Gartner’s security and risk management trends for 2019 demonstrate CEOs’ growing awareness of risk
It is not uncommon for CEOs and other board members to talk a good game when it comes to cyber security. They discuss in public the seriousness with which they approach managing cyber security, and talk internally about the need for vigilance and for all employees to be mindful and smart on matters relating to security.
But the reality can be very different. Many CEOs are often just paying lip service to cyber security, without allocating the required investment in staff and infrastructure that modern security and risk management requires.
But the latest report from industry analyst group Gartner identifies seven key sector trends and it would seem that finally CEOs are starting to show more interest in addressing cyber security and taking it as seriously as they need to.
Taking cyber security seriously
It sounds almost strange to think that CEOs wouldn’t take cyber security seriously. Cyber attacks are commonplace in 2019 and we have seen over the past 18 months a number of high profile instances of ransomware. For example, 2017’s WannaCry worm made its way to around 150 countries and caused enormous disruption.
What CEO would choose to not defend their company against such an attack? Some CEOs have an eye on the immediate bottom line. Defending against cyber attack is a major challenge that requires the right tools and trained staff – both of these require investment and there is a tendency to cross fingers and hope that what they have in place will be ok.
‘Lightning won’t strike twice’ and ‘it won’t happen it us’ are common refrains, but they are both untrue. Without proper protection, there is no reason why an organisation couldn’t be vulnerable to several cyber attacks, and just because an organisation has remained safe to this point, that doesn’t mean it will always be the case.
That’s why the Gartner report was especially interesting, in terms of bringing security and risk management to the boardroom agenda. Gartner’s report identifies the top seven security and risk management trends for 2019:
- Risk appetite statements are becoming linked to business outcomes
- Security operations centers are being implemented with a focus on threat detection and response
- Data security governance frameworks will prioritize data security investments
- Passwordless authentication is achieving market traction
- Security product vendors are increasingly offering premium skills and training services
- Investments being made in cloud security competencies as a mainstream computing platform
- Increasing presence of Gartner’s CARTA in traditional security markets
Security and risk = business issues
It is the first trend that is especially pertinent. More than ever, IT security and risk is very much a business issue. The impact of a security breach or other risk can be catastrophic and the days when it just impacted the IT teams are long gone. Similarly, IT is used in a much more strategic fashion than it once was.
With Gartner correctly identifying this closer alignment between IT strategy and business goals as a trend for 2019, it means that security and risk professionals should have more access to CEOs and other board members. This will help secure organisations against cyber attack, with CEOs more aware of the exact threat and investing in the right tools to manage them.
Approaching cyber security as a business risk will see firms benefit from a real-time and integrated view of all cyber security threats, offering a better level of security and performance.
Data security and the importance of processes
The other trend that is of particular relevance to Oxial and our customers is trend three, looking at data security governance frameworks. Gartner states how complex an issue data security is, especially in the era of GDPR.
The report explains that data security ‘cannot be solved without a strong understanding of the data itself, the context in which the data is created and used, and how it is subject to regulation’. This fits exactly with the Oxial model. In all the discussion and noise around GDPR over the past 18 months, many have looked the critical importance of starting GDPR with business processes.
It’s processes that really impact how data is used, managed and accessed, and so documenting these processes is critical for identifying risk in GDPR. Then the organisation can look to implement a technology solution to address GDPR, such as our own GDPR Express. Any data security must begin with business risk and processes, otherwise it will struggle to be effective right from the start.
IT security and risk are both issues that can have a negative impact on a business and should be addressed as business priorities. Gartner’s report only reinforces this. Oxial works with organisations all over the world on such programs – for further details of our work please click here.