Kathy Gibson reports from Gartner Symposium in Cape Town – As the number and severity of threats increase, organisations have to move away from preventing attacks to figuring out how to respond to them with the least impact on the business.
“But CEOs do see that bigger risks are coming,” says David Willis, vice-president and distinguished analyst at Gartner. “Research shows that 77% are concerned about new risk and higher levels of risk; 65% are concerned about the risk management of falling behind; and 83% feel that agility is increasingly important – so regardless of operational risk it is imperative for them to move into the digital world.”
Not only have 71% of organisations gone into IT disaster recovery, but they have also reported numerous incidents, Willis adds. “Very few have not had to go into some sort of disaster recovery. These things happen on a daily basis and organisations need to get better at responding.”
The journey to digital business thus demands trust and resilience, he says. “In the digital business, organisations have to focus around people, business and things – there is a convergence of the physical and virtual worlds.”
In this world, compliance with regulation is no longer sufficient, and the emerging standard is resilience.
To achieve a resilience posture, Willis advises organisations to balance three elements:
- Establish a basic foundation – these are the things companies are expected to do, and they include firewalls, antivirus, device management and other foundational technologies;
- Data governance – figure out how to classify data with a strong governance model;
- Best practices – focus on awareness and having employees recognise the critical importance of protecting sensitive data.
“It can be hard to get these in balance, but you need to try to get them all in the mix,” Willis says.
“In the bimodal organisation there are often separate departments with new people, and they require a new foundation. They may have their own platform and infrastructure, so people, process and technology all need to be considered.
“The more gradual transitions to digital business pose resource risks, so staff up if necessary throughout the enterprise – make the new people aware, give them relaxed awareness, to speak up when they see things going on.”
When moving to the new model, trade-offs are going to be required, he adds, and convenience is going to be in conflict with resilience. “Architecting for resilience will reduce convenience for employees and customers. Most enterprises now choose the direct value of convenience over the indirect value of resilience, but regulation will eventually change this trade-off.”
To be successful at managing their risks, organisations should increase awareness to increase trust and resilience.
“More than 95% of the malware that happens to enterprises is from threats and exploits that we already know about,” Willis points out. “They need to build trust by creating a culture of relaxed awareness.”
To do this, he recommends sensitising employees to risks when they are onboarded to the company. Quarterly refreshes can keep workers updated on new risks. There should be signs posted throughout the organisation directing employees where to get help if needed – and then the help must be forthcoming. He suggests that employees can be taught the dangers of things like phishing by having it done to them in a non-malicious environment.
Organisations are also encouraged to extend awareness and protection to the home for employees and their families, much like some companies assist with medical insurance.
Finally, extending governance will increase resilience and trust in the ecosystem, Willis says.
This needs to be with a governance model that is relevant to your organisation and industry, and internal risk governance that is wider and deeper than expected today.
“One of the things we are seeing in the move to digital is that the horizons are very long. We believe it will take about eight years for a digital organisation to come to fruition. But typical planning is year to year, maybe two years ahead. We think you need to extend security and risk planning to two-, three- or four-year plans.”
Gartner’s recommendation is to consolidate risk governance. “Recognise that there are different operating models, including standardised, integrated and entrepreneurial,” says Willis.
“In the integrated and entrepreneurial models, local variations in capability can produce enterprise-wide impacts. Meanwhile, centralised security management, or security standards for operations, can reduce local variations in security capability.”
This applies to large, complex governments and private sector companies of all sizes, he points out.