I recently attended a Gartner event on security and risk management. There were many high-level sessions that talked about risk management and security strategy - good guidance when you are focused at that level. I always feel that is the easy part - we are still stuck trying to turn the conceptual into reality.
Here are my key takeaways from the event. I plan to write a blog post to explore each of these in more detail.
The SDLC is now a complex supply chain. This has long been true of the physical infrastructure, and it is now also true on the software side due to the use of packaged applications. How can you trust your suppliers? How can you ensure they effectively manage their sub-contractors? Gartner introduced the challenges and started a conversation about supply chain management. These challenges are at the heart of managing components, especially open source components sourced externally – that's the motivation behind Sonatype CLM.
There were numerous sessions about how IT risk management must be tied to the business. Strategy, reporting, communication, policy, and risk thresholds – all these topics need to be done in the context of the business. Although it seems obvious, many organizations have CISOs that manage and communicate from a technical perspective – an approach that doesn't cut it with other execs or the board.
Gartner tried to stir up some controversy with a debate about whether security and risk should be managed with tools or processes. It was an "either or" discussion meant to stimulate thought. My personal view is that the best strategy is for developers to use both – and, more important, that the process is built into the tools, the tools that developers use today. It is what our CSO calls "delivering solutions that fit the practice of the practitioner."
What IT-related conference would be complete without these topics? Gartner managed to hit them all by relating information security to the nexus of forces – not surprisingly, those forces are social, mobile, information (big data), and cloud. One can argue these trends are overhyped, but that doesn't discount their security and risk management impact.
In the context of security trends and risk management maturity, Gartner advised security professionals to shift their focus to the application. Applications are the window to the information – focusing on the basics or taking a perimeter approach is no longer good enough. This message is perfectly in line with our strategy at Sonatype – to protect the new world of component-based applications.
You can attribute this quote to Wayne Jackson, our Sonatype CEO. In a spirited session with Curtis Yanko, Architecture Manager – Clinical IT / DevOps from Cigna, Wayne and Curtis argued that policy enforcement must be automated and integrated. Given the speed of development and the number of moving parts in the software supply chain, any other approach will fail.
Although there were technical sessions dedicated to infrastructure and network security, the theme of the conference was more focused on risk management, business factors, and strategy. One statement that stuck with me was the need to think about policy more strategically, rather than thinking about policy in the context of technology.
The initial keynote presenters lamented how security professionals were viewed in most companies. They also spoke about how the security function can be overwhelmed by the pace of change. But there is a light at the end of the tunnel – just like we responded to the move from the mainframe to distributed computing, we'll reset and respond to mobile, cloud, big data, etc. We can't do it by focusing on technology and control.
As security professionals, we need to move from an attitude that we own the risk. We can't dismiss people with the message that "you hired us, we'll do the job." We have to inform the business and help them make decisions about acceptable risk. That will drive strategy, budgets, etc. We have to increase our relevance to the business – we can't just focus on rule following, we have to become risk leaders.
Admiral Mike Mullen presented a keynote focused on leadership and national security concerns. He noted that we have to move from a patch contest to a more strategic plan. From a leadership perspective, he emphasized the need for accountability, which can be applied to many things, including your security and risk management strategy.
Several sessions focused on the maturity of an organization's security strategy and provided recommendations about how to "move up the curve." According to Gartner, one indicator of security maturity is organizational structure. In more mature organizations, the security leader is elevated outside the CIO's organization so that he or she is a peer of the CIO. Among other things, this indicates that security is a high priority and a primary concern of the business.
I attended a working session on designing a balanced scorecard to measure and report on risk. Gartner walks you through a process: a company goal or destination statement; business objectives tied to the financial, customer, operational, and learning-and-growth perspectives; defining linkages (what we do to achieve objectives) and risks (things that can stop you from achieving objectives). All good so far – but we wasted time translating that into measures and targets for the scorecard! Still, the intent of managing risk with a balanced scorecard tied to the business is spot on.
As a security professional, which takeaway resonates with you? Was Gartner spot on in addressing the right topics for security professionals? What do you consider the must-have discussions around security and risk management?