Gartner Summit 2016

Gartner: How to make a digital risk plan and sell it to the board

Collaborate with business units when writing the plan, write a pitch in the board’s own language

061416gartner keynote photo

Gartner analyst Felix Gaehtgens, who spoke in person yesterday at the consultancy’s Security and Risk Management Summit, is shown here hovering over the crowd on a large screen.

Credit: Tim Greene

It’s not enough for security pros to figure out how to protect digital enterprises from risks that can ruin the business, they must effectively sell it to corporate boards whose blessing is needed to authorize the plan, Gartner analysts told attendees at their Security and Risk Management Summit.

With that in mind, three Gartner security specialists walked the roughly 3,400-person audience through how to create a plan to manage risk and minimize damage when – not if – an attack succeeds, and the strategy for buy-in from the board of directors.

“One hundred percent protection should not be the goal,” Gartner analyst Peter Firstbrook told the gathering. “The goal should be resilience.”

That means figuring out how to quickly detect attacks, then respond as fast as possible, he says.

The plan should find the top half-dozen risks that threaten the business, and those are not necessarily the same as the ones that affect IT, says Garner analyst Jeff Wheatman. The question to address is, “What are top IT related risks that could lead to business risks becoming real?” he says. That’s what the corporate decision makers care about.

Security executives have to create controls that balance the need to protect the business with the need of to keep it running efficiently. To do that the security experts have to talk to the business leaders while they are creating the plan, he says. That acts as a trial run of what might fly when the plan is presented to the board.

Reactions from business group leaders can go three ways:  We never thought of that; we worry about something else that’s not on your list; your list has items we don’t care about.

All of these answers are helpful because they focus IT’s security plan on what’s important to the business stakeholders, he says. “They all give you a better idea of what matters,” Wheatman says.

Digital businesses rely on complex combinations of machines, technology, partners and service providers, many of which are out of direct corporate control, so it’s important to work trust into the calculus, he says. Will the company be held liable for damages stemming from a breach of a digital business even though the element that was exploited was not directly controlled by the company?

Risk of fraud being carried out against the digital business is a top concern, he says. Fraud and legal liability can both be addressed by establishing an effective trust scheme that helps thwart attackers, he says.

What’s needed is a decentralized, distributed trust platform to establish trust between two platforms that have never met before, says Gartner analyst Felix Gaehtgens. The architecture should accommodate approaches to trust that range from trust everything until it proves itself untrustworthy to trust nothing until it proves itself trustworthy. He calls this adaptive trust.

It’s a sliding scale that businesses must adjust so the level of trust is equal to or greater than the risk to the business. If not, the business needs to either adjust trust or risk, he says.

Context is important in determining trust, he says. The machine connecting to a network, who the user is, how the connection is made, the user’s role and where data comes from are all examples of trust attributes that can be weighed in making trust decisions. Identity federation, attribute access control, standards and methodologies for demonstrating trust all contribute to assigning appropriate levels of trust, he says.

This must be balanced with concerns about privacy of personal and corporate data. That can be aided with encryption that is underpinned by blockchain technology like that used to verify Bitcoin transactions. He says startups are working on adapting this to delivering secure transactions and insuring privacy by enabling the sharing of identity attributes without over-exposing them.

Tools that can help include trusted hypervisors and containerization on untrusted devices, filtering with security gateways, and pervasive use of encryption with trusted key management.

IT needs to bridge the gap with software developers to encourage building security into the software development life cycle, Gaehtgens says. “We need to be involved at every phase of SDLC,” he says to encourage use of security APIs in applications and then protect them with API gateways.

Despite the best effort, security will likely be breached and a plan for detecting and quickly responding to these incursions must be in place, Firstbrook says.

Tools to do this include behavior analytics of both users and devices using machine learning to spot changes in behavior that could indicate trouble. Deception tools can trap attackers and reveal their goals, he says.

Businesses need to find security hunters to digest this information to pick up on security incidents quickly, he says. When these are spotted, businesses need to isolate suspect devices and users and put a hold on transactions pending investigation, he says.

A crisis management team that spans legal, HR, IT, PR and business units needs to be created, trained and practiced so it can act quickly together when incidents arise, he says.

Once that is all in place, the plan has to be sold to the board using this template: 

  • Show the board you understand its business goals and objectives.
  • List the risks you can control or manage in order to help meet business goals.
  • Specify the technical steps you will take to address risks and meet business goals.
To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.