After the Gartner Security & Risk Management Summit APAC, Gartner analysts presented their strategic vision for vulnerability management, the challenges of enabling users to access corporate resources in a post-COVID-19 world, and the latest developments in the privacy landscape.
Strategic vision for vulnerability management
Vulnerability management is a critical security process; however, many organizations have problems optimizing their programs to achieve the desired results. Craig Lawson, VP analyst at Gartner, offered the following key takeaways:
- “Vulnerability management is arguably the best proactive thing you could be doing in your security operations program.”
- “One of the big changes you can make to your vulnerability program is to focus on the vulnerabilities that are being exploited in the wild. That should be the number one goal and will drive down the most risk, the fastest.”
- “Don’t think about whether a vulnerability is exploitable or accessible across the network, or whether it is medium or critical ranked. What you want to know is if bad guys are using them.”
- “Review your existing vulnerability assessment solutions and look for better prioritization. Make sure they support new assets like cloud, containers and IoT in your environment. If not, augment or replace the solution.”
- “Patching isn’t everything. It’s hard, can break things and takes time. Have a plan B - you need more arrows in your quiver than patching.”
- “If you do a better job of your vulnerability program, you drastically reduce your attack surface. It presents a much harder target for a threat actor to try to get an exploit working, and therefore, gain some leverage inside your environment. This is a big deal.”
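The prioritization Lawson describes, ranking findings that are known to be exploited in the wild ahead of anything else and using CVSS only as a tiebreaker, is easy to put into practice against an ordinary scanner export. The following is an added example written for this page, not code from Gartner or from any vendor. Both inputs are constructed inline: a minimal exploited-in-the-wild feed whose record shape (a `vulnerabilities` list with `cveID` and `knownRansomwareCampaignUse` fields) is modelled on the CISA Known Exploited Vulnerabilities JSON and should be treated as an assumption, and a scanner CSV with illustrative CVE IDs that do not refer to real vulnerabilities.

```python
"""Rank scanner findings: exploited-in-the-wild first, ransomware-linked next, CVSS last.

Added example for illustration; feed field names and all CVE IDs are constructed.
"""
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample feed. Field names are assumed to mirror a KEV-style export;
# swap in the real catalog JSON to use this against live data.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-0001", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-0004", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed sample scanner export. Note the critical finding is NOT in the feed.
SCAN_CSV = """\
asset,cve,cvss,severity
web-01,CVE-2021-0002,9.8,critical
web-01,CVE-2021-0001,6.5,medium
db-02,CVE-2021-0003,7.5,high
db-02,CVE-2021-0004,5.3,medium
jump-03,CVE-2021-0001,6.5,medium
"""


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    severity: str


def load_exploited(feed_json: str) -> dict[str, bool]:
    """Return {CVE ID: ransomware_use_known} for every exploited-in-the-wild entry."""
    feed = json.loads(feed_json)
    return {
        v["cveID"].strip().upper(): v.get("knownRansomwareCampaignUse") == "Known"
        for v in feed["vulnerabilities"]
    }


def parse_scan(csv_text: str) -> list[Finding]:
    """Parse a scanner CSV export; CVE IDs are normalised to upper case for matching."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Finding(r["asset"], r["cve"].strip().upper(), float(r["cvss"]), r["severity"])
        for r in rows
    ]


def priority_key(finding: Finding, exploited: dict[str, bool]) -> tuple:
    """Sort key: in-the-wild exploitation outranks ransomware linkage outranks CVSS.

    Python sorts ascending, so each element is negated (False sorts before True,
    and -cvss puts the highest score first within a band).
    """
    in_wild = finding.cve in exploited
    ransomware = exploited.get(finding.cve, False)
    return (not in_wild, not ransomware, -finding.cvss)


def prioritise(findings: list[Finding], exploited: dict[str, bool]) -> list[Finding]:
    """Stable sort so equal-priority findings keep scanner order (useful for diffing)."""
    return sorted(findings, key=lambda f: priority_key(f, exploited))


def patch_first(findings: list[Finding], exploited: dict[str, bool]) -> list[str]:
    """Unique CVEs to remediate first: those exploited in the wild, regardless of CVSS band."""
    ordered: list[str] = []
    for f in prioritise(findings, exploited):
        if f.cve in exploited and f.cve not in ordered:
            ordered.append(f.cve)
    return ordered


if __name__ == "__main__":
    exploited = load_exploited(KEV_FEED_JSON)
    for f in prioritise(parse_scan(SCAN_CSV), exploited):
        tag = "EXPLOITED" if f.cve in exploited else "-"
        print(f"{tag:9} {f.cve} cvss={f.cvss:<4} {f.severity:8} {f.asset}")
    print("patch first:", patch_first(parse_scan(SCAN_CSV), exploited))
```

Run as-is, the 9.8 "critical" finding drops below two "medium" ones because only the latter are in the exploited feed; that is the point of the quote above. A real deployment would fetch the catalog on a schedule and keep the scanner's own exploitability data as a secondary signal rather than discarding it.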
Solving challenges of remote access
No one was ready for the onslaught of remote workers that COVID-19 brought on. Rob Smith, senior director analyst at Gartner, shared the following:
- “Remote access VPN is arguably the most important tech for security and infrastructure and operations today.”
- “With the onset of COVID-19, workers now need a VPN to ‘get into the office’.”
- “The first step in brainstorming the best VPN technology for your organization is to define your use case along four key variables: 1) user, 2) device, 3) data and 4) location.”
- “There is no one right approach to remote access - you have to understand the strengths and limitations of each solution.”
- “Don’t use always-on VPN unless you have to.”
- “For the paranoid security people, virtual desktop infrastructure (VDI) solutions are best. It prevents enterprise data from making it to devices, however poor end-user bandwidth is a caution for workers in disparate locations.”
- “Classify the data that is important to your organization rather than trying to protect it all, and then pick the appropriate controls based on that classification.”
Privacy in 2021
New privacy laws are being proposed, passed, or struck down monthly. Customer trust hinges on how organizations handle their data, as consumers are more than likely to go to the competition if they are not satisfied.
Nader Henein, research vice president at Gartner, said that privacy is not a one-off project but rather an ongoing program that is just getting started.
- “Creating a strong privacy program means having an understanding of three things: 1) the current regulatory landscape, 2) the technology capabilities that support it and 3) the best practices that give control back to customers.”
- “COVID-19 highlighted the maturity of the framework established by the General Data Protection Regulation (GDPR). This has made a noticeable difference to global privacy.”
- “While organizations need to start the privacy discovery process manually to get a feel for the complexity within their data, it becomes quickly evident that there is a need for automation to deliver scale.”
- “One key success factor for a privacy program is the partnerships built with other organizational teams. Connect with your chief data officer (CDO) to understand what data is being used and how you can support them with privacy-preserving alternatives.”
- “Privacy is deeply personal.”
- “As you gain control over the data you process and turn it back over to consumers, compliance is no longer just a goal. It becomes part of the ethical fabric of your business.”
- “The pressure to transform has increased during the pandemic and trust is central in doing so: Through 2023, organizations that can instil digital trust will be able to participate in 50% more ecosystems to expand revenue-generating opportunities.”