My colleagues and I recently attended the Gartner Security and Risk Management Summit. We participated in many of the Gartner sessions and found the content of the presentations engaging. Gartner shared several key messages in relation to risk management that I think are important for security practitioners and align with my philosophy in terms of mitigating risk.
One of the messages Gartner shared at this summit this year is a significant departure from what they shared in previous years. For the past two years, Gartner consistently communicated that a data breach is inevitable, and advised risk professionals to shift spending away from prevention technologies in favor of detection and response technologies. This year, however, Gartner communicated a very different view.
The conference opened with a hypothetical scenario of a new insurance company highly connected to its clients, business partners, and various information sources to ensure a high level of service. However, the greater convenience and expanded coverage it provides to its clients come with much risk associated with the many layers of information connectivity. This scenario highlighted the many challenges new digitally connected businesses will face, and those challenges set the stage for discussions and presentations on proposed solutions.
The overarching theme of multiple presentations related back to the hypothetical scenario of the modern digitally connected enterprise and its security risk challenges. Unlike other years, not once did I hear “prevention is dead,” nor did I hear “shift your spending from prevention in favor of incident response solutions.” In fact, it became clear to me that Gartner had shifted its view from previous years. During a session given by Gartner Research VP Greg Young on “State of the Threat Environment 2016,” Young rebutted one bad idea that Gartner had floated in the past: that detection should trump prevention. Young stated, “If you can prevent something, you should!” He went on to encourage a high-level, balanced approach to risk management. I found this ‘balanced’ approach reinforced throughout the conference, and it was clearly communicated in a session given by Research VP Peter Firstbrook, titled “Next-Generation Endpoint Protection.” In this session, as a precursor to his main topic on endpoint protection, Firstbrook covered a high-level solution to the challenge of managing information risk that balances four primary activities: Predict, Prevent, Respond and Detect, with the appropriate mix of these depending on the risk profile of the given business. Both presentations communicated a change in thinking and the need for both preventative and incident response solutions to address information security challenges.
I found the Gartner conference valuable and insightful, with several strong messages all consistently relating back to the information security risks that the modern digitally connected business faces today and will continue to face in the future. I was delighted to hear Gartner clearly recant their previous view on prevention versus incident response in favor of a more realistic and balanced view of solutions to security risk management.