by Anton Chuvakin | October 4, 2017
Our team has just released our annual security planning guide: “2018 Planning Guide for Security and Risk Management.” Every Gartner GTP customer should go and read it (in fact, the above link requires just such a subscription…)
The abstract states: “Although security has been a major challenge for digital business for many years, recent events mark a shift in security incident and compliance trends. This shift will require technical professionals to practice strong planning and execution of information security initiatives for 2018.”
Here are a few quotes (admittedly, they do not do this broad doc any justice):
- “Despite the strong enterprise focus on malware protection, recent ransomware incidents have caused significant business impacts, partly because enterprises have concentrated on data breaches, not sabotage. These incidents also reflect continued weakness in security hygiene.”
- “The number of security regulations is also rapidly increasing, mostly in the form of geography- or industry-specific compliance mandates related to protecting PII. But, none have as much potential impact as GDPR, which is front of mind for many organizations. […] Some organizations are even hesitant to invest in new security initiatives because of this uncertainty.”
- “Stay the course with a pragmatic approach to cybersecurity technology and practices. Avoid making radical changes just because of uncertainty from emerging compliance mandates and current attacks. Understand the minimum required security baseline, and supplement it with controls that are known to be effective against a wide range of threats and attacks.”
Much of the content in our planning document is, of course, not new; it covers problems that have been challenging for years. So some of you may be irritated that we say “do OLD stuff better” far more often than we say “do NEW stuff.”
When we write this document every year, we ourselves struggle mightily with this dilemma: do we say “try harder” (with things like patch management and network segmentation, the so-called basics), or do we say “forget it, it never worked and it probably never will; try this instead”? However, in the absence of solid proof that the new stuff is better, it is really hard to say “out with the old, in with the new” only because the old has been somewhat iffy…
- Security Planning Guide for 2017
- Security Planning Guide for 2016
- Security Planning Guide for 2015
- Security Planning Guide for 2014
- Security Planning Guide for 2013
- Security Planning Guide for 2012