I recently attended a Gartner event on security and risk management. There were many high-level sessions that talked about risk management and security strategy - good guidance when you are focused at that level. I always feel that is the easy part - we are still stuck trying to turn the conceptual into reality!
Here are my key takeaways from the event. I plan to write a blog post to explore each of these in more detail.
Software supply chain risk; can you trust your supplier?
The software lifecycle is now a complex supply chain. This has long been true of physical infrastructure and is now also true on the software side due to the use of packaged applications. How can you trust your suppliers? How can you ensure they are managing their sub-contractors effectively? Gartner introduced the challenges and started a conversation about supply chain management. These challenges are at the heart of managing components, especially open source components sourced externally – that’s the motivation behind Sonatype CLM.
IT risk management must be tied to the business.
There were numerous sessions about how IT risk management has to be tied to the business. Strategy, reporting, communication, policy, and risk thresholds – all of these topics need to be done in the context of the business. Although it seems obvious, many organizations have CISOs that manage and communicate from a technical perspective – an approach that doesn’t cut it with other execs or the board.
Tools or Process… it’s not an either/or choice.
Gartner tried to stir up some controversy with a debate about whether security and risk should be managed with tools or with process. It was an “either/or” discussion meant to stimulate thought. My personal thought was that the best strategy uses a combination of both – and, more important, that the process is built into the tools, the tools that developers use today. That is what our CSO calls ‘delivering solutions that fit the “practice of the practitioner”’.
Big surprise: It’s about social, big data, mobile and cloud.
What IT related conference would be complete without these topics? Gartner managed to hit them all by relating information security to the nexus of forces – not surprisingly those forces are social, mobile, information (big data), and cloud. One can argue these trends are overhyped, but that doesn't discount the security and risk management impact.
We need to shift up the stack to protect information.
In the context of security trends and risk management maturity – Gartner advised security professionals to shift their focus to the application. Applications are the window to the information – focusing on the basics or taking a perimeter approach is no longer good enough. This message is perfectly in line with our strategy at Sonatype – to protect the new world of component-based applications.
Use smart people to define policies, use machines to do the automation.
You can attribute this quote to Wayne Jackson, our Sonatype CEO. In a spirited session with Curtis Yanko, Architecture Manager – Clinical IT / DevOps from Cigna, Wayne and Curtis addressed the fact that policy enforcement has to be automated and integrated. Given the speed of development, and the number of moving parts in the software supply chain, any other approach will fail.
Policy is a set of guidelines, vs. policy as a set of firewall rules.
Although there were technical sessions dedicated to infrastructure and network security, the theme of the conference was more focused on risk management, business factors, and strategy. One statement that stuck with me was the need to think about policy more strategically, vs. thinking about policy in the context of technology.
It’s not about technology control… we need a security reset.
The initial keynote presenters lamented how security professionals were viewed in most companies. They also spoke about how the security function can be overwhelmed by the pace of change. But there is a light at the end of the tunnel – just like we responded to the move from the mainframe to distributed computing, we’ll reset and respond to mobile, cloud, big data, etc. We just can’t do it by focusing on technology and control.
We can’t tell people how to operate… risk posture is a choice.
As security professionals, we need to move from an attitude that we own the risk. We can’t dismiss people with the message that “you hired us, we’ll do the job”. We have to inform the business and help them make decisions about the level of acceptable risk. That will drive strategy, budgets, etc. We have to increase our relevance to the business – we can’t just be focused on rule following, we have to become risk leaders.
It’s not a software game of who can out-patch whom!
Admiral Mike Mullen presented a keynote that focused on leadership and national security concerns. He noted that we have to move from a patch contest to a more strategic plan. From a leadership perspective, he emphasized the need for accountability, which can be applied to many things including your security and risk management strategy.
Level 4: IT Risk Manager parallel to the CIO.
Several sessions focused on the maturity of an organization's security strategy and provided recommendations about how to “move up the curve”. According to Gartner, one indicator of security maturity is organizational structure. In more mature organizations, the security leader is elevated outside of the CIO so that he or she is parallel to the CIO. Among other things, this indicates that security is a high priority and a primary concern of the business.
Balanced scorecards are hard!
I attended a working session on designing a balanced scorecard to measure and report on risk. Gartner walks you through a process: a company goal or destination statement; business objectives tied to financial, customer, operational, and learning and growth perspectives; defining linkages (what we do to achieve objectives) and risks (things that can stop you from achieving objectives). All good so far – but we ran out of time translating that into measures and targets for the scorecard! Still, the intent of managing risk with a balanced scorecard tied to the business is spot on.
As a security professional which take away resonates with you? Was Gartner spot on in addressing the right topics for security professionals? What do you consider the must-have discussions around security and risk management?