News / Security /

Rethinking risk management in a digital world

Conventional methods of protecting information resources aren’t going to cut it in a world of IoT and AI. A Gartner expert explains why we need to rethink our approach to security and risk management, and how to create a more resilient digital business infrastructure.

Share this article:

A friend recently told me he still doesn’t own a smartphone because he doesn’t want to be tethered to technology 24×7. But he spends an awful lot of time using his wife’s smartphone (to her annoyance) to Google things and order Ubers and check the weather.

It goes to show, even if we try to resist, technology is permeating almost every area of our lives … and it’s not going to slow down any time soon. A funny — yet thought-provoking — example is in the latest season of HBO’s hit series Silicon Valley, where (spoiler alert!) the guys inadvertently save the day by storing their data across smart fridges in 30,000 American households.

Funny, yes — but it’s an example of how the Internet of Things (IoT) will turn simple appliances into smart ones. Add machine learning and artificial intelligence into the mix, and it poses an almost incomprehensible array of new security threats that were once the domain of futuristic sci-fi flicks. What it boils down to is this: the old way of doing things isn’t going to cut it anymore.

In a recent Gartner webinar, vice-president and Gartner fellow Tom Scholtz explained how digital business challenges the basic principles of information risk and security management — and how organizations will need to balance protection with the need to adopt to innovative technology approaches.

“Digital business provides a lot of opportunities, but we also have to realize digital business has certain characteristics which does impact the risk associated with adopting these capabilities,” said Scholtz.

This includes the sheer volume of data we’ll be required to manage. “In a conventional environment, we might have to manage 10,000 or 100,000 end points,” he said. “In a digital business, you can interconnect just about anything [with] intelligence; we can potentially end up with having to manage hundreds of thousands or even millions of components in our computing environment.”

Clearly, conventional methods of managing and securing infrastructure won’t scale to millions of components. But the issue is much bigger than that. In a digital world, the cost of a data breach is higher — much higher. And I’m not talking about dollars and cents.

A data breach typically results in lost revenue and/or damage to the company’s reputation. Scholtz argues that the increasing integration of operations technology and IoT into our computing environment will also affect human safety.

Security and risk programs should focus
less on protecting infrastructure and more
on protecting business outcomes: Gartner

“Potentially if something goes wrong from a cyber-security perspective, it could actually result in physical harm to individuals,” he said, citing a recent meeting he had with the CISO of a global mining company. The CISO was concerned — and rightly so — about the implications of integrating ventilation control systems with conventional IT systems above ground that could be hacked, shutting off ventilation to hundreds of miners below ground.

And that’s just one example. Given this new paradigm, Scholtz says we need to start rethinking risk management, including the creation of a resilient digital business infrastructure.

This requires a change in mindset. Security and risk programs should focus less on protecting infrastructure and more on protecting business outcomes, said Scholtz. Most security programs are based on selective access, meaning you only have access to the minimum amount of data you need to do your job.

“In a digital business world, that is probably increasingly unsustainable,” said Scholtz. The sheer volume of data is growing faster than our ability to classify it and protect it, he added, so organizations are starting to adopt a principle of ‘default to allow.’ That means users have access to all data, unless it’s been classified from a confidentiality, safety or regulatory perspective.

By now, most people realize 100 per cent data security is not realistic or achievable. It makes far more sense to invest in the ability to monitor, detect and respond to incidents that will, inevitably, happen at some point or another. The key is bouncing back from incidents as quickly as possible, rather than aiming to eliminate them completely.

Whether you manage your own security or work with a trusted partner, adapting your security and risk management strategy could help you become more predictive, and more proactive, in this new digital business paradigm.

Image: iStock

Share this article:
Comments are closed.