Security professionals should hold off on buying big-box appliances and talk to upper-level executives about making security decisions based on carefully assessing the risk to the data being protected, rather than blindly defending against attacks.
That was the core message of the opening keynote at the 2013 Gartner Security and Risk Management Summit on Monday. Security is not addressed with technology alone, said Paul Proctor, a research vice president at the Stamford, Conn.-based research firm. Business professionals want to know how a security decision impacts the bottom line. Security is about sound decision-making that affects the entire business.
"We no longer seek to prevent every single threat," Proctor said. "We make conscious choices in what will and will not be done to address business threats."
For example, Gartner estimates that only 8 percent of organizations are running next-generation firewalls. And the organizations that purchased next-generation firewalls are not properly configuring them or using them to their fullest extent. Chief information security officers may be better off addressing attack preparation, Proctor said. Prepare for an attack by training against an incident response plan since it is clear that every organization will have an incident, he said.
"Risk posture is a choice; spend more money and you'll have less risk, spend less money and you'll have more risk," Proctor said. "We are facilitators of the balance between the needs to protect the organization and the needs to run the business."
Information security professionals don't need to have a business degree to effectively communicate to upper-level executives, Proctor said.
Far too many security professionals are relying on attack data and information about the latest security threats and failing to describe the business impact to upper-level decision-makers, according to a study conducted by the Ponemon Institute. In the United States, about half of 750 IT security and IT operations professionals said security is an art and not a science, a finding that shows that some IT teams are constantly wrangling with business executives about security issues, said Dwayne Melancon, chief technology officer of Portland, Ore.-based security firm Tripwire, which sponsored the study. Upper management wants to know how their decision will impact the bottom line, Melancon told CRN.
"There's a tendency of security pros to present a whole bunch of data with the hope that the executive leadership comes to the right conclusion," Melancon said. "Security professionals need to translate the decision-making process into how the business is directly impacted."
Organizations looking to improve their security program shouldn't be blindly following the 20 Security Controls, a document maintained by the SANS Institute, a security education firm, Proctor said. Instead they should apply a risk assessment and then identify and address the gaps between the security controls they have deemed essential and the external regulations and frameworks they must meet, he said.
Proctor estimates that by 2014, 80 percent of information security professionals in the Global 2000 will be required to report the company's security posture to a review board annually. More security professionals will be required to present to boards of directors, he said.
Proctor warned against dwelling on high-profile security attacks. Lose the focus on security technology, he said. Instead, use the time with the board to focus on bridging the cultural disconnect between the business executives and the security team overseeing the security functions. Finally, relate security and risk to the business impact that the board cares about the most.
Proctor pointed to several success stories. Providence Health & Services, a Renton, Wash.-based health-care firm that operates 27 hospitals and dozens of other clinics, invested in people before technology. After a careful risk assessment, the firm decided more bodies manning the security appliances and devices offered the best opportunity for improvements. The firm went from five to 32 employees in its security organization to boost the company's monitoring and compliance initiatives.
"Effective security is no longer about threat prevention, but about managing how much risk the business is willing to accept," Proctor said.
PUBLISHED ON JUNE 10, 2013