Digital transformation is the dream of every CIO. It shifts the role of the CIO from being just a service provider to a strategic revenue partner.
However, digital transformation also brings a fair share of anxieties. While it promises tremendous revenue and social transformation opportunities, it also demands speed and agility in the way business value is created and delivered. Organizations have to move at supersonic speed, so Agile and DevOps are frequently leveraged. With these accelerated processes in place, the margin of error becomes a critical factor, because the band narrows significantly.
Although digital opportunities have motivated CIOs to jump in with both feet, the risk profile has held them back. CIOs are slowly accepting that ambiguity is the new reality. The partnership between the CIO and the chief information security officer (CISO) is growing stronger than ever because, like digital, security is now both an opportunity and a risk. When CISOs anchor on a policy of Zero Trust (a.k.a. super conservative), it quickly translates to Zero Opportunity. The winners are the ones who figure out how to balance risk and opportunity appropriately. In a typical security framework, this means putting the focus not just on protection, but equally or even a bit more heavily on detection and response, backed by a solid recovery framework.
Recently I had an opportunity to attend the 2017 Gartner Security and Risk Management Summit in National Harbor, MD. Two items from the conference struck a chord for me. The first was Gartner's introduction of a new framework for approaching security, one that IT, business and security leaders can anchor on to ingest and manage risk in the digital world. The second was the overwhelming number of data points from the conference reinforcing the importance of the "Human Factor," its relevance to security in the digital world, and its convergence with the physical world.
Let's first take a look at the new acronym CARTA (Continuous Adaptive Risk and Trust Assessment), which Gartner introduced at the summit:
- Continuous: Just as continuous integration and continuous delivery became the pillar of delivery velocity, continuous security should become the pillar of risk management. Put the Sec in the middle of DevOps, and embrace the new way of working: DevSecOps.
- Adaptive: The black-and-white, allow-or-deny model of security will slowly disappear. With cloud and digital, there are more shades of gray. The adaptive approach should be a continuous learning approach, in which "normal" can shift based on context. In the adaptive approach, the emphasis should be on monitoring and management.
- Risk: Risk, too, needs to be assessed continuously and adaptively. The value of the asset defines the risk. However, the risk itself should be determined from the sequence of events rather than a single event. For example, a person copying a single sensitive file to a remote device may not be a risk by itself, but combine that with a recent download of sensitive data from the cloud, moving a few files to Box, or an attempt to purge an abnormal number of files from their laptop, and that should trigger a higher risk score.
- Trust: Like risk, trust needs to be adaptive and continuous as well. There should be more than one entry-point check. While continuous access management is preferable, the challenge for solution providers is how to make it non-intrusive so that it does not degrade the user experience. At Forcepoint, we call this stopping the bad and freeing the good.
- Assessment: This is the final, decision-making engine that digests the data points from the prior steps, and the key here is REAL TIME. Speed is the name of the game in security, which demands significant automation. A SOC can't keep pace with the volume of events just by adding staff to improve Mean Time To Detect and Mean Time To Respond.
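The Risk, Trust and Assessment points above describe one loop: score a user's recent sequence of events rather than any single event, let "normal" depend on the user's own baseline, and turn the score into an access decision in real time. The following is an added example written for this page, not code from the original post or from Forcepoint or Gartner. The event types, weights, 24-hour window, baseline, sequence multipliers, trust thresholds and the log lines themselves are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Base weight per event type (assumed values). Events that touch sensitive data or
# move it off-premises weigh more, because the value of the asset defines the risk.
EVENT_WEIGHTS = {
    "login": 0,
    "file_copy_remote": 10,
    "cloud_download_sensitive": 20,
    "upload_box": 15,
    "mass_delete": 25,
}

# Multiplier by number of distinct risky event types in the window (assumed values):
# the sequence, not any one event, drives the score.
SEQUENCE_MULTIPLIER = {0: 1.0, 1: 1.0, 2: 1.5}
MAX_MULTIPLIER = 2.0

# Trust thresholds (assumed): allow, require step-up authentication, or block.
STEP_UP_AT = 25
BLOCK_AT = 60

WINDOW = timedelta(hours=24)
DEFAULT_DELETES_PER_DAY = 20  # assumed per-user "normal" deletion volume
ABNORMAL_FACTOR = 3           # deletions above 3x the baseline count as abnormal


def parse_event(line):
    """Parse one constructed log line: '<ISO ts> user=<u> event=<type> [count=<n>]'."""
    ts_text, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.fromisoformat(ts_text),
        "user": fields["user"],
        "event": fields["event"],
        "count": int(fields.get("count", "1")),
    }


class RiskEngine:
    """Continuous, adaptive risk scoring over a sliding window of per-user events."""

    def __init__(self, window=WINDOW, baselines=None):
        self.window = window
        self.baselines = baselines or {}    # user -> normal deletions per day
        self.history = defaultdict(deque)   # user -> deque of (timestamp, event_type)

    def _is_risky(self, event):
        # "Normal" shifts with context: a large deletion is only risky when it is
        # far above what this particular user usually does.
        if event["event"] == "mass_delete":
            baseline = self.baselines.get(event["user"], DEFAULT_DELETES_PER_DAY)
            return event["count"] > ABNORMAL_FACTOR * baseline
        return EVENT_WEIGHTS.get(event["event"], 0) > 0

    def ingest(self, event):
        """Record an event and return (score, decision) for that user right now."""
        hist = self.history[event["user"]]
        if self._is_risky(event):
            hist.append((event["ts"], event["event"]))
        # Evict events older than the window so risk decays instead of accumulating forever.
        while hist and event["ts"] - hist[0][0] > self.window:
            hist.popleft()
        base = sum(EVENT_WEIGHTS[kind] for _, kind in hist)
        distinct = len({kind for _, kind in hist})
        score = base * SEQUENCE_MULTIPLIER.get(distinct, MAX_MULTIPLIER)
        return score, self.decide(score)

    @staticmethod
    def decide(score):
        if score >= BLOCK_AT:
            return "block"
        if score >= STEP_UP_AT:
            return "step_up"
        return "allow"


def assess(lines, baselines=None):
    """Run the engine over log lines in order; return (user, event, score, decision) per line."""
    engine = RiskEngine(baselines=baselines)
    results = []
    for line in lines:
        event = parse_event(line)
        score, decision = engine.ingest(event)
        results.append((event["user"], event["event"], score, decision))
    return results


# Constructed sample log for this example; not real telemetry.
SAMPLE_LOG = [
    "2017-06-12T09:00:00 user=alice event=login",
    "2017-06-12T09:05:00 user=alice event=file_copy_remote",
    "2017-06-12T10:00:00 user=bob event=login",
    "2017-06-12T10:10:00 user=bob event=cloud_download_sensitive",
    "2017-06-12T10:30:00 user=bob event=upload_box",
    "2017-06-12T11:00:00 user=bob event=file_copy_remote",
    "2017-06-12T11:20:00 user=bob event=mass_delete count=400",
    "2017-06-12T14:00:00 user=carol event=mass_delete count=30",
    "2017-06-13T12:00:00 user=alice event=file_copy_remote",
]

if __name__ == "__main__":
    for user, kind, score, decision in assess(SAMPLE_LOG):
        print(f"{user:6} {kind:26} score={score:6.1f} -> {decision}")
```

Alice's single remote copy stays "allow" both times, because her first copy has aged out of the window by the second one; Bob's download, Box upload and remote copy within two hours escalate to step-up and then block, and his 400-file purge only counts because it is far above the assumed baseline, which is why Carol's 30-file deletion scores nothing. In a real deployment the weights and baselines would be learned per user and asset rather than fixed as here.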
Human- and Behavior-Centricity
Though Gartner promotes security as a big data problem, in my opinion, the true issue is context. The solution providers who will win in the market are the ones able to provide that context, which quickly eliminates the problem of searching for a needle in a haystack. Humans bring context to big data, and behavior centricity zooms in to identify the anomalies.
At the Summit, Dr. Richard Ford and I had an opportunity to share our views on Data Protection and Insider Threat. We consider the data spill/breach from insiders along the Cyber Continuum of Intent: the accidental insider, compromised insider, and malicious insider. We believe The Human Point is the anchor and context when it comes to security, and this message truly resonated with the audience.
While it's true that not all the pieces are ready today, nor are they yet integrated into these models, the future is coming into focus. The gray cloud is slowly clearing, exposing the beautiful blue sky for security!