Gartner: CISOs should ditch ‘zero tolerance’ prevention and focus on response & recovery
At the analyst firm’s annual cyber conference last week, Gartner controversially called for firms to accept ransomware losses and invest more in response and recovery playbooks starting with Gen AI and third-party supply chains. Ann-Marie Corvin reports
October 1, 2024
Enterprises need to acknowledge that it is impossible to stop all cyber attacks and breaches from occurring, must accept a certain amount of loss, and must elevate response and recovery to the same status as prevention, according to two Gartner analysts.
For many CISOs who have taken the ‘zero failure tolerance’ approach, this advice from Gartner VPs Akif Khan and Christopher Mixter, delivered during the influential analyst firm’s annual Risk and Security Summit, must have felt counterintuitive.
The analyst duo told leaders that, in an ever-expanding threat landscape, firms needed to start writing off annual losses from cyber attacks and ransomware.
“Retail stores accept a certain amount of loss due to shoplifting. Banks accept a certain amount due to the fraud because they know that stopping these things entirely would be completely cost prohibitive,” reasoned Khan.
“Organisations and their leaders have well-developed thresholds for fault tolerance everywhere. Everywhere, that is, except cybersecurity. Why are organisations OK about being ripped off by 3% of revenue due to fraud but think it’s completely impossible to experience any losses due to a cyber attack?” he asked delegates.
Time to invest in your IR, argued two Gartner analysts at the firm’s Risk and Security Summit
According to Mixter, preventing every single attack from happening was simply cost prohibitive. “We could spend 10 times what we do today on preventing cyber-attacks and still every organisation in this room would be massively exposed.”
The analysts argued that zero tolerance was also leading to burnout among staff. “Our zero tolerance kicks in and we say, ‘not on my watch’. But that’s a major source of burnout because heroism is exhausting,” said Khan.
“We need to break this hero mentality and one of the best ways to do that is to talk about what kind of impact you can tolerate. Work backwards and think of the level of investment,” he advised.
IR playbook for GenAI
In the conference’s opening keynote, Gartner unveiled the concept of “Augmented Cybersecurity,” advising leaders to shift away from a zero-tolerance mindset and invest in response and recovery capabilities.
Mixter called this “resilience through intention rather than resilience through adrenaline.” The analysts suggested that firms start by building incident response (IR) playbooks around two areas that are already coming under constant attack.
The first was generative AI, an area where, said Khan, it was impossible to prevent attacks from occurring 100% of the time. “Therefore, your ability to adapt, and respond and recover from the inevitable issues becomes critical for your organisation to explore Gen AI successfully.”
The analysts suggested starting with an IR handbook that asks questions such as: ‘If our data is not AI-ready due to quality issues, how much information are we willing to tolerate?’, especially for critical applications such as AI chatbots.
“Can you swap it out for a different AI alternative application? What are the switching costs? The most crucial question: can we pull the plug and recover business operations if something goes horribly wrong – for instance, how do we react if our chatbot decides to give customers unwarranted refunds?” Khan suggested.
While some may say that hand-holding an organisation through its GenAI efforts creates even more work for an overstretched cyber team, Mixter claimed it presents a unique opportunity for CISOs to lead the organisation and demonstrate that strong response and recovery is “the only way to succeed in the face of an ever-evolving technology like Gen AI.”
Gartner also predicted that by 2026 AI security applications would increase the efficiency of security operation centres by 40%.
“Rather than replacing existing tools, AI augments them by presenting it with issues that make it easy for non security staff to understand and take action – explainability, risk assessments and noise reduction all help to make sure the right issues are being prioritised while keeping distractions to a minimum,” Mixter observed.
He added that the next wave of Gen AI would create augmented agents “that observe user tasks and workloads but, unlike chatbots where you talk to them, the AI augment talks to you – reducing workloads and speeding up decision making…”
Gartner predicts that these augments will help “collapse the cyber security skills gap” by 2028, removing the need for specialised education for up to half of all entry-level cyber security positions.
Third party supply chain
The firm also highlighted third-party risk from vendors, recommending that organisations have a formal third-party contingency plan, including an exit strategy for when or if an incident occurs with a vendor.
Recent incidents such as the global CrowdStrike outage have highlighted the impact third-party systems can have on businesses.
“Augmented cyber security means building out these lines of defence to make it as easy as possible to manage third-party risk exposure… and put those plans into practice by conducting third-party incident response plans.
“We tabletop lots of things, surely it’s time we added third-party tabletop exercises to our roster?” said Mixter.
Such a plan, he added, could lead to a 43% improvement in the effectiveness of third-party cyber risk management.
Elsewhere, Gartner also advised that firms further consolidate their toolsets and create an inventory of what an organisation already has, to see where tech stacks can be streamlined – something the firm first suggested at the same conference last year.
On the show floor meanwhile, vendors had mixed views on Gartner’s keynote messaging.
Danny Jenkins, founder and CEO of Zero Trust cyber firm ThreatLocker, pointed out that in some sectors, once a breach has occurred, the irreversible damage has already been done.
“You can’t recover when your data has been extracted. The idea that you can recover from a cyber attack is rubbish.
“What happens when someone takes six terabytes of your confidential files? How do you recover from that? Once it’s out you can’t get it back.
“It doesn’t matter how good your IR is if you are a hospital, or if you are Boeing and all your aircraft designs go out to your rivals – that’s unrecoverable. You can’t transfer that risk and insure yourself against a market cap loss,” he told TI.
“The idea you should be investing in response and not in detection is crazy. Of course, you want to have an IR plan, but this plan should never have to be used. I’ve got fire extinguishers in my home and smoke detectors, but I’d rather not leave the pan on the hob when I go out.
“The best response should be never having to execute it. There are so many attacks and that’s why zero trust is so important. It’s impossible to detect every single attack – but if you harden and make your system more controlled, then the attacks can’t happen.”
Nick McKenzie, Bugcrowd CISO
Nicholas McKenzie, CIO and CISO of bug bounty platform Bugcrowd, meanwhile said that while a consolidation of tools made sense, protective security controls and preventive controls should still be the priority.
“Both from an operational and cost perspective, consolidation of security tools is forefront and centre of everyone’s agenda.”
“However, accepting that there’s a risk and being effectively breached and responding all the time is a vastly different mentality. If you keep responding and recovering to attacks, you are going to have to keep pooling more and more resources into responding versus stopping them at the gate.”