What We Learned at Gartner Information Security & Risk Management Summit 2018 in Maryland

June 14, 2018 | By Kim Crawley


The Gartner Information Security & Risk Management Summit at National Harbor, Maryland ran from June 3rd to 7th. Gartner’s event is a great opportunity for cybersecurity professionals to network with each other and attend panels on topics ranging from CISO responsibilities to cloud security, from intrusion detection to risk assessment, from endpoint protection to compliance. Fortunate attendees got to glean knowledge from industry stars like IBM Security’s Bob Kalka, Cisco’s Gil Zimmermann, Microsoft’s Michael McLoughlin, Herjavec Group’s Robert Herjavec, and Gartner’s own Augusto Barros, Earl Perkins, and Roberta Witty.

If you couldn’t attend this year, here’s your opportunity to enjoy what I believe to be the highlights of the event.

Talking to Business Executives is a Key Corporate Cybersecurity Skill

We know how enterprises can maintain and improve their security posture. But money makes the world go ‘round, and if you want good cybersecurity practices to be implemented, you have to convince the non-technical executives.

Security is often a hassle for the non-technical C-suite, so treat them as customers you are selling to. When you sell security effectively, those customers feel that you are solving their problems.

Gartner’s Leigh McMullen said:

“Today, the battle ground for the digital industrial revolution is the customer experience. It’s not about cost; it’s not about efficiency; it’s not even about product. It’s about experience.

We as security people want things to be controlled. We want them stable, but people’s expectations are being set by forces outside our control, which means we need to change how we engage if we want to be successful. We have to give up control to gain influence.

Security should not wreck the customer experience, but it often does. Customers, and that is everyone in your enterprise, want the effort they put in to match the value they expect to get. If you deliver the wrong experience, they’ll just tune you out.”

As much as possible, you should translate how you speak about technological realities and solutions into business-speak. Less cybersecurity jargon, more Fortune Magazine.

Gartner’s Paul Proctor said:

“When we talk about technology risk and security, primarily in technology terms, stakeholders treat us like wizards who cast spells and protect the organization. Making risk and security more transparent and business-aligned is an absolute requirement to get you out of the wizarding world.”

If you’re going to cast “wingardium leviosa,” just explain that it’s a levitation spell.

Executives often get blamed after a significant cyber-attack. You need to sell them defensibility.

Gartner’s Leigh McMullen said:

“We have treated security like a dark art for so long that when an organization gets hacked, people don’t understand. So, the primary question is, ‘Who screwed up?’ You can’t guarantee the organization won’t get hacked, so stop selling your executives protection, and start selling something they truly need, defensibility.”

The risk assessment process must include any applicable non-technical executives in order to be conducted properly.

Gartner’s Paul Proctor said:

“Offering executives decision-making in the context of operational outcomes makes these engagements more than interesting to them. It directly impacts the decisions they make. You are now helping them do their job.”

Your customers naturally fear risk. That fear has had a negative effect on security innovation – an absolute must as cyber threats evolve.

Proctor said:

“Organizations are slowing down because they fear this issue. If you can improve their comfort and understanding of risk and security, you can help your company move faster. That is truly a business value of security.”

Better Security Through Proper DevOps

Cloud researcher Mark Nunnikhoven discussed the importance of good DevOps. The phrase is often misapplied. Essentially, DevOps is all about striking an effective balance between development and operations. It’s that simple.

Properly implemented DevOps produces increasingly efficient delivery pipelines because of its constant feedback loops. DevOps can create “a culture of collaboration that reduces risk by decreasing the size of changes to production environments,” built on people, process, and products.

To reduce risk as you improve a DevOps pipeline, make many small changes rather than a few large ones. A large batch of new code deployed all at once is harder to review and test, and when it introduces bugs or vulnerabilities, isolating and fixing them takes longer.

Good cybersecurity starts at the development stage rather than as an audit step at the end. Treating security as an afterthought pushes teams back toward outdated perimeter approaches to hardening.

If proper DevOps security means that the development process takes more time, then so be it. All stages of development must be designed with security in mind. The earlier a bug is found, the easier it is to fix.
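One concrete way to put security at the development stage rather than in a later audit is to run security checks on every pull request, so each small change is gated before it reaches production. The workflow below is an added illustration, not code from the article or from Nunnikhoven’s talk; it assumes a hypothetical Python service hosted on GitHub, with application code under `src/` and dependencies pinned in `requirements.txt`, and uses the existing `pip-audit` and `bandit` tools as the dependency and static-analysis scanners.

```yaml
# Added illustration, not from the article or from Nunnikhoven's talk.
# Hypothetical GitHub Actions workflow for a Python service; the repo layout
# (src/, requirements.txt) and the choice of scanners are assumptions.
name: pr-security-gate

on:
  pull_request:            # every small change is checked before merge
  push:
    branches: [main]       # and again on the merged commit

jobs:
  security-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install project dependencies and scanners
        run: |
          pip install -r requirements.txt
          pip install pip-audit bandit

      - name: Audit dependencies for known vulnerabilities
        # exits non-zero if any pinned dependency has a published advisory
        run: pip-audit -r requirements.txt

      - name: Static analysis of application code
        # -ll reports medium and high severity findings; a finding fails the job
        run: bandit -r src/ -ll

  deploy:
    needs: security-checks                 # the gate must pass first
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        # placeholder for the real deployment step of the hypothetical service
        run: echo "deploy ${GITHUB_SHA} to production"
```

Because the checks run on each pull request, a finding points at a change of a few dozen lines written that day, which is far easier to fix than the same finding surfaced by an audit of a quarter’s worth of code. The `needs: security-checks` dependency on the deploy job is what turns the scan from advice into a gate.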

“Soft skills” such as social ease and being able to communicate effectively are key to getting development and operations to work together successfully. Few security professionals can excel with “hard skills” alone.
