It's up to you to protect your data, not the CISO

Thomas Scholtz, Gartner.

Cyber security is not the sole responsibility of the CIO or the chief information security officer (CISO).

So said Thomas Scholtz, Gartner's chief of research for security and risk management, who was speaking at Gartner's Symposium/ITxpo in Cape Town yesterday.

He said that in any organisation responsibility should rest with the owner of the information, suggesting that enterprises adopt the principle of what he called 'owner accountability'.

Seven steps of CARTA

According to Gartner, security experts must apply the continuous adaptive risk and trust assessment (CARTA) philosophy across the business, from DevOps to external partners. Scholtz shared the seven steps to apply CARTA with the Symposium delegates:

  1. Replace one-time security gates with context-aware, adaptive and programmable security platforms.
  2. Continuously monitor, discover, assess and prioritise risk.
  3. Perform risk and trust assessments early in digital business initiatives.
  4. Instrument infrastructure for comprehensive, full-stack visibility, including sensitive data handling.
  5. Use analytics, AI, automation and orchestration to reduce the time to detect and respond to threats.
  6. Architect security as an integrated, adaptive, programmable system rather than in silos.
  7. Introduce continuous, data-driven risk decision making and risk ownership into business units and product owners.

Shaking the foundations of security

He said the trend of digitalisation in businesses, and all that it brings with it in the form of more data and more devices, was shaking the foundations of how business has traditionally dealt with cyber security.

"Who gets to decide who has access to data and systems, and what they can do when they access those systems?"


The owners of information, while driving innovation, also needed to understand 'that if things go pear shaped, they own the data and they're accountable'.

These innovative projects are being driven by 'citizen IT', which he said is the politically correct term for what used to be known as 'shadow IT'.

On the other hand, if a CISO is responsible for all the risks of an organisation, they would often tend to overreact, over-engineer, and over-control, he added.

Not going away any time soon

Gartner asked 2 800 people in its annual CIO Survey if they thought that security threats would increase, to which 95% replied in the affirmative. Four percent said it would stay the same, and the outliers (1%) reckoned they would decrease.

"What I find interesting is the 28 or 29 people who say that security threats will decrease over the next three to five years. I'd certainly like to meet some of them," said Scholtz.

Given these results, it's no surprise that companies are spending more on security.

Scholtz recounted a conversation he had had with a chief security officer at a multinational mining group, who told him he was concerned first by his remote-control systems that were cut off from the mining operations, as well as by how his legacy systems were interfacing with newer infrastructure. He was also concerned by the ventilation systems, which were visible on the public-facing Internet.

"If someone switches off the ventilation system when you have 3 000 people underground, we have a problem. A major problem. We need to focus on improving the resilience of an organisation. We want to improve the resistance of the enterprise against attack."

Scholtz said while providing 100% security coverage is no longer possible, it became more important for enterprises to invest in the ability to detect and respond to threats. "It's not 'if', but 'when' the matter happens. And then we can recover as fast as possible, and you can limit the damage as far as possible."

Protect the data

He suggested that enterprises needed to focus less on protecting infrastructure, and focus more on protecting business outcomes. "We're responsible for protecting the data, and how the data is being used."

He also said it was time to retire the narrative of the 'dumb user'. "The users are not dumb anymore. They are the ones who are driving digital innovation. If we try and knock them down, they'll leave and work elsewhere, probably for your competition. We need to start focussing on enabling the users. They need to become aware of the (security) risks, without becoming petrified."
