Gartner Security and Risk Management Conference, June 2016
Last week BWise attended the Gartner Security and Risk Management Summit with 3,000 Information Security attendees from around the globe. The 4-day event opened with a keynote session by Felix Gaehtgens, Peter Firstbrook, and Jeffrey Wheatman from Gartner, highlighting a bold vision for today's digital business environment, in contrast to the previous year's primary focus on protection and prevention.
Making Information Security Resilient
The keynote theme focused on making information security resilient. It stressed the importance of viewing security threats in a business context and clearly tying the threats to the harmful exposures that InfoSec professionals aim to protect the company against. Instead of saying no to new digital business initiatives, and/or explaining the security limitations, the speakers recommended presenting the business choices to management, balancing acceptable risk (risk appetite) against business performance goals. From our perspective, it was encouraging to hear others speaking our language, knowing the solutions we provide are specifically designed to meet exactly that: both the business and risk teams' needs.
Risks are strategic; security threats are tactical
With any new digital business initiative, risk factors can include reputation, profit variability, liability, and compliance. The consequences of these risks could be:
- Brand damage
- High recovery costs
- Being held liable
- Regulator-imposed fines, ceased expansion opportunities, or more serious measures
These risks and consequences are the topics that management needs to understand more clearly. Clear communication and transparency about the information security implications of these risks should be the foundation for the advice the InfoSec team provides when evaluating the efficacy of new business plans and activities to achieve strategic goals.
This doesn't mean that companies should stop their technological advances and efficiencies. As Gartner stated, it's impossible to be 100% secure, as that would mean ceasing or limiting new digital business initiatives. Ultimately, management can decide to accept certain risks, and if bad things happen, it's all about how to detect and respond to them.
So when InfoSec teams collaborate with the business on possible courses of action, they should not only talk about the threats, but make sure their story relates to the key risks and the measures toward resilience.
No Single Version of the Truth
I really like this vision as it is a perfect match with our new BWise InfoSec Solution. Our solution is designed to address the overlap in functionality within the security technology landscape, where there is no single version of the truth. It provides the connection to the business relevance of IT systems. Our system sits on top of all existing Information Security platforms, policies, procedures, and regulations. It includes predefined user-level functionality, regulatory reporting, board reporting, audit reporting, and stress-testing functions for Information Security across the enterprise. The Nasdaq BWise platform streamlines reporting from all systems and gets the right information to the right people at the right time, reducing overhead spend and overall InfoSec budgets. By implementing BWise InfoSec, organizations are no longer dependent on highly technical individuals to translate system output and simplify the information for non-InfoSec executives. As a result of these efficiencies, they're able to make critical decisions in nearly real time.