Gartner: How to make a digital risk plan and sell it to the board

Collaborate with business units when writing the plan, write a pitch in the board’s own language

It’s not enough for security pros to figure out how to protect digital enterprises from risks that can ruin the business, they must effectively sell it to corporate boards whose blessing is needed to authorize the plan, Gartner analysts told attendees at their Security and Risk Management Summit.

With that in mind, three Gartner security specialists walked the roughly 3,400-person audience through how to create a plan to manage risk and minimize damage when – not if – an attack succeeds, and the strategy for buy-in from the board of directors.

“One hundred percent protection should not be the goal,” Gartner analyst Peter Firstbrook told the gathering. “The goal should be resilience.”

That means figuring out how to quickly detect attacks, then respond as fast as possible, he says.

The plan should identify the top half-dozen risks that threaten the business, and those are not necessarily the same as the ones that affect IT, says Gartner analyst Jeff Wheatman. The question to address is, “What are the top IT-related risks that could lead to business risks becoming real?” he says. That is what the corporate decision makers care about.

Security executives have to create controls that balance the need to protect the business with the need to keep it running efficiently. To do that, the security experts have to talk to the business leaders while they are creating the plan, he says. That acts as a trial run of what might fly when the plan is presented to the board.

Reactions from business group leaders can go three ways: we never thought of that; we worry about something else that’s not on your list; your list has items we don’t care about.

All of these answers are helpful because they focus IT’s security plan on what’s important to the business stakeholders, he says. “They all give you a better idea of what matters,” Wheatman says.

Digital businesses rely on complex combinations of machines, technology, partners and service providers, many of which are out of direct corporate control, so it’s important to work trust into the calculus, he says. Will the company be held liable for damages stemming from a breach of a digital business even though the element that was exploited was not directly controlled by the company?

Risk of fraud being carried out against the digital business is a top concern, he says. Fraud and legal liability can both be addressed by establishing an effective trust scheme that helps thwart attackers, he says.

What’s needed is a decentralized, distributed trust platform to establish trust between two platforms that have never met before, says Gartner analyst Felix Gaehtgens. The architecture should accommodate approaches to trust that range from trust everything until it proves itself untrustworthy to trust nothing until it proves itself trustworthy. He calls this adaptive trust.

It’s a sliding scale that businesses must adjust so the level of trust is equal to or greater than the risk to the business. If not, the business needs to either adjust trust or risk, he says.

Context is important in determining trust, he says. The machine connecting to a network, who the user is, how the connection is made, the user’s role and where data comes from are all examples of trust attributes that can be weighed in making trust decisions. Identity federation, attribute access control, standards and methodologies for demonstrating trust all contribute to assigning appropriate levels of trust, he says.
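The sliding scale described above can be made concrete as a small policy evaluator. This is an added illustration, not Gartner's or any vendor's scoring model: the attribute names, weights, penalties, the two posture baselines and the per-action risk values are all constructed assumptions; the one rule taken from the text is that trust must be equal to or greater than the risk, and when it is not, either trust is adjusted (step-up authentication) or risk is (the action is denied).

```python
from typing import Dict

# Positive trust attributes (machine, user, connection, role, data source) and
# how much each contributes, on a 0-100 scale. Weights are constructed.
TRUST_WEIGHTS: Dict[str, int] = {
    "device_managed": 30,        # connecting machine is corporately managed
    "strong_auth": 25,           # user identity proven with phishing-resistant MFA
    "connection_internal": 15,   # connection arrives over corporate network or VPN
    "role_matches_action": 20,   # user's role is entitled to the requested action
    "data_source_verified": 10,  # data originates from a verified source
}

# Negative indicators that reduce trust once observed (constructed values).
DISTRUST_PENALTIES: Dict[str, int] = {
    "device_compromised": 60,
    "anomalous_behavior": 30,
    "untrusted_network": 20,
}

# Two ends of the adaptive-trust scale: earn trust from zero, or start fully
# trusted and lose it as evidence of untrustworthiness appears.
POSTURE_BASELINE: Dict[str, int] = {"trust_nothing": 0, "trust_everything": 100}

# Business risk of each action on the same 0-100 scale (constructed values).
ACTION_RISK: Dict[str, int] = {
    "read_catalog": 10,
    "view_customer_record": 45,
    "approve_payment": 80,
}


def trust_score(ctx: Dict[str, bool], posture: str = "trust_nothing") -> int:
    """Combine posture baseline, positive attributes and penalties into 0-100."""
    score = POSTURE_BASELINE[posture]
    score += sum(w for name, w in TRUST_WEIGHTS.items() if ctx.get(name))
    score -= sum(p for name, p in DISTRUST_PENALTIES.items() if ctx.get(name))
    return max(0, min(100, score))


def decide(ctx: Dict[str, bool], action: str, posture: str = "trust_nothing") -> str:
    """Allow when trust >= risk; otherwise adjust trust (step-up) or risk (deny)."""
    risk = ACTION_RISK[action]
    if trust_score(ctx, posture) >= risk:
        return "allow"
    # Adjust trust: would proving identity with strong authentication close the gap?
    if not ctx.get("strong_auth") and trust_score({**ctx, "strong_auth": True}, posture) >= risk:
        return "step_up"
    # Adjust risk: the action is not permitted from this context.
    return "deny"
```

Under the "trust nothing" posture a managed device on the internal network with the right role scores 65, enough to view a customer record but only enough to approve a payment after step-up; under "trust everything" the same payment is allowed with no evidence at all until a negative indicator such as a compromised device pulls the score below the action's risk.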

This must be balanced with concerns about the privacy of personal and corporate data. That can be aided with encryption underpinned by blockchain technology like that used to verify Bitcoin transactions. He says startups are working on adapting this to deliver secure transactions and ensure privacy by enabling the sharing of identity attributes without over-exposing them.

Tools that can help include trusted hypervisors and containerization on untrusted devices, filtering with security gateways, and pervasive use of encryption with trusted key management.

IT needs to bridge the gap with software developers to encourage building security into the software development life cycle, Gaehtgens says. “We need to be involved at every phase of SDLC,” he says, in order to encourage the use of security APIs in applications and then protect them with API gateways.

Despite best efforts, security will likely be breached, and a plan for detecting and quickly responding to these incursions must be in place, Firstbrook says.

Tools to do this include behavior analytics of both users and devices using machine learning to spot changes in behavior that could indicate trouble. Deception tools can trap attackers and reveal their goals, he says.

Businesses need to find security hunters to digest this information to pick up on security incidents quickly, he says. When these are spotted, businesses need to isolate suspect devices and users and put a hold on transactions pending investigation, he says.

A crisis management team that spans legal, HR, IT, PR and business units needs to be created, trained and practiced so it can act quickly together when incidents arise, he says.

Once that is all in place, the plan has to be sold to the board using this template: 

  • Show the board you understand its business goals and objectives.
  • List the risks you can control or manage in order to help meet business goals.
  • Specify the technical steps you will take to address risks and meet business goals.

Stories by Tim Greene