"A fire is coming," says Steve Riley, a research director at Gartner. It's a metaphorical fire, representing the rapid change in cybersecurity that's making traditional techniques like blacklists, whitelists, and malware signatures irrelevant.
It's now a spectrum of risk, Riley told the Gartner Security and Risk Management Summit in Sydney on Monday. Embrace the shades of grey, he said. Embrace all the colours of risk.
Each year, Gartner's summit kicks off with an explanation of their current framework for thinking about cybersecurity. Each year it morphs a little bit, adding new concepts as the cybersecurity threat landscape and technology evolve, dropping items as they lose significance because everyone's already on that same page.
Gartner's framework is, therefore, an indication of what organisations are not doing. And the more Gartner emphasises it, the more organisations really need to pull their fingers out.
In recent years, Gartner has stressed the importance of a risk-based approach to security, and a people-centric approach. Their most recent keyword has been "adaptive", steering away from the overused "agile". Most of these ideas were in one of the first slides we were shown on Monday.
"Manage Risk. Build Trust. Embrace Change by Becoming Adaptive Everywhere."
There's nothing new there, but it needs to be repeated.
Gartner also stressed the importance of using analytics to reduce the workload of cybersecurity staff. They cited the example of one US organisation that had used analytics to reduce the number of security events needing investigation daily from 1500 to 30.
Such productivity improvements are not unheard of. There's nothing new there, but if Gartner has to remind us, then there are plenty of organisations that are not doing that either.
This year, Gartner wants us to go beyond "adaptive", and they've got a new word for it: CARTA, which stands for continuous adaptive risk and trust assessment.
"A CARTA strategic approach enables us to say 'yes' more often. With a traditional binary allow-or-block approach, we had no choice but to be conservative, and to say 'no'. With a CARTA strategic approach we can say 'yes', and monitor to make sure, allowing us to embrace opportunities that were once considered too risky in the past," Riley said.
But is that so new? Not really. Gartner has simply -- and effectively -- condensed a bunch of contemporary concepts in cybersecurity into a catchy initialism. But again, it needs to be repeated.
Sid Deshpande, one of Gartner's principal research analysts, reminded us that digital business -- which is to say business -- is now deeply intertwined.
"Risk management is no longer the domain of a single enterprise, and it must be considered at the ecosystem level," Deshpande told the summit. Businesses should expect to continuously monitor the security posture of key providers, and should expect them to do the same back.
Still nothing new there, at least if you've been to some of the cybersecurity conferences in the last couple of years, but it needs to be repeated.
I'm not mocking Gartner. Far from it. Gartner's frameworks provide a pre-packaged mindset for organisations unable to create their own, which seems to be most of them. After all, as the Australian Financial Review reminded us on Monday, the Dunning-Kruger Effect means that clueless executives actually imagine themselves to be leaders.
Riley ended the keynote by returning to his metaphorical fire.
"There are two types of fires. Some that will consume everything in an uncontrolled and catastrophic manner, others that are anticipated. Perfect fire prevention isn't possible. Striving for it makes the fire worse when inevitably it does occur. To adapt, we light backfires to clear out the underbrush and continuously monitor for indications of an outbreak. Now, the ecosystem adapts, and even flourishes when smaller fires burn," Riley said.
"The fire is coming. It can bring destruction, or it can bring a new landscape of opportunity. Embrace the grey. Embrace the risk. Embrace CARTA."
All hail CARTA!
Seriously, though, if organisations are still failing in so many fundamental ways -- risk-based security, agility, trust-building, extending their security view out into their business ecosystem -- then they'll need more than a Gartner framework to save them.
They need a bit of that all-consuming, cleansing fire.