subscribe: Daily Newsletter


Six principles of resilience to manage security


Security professionals in South Africa need to protect their enterprise by building resilience.
Speaking ahead of the Gartner Symposium/ITxpo 2016 in Cape Town, Tom Scholtz vice president & Gartner Fellow, says resilience is the best approach to address both catastrophic and daily threats.
“Resilience is our North Star,” Scholtz says. “And resilience isn’t only about catastrophic threats, it’s also about every day and continuous threats.”
In South Africa although companies have excellent network security, they’re highly vulnerable with regard to applications. “To manage digital security, organisations should adapt six principles of resilience,” he adds.
* Move from check box compliance to risk-based thinking – Following a regulation, or a framework, or just doing what your auditors tell you to do, has never resulted in appropriate or sufficient protection for an organisation. “Risk-based thinking” is about understanding the major risks your business will face and prioritising controls and investments in security to achieve business outcomes.
* Move from protecting the infrastructure to supporting organisational outcomes – You still have to protect your infrastructure, but you also have to elevate your security strategy in order to protect the things the business actually cares about such as business performance, public service delivery, or a military mission.
* Move from being the righteous defenders of the organisation to acting as the facilitators of balance – Resist the temptation to tell the business what to do and decide how much risk is good for the organisation. Instead of pushing back on business requests to move workloads to the cloud, for example, work effectively with your business counterparts to negotiate appropriate levels of security.
* Move from controlling the flow of information to understanding how information flows – Digital business will introduce massive new volumes and types of information that must be understood and appropriately protected. You cannot apply appropriate controls to protect information when you don’t know where it is.
* Move from a technology focus to a people focus – Security technology has its limits and, therefore, it’s necessary to shape behaviour and motivate people to do the right thing, not just try to force people to do what we want. For example, phishing is the initial infection vector of 80% of breaches. However, there are no totally effective technical controls to this problem. When employees are motivated and understand the limitations of trust, the click through rate on phishing emails dramatically drops.
* Move from protection only, to detect and respond – The disparity between the speed of compromise and the speed of detection is one of the starkest failures discovered in breach investigations. In the digital world the pace of change will be too fast to anticipate and defend against every type of attack. Security professionals should acknowledge that compromise is inevitable. Ultimately, it’s time to invest in technical, procedural and human capabilities to detect when a compromise occurs.