Six principles of resilience to manage digital security

August 2016 Information Security, Security Services & Risk Management

Security professionals in South Africa need to protect their enterprise by building resilience. Speaking ahead of the Gartner Symposium/ITxpo 2016 in Cape Town, Tom Scholtz vice president & Gartner Fellow, said resilience is the best approach to address both catastrophic and daily threats.

“Resilience is our North Star,” Scholtz said. “And resilience isn’t only about catastrophic threats, it’s also about everyday and continuous threats.”

In South Africa although companies have excellent network security, they’re highly vulnerable with regard to applications. “To manage digital security, organisations should adapt six principles of resilience.”

1. Move from check box compliance to risk-based thinking

Following a regulation or a framework, or just doing what your auditors tell you to do, has never resulted in appropriate or sufficient protection for an organisation. Risk-based thinking is about understanding the major risks your business will face and prioritising controls and investments in security to achieve business outcomes.

2. Move from protecting the infrastructure to supporting organisational outcomes

You still have to protect your infrastructure, but you also have to elevate your security strategy in order to protect the things the business actually cares about, such as business performance, public service delivery, or a military mission.

3. Move from being the righteous defenders of the organisation to acting as the facilitators of balance

Resist the temptation to tell the business what to do and decide how much risk is good for the organisation. Instead of pushing back on business requests to move workloads to the cloud, for example, work effectively with your business counterparts to negotiate appropriate levels of security.

4. Move from controlling the flow of information to understanding how information flows

Digital business will introduce massive new volumes and types of information that must be understood and appropriately protected. You cannot apply appropriate controls to protect information when you don’t know where it is.

5. Move from a technology focus to a people focus

Security technology has its limits and, therefore, it’s necessary to shape behaviour and motivate people to do the right thing, not just try to force people to do what we want. For example, phishing is the initial infection vector of 80 percent of breaches. However, there are no totally effective technical controls to this problem. When employees are motivated and understand the limitations of trust, the click through rate on phishing e-mails dramatically drops.

6. Move from protection only, to detect and respond

The disparity between the speed of compromise and the speed of detection is one of the starkest failures discovered in breach investigations. In the digital world, the pace of change will be too fast to anticipate and defend against every type of attack. Security professionals should acknowledge that compromise is inevitable. Ultimately, it’s time to invest in technical, procedural and human capabilities to detect when a compromise occurs.

Scholtz will cover this topic in his presentation entitled “Managing Risk and Security at the Speed of Digital Business” at the Gartner Symposium/ITxpo 2016 in Cape Town, 26-28 September, South Africa.

For more information go to http://www.gartner.co.za.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Deception technology crucial to unmasking data theft
Information Security Risk Management & Resilience
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...
Understanding the power of digital identity
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
The way we perceive business flourishing is undergoing a paradigm shift, as digital identity and consumer consent redefine the dynamics of transactions, says Shanaaz Trethewey.

Read more...
Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
What you can expect from digital identity in 2024
Access Control & Identity Management Security Services & Risk Management
As biometric identity becomes a central tenet in secure access to finance, government, telecommunications, healthcare services and more, 2024 is expected to be a year where biometrics evolve and important regulatory conversations occur.

Read more...