NATIONAL HARBOR, Md. — A security paradox is afoot.
Industry pressures are speeding adoption of new technologies. After all, 90% of corporate leaders say "digitizing" is an imperative, said Beth Schumaecker, director, advisory at Gartner, speaking Monday at the Gartner Security and Risk Management Summit.
New technologies create new risks. New risks put pressure on the security organization. And the security organization, in a competitive threat and talent landscape, is asked to meet demands while proving its worth.
It is not enough to make a business secure. Enterprise leaders are calling on security teams to contribute value as well.
Adding to complexity, business units make daily technology choices without realizing the consequences, Schumaecker said.
Those decisions can have a direct impact on security operations and the risk profile of a company.
So where is security to begin? As it turns out, new tool adoption is the likely answer.
Security teams can deliver value such as growing revenue or improving efficiency outcomes by adopting automation, Katell Thielemann, research vice president at Gartner, said at the summit. Automation can improve situational awareness and increase a CISO's ability to make decisions.
Automation can take different forms, Gartner says:
- Rethinking access: By aggregating data and analyzing user behavior, companies can introduce an adaptive identity and access management approach where users are only prompted for login information when needed. If a user is in a known, secure location, no prompts are required.
- DevSecOps to the rescue: Companies can embed automation and security into product development, making security teams a part of DevOps through a DevSecOps approach. Liaisons between development and operations save time and possible interruption from security teams mandating compliance.
- Data and the cloud: Companies can introduce automation in data access for infrastructure and software as a service tools. Using a tool to scan all new data, systems can flag what should remain open or private, eliminating human error and saving companies from open cloud database gaffes.
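The adaptive-access idea in the first bullet, as an added example that is not from the article or from Gartner: a small risk-based sign-in decision that aggregates a user's past logins into a baseline and prompts for a second factor only when an attempt looks unfamiliar. The login records are constructed, and the field names, weights and thresholds are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample sign-in history (not from the article): each record is one
# successful login previously observed for a user.
HISTORY = [
    {"user": "alice", "country": "US", "device": "laptop-a1", "hour": 9},
    {"user": "alice", "country": "US", "device": "laptop-a1", "hour": 10},
    {"user": "alice", "country": "US", "device": "laptop-a1", "hour": 9},
    {"user": "alice", "country": "US", "device": "laptop-a1", "hour": 11},
    {"user": "alice", "country": "US", "device": "laptop-a1", "hour": 10},
    {"user": "alice", "country": "CA", "device": "laptop-a1", "hour": 9},
]

# Assumed tuning: a country/device is "known" after MIN_SEEN sightings;
# scores at or above the thresholds trigger an MFA prompt or a block.
MIN_SEEN = 3
STEP_UP_AT, DENY_AT = 30, 80

def build_profile(events):
    """Aggregate past sign-ins into a per-user baseline of countries, devices and hours."""
    profile = {}
    for e in events:
        p = profile.setdefault(e["user"], {"country": Counter(), "device": Counter(), "hour": Counter()})
        for key in ("country", "device", "hour"):
            p[key][e[key]] += 1
    return profile

def risk_score(profile, attempt):
    """Score a new sign-in attempt against the user's baseline (0 = fully familiar)."""
    p = profile.get(attempt["user"])
    if p is None:
        return 60  # no history at all: always ask for a second factor
    score = 0
    if p["country"][attempt["country"]] < MIN_SEEN:
        score += 50  # unfamiliar location
    if p["device"][attempt["device"]] < MIN_SEEN:
        score += 30  # unfamiliar device
    if not any(abs(attempt["hour"] - h) <= 1 for h in p["hour"]):
        score += 20  # outside the hours this user normally signs in
    return score

def decide(profile, attempt):
    """Map the score to an access decision: silent allow, MFA prompt (step_up) or deny."""
    score = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"  # known location and device: no prompt shown to the user

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    print(decide(prof, {"user": "alice", "country": "US", "device": "laptop-a1", "hour": 10}))
    print(decide(prof, {"user": "alice", "country": "RU", "device": "unknown", "hour": 3}))
```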
In each case, value is derived from reducing human interaction and creating a more fluid process. If a company successfully revamped its approach to access and passwords, it would pass time and money savings to teams normally dedicated to resetting accounts.
Technical security professionals are on the front line of threats, but businesses can shift and put employees at the center of the conversation so they too are focused on value protection and creation.
Value, meet the board
The end goal for a security group — or any tech unit, really — is mitigating risk and keeping in-house technology operational. Value is difficult to quantify compared to, for example, sales.
If a sales department doubles a company's revenue, its contributions are clear. If a security team deters one threat, it's doing its job.
As security leaders are asked to deliver more business value, they have to rethink how they are communicating to the board.
The goal is to bring it back to simple, said Steve Williams, CISO of NTT DATA Services, speaking at the symposium. NTT DATA is a subsidiary of NTT, which has more than 900 operating companies.
To illustrate security threats to business stakeholders, Williams presents a motto: "see it, manage it, secure it."
The motto offers the board a barometer of the businesses' without "geek speak," Williams said. Boards just want a thumbs up or down if a threat is worth responding to.
The same is true of security investments. Boards are interested in return on investment (ROI) without security leaders overburdening them with details. The easiest way to communicate value is to simplify the message.
At Dimension Data, another NTT brand, CISO Darren O'Loughlin has a quarterly scorecard about how investments and initiatives play out. He can then address questions about ROI and whether an investment has reduced the risk threshold in simple terms.
His team is even working with marketing to illustrate what the department is doing from a people, process and technology perspective to create assurances for customers.