One of the hot topics at Gartner Symposium/ITxpo in Barcelona was security. Bodil Josefsson shares insights on how the six principles for trust and resilience need to fundamentally change in line with the explosion of digital business. Some areas to explore include PCS (people-centric security) and the rise of the DRO (Digital Risk Officer), as well as advanced persistent threats and security in the mobile workplace.
With the increase in connected things and digital business, the traditional principles of risk and security management are being challenged. What we see is a shift along a whole range of areas:
- from check-box to risk-based compliance
- from protecting infrastructure to business outcomes
- from defender to facilitator
- from technology centric to people centric
- from information control to information flow
- from prevent to detect and respond
The CIO’s role is changing from only being responsible for the IT infrastructure to becoming more supportive of business goals and having an impact within the security field. Security and safety requirements are going to be so integrated with digital business decisions that it will not be possible to tell where business ends and cybersecurity begins.
One of the most important points above is the increased importance of people-centric security, which puts people at the center of the security strategy. Gartner's recommendation is to stop regarding people as the weakest link and instead treat them as intelligent human beings.
This means that individuals should be trusted to make security decisions, though they must also be held accountable for their actions. This shift requires significant changes in company culture, as well as a focus on education. For the CIO, it means moving from being a defender who imposes control to a facilitator who enables people to reach their business goals.
Adding safety to the equation
When everything gets connected, digital attacks with physical impacts are becoming more and more common, such as the blackouts in Ukraine in 2016. This will put more pressure on governments to regulate, and it means that the classic CIA security model (Confidentiality, Integrity and Availability) needs to be complemented by Safety, for both people and the environment.
The rise of the DRO
Leadership roles will change as the physical and digital world merge. The rise of the Internet of Things (IoT) means that more or less everything will be connected, which will lead to a dramatic increase in threat vectors. From a leadership point of view, there will be a need to handle security and risk for both physical (traditional COO responsibility) and digital systems (traditional CIO responsibility). By 2020, Gartner estimates that 30 percent of large enterprises will have a DRO (Digital Risk Officer) who addresses IT, operational technology, Internet of Things and technology-related safety risks.
The word on everybody’s lips this year is blockchain. It is still hype and there are many trials ongoing across industries. Gartner counted 42 different blockchain providers worldwide. The technology is fascinating, but the business challenges cannot be neglected, including how to handle varying tax and legislation rules between countries.
Another concern is finding the right use cases for blockchain; some are excellent, such as crowd-researching within the pharmaceutical industry or maintaining land registries. Other use cases might not benefit from blockchain to the same extent, which makes it important to evaluate when blockchain makes sense and when it might not, and also to choose the right implementation of it.
Advanced persistent threats
There is a new form of security threat that is conducted over a longer period of time and is therefore difficult to recover from. One example is ransomware, in which data is taken hostage in exchange for money.
Many organizations try to restore their data from previous backups, but the ransomware might have been injected several weeks before it exposes itself, which means the backup data is also compromised.
Protection against this kind of threat requires the ability to identify intruders as soon as they try to enter the system, for example by “emulating” a received file and spotting any anomalies in its behavior before it is allowed to be stored, accessed or executed in an operational, business-critical system. To speed up protection, “shared knowledge” is required to quickly spread information about how a certain threat behaves, together with storing event data and using advanced analytics to track down the root cause of the threat.
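The three ideas in the paragraph above (matching shared threat knowledge, spotting anomalous behavior early, and tracing the root cause from stored event data) can be made concrete with a small detection routine over endpoint telemetry. This is an added illustration, not code from the original post or from Gartner. The event records, host names, file paths and the indicator hash are all constructed for the example; the hash is not a real indicator, and the "rename burst" heuristic is one simple behavioral signal of bulk file encryption, not a complete detector.

```python
"""Added example: shared-indicator matching, behavioral anomaly detection and
root-cause tracing over constructed endpoint event records."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed endpoint telemetry: (timestamp, host, process, action, detail).
# Hosts, paths and the hash value are invented for this example.
SAMPLE_EVENTS = [
    ("2017-01-10T08:00:01", "wks-07", "outlook.exe",  "file_write",    "C:/Users/a/Downloads/invoice.zip"),
    ("2017-01-10T08:00:05", "wks-07", "explorer.exe", "process_start", "C:/Users/a/Downloads/invoice.exe"),
    ("2017-01-10T08:00:06", "wks-07", "invoice.exe",  "file_hash",     "deadbeef01"),
    ("2017-01-10T08:00:07", "wks-07", "invoice.exe",  "file_rename",   "D:/share/q1.xlsx|D:/share/q1.xlsx.locked"),
    ("2017-01-10T08:00:08", "wks-07", "invoice.exe",  "file_rename",   "D:/share/q2.xlsx|D:/share/q2.xlsx.locked"),
    ("2017-01-10T08:00:08", "wks-07", "invoice.exe",  "file_rename",   "D:/share/plan.docx|D:/share/plan.docx.locked"),
    ("2017-01-10T08:00:09", "wks-07", "invoice.exe",  "file_rename",   "D:/share/notes.txt|D:/share/notes.txt.locked"),
    ("2017-01-10T08:00:09", "wks-07", "invoice.exe",  "file_rename",   "D:/share/budget.xlsx|D:/share/budget.xlsx.locked"),
    ("2017-01-10T08:00:10", "wks-07", "invoice.exe",  "file_write",    "D:/share/README_RESTORE.txt"),
    ("2017-01-10T08:01:00", "wks-03", "winword.exe",  "file_rename",   "C:/Users/b/draft.docx|C:/Users/b/draft-v2.docx"),
    ("2017-01-10T08:02:00", "wks-03", "winword.exe",  "file_write",    "C:/Users/b/draft-v2.docx"),
]

# "Shared knowledge": file hashes distributed between organisations (constructed value).
SHARED_INDICATORS = {"deadbeef01"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def match_shared_indicators(events, indicators=SHARED_INDICATORS):
    """Return (host, process, hash) for every file_hash event matching a shared indicator."""
    return [(host, proc, detail)
            for _, host, proc, action, detail in events
            if action == "file_hash" and detail in indicators]


def detect_rename_burst(events, window_seconds=60, threshold=5):
    """Flag (host, process) pairs that rename at least `threshold` files to a *different*
    extension within `window_seconds`. A burst of extension changes is the behavioral
    signal of bulk encryption; an editor renaming one file keeps its extension and is ignored."""
    recent = defaultdict(deque)   # (host, process) -> timestamps of suspicious renames
    flagged = {}
    for ts, host, proc, action, detail in sorted(events, key=lambda e: parse_ts(e[0])):
        if action != "file_rename":
            continue
        old, new = detail.split("|")
        if old.rsplit(".", 1)[-1] == new.rsplit(".", 1)[-1]:
            continue                      # same extension: ordinary rename
        q = recent[(host, proc)]
        now = parse_ts(ts)
        q.append(now)
        while (now - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop renames outside the sliding window
        if len(q) >= threshold:
            flagged[(host, proc)] = len(q)
    return flagged


def trace_root_cause(events, host, process):
    """Walk stored event data back to the process_start that launched `process` on `host`,
    then to the most recent file written into the same directory before the launch.
    Returns (parent_process, launched_path, dropper_process, dropped_path) or None."""
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    for i, (_, h, proc, action, detail) in enumerate(ordered):
        if h == host and action == "process_start" and detail.rsplit("/", 1)[-1] == process:
            launch_dir = detail.rsplit("/", 1)[0]
            for _, h2, proc2, action2, detail2 in reversed(ordered[:i]):
                if h2 == host and action2 == "file_write" and detail2.startswith(launch_dir + "/"):
                    return (proc, detail, proc2, detail2)
            return (proc, detail, None, None)
    return None


if __name__ == "__main__":
    print("indicator hits:", match_shared_indicators(SAMPLE_EVENTS))
    print("rename bursts:", detect_rename_burst(SAMPLE_EVENTS))
    print("root cause:", trace_root_cause(SAMPLE_EVENTS, "wks-07", "invoice.exe"))
```

The indicator match is the fast path that shared knowledge enables; the rename-burst rule is the behavioral fallback for a sample nobody has seen before; and the root-cause walk is what stored event data buys you when deciding which backup generation predates the intrusion rather than just the visible encryption.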
Security in a mobile workplace
Turning to the actual workplace, let’s address three different perspectives:
- As the enterprise workplace turns mobile, there is a need to implement the same type of security solutions on the mobile device as is currently the case with enterprise laptops, ensuring that the latest versions of virus protection and VPN software are always refreshed onto an employee's mobile device and that this is addressed from a corporate security policy perspective.
- Securing the handset to protect it from security vulnerabilities in downloaded apps should be addressed from a handset-centric perspective.
- Mobile WiFi access and networks need to be secure as well. With the introduction of IoT sensors, new threats are being introduced in which networks (especially WiFi hotspots) can be compromised by criminals who exploit the fact that many IoT sensors use factory-default passwords, which are easy entry points. This requires much better segmentation of networks, so that someone getting in does not gain access throughout the full network and system.
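The segmentation point in the last bullet can be checked rather than just asserted: model the network zones and the flows the policy allows, then compute how far a foothold in the sensor zone can travel. This is an added example and not part of the original post; the zone names and both policies are constructed, with the flat policy standing in for the weak setting and the segmented policy for the corrected one.

```python
"""Added example: blast radius of a compromised IoT zone under a flat versus a
segmented network policy, computed as transitive reachability over allowed flows."""
from collections import deque

# Constructed network zones (names are invented for this example).
ZONES = ["guest-wifi", "iot-sensors", "iot-broker", "corp-clients", "file-servers", "erp"]

# Weak setting: a flat network where every zone may reach every other zone.
FLAT_POLICY = {(src, dst) for src in ZONES for dst in ZONES if src != dst}

# Corrected setting: only the flows the business needs, as (source, destination) pairs.
# Sensors may only publish to their broker; clients consume from the broker and use
# internal services; the guest WiFi reaches no internal zone at all.
SEGMENTED_POLICY = {
    ("iot-sensors", "iot-broker"),
    ("corp-clients", "iot-broker"),
    ("corp-clients", "file-servers"),
    ("corp-clients", "erp"),
}


def reachable(policy, start):
    """Zones a foothold in `start` can reach, following allowed flows transitively
    (breadth-first search over the directed flow graph). Excludes `start` itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst in policy:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def exposed_crown_jewels(policy, foothold, crown_jewels):
    """Which of the listed high-value zones a foothold in `foothold` can reach."""
    return sorted(reachable(policy, foothold) & set(crown_jewels))


def review_policy(policy, foothold, crown_jewels):
    """Summarise the blast radius for a foothold: (zones reached, crown jewels exposed)."""
    reach = reachable(policy, foothold)
    return len(reach), exposed_crown_jewels(policy, foothold, crown_jewels)


if __name__ == "__main__":
    jewels = ["file-servers", "erp"]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        count, exposed = review_policy(policy, "iot-sensors", jewels)
        print(f"{name:10s} foothold in iot-sensors reaches {count} zones; crown jewels exposed: {exposed}")
```

Running the review for a sensor-zone foothold is a quick way to answer the question the bullet raises: on the flat network a default-password sensor gives reach to all five other zones including the file servers and ERP, while under the segmented policy it reaches only the broker. Adding a flow such as broker-to-ERP later would show up immediately as a widened blast radius, which is the review worth repeating whenever the policy changes.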
We ran two great webinars related to blockchain, IoT and integrity assurance. You can also explore our ideas on blockchain further in our recent e-book.
A post discussing deeper technical insights on blockchain is available on our research blog.