Security Planning Guide for 2017
by Anton Chuvakin | October 17, 2016
Our team has just released our annual security planning guide: “2017 Planning Guide for Security and Risk Management.” Every Gartner GTP customer should go and read it!
The abstract states: “Achieving three goals for resilient digital business — privacy, safety and reliability — in a fast-paced business, IT and risk landscape remains challenging. This will require technical professionals to practice strong planning and execution of information security initiatives for 2017.”
Here are a few random quotes:
- “Because persistent attackers will inevitably circumvent preventive controls, detection and response capabilities are critical. Newer approaches, such as machine learning and deception, promise to lessen the amount of human effort required to execute these capabilities.” [BTW, for those of you who think that any/all deception is expert-resource-heavy, think again! We have solid data on “frictionless deception” – of course NOT vs advanced attackers, but as a better way to handle some mundane threats]
- “Take an increasingly evidence-based approach to cybersecurity technology and practices. Unless required by compliance mandates, avoid “best practice” controls if they have questionable effectiveness [in your environment] or are too expensive for the amount of risk reduction they deliver.” <- ponder this one for a bit, this IS deep!
- “Many organizations struggle to interpret what “taking a risk-based approach” means versus using stricter compliance checklists.” <- yes indeed, this is still a very real problem for many…
- “Increasing the use of detection and response capabilities is still gaining importance as attackers are finding gaps in, and inevitable ways around, strongly implemented preventive controls.”
- “Strict static security monitoring and enforcement policies are difficult propositions in digital business, because needs are changing rapidly. As a result, organizations should look to invest more in controls that combine coarse-grained static policy with fine-grained dynamic policies that are created through the use of analytics.”
Much of the material in our document is, of course, not new, but has been eternally challenging to security professionals. As we all know, security is full of evergreen challenges [credential theft, a quintessential 1980s threat … TODAY!]
Previous posts in this series:
- Security Planning Guide for 2016
- Security Planning Guide for 2015
- Security Planning Guide for 2014
- Security Planning Guide for 2013
- Security Planning Guide for 2012