Our team has just released our annual security planning guide: “2018 Planning Guide for Security and Risk Management.” Every Gartner GTP customer should go and read it (in fact, the above link requires just such a subscription…)
The abstract states: “Although security has been a major challenge for digital business for many years, recent events mark a shift in security incident and compliance trends. This shift will require technical professionals to practice strong planning and execution of information security initiatives for 2018.”
Here are a few quotes (admittedly, they do not do this broad doc any justice):
- “Despite the strong enterprise focus on malware protection, recent ransomware incidents have caused significant business impacts, partly because enterprises have concentrated on data breaches, not sabotage. These incidents also reflect continued weakness in security hygiene.”
- “The number of security regulations is also rapidly increasing, mostly in the form of geography- or industry-specific compliance mandates related to protecting PII. But, none have as much potential impact as GDPR, which is front of mind for many organizations. […] Some organizations are even hesitant to invest in new security initiatives because of this uncertainty.”
- “Stay the course with a pragmatic approach to cybersecurity technology and practices. Avoid making radical changes just because of uncertainty from emerging compliance mandates and current attacks. Understand the minimum required security baseline, and supplement it with controls that are known to be effective against a wide range of threats and attacks.”
Much of the stuff in our planning document is, of course, not new, but has been eternally challenging. So, perhaps some of you would be offended that we say “do OLD stuff better” vs “do NEW stuff” a lot.
When we write this document every year, we ourselves royally struggle with this dilemma: do we say “try harder” [with the stuff like patch management and network segmentation, for example – the so-called basics] or do we say “forget it, it never worked and it probably never will – try this instead.” However, in the absense of solid proof that the new stuff is better, it is really hard to say “out with the old, in with the new” only becase the old has been kinda iffy…