How to secure against evolved threat landscape
As digital becomes intrinsic to an organization, position security and risk as a core business value
Days before this year’s Prime Day, one of Amazon’s highest-performing global shopping sales, customers in the U.S. and Japan experienced a malicious phishing attack. They received a pdf file that redirected them to a phishing site, tricking users into sharing personal data — including payment and contact details. The incident stirred new conversations around cybersecurity and how chief information security officers (CISOs) can combat cyberattacks.
Ahead of Gartner Security and Risk Management Summit in Dubai, Smarter With Gartner reached out to analysts presenting at the event to ask how security and its position in the business has evolved in light of the vehemence of malicious attacks.
Complexity of projects and new talent
Nader Henein, Senior Director Analyst
The complexity of security projects is increasing across all markets due to the mature nature of security threats and the risks involved. Because traditional organizations are not accustomed to investing in people and skills development in the information security process, investments in developing expertise in security and risk management continue to be inadequate.
Security leaders should focus on hiring new talent to fill the existing skills gap or invest robustly in development on junior resources toward specialization. Security generalists cannot address the wide spectrum of risks efficiently in the current risk landscape. Today’s threat environment calls for dedicated and focused experts who can tackle specific attacks in time and minimize the risks.
Another thing that security leaders must consider is that investment in talent is not a one-off initiative. It is a continuing process and must be followed through periodical trainings and live workshops.
Reduce risks and improve business agility
Brian Reed, Senior Director Analyst
Risk management leaders should focus on security projects that optimize business operations and reduce risk in a measurable and meaningful way. They should also work toward establishing and maintaining strong lines of communication with business leaders to validate risk appetite and risk tolerance.
One common mistake that security and risk management leaders have been making is to focus only on risk reduction. However, Gartner advises that they should broaden their focus and explore how security projects contribute to business process optimization. Security can become an integral part of the organization’s culture only when it contributes to business growth and is not an impediment to business agility.
Fill the skills gap and foster private-public partnerships to strengthen privacy laws
Sam Olyaei, Director Analyst
Issues like lack of basic controls, lack of informal security processes and broken accountabilities, to name a few, continue to contribute to augmenting risks. More evolved and efficient security solutions exist; however, they have failed to deliver.
The changing landscape of cloud should be on the CISO’s radar. The move to cloud keeps rising, which brings opportunities and challenges. CISOs in the Gulf Cooperation Council (GCC) were hesitant to adopt a cloud-first strategy due to privacy and security concerns. Although Tier 1 CSPs have addressed these arguments, visibility of cloud security is still a major concern.
“The frequency of executive reporting has doubled in the past year, and regulatory agencies are continuing to push executive management to be held liable.”
Skills shortage continues to be a problem for global CISOs as well as GCC CISOs. Security leaders will need to be more proactive in that area through training, development, taking advantage of gamification and alternative means to upskilling their function.
Additionally, the visibility of senior security and risk management roles are at an all-time high, particularly in the GCC. In the GCC, the frequency of executive reporting has doubled in the past year, and regulatory agencies are continuing to push executive management to be held liable for incidents. This is forcing many CISOs to improve their communication with the board of directors to foster a culture of security.
Lastly, privacy continues to spur a strong debate between public and private sectors in the GCC. GDPR has opened the GCC up to scrutiny. More GCC governments have started to adopt data protection laws that seek to protect consumer information and other personally identifiable information. This presents large capacity and resource challenges to organizations as they begin to understand the complex landscape of privacy