This year marked another great Gartner Security & Risk Management Summit, bringing over 3,000 CEOs, CIOs, CISOs, IT Directors, Risk Managers, and other risk and security professionals to National Harbor, MD from June 12-15. An underlying theme emerged from the numerous sessions I attended and the various conversations I had: all roads lead back to business value. Whether it’s a new vendor that a company is looking to onboard, or a cloud technology the organization is implementing, everything should tie back to a business decision.
Cybersecurity Should be a Critical Part of the Business
Security teams do not want to be blockers to business progress. They need a seat in business discussions rather than sitting in their own silos, viewed as shooting down ideas from the business. Although CISOs and CIOs meet regularly with their Board of Directors, there is often a gap in understanding between business needs and security requirements. Paul Proctor, for example, highlighted that there is no such thing as "perfect protection." Companies either accept higher risk at lower cost, or accept less risk at a much higher cost. As business needs change, the company moves along that spectrum, and security must be an important part of that dialogue. This highlights the need for executive reports that measure the link between where the business is going and how risk management, including vendor risk management, fits into that narrative.
Growing Concern: Complexities of the Third Party Ecosystem
Jay Heiser delivered a great presentation where he discussed security ratings and how they fit into a company’s vendor risk management strategy. The message is clear: continuous information outweighs a single point-in-time snapshot. In fact, organizations today are beginning to understand that continuous assessment processes are more reliable than rigorous assessments conducted once. Gartner estimates that by 2021, 50% of data will be outside of the physical control of enterprise IT, up from 10% today. As companies migrate their systems to the cloud, the need to scale their vendor risk management program and focus on cloud security will continue to grow.
The Need for Agility and Scalability in Risk Management
Security teams are being asked to be agile and adapt to the growing demands of the business. One of the themes that came up multiple times at the Gartner Summit is how organizations can do more with their existing resources. Organizations need to scale their vendor risk management programs, adjust their approach to match the speed of the business, and collaborate with internal and external stakeholders -- all with limited resources. Jasper Ossentjuk, CISO of TransUnion, was highlighted in the opening keynote for his security rating program and its ability to improve the company’s risk management processes without additional headcount.
To be agile, companies don’t necessarily need additional headcount. In fact, there was an interesting anecdote in one of the sessions. Jeffrey Wheatman talked about a CISO who would frequently report to the board and ask for additional security budget. Each time, he failed to connect the request for more budget to the needs of the business, and he was unable to use metrics to demonstrate improvements from the budget he had already been given. Eventually, that CISO was “demoted” to reporting to the CIO instead of the board of directors. This highlights the need for CISOs to be more agile with the resources they have, and to measure and clearly communicate the success of their security initiatives. A security ratings platform can help measure their own security posture and the aggregate risk of their vendor ecosystem.
The Evolving Regulatory Landscape: GDPR and China’s New Cybersecurity Law
There were discussions at the Gartner Summit on GDPR and China’s new cybersecurity law. Gartner estimates that by 2019, 30 percent of organizations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices.
Organizations appear to be focused on the concept of breach notification and data protection, and how these new guidelines potentially impact them as third parties to companies abroad. There is quite a bit of buzz around GDPR and China’s new cybersecurity law as organizations try to figure out how to approach the new guidelines. BitSight Security Ratings have provided a way for organizations to continuously monitor the security posture of their vendors and demonstrate their efforts to mitigate the risk from these third parties. The solution also enables those same service providers to monitor their own security posture and measure improvements over time.
This year’s Gartner Summit brought together a diverse set of c-level executives, risk managers, industry analysts, and technology providers. There were many innovative ideas shared during the sessions and keynotes, at lunch tables and networking events, and throughout the exhibit floor. The underlying theme is that the interconnected digital world of today is driving organizations to adjust their stance on security and risk management to better align with the needs of the business. One area in particular that is rapidly evolving is third party risk management. As organizations expand their supply chain ecosystem, it will become increasingly important to assess the varying levels of risk with each new vendor.
BitSight is at the forefront of that evolution, with nearly 100 Fortune 500 companies using security ratings to quickly scale their approach to third party risk management.