3 Steps to Resilient Security
Gartner's Scholtz on a Risk-Based Approach to Enterprise Security
To build a resilient and secure enterprise, security leaders must take a risk-based approach and build the capabilities to understand the risk appetite of the organisation, says Tom Scholtz, Research Vice President and Fellow at Gartner.
They must also understand that there is no silver bullet for risk management. "There are no structured risk management frameworks or models; it is all about how you build the risk culture, combined with 95 percent of one's experience and 5 percent using technology," Scholtz says.
"To build this risk culture or frame an agenda," he says, "security leaders need to map the risk appetite of the organisation."
The three imperative aspects security leaders from this region seem to overlook, he says, are:
- Leadership team doesn't seem to have established a link with the board to discuss security;
- Practitioners, to a large degree, focus on compliance and ISO standards as the only security approach;
- They don't seem to be using the right language to communicate with business.
To bridge these gaps, Scholtz advises security heads to integrate hygiene, risk, security and compliance into the fabric of the enterprise, adopt a proactive risk-based approach, and establish that security risk management is part of corporate governance.
"To meet this," he says, "security leaders need to reinforce into the management mind through strong communication methods that security is part of executive corporate governance."
He also suggests that CISOs focus on three core aspects in building a resilient enterprise to combat growing threats: focusing on the core data that needs to be secured; shifting from preventive controls to detection and investing in the capabilities to detect and respond; and approaching users in a positive sense, with the understanding that they are the weakest link.
In this interview with Information Security Media Group, Scholtz says that CISOs need to be the catalysts who tie all divisions into driving corporate security governance. He offers insights on:
- How to develop a risk agenda;
- organizational risk with the right approach;
- How to build an effective security and risk governance function.
Scholtz is a Research Vice President and Fellow at Gartner, where he advises clients on security management strategies and trends, and is an acknowledged authority on information security governance, security strategy, security organizational dynamics, and security management processes. Based in the United Kingdom, Scholtz is a regular presenter at European industry events.