Security has long been considered a 'catch up' game, and the question of how security professionals in SA can protect their organisations is not a new one.
Hackers always seem one step ahead beating two-person authentication methods, hijacking authenticated sessions, and finding increasingly sophisticated ways to slip through even the tightest security nets.
Security professionals in South Africa need to protect their enterprise by building resilience, says Tom Scholtz, research vice president and Gartner Fellow at Gartner, speaking ahead of the Gartner Symposium/ITxpo 2016 in Cape Town.
"Resilience is our North Star," Scholtz said. "And resilience isn't only about catastrophic threats, it's also about everyday and continuous threats."
He says in SA, while companies have excellent network security solutions in place, they are highly vulnerable when it comes to application security. "To manage digital security, organisations should adapt six principles of resilience," he continued.
Six steps
Firstly, he cites moving from checkbox compliance to risk-based thinking. "Following a regulation, or a framework, or just doing what your auditors tell you to do, has never resulted in appropriate or sufficient protection for an organisation. Risk-based thinking is about understanding the major risks your business will face and prioritising controls and investments in security to achieve business outcomes."
Next, he says to move from protecting the infrastructure to supporting organisational outcomes. The infrastructure still needs to be protected, but the security strategy should be elevated in order to protect the assets that are most important to the business, such as business performance, public service delivery, or a military mission.
He also advises to move from being the righteous defenders of the organisation to acting as the facilitators of balance. "Resist the temptation to tell the business what to do and decide how much risk is good for the organisation. Instead of pushing back on business requests to move workloads to the cloud, for example, work effectively with your business counterparts to negotiate appropriate levels of security."
Point number four is moving from controlling the flow of information to understanding how it flows. Digital business are continually introducing huge volumes of different types of data, all of which needs to be understood and protected. Knowing where this data is, means that appropriate controls can be applied to protect it.
The fifth step is moving from a technology focus to a people focus. As with all technologies, security solutions have limitations, making it necessary to involve a human element, and try to get users to adjust their behaviour, motivating them to do the right thing, as opposed to forcing them to do what the business wants. Phishing is a good example, being the primary infection vector in some 80% of breaches. "There are no totally effective technical controls to this problem. When employees are motivated and understand the limitations of trust, the click through rate on phishing e-mails dramatically drops."
Finally, Scholtz says to move from protection only, to detect and respond. There is a huge disparity between the speed of compromise and the speed of detection. Threats can remain undiscovered on networks for months, moving laterally and exfiltrating vital information.
An inevitability
Today's pace of change is too rapid to anticipate and defend against every type of attack. Security practitioners need to understand that breaches are an inevitability of doing business today. "Ultimately, it's time to invest in technical, procedural and human capabilities to detect when a compromise occurs."
Scholtz will cover this topic in his presentation entitled "Managing Risk and Security at the Speed of Digital Business" at the Gartner Symposium/ITxpo 2016 in Cape Town, 26-28 September, South Africa.
Share