Digitization requires big changes to companies’ strategic processes, and security is no different: In a recent report, Gartner predicts that 60% of digital businesses will experience major service failures by 2020 due to the inability of their IT security teams to handle digital risks.
“Digital security is the risk and resilience-driven expansion of current cybersecurity practices to protect the pervasive digital presence in business, government and society,” Pratap said in an email interview.
In the report, the IT research and advisory firm identified five major areas for organizations to focus on to successfully address cybersecurity in the digital era.
The role of leadership
Investing in leadership and governance improvements will triumph over technology tools when it comes to addressing cybersecurity, according to the report.
“CISOs need to communicate with business leaders,” Pratap said about CISOs’ role in mitigating cyber risks. “First, they need to figure what cybersecurity means for their organization and then get a consensus of that understanding from the business. Everything else related to assessments, recruiting talent, threat intelligence and incident response procurements are pointless if this key piece is missing.”
Creating and developing roles like a digital risk officer to address the changing nature of risks and threats will help connect the dots between different parts of the organization’s digital strategy, she added.
Protection, detection and response
With cybersecurity threats increasing in number and sophistication, IT risk and security leaders should stop focusing their efforts solely on prevention and balance investments across data protection, incident detection and response, Pratap said.
Gartner predicts that by 2020, 60% of enterprise information security budgets will be allocated for quick detection and response approaches, a significant increase from less than 30% in 2016.
IT risk and cybersecurity leaders should employ existing and innovative technologies to detect and respond to external and insider threats, according to the report.
One important step will be to stop focusing on checkbox compliance and shift to risk-based decision making, Pratap said.
Cultivating a new approach
Security approaches designed for traditional businesses won’t work for digital businesses, according to the report. With the introduction of new strategies like bimodal IT, enterprises need a new approach to address cybersecurity, Gartner predicts.
“The challenges of designing and running a digital business make digital security a broader term,” she said. “Digital business is creation of new business designs that connect not only people and business, but also connect people, business and things — physical objects that are active players and contribute to business value — to drive revenue and efficiency.”
Security in the cloud era
In the digitization era, organizations are often required to address cybersecurity and potential risks for technologies and assets that they no longer own or control, the report states.
Gartner predicts that by 2018, 25% of corporate data traffic will bypass enterprise security controls and flow directly to the cloud from mobile devices.
With data no longer restricted to data centers, it is important to stop trying to control information and instead determine how it flows, Pratap added.
“Finding all sensitive data and tracking all access in all forms will be too onerous for most organizations,” she said. “Each organization will have to manage their ability to do this within the limits of the resources they can commit. From personally identifiable information to sensitive intellectual property, the impact of compromise of such information on the organization needs to be assessed regularly.”
A people-centric approach
When it comes to cybersecurity, people and processes have failed to receive the same attention as technology, according to the report. A recent CEO survey conducted by Gartner shows the majority of CEOs still look at cybersecurity as an IT issue and not a business one, Pratap added.
Cybersecurity in the digital age must cater to the needs of the employees and customers, the report states. It is important to accept the limits of technology and become more people-centric, Pratap said, because monitoring and analyzing user behavior can replace many restrictive controls.
“It is commonly recognized that normal, everyday users just trying to get their work done can be the weakest links in the digital security chain,” she said. “Conversely, motivated people can be the strongest links in our security chain. It is necessary to shape behavior and motivate people to do the right thing.”