by Anton Chuvakin | October 3, 2014
Our team has just released our annual security planning guide: “2015 Planning Guide for Security and Risk Management.” Every GTP customer should go and read it!
Its abstract states: “In planning for security and risk management projects for 2015, organizations must scale and adjust their risk management and security practices to satisfy current and future IT and business needs.”
Here are a few fun quotes:
- “Risk management programs often haven’t scaled, which increased reliance on traditional security patterns — so which should change first? In other words, if security and compliance are indeed falling farther behind, with compliance in particular remaining deeply entrenched in tradition, how can we even begin to adopt new security patterns?”
- “Use threat assessment and attack models as part of risk assessment and mitigation to determine which controls should be considered. The attack model helps identify what set of controls is necessary to cover various attack stages, channels and target assets.”
- “Architect for microperimeterization where the network security boundary shrinks to the host level or smaller. Because perimeters will have to become more dynamic, security will need to be split among the moving parts and pieces.” (perimeter is NOT dead, it is just different…)
- “Loss of control and visibility will continue in the Nexus of Forces, with mobility and cloud leading the way. But with compliance still often equating security to having control, this leads to challenges in adoption of these now not-so-new technologies.”
- “Logging and monitoring of privileged activity is also key when the lines are blurred between compute, storage, network and security administration. At a minimum, monitoring must enable reporting and post hoc investigations of events; this paves the way for adding real-time analytics, alerting and enforcement later on.”
Much of the material in our document is, of course, not new, but recent events have highlighted it as important. Also, some things – while not truly new – may be new to organizations that are just waking up to the needs of information security (or “cyber”, if you have to call it that).
Past guides from the GTP SRMS team (i.e. us):