"Compromise is inevitable," Gartner Research Vice President Peter Firstbrook informed the audience bluntly at his opening keynote at the Gartner Security and Risk Management summit, taking place this week in London.
Citing the increasingly high profile of cyber-attacks, including the recent Ashley Madison hack, he argued that the "timing" as now right for security professionals to become leading figures in the technology industry.
"At Gartner, we believe that your time has come. We’re seeing an increased concern among CEOs and directors about legal liability, customer frustration and profit loss from security breaches. This has given security professionals an unprecedented spotlight. Budget is suddenly available for security projects."
Firstbrook, however, cautioned them that a change of approach was the most important step.
"Don’t blow it all on shiny new security products. The time is right to make proactive lasting change in how you approach information security.
"You have the opportunity to lead your organisation into a risk managed future of digital business: a future of more profits, better customer service, where organisations and security professionals can thrive, a future where you will have a place at the business strategy table."
In this world, it is important to accept that attacks are inevitable and build resilience, which, according to Firstbrook, constitutes 6 key principles.
"Resilience is about absorbing the punches and bouncing back, while accepting a certain risk for the achievement of success. We need to start absorbing some punches too."
1. Risk-based thinking
"You must move from check box compliance to risk-based thinking. This idea is not totally new but the urgency to embrace it is new. Following regulation or a framework or just doing what your auditors tell you to do has never resulted in appropriate or sufficient protection for an organisation.
"Risk-based thinking is about understanding the major risks your organisation will face and prioritising controls and investments in security to achieve those business outcomes."
2. Business outcomes
"We must move from a singular focus on protecting the infrastructure to a new focus on protecting organisational outcomes. For the last two decades our investment decisions have been focused on protecting infrastructure.
"That standard is no longer sufficient. You still do have to protect your infrastructure but you also have to elevate your security to protect things the business actually cares about. For most businesses this means things like performance and profitability. You can connect the work you do in IT security to these outcomes."
"We must move from being righteous defenders of an organisation to the facilitators of a balance between the needs to protect the organisation and achieve that business outcome. We must resist the temptation to tell the business what to do. It is never appropriate for IT security people to decide how much risk is good for the organisation.
"If the business decides it wants to move workloads to the cloud, the defender might push back, fearing a loss of control. A facilitator will work effectively with their business counterparts to educate them on what risks are there and negotiate appropriate levels of security for the information to support those business outcomes."
4. Understanding the flow
"We must move from trying to control the flow of information to understanding how does it flow, so we can improve its resilience and the outcome it supports. Digital business will introduce massive new volumes and types of information and that information needs to be understood so it can be appropriately protected.
"We will not own all the infrastructure anymore. So information may be flowing through and stored in locations that are beyond your control. You can’t apply appropriate security controls to protect the information if you don’t know where it is."
"You can’t do this alone. We must understand the limits of security technology and realise that properly motivated people can be the strongest link in our security chain. We need to shape behaviour. We need to properly motivate people to do the right thing, not just force them to do what we want.
"Phishing is the initial infection vector in almost 80 percent of infrastructure breaches. However, there are no completely effective technical controls for this problem. But when employees are motivated and understand the limitations of trust in email, the click-through rate of phishing emails drops dramatically."
6. Detect and respond
"Compromise is inevitable. We must move from a singular focus on trying to prevent compromise to acknowledging that we’ll never have perfect protection. We need to be able to protect compromise and react faster. The disparity between the speed of compromise and the speed of detection is one of the starkest findings in recent breach reports.
"You have to invest in technical, procedural and human capabilities to detect when a compromise occurs, and you must provide the first responders with the tools they need to react quickly to investigate the source and impact of the breach and start remediating."