Today, I had the privilege and honor to help kick off Gartner’s 2015 Security and Risk Management Summit in Sao Paulo, Brazil. Joined by my Gartner colleagues Andrew Walls (2014 Gartner Analyst of the Year) and Claudio Neiva (Brazil Security and Risk Management Summit Chairman), I delivered the keynote address for the event, focusing on managing risk and delivering security in a digital world.
The next five years will present unprecedented challenges for security and risk management professionals. In this year’s keynote, we provided evidence that the digital business revolution is real and successful companies will be the ones that can quickly address the rapidly evolving risks while taking advantage of the valuable opportunities.
For example, the new digital business world will require technology to authenticate not only the identities of people, but also things. It will also require new methods to analyze how people and things will interact via technology, as well as how they create and share information. In fact, Gartner predicts that by the year 2020, a typical company’s Identity & Access Management (IAM) initiatives will span millions of people, tens of millions of things, and billions of relationships.
Given this backdrop, my Gartner colleagues and I presented six key principles for companies to adopt in their pursuit of digital business success. IAM plays a critical role in each of the six principles.
Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
Use adaptive approaches such as risk-based scoring models to determine authorized access. When a person or a thing attempts to access data through an application, risk-based scoring models can authenticate the request using factors like location, time of day, IP address and application requested.
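The scoring model described above, written out as an added example (this is illustrative code, not Gartner's or any vendor's product logic). The factor weights, the corporate network ranges, the set of high-value applications and the decision thresholds are all constructed assumptions; a real deployment would tune them from its own access history. The model returns the contributing reasons alongside the score so that a step-up or denial can be audited and reviewed.

```python
"""Risk-based scoring of an access request (added example; all policy values are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions for this example).
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HIGH_VALUE_APPS = {"payroll", "wire-transfer"}
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59 in the requester's local time
STEP_UP_THRESHOLD = 40                 # require a second factor at or above this score
DENY_THRESHOLD = 70                    # refuse the request at or above this score


@dataclass(frozen=True)
class AccessRequest:
    subject: str          # person or thing requesting access
    country: str          # country inferred from the request origin
    home_country: str     # country the subject normally operates from
    hour: int             # local hour of day, 0-23
    ip: str               # source IP address of the request
    app: str              # application being requested


def score_request(req: AccessRequest) -> tuple[int, list[str]]:
    """Return (risk score, list of reasons) for one request.

    Each factor from the text contributes independently: location, time of
    day, IP address and the application requested.
    """
    score = 0
    reasons = []
    if req.country != req.home_country:
        score += 40
        reasons.append(f"location {req.country} differs from home {req.home_country}")
    if req.hour not in BUSINESS_HOURS:
        score += 20
        reasons.append(f"request at hour {req.hour} is outside business hours")
    if not any(ip_address(req.ip) in net for net in CORP_NETWORKS):
        score += 25
        reasons.append(f"source {req.ip} is outside corporate networks")
    if req.app in HIGH_VALUE_APPS:
        score += 30
        reasons.append(f"application {req.app} is high value")
    return score, reasons


def decide(req: AccessRequest) -> str:
    """Map the score to one of three outcomes: allow, step-up or deny."""
    score, _ = score_request(req)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests.
    routine = AccessRequest("alice", "BR", "BR", 10, "10.1.2.3", "wiki")
    travelling = AccessRequest("alice", "US", "BR", 10, "10.1.2.3", "wiki")
    suspicious = AccessRequest("alice", "US", "BR", 3, "203.0.113.7", "wire-transfer")
    for r in (routine, travelling, suspicious):
        score, reasons = score_request(r)
        print(f"{r.subject:6} {r.app:14} score={score:3} -> {decide(r):7} {reasons}")
```

The same subject reaches three different outcomes depending only on context, which is the point of the principle: the decision follows the risk of the request, not a static check box.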
Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
Focus on what can be done to meet the needs of the customer while also protecting valuable IT assets. For example, we have seen that banks have lost about one in every thirty customers when they implemented new controls that added too much friction in the use of their customer applications. IAM initiatives must become more customer-focused in addition to workforce-focused.
Principle No. 3: Stop Being a Defender, and Become a Facilitator
IT security and risk leaders will need to adopt an “innovator” leadership style and take a novel approach to developing new IAM systems that have the agility demanded by digital business.
Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
Use an attribute-based access control approach that leverages metadata to help determine where information should reside and who should be able to access it.
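An attribute-based approach of the kind described above, as an added example (not Gartner's code, and not any product's policy language). Resources carry metadata (classification, owning department, region) and subjects carry attributes (department, clearance, region); a residency rule decides where a resource may be stored and an access rule decides who may read or write it. The classification levels, the residency table and the rule set are constructed assumptions for illustration.

```python
"""Attribute-based access control driven by resource metadata (added example; policy values are constructed)."""
from dataclasses import dataclass

# Constructed classification ladder and residency policy (assumptions for this example).
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
RESIDENCY = {                      # classification -> regions where the data may be stored
    "public": {"any"},
    "internal": {"any"},
    "confidential": {"eu", "us"},
    "restricted": {"eu"},
}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # metadata tag attached to the information
    owner_dept: str       # metadata tag: department that owns it
    region: str           # where the information currently resides


@dataclass(frozen=True)
class Subject:
    name: str
    dept: str
    clearance: str
    region: str           # where the subject is operating from


def may_reside(resource: Resource, region: str) -> bool:
    """Residency rule: may this resource be stored in the given region?"""
    allowed = RESIDENCY[resource.classification]
    return "any" in allowed or region in allowed


def may_access(subject: Subject, resource: Resource, action: str) -> bool:
    """Access rule: evaluate subject attributes against resource metadata."""
    if action not in ("read", "write"):
        return False                                   # unknown actions are denied by default
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[resource.classification]:
        return False                                   # clearance must dominate classification
    if resource.classification == "restricted" and subject.region != resource.region:
        return False                                   # restricted data is used only where it resides
    if action == "write" and subject.dept != resource.owner_dept:
        return False                                   # only the owning department changes the data
    return True


if __name__ == "__main__":
    # Constructed sample subjects and resources.
    forecast = Resource("q3-forecast", "confidential", "finance", "eu")
    memo = Resource("board-memo", "restricted", "finance", "eu")
    alice = Subject("alice", "finance", "confidential", "eu")
    bob = Subject("bob", "engineering", "internal", "us")
    carol = Subject("carol", "finance", "restricted", "us")
    for subj in (alice, bob, carol):
        for res in (forecast, memo):
            print(f"{subj.name:6} read {res.name:12} -> {may_access(subj, res, 'read')}")
    print("board-memo may reside in us ->", may_reside(memo, "us"))
```

Because every decision is derived from tags on the data and attributes of the requester, adding a new application or a new class of thing does not require a new access list; it requires that the new entity be labelled correctly, which is where the metadata discipline pays off.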
Principle No. 5: Accept the Limits of Technology and Become People-Centric
Through better data classification schemes, allow users to determine how to handle non-sensitive and non-critical access to applications and data.
Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response
As the amount of data within companies continues to expand exponentially, fully protecting everything becomes impossible. Invest in technology such as behavior anomaly detection tools to identify potential access risks.
The digital business challenge faced today by IT security and risk leaders is exemplified in the 1952 film “Scaramouche”. In the film, the fencing master tells his student, “A sword is like a bird. If you clutch it too tightly, you choke it — too lightly, and it flies away.” IT risk and security leaders have the same tension between tightly controlling their organizations to minimize exposure to risks and enabling business success in the digital industrial economy. Controlling the organization too tightly frustrates employees, customers and business partners.
These six principles will help leaders shift from tight and ineffective controls to resilience-driven measures that will enable IT risk and security leaders to propel digital business.