The digital age presents new security threats to organisations. It calls for new skills to manage these risks, and that poses a challenge, since security skills are in short supply.
Brian Pereira from BW CIO World met Tom Scholtz, VP and Gartner Fellow, on the sidelines of the Gartner Security & Risk Management Summit in Mumbai. Tom tells us how organisations around the world are coping with this challenge by outsourcing their security to managed security service providers. Tom also talks about the new risks that digitally enabled businesses will need to check.
BW: What are the new risks that Digital poses to businesses?
Tom Scholtz: It is predominantly in terms of the sheer number of things. The volume of things and the changes in governance. It is the complexity of this environment and also the lack of knowledge. If you do not understand how the technology and the interconnections work, you have that uncertainty, and all this needs to be treated as a risk.
The actual threats stay the same. The threat actors are the same.
BW: How has Security and Risk Management evolved to support Digital Business?
Tom Scholtz: The main focus in the past year or two was on the Data Layer -- making sure that people understand how the data is used and where it flows. It was also about moving digital security away from default to deny, towards default to allow. It is not practical to protect all the data all the time.
The second one is the ability to shift the investment to detect & respond relative to preventive controls.
The third one is understanding the role of humans and investing heavily in them (training and awareness).
In the medium to longer term, it is all about using the technology so that the potential of things like machine learning and artificial intelligence -- using that to have more continuous assessment, and enabling the technology to really make context-aware, trust-based decisions, in real-time. That's where we need to go in the medium to longer term.
BW: What are the biggest challenges that business leaders face today in handling security and risk management?
Tom Scholtz: The challenge is no longer about shortage of budgets (for security). The biggest challenge is shortage of skills. This is predominant in the US and Europe.
There are some workarounds to this challenge. One, work with HR to ensure that the typically young (25 - 30 years) are not the only ones hired. They should look for someone more experienced (maybe 50 - 55 years old). Secondly, do invest in the training of people. The worry is that trained people leave -- my argument is that you then have a bigger problem. Your organisation has a cultural problem. Rather than looking for people who have security expertise in IoT or operations technology, start hiring IoT or operations technology engineers, and teach them the security side.
BW: What about outsourcing security to a managed security services provider? Is that a workaround or are there risks associated with that?
Tom Scholtz: Using managed security services is a good alternative and many organisations are considering it. It would not be feasible for some to have a 24/7 SOC, as organisations would not be able to hire people for it. From a scalability and leverage perspective it makes sense to go for managed services.
The risks with managed security services usually come down to the contract. The way of dealing with it is to focus on the relationship side with the service provider on a day-by-day basis.