to threats. "It's not 'if', but 'when' the matter happens. And then we can recover as fast as possible, and you can limit the damage as far as possible."
He suggested that enterprises needed to focus less on protecting infrastructure, and focus more on protecting business outcomes. "We're responsible for protecting the data, and how the data is being used."
He also said it was time to retire the narrative of the 'dumb user'. "The users are not dumb anymore. They are the ones who are driving digital innovation. If we try and knock them down, they'll leave and work elsewhere, probably for your competition. We need to start focussing on enabling the users. They need to become aware of the (security) risks, without becoming petrified."