

Gartner states that security is an integral part of the digital business equation when it comes to technologies such as Cloud and Big Data services, mobile and IT devices, agile DevOps and Blockchain. According to Gartner, security experts need to adapt security techniques for the Digital Age.
 
“The truth is that we had a binary worldview that no longer exists. White or black, good or bad, the answer is that we're not sure at either extreme. It could be either of the two. It can be both”, said Claudio Neiva, vice president of Research at Gartner, during the opening keynote of the Gartner Security & Risk Management Conference 2017, in São Paulo. “Ambiguity is the new reality. Adopt gray. The reality is that business leaders are moving full speed ahead, with or without you,” said Neiva.
 
A new way of thinking about security and risk
 
In 2014, Gartner introduced the Adaptive Security Architecture, which balances blocking and prevention capabilities with an equally critical capability for detection and response when the inevitable happens.
 
Today, security experts must focus on applying a new approach: CARTA – Continuous Adaptive Risk and Trust Assessment. The key is to apply the philosophy across the entire business, from DevOps to external partners.
 
“We need to focus on applying CARTA not just to already-implemented products, but to new services and features as they are built,” said Augusto Barros, Research Director at Gartner.
 
Execute, build and plan
 
Gartner analysts say organizations should apply CARTA in all three phases of risk management and information security: Execute, protecting against threats and controlling access at run time; Build, developing the ecosystem and partnerships; and Plan, with adaptive security governance and assessment of new vendors.
 
Execute CARTA
 
In the Execute phase, data analytics needs to be a standard part of the arsenal. Despite the inflated expectations surrounding Big Data, companies can derive real value from machine learning.
 
“Anomaly detection and machine learning are helping us find the bad guys that would otherwise slip through our rule-based prevention systems,” said Felix Gaehtgens, Director of Research at Gartner. “That's why Analytics is so relevant to security operations today. The process is good for finding villains in the data that other systems haven't.”
 
The average time to detect a breach in the Americas is 99 days and the average cost is US$ 4 million. Analytics speeds up detection and automation speeds up response, acting as a multiplier for the team without adding people. Together, analytics and automation let companies focus their limited resources on the higher-risk events with confidence.
 
For access protection in the digital world, activity must be monitored continuously. A single authentication at login is fundamentally flawed once a threat gets past the gate. For example, if a user is downloading confidential data to a device, the information must be encrypted with digital rights management before it is downloaded, and the user must then be monitored. If the user starts downloading unusually large volumes, access should be restricted or an alert should be raised for investigation.
 
Build CARTA
 
When it comes to DevOps, security needs to start early in development and identify issues that pose a risk to the organization before they reach production. Modern applications are largely assembled from libraries and components rather than written from scratch, so scanning those libraries for known vulnerabilities eliminates most of that risk. For proprietary code, you must balance the need for speed with the need for security.
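The library check above, as an added example that is not part of the original article: a dependency manifest is compared against an advisory feed before the build is allowed into production, using a half-open version range (introduced up to, but not including, the fixed version). The package names, versions and advisory identifiers are all constructed placeholders, not real packages or real advisories.

```python
"""Added example (not from the Gartner article): gating a build on known
vulnerable dependencies.  Package names, versions and advisory ids are
constructed for illustration and do not refer to real packages."""
import re

# Constructed requirements-style manifest
CONSTRUCTED_MANIFEST = """\
# application dependencies (constructed)
examplelib==1.4.2
parsekit==0.9.1
fastjson-demo==3.2.0
"""

# Constructed advisory feed: (package, introduced, fixed, advisory id)
# A version is affected when introduced <= version < fixed.
CONSTRUCTED_ADVISORIES = [
    ("examplelib", "1.0.0", "1.5.0", "ADV-EXAMPLE-0001"),
    ("parsekit", "0.8.0", "0.9.0", "ADV-EXAMPLE-0002"),
    ("fastjson-demo", "3.0.0", "3.2.1", "ADV-EXAMPLE-0003"),
]

_LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v):
    """Turn a dotted numeric version into a tuple that compares correctly
    (so 1.10.0 > 1.9.0, which plain string comparison gets wrong)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text):
    """Return {package_name_lowercase: pinned_version}."""
    deps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            # Unpinned or unparseable lines are rejected rather than
            # silently skipped: an unknown version cannot be checked.
            raise ValueError(f"unsupported manifest line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def find_vulnerable(deps, advisories):
    """Return (package, version, advisory_id, fixed_version) for every
    dependency whose pinned version falls inside an advisory range."""
    findings = []
    for pkg, introduced, fixed, adv_id in advisories:
        version = deps.get(pkg.lower())
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append((pkg, version, adv_id, fixed))
    return findings


def should_block_release(manifest_text, advisories):
    """Build gate: True means the build must not be promoted to production."""
    return bool(find_vulnerable(parse_manifest(manifest_text), advisories))


if __name__ == "__main__":
    for pkg, ver, adv, fixed in find_vulnerable(
            parse_manifest(CONSTRUCTED_MANIFEST), CONSTRUCTED_ADVISORIES):
        print(f"{pkg}=={ver}: {adv}, fixed in {fixed}")
    print("block release:", should_block_release(CONSTRUCTED_MANIFEST,
                                                 CONSTRUCTED_ADVISORIES))
```

The gate fails closed on manifest lines it cannot interpret, since a dependency whose version is unknown cannot be cleared; in a real pipeline the advisory list would come from a maintained feed rather than an inline constant.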
 
Ecosystem partners add new business capabilities and new security complexities. “Risk management is no longer the domain of a single company and must be considered at an ecosystem level,” says Gaehtgens. “The success of my product or service is now directly linked to others. My risk is their risk. Their risk is my risk. We are all in the same”.
 
With the CARTA way of thinking, organizations must continually assess ecosystem risk and adapt as needed. Partners will, in turn, assess your company's infrastructure, controls and digital brand reputation. For ecosystems with a dominant provider, the only way for a company to enter the ecosystem is after a risk and security assessment, and if the company proves too insecure it may be removed from the ecosystem. Continuous monitoring and assessment of the risks and reputation of major digital partners is essential.
 
Plan CARTA
 
The shift to the CARTA way of thinking will change how suppliers are evaluated going forward. They should meet five criteria: open APIs; support for modern IT practices such as Cloud and containers; support for adaptive policies, such as changing security posture based on context; and a focus on threat prevention and detection systems that protect against a wide range of threats accurately and efficiently, using diverse analytical methods.
 
“The CARTA strategic approach allows us to say yes more often. With a binary allow/deny approach, we have no choice but to be conservative and say no,” said Neiva. “With CARTA, we can say yes, and we will monitor and evaluate to be sure, allowing us to reach opportunities that were previously considered too risky.”
 
Access the presentation made by Gartner executives here.
