I have taken the lead on organizing Gartner’s guidance to our clients following the Sony Hack revelations. Of course, you have already read dozens of blogs and news articles packed with advice, so why would you need more?
The simple answer is that all the eyeball grabbers out there seeking to be first to print are only giving your eyeballs something to do. Long after the press and bloggers have moved on to the next shiny object, our clients are going to be fighting through the strategic repercussions of this event.
With 60+ analysts covering risk and security, our perspectives range from “we are all going to die” to “what’s the big deal?” but we are generating some very concrete guidance. Here are some early observations:
- North Korea, Shmorth Korea. The implications of this event do not hinge on North Korean involvement.
- Business disruption attacks are the new black. Regardless of who did it, the fact that you can walk into work one morning and everything will be down…hard…and it will take weeks to recover has not been seen before. Yes, we’ve seen this in nation-state-related enterprises in events such as Stuxnet and Saudi-Aramco, but downing (with prejudice) a commercial enterprise with no state sponsorship is new.
- What’s old is new again. We’ve been through hacks that capture executive attention many times before, but executives are already primed to listen this time. Don’t bang the drum on pet projects; there are new things to do, and old things to finally fix.
- Changes in the standard of due care. The low bar for security programs is going up.
In my previous blog post on Sony, I mentioned that behavior change is critical to success and that Gartner has some guidance on that with our people-centric security guidance. My colleague Tom Scholtz has written a guest blog: “People-Centric Security Can Help Limit Sony-esque Damage.”
Gartner clients should stay tuned for more good, practical Gartner advice in the wake of this event.