Technology-only approach 'not adequate' for protection

Gartner analyst advises addressing cultural, organisational and governmental changes.

By Tom Paye. Published March 17, 2014

A solely technology-driven approach to information security is no longer adequate when it comes to protecting the enterprise, according to Earl Perkins, research vice president at Gartner.

Speaking to ITP.net, Perkins explained that, while technology still plays an important role in securing the enterprise, organisations need to consider the cultural, organisational and governmental changes required to combat the latest threats.

"If you throw technology at this problem or view it only in the context of technology, you will fail in your efforts to adequately protect your enterprise," he said.

"A revolution is coming in the way enterprises organise for security - it will no longer be just about 'information' or 'IT' security, but will have a broader remit that includes operational technology (OT, which means industrial control and automation systems), physical security and mobile security. In other words, the new security responsibility is IT, plus OT, plus physical and mobile."

Speaking about the new breeds of security threats facing the Middle East, such as cyber-warfare, Perkins said that the biggest threat facing the region was a lack of preparedness.

"While the media has made much of cyber-warfare concepts and the threat itself is real, the major problem is one of unpreparedness," he said.

Perkins said there was a lack of understanding by executives on the nature and scope of threats, and how they can impact the bottom line. He added that there is a lack of prioritisation for addressing the problem due to other urgent issues. The final issue, he pointed out, was the way in which companies approach detection awareness.

"Within the operations of the company, [there is] an issue of 'not knowing what we don't know'. This means a lack of detection awareness of a successful attack and taking steps to mitigate the impact rather than depending too much on prevention that is becoming increasingly ineffective."

However, the industry can take steps to remedy the problem, Perkins said. It begins with a top-down approach that starts with executive awareness, understanding and accountability. Perkins also advised establishing security principles and policies consistent with enterprise business goals, and identifying skills deficits.
