As the digital society evolves, security and risk management can keep up if they have a suitable vision.
Speaking at the Gartner Security and Risk Management Summit in London, Tom Scholtz, distinguished VP analyst at Gartner, said that while “digital society is evolving” it is “adding complexity to challenges.” Scholtz added that those organizations that differentiate will be those that innovate.
While he admitted that “no one has all of the answers” on how to deal with the challenging digital environment, good practices have evolved, and the implications now center on pervasive connectivity, critical context, variable trust and reputable identity in the digital era.
Scholtz said that those companies who are succeeding are those “who have a view of where they are going” and have both adaptive governance and infrastructure.
He argued that the most important part of effective governance in the digital world is to establish the path of accountability, and to determine who is responsible for protecting resources. “It doesn’t rest with the CISO,” he said, “but it may rest with the CIO and most organizations will have a shared infrastructure and information, and if you cannot identify the business owner, the CIO becomes the proxy owner of the business.”
Scholtz said that establishing governance comes down to deciding your acceptable risk, enabling risk control and assuring control effectiveness to define your risk appetite. “This is about owning accountability,” he said. “In the digital world, focus less on policies and more on principles to guide controls and to be more effective.”
He recommended anticipating the disruptors of:
- AI and machine learning
- Hybrid delivery models
- Skills shortage
- IoT and OT
- Quantum computing
- Robotic process automation
“Adopt the drivers that are right for your organization, and [know] the main threats and vulnerabilities to your infrastructure,” he said. He added that if you know what your business is doing and what the CIO is doing, this will influence your vision and enable you to identify your current state.
“At a minimum, do a vulnerability assessment and maturity assessment, and prioritize the gaps and analyze and execute on it,” he concluded.