Die gestiegenen Anforderungen haben eine lähmende Wirkung auf Security-Manager. Wie können Security-Manager wieder handlungsfähig werden? Relevant sind hierbei insbesondere folgende Fragen: Was besitzt Priorität? Auf welche Herausforderung könnte man stoßen? Was ist machbar?
»Schon wenige Key-Practices können dazu beitragen, Herausforderungen zu meistern,« erklärt Katell Thielmann, Research Vice President bei Gartner. »Zuerst ist es wichtig, dass Verantwortlichkeiten geschaffen werden und Aufgaben und Zuständigkeiten klar geregelt sind. Zudem sollte das Unternehmen auflisten, welches die größten Bedrohungen für das Unternehmen sowie für sämtliche Geschäftsbereiche des Unternehmens sind. Abschließend sollten diese Bedrohungen direkt und eindeutig den Unternehmenszielen zugeordnet und abschließend beurteilt werden.«
Gartner Identifies How Security Leaders Can Be Empowered to Drive Results
The overwhelming demands on security leaders today can have a paralysing effect. During the opening keynote address yesterday at the Gartner Security and Risk Management Summit, Gartner analysts provided insight to empower these security leaders to take action.
Gartner analysts addressed an audience of more than 3,400 security and risk leaders and practitioners on how to be empowered to adapt their people, processes and technologies to address the old and the new; empowered to transform their approach to risk governance to be more continuous and inclusive; and empowered to scale their security capabilities in other ways than by hiring more people.
Much of this empowerment can come from addressing three simple questions: What’s important? What’s dangerous? What’s real? Gartner analysts took the attendees through a series of scenarios to show how these questions can provide clarity, and in each scenario, the intersection of the questions changed a perception and led to action (see Table 1).
|What’s Important||What’s Dangerous||What’s Real|
|Innovating for Value||Start from an organisation-wide Risk perspective||Adopt Integrated Risk Management (IRM) Practices||Build a strong foundation of communication|
|Urgent Crisis and Threat||Create visibility into assets and ecosystems||Design for resilience at Multiple Levels||Use analytics and automation as a force multiplier|
|Technology Transformation||Empower others to be part of risk management||Challenge conventional wisdom on risks and controls||Select adaptable and adaptive risk controls|
Source: Gartner (June 2018)
Take an Organisation-Wide Risk Perspective
Gartner analysts recommended that security leaders start any initiative from an organisation-wide risk perspective. Historically, risks have been viewed through a narrow lens, typically that of the risk owner.
»A few key practices will greatly help you overcome this obstacle,« said Katell Thielmann, research vice president at Gartner. »First, create and support a culture of accountability with well-established risk ownership and responsibilities. »Next, build an organisation-wide risk register that accounts for the top risks across all risk domains. Finally, map risk directly, clearly, and defensibly to business goals and objectives.«
The danger can come from cyber risk, which represents an increasingly critical part of the risk puzzle. This is where integrated risk management (IRM) become so important.
»IRM allows for easy and simple risk prioritisation and linkages to risk treatment plans. We recommend you integrate cybersecurity and technology risks with broader operational risk to ensure that risk oversight is forward thinking,« Ms Thielmann said. »Define and measure risk indicators and identify those that serve as early warnings.«
Creating Visibility into Assets and Ecosystems
As an organisation’s ecosystem grows, it becomes nearly impossible to understand the interconnectedness of it all. When a problem ripples through an ecosystem, unexpected consequences are likely, but Gartner analysts said overreactions can do more harm than good.
»Last year, more than 15,000 vulnerabilities were disclosed publicly. A small portion of those were rated as a critical severity and posed an urgent threat,« said Craig Lawson, research vice president at Gartner. »Often there is still some time to assess the situation and respond with care. But sometimes these threats are immediately elevated to critical importance because of the hype they receive in the mainstream media.«
For example, while there are security risks constantly gaining attention, Mr Lawson said that the data clearly shows now that over the last decade only a small number of vulnerabilities actually go on to be exploited, in fact, he said it’s only about one-eighth.
When responding to security threats, often the focus is on fixing a trust-related issue. However, in doing so, security leaders must make sure they do not violate their resilience goals. They have to design for resilience at multiple levels, from organisational to technical.
»Take an organisation-wide view of resilience, and work with business and IT partners to set resilience goals,« Mr Lawson said. »Second, create crisis management and communication plans to reduce the risk of conditioned or habitual responses. Third, design technologies and processes that don’t just plan for high availability, but also for recovery and continuity. Lastly, ensure that these recovery and continuity plans are tested often enough to prove that they work.«
Empower others to be part of risk management
Security leaders need controls that are appropriate for the environment and risk. They need controls that are applicable to more than just a single vendor or technology, and can change as risk and compliance landscapes evolve.
»Adaptable controls are what turn security into a technology enabler,« said Ramon Krikken, research vice president at Gartner.
Mr Krikken said it’s important to empower others in the organisation to greatly increase the chances of success.
»Business process owners and IT teams must provide domain knowledge for effective risk management,« Mr Krikken said. »This is to ensure that risk professionals understand the changing technology and business realities. In return, we should encourage other roles to take guidance and advice from risk professionals, so that they can incorporate risk-based thinking into their responsibilities. Transforming and scaling security this way is a win-win for everyone involved.«
More information on security & risk management is available in the Gartner Special Report »The Resilience Premium of Digital Business: A Gartner Trend Insight Report.« This collection of research focuses on how committing to resilience will equip a digital business with the mindset, resources and planning to recover from inevitable disruptions.