Monday and Tuesday of this week I spent 2 days at the Gartner Security & Risk Summit in Sydney, milling around checking out the latest buzzwords and thought leadership around Information Security and Risk. I had a fantastic opportunity to participate in a panel slot with representatives from SkyHigh Networks and Airwatch (vmware). It really was a cross section across mobility, cloud and security. It will become a little more obvious why that was an important spread, in a second. There were 6 key principles, or recommendations, that Gartner were suggesting were important drivers towards a great cyber resiliency posture. I commented more than once during the conference that many of these things were not new. They are all important recommendations that are best when placed together and given to senior management and the board - a critical element of organisations that desperately need to "get it". These 6 recommendations were part of a document called Use Six Principles of Resilience to Address Digital Business Risk and Security, and published on 31st of July 2015. Let's take a look: "Stop focusing on check box compliance, and shift to risk-based decision making." How often has this been the case? For all the token talking of "proactive security" by end user organisations, and the marketing materials that respond in kind by industry, there is a certain level of apathy and least-effort thinking by many organisations. I've heard it said way too often that some C-level executives are more interested in loosely following what their competitors are doing as if that is somehow the best measuring stick. If you follow a check-box compliance method sure... because it's driven out of some standard or best practice guidance... those things are absolutely important however, if you are driven by risk-based decision making - you'll find what's important to your organisation and respond with the things that matter most. Sounds so simple, and it's not new - but now is the time to really heed a risk-management approach to your information security investments. ISACA released a paper this August 2015, called The Cyber-resilient Enterprise: What the Board of Directors Needs to Ask which goes onto reinforce the need for greater risk management representation at the senior management and board executive levels, while the Harvard Business Review in the August 2015 article on Strategic Risk, states that not only will international risk functions need a reorganisation or restructure in the next 3 years, but that dashboards like a well-adjusted IT Risk Management platform will become critical in the decision making processes of an organisation as they define and respond to risk. "Stop solely protecting infrastructure, and begin supporting business outcomes." Again, not new. But Gartner has done a great job in their document of crystalizing the main themes... something that should be easily digestible by the C-level executive. Anyone that has been in the Information Technology industry for at least a small amount of time would know that ITIL and COBIT5 although sourced from two different organisations, have effectively been talking about aligning IT objectives with business objectives for years. But now, at the dawn of a philosophical mind shift from heavy protective controls, to an accurate balance of controls that enable a mature incident response strategy that can withstand attack, respond to it, and allow the organisation to adapt to a similar threat in the future. Without the response and adapting parts, it would just be called cyber apathy. We need less of that. Information Security / Cyber Resiliency investments should be in areas that a) help provide risk-based guidance on the asset risk and people risk that matters in your organisation that b) help drive the prioritisation and selection of any number and variety of security investments needed. "Stop being a defender, and become a facilitator." I'm going to get tired of saying "this is not new" but we wouldn't have to say it, if it wasn't still true. There's a lot of folk out there stuck in the 1990s when firewalls were king. They are still an important part of information security, absolutely vital. But the one dimensional view of being a gatekeeper is getting old and tiresome. More cyber security professionals need to adopt an enabler spirit. Look for ways to see risk in terms of both potential for loss, and potential for opportunity. Look closely, these are already captured in ISO2700x, ITIL and COBIT5 - but once again Gartner make a great point that security "facilitators" will partner with the business to explore technologies and approaches that enable the business to thrive, but factor in security and risk considerations early on in the process. It's a true collaborative. Cloud and Mobility are two such disruptions to traditional organisation's information technology infrastructure that have only become more and more important. The business can not be told by Security or Risk that they should not adopt these technologies, because they are crucial to the survival or thriving in a new world. So the quicker that Risk and Security help facilitate these applying due diligence and process, the better. Or risk being replaced by those that will. "Stop trying to control information; instead, determine how it flows." Information is key. The perimeter is no longer viable in a castle & moat design. The perimeter is elastic and permeable. So information flows are going to be more important to understand so that security can be applied appropriately. "Accept the limits of technology, and become people-centric." AXELOS suggest in their book called Cyber Resilience Best Practices published in June 2015, that one of the key aspects of Management of Risk will be understanding and having visibility of your assets, threats, vulnerabilities and risk. Why? Because the right questions you need to ask about WHO uses those assets and HOW can only be contextualised once you have a firm grip that fundamental foundation of information! And who uses technology anyway? People. By making the organisation more people-centric you can incorporate good security practices that are easy to digest and still appropriate, rather than imposing 100 page security processes that no one reads and worse - people do not abide by. While least privilege and "default deny" may be important areas of an information security strategy, it is a good point out that these technologies need to allow freer more productive access. Selection of these technologies themselves should facilitate great workflow that encourages productivity rather than out-right block. "Stop focusing efforts solely on prevention, and balance investments across protection, detection and response." We would be silly to think that we can mitigate risk through prevention and risk transference alone. These two strategies are filled with pot holes. Rather, excel at detection countermeasures that are better suited to the evolving threats and risks, so even if prevention is not immediately available in standard preventative controls.... you can be made aware of those risks and form an appropriate response. It's the combination and balance of ALL those types of controls, which will provide a very appropriate cyber resiliency posture. Summary Gartner's 6 Principles of Cyber Resiliency ARE my 6 things that I liked about Gartner this year. While it feels like I've been bangin' on about this with my customers for quite some time, it was really great to hear Gartner articulate it in a way that senior management and the board could understand, and I will certainly be talking to my customers in these terms for a little while to come. Author: Nigel Hedges | BeyondTrust Regional Manager - Australia & New Zealand | CISA, CISM, CISSP, CGEIT, CCSK ITIL-F, COBIT-F, MBA ISO27001 LI & LA