It has been a few weeks since GSX has wrapped up in Chicago and even if the onsite event is already a few weeks behind us, I am, as are many of my colleagues, still in post-GSX mode.
Here is my take on this year’s GSX.
As many of you know, the reason that TrackTik has an Industry team is that we are focused on the security industry. Part of our raison d’être is to positively impact the same. We want to disrupt it, and we want to contribute to “better” and “smarter” security. That brings me to my first takeaway, namely, knowledge. There were four main points that stuck with me throughout GSX as a theme.
If you did not see these 4 letters stuck together at GSX you likely never left your hotel room! Enterprise Security Risk Management is the industry’s battle cry and it defines where we should be going. The concept was defined over and over again, but in short, think about it in this way –
ESRM is a strategic security program management approach that ties an organization’s security practice to its mission and goals, using globally established and accepted risk management principles. In other words: not security for security’s sake, but rather, how can security enable the business to operate and attain its goals.
The definition resonates with me because one of the key ways to show the contribution is by having and harnessing the data that is generated by your security program. With this, you can create internal report cards for all of your stakeholders.
As a security service provider in this landscape your approach to supporting corporate security’s goal in supporting business’ objectives will make or break their ability to prove their value. Providing the data to your clients helps you clearly show the value of what you are bringing to the table, and this, in turn, allows them to show the value internally.
Continuous improvements on the security plan occur as a result of the ESRM outcomes: improved communications, greater visibility into security risks, and effective response – all of which are more obvious when you can share data with your clients.
Similar to ESRM, I found risk on its own to be a common theme.
While ESRM is security showing its value and supporting an organisation, security risk, in general, is what security professionals manage on a daily basis regardless of the sector or the environments that they operate in. Sure, the equation of T x V x I has not changed, but the variables of it are rapidly evolving. Such evolution is forcing security professionals to constantly educate themselves on the sources of risk, and forcing service providers to adjust as well. Part of said adjustment is feeding information to clients. This includes, but is not limited to:
- Where are incidents happening?
- Based on what threat?
- How does that impact the risk register?
We often make educated guesses on the topic, but the more accurate and factual the incident data, the more precise we can be in preventing future incidents.
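To make the "incident data feeds the risk register" point concrete, here is an added example (not code from the post or from TrackTik) that derives the T term of T x V x I from constructed incident reports and recomputes each register entry. It assumes the usual reading of T as threat likelihood, V as vulnerability and I as impact, each on a constructed 1 to 5 scale; the sites, threat categories and banding are illustrative.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class RegisterEntry:
    site: str
    threat: str
    vulnerability: int  # V, 1-5: how exposed the site is to this threat
    impact: int         # I, 1-5: consequence if the threat is realised


# Constructed sample incident reports: (site, threat category).
INCIDENTS = [
    ("warehouse-A", "theft"), ("warehouse-A", "theft"), ("warehouse-A", "theft"),
    ("warehouse-A", "trespass"),
    ("hq-lobby", "tailgating"), ("hq-lobby", "tailgating"),
    ("data-hall", "tailgating"),
]

# Constructed risk register with assessor-supplied V and I per (site, threat).
REGISTER = [
    RegisterEntry("warehouse-A", "theft", 3, 3),
    RegisterEntry("warehouse-A", "trespass", 2, 2),
    RegisterEntry("hq-lobby", "tailgating", 4, 2),
    RegisterEntry("data-hall", "tailgating", 3, 5),
]


def threat_level(count: int) -> int:
    """Map the observed incident count for a (site, threat) pair to a 1-5 T rating.
    Constructed banding; a real program calibrates this against its own history."""
    for limit, level in ((0, 1), (2, 2), (4, 3), (8, 4)):
        if count <= limit:
            return level
    return 5


def score_register(register, incidents):
    """Return {(site, threat): (T, V, I, T*V*I)} with T derived from incident data."""
    counts = Counter(incidents)
    scored = {}
    for e in register:
        t = threat_level(counts[(e.site, e.threat)])
        scored[(e.site, e.threat)] = (t, e.vulnerability, e.impact, t * e.vulnerability * e.impact)
    return scored


def top_risks(scored, n=3):
    """Highest-scoring register entries first; this is the view a client report card needs."""
    return sorted(scored.items(), key=lambda kv: kv[1][3], reverse=True)[:n]


if __name__ == "__main__":
    for (site, threat), (t, v, i, risk) in top_risks(score_register(REGISTER, INCIDENTS)):
        print(f"{site:12s} {threat:10s} T={t} V={v} I={i} risk={risk}")
```

Note that the data hall tops the list with a single incident because its impact rating outweighs the higher incident count at the warehouse, which is exactly why incident counts alone are a poor proxy for risk.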
If we take a step back to ESRM then consider the following 4 key pillars of the foundation of an ESRM program as it applies to risk:
- Holistic risk management
- Partnership with stakeholders
- Governance: be able to understand successes and failures as a security department.
It is fun watching the industry mature and professionalize in its adoption of a management approach that we can all rally around, and, it goes without saying that the value that quality service providers can bring to this evolution is obvious.
There are no longer physical barriers between information security threats and physical security threats. I heard this over and over again in multiple sessions.
The information security silo and the physical security silo are not only getting closer and closer, they are more often than not overlapping, at least in theory, if not in the reality of organizational structures. When the analysis is being done you have to look at threats coming from any source: seen or unseen; physical or logical. The mitigating measures being put in place should consider these multiple threat angles. This goes back to a point I often make: we can no longer secure facilities only through guns, gates, and guards.
During the GSX seminar that I had a chance to participate in, one of my co-presenters mentioned that in the past they were never asked about cybersecurity. This sounds baffling given that today it is a part of most conversations – considering the volume of connected devices, information security can be threatened in any situation.
We cannot forget compliance in this discussion. Whether it be GDPR or other data protection regulations, security must be included in the design phase of projects, and defined goals around how data is used, protected, and possibly deleted should be clearly stated. Thus, partnering with service providers that are in line with this approach is essential.
Innovation is possibly one of today’s biggest buzzwords, and I heard it a lot in the conversations at GSX.
The good thing is that there appears to be a genuine appetite to truly start doing things differently. The status quo does not cut it anymore. We now know that we should leverage automation: use the machine for repeatable tasks and the humans where their intervention skills are necessary. The desire to at least be open to Industry 4.0 is refreshing. As an industry we have always relied on partnerships, and that was obvious and present again at GSX. The evolution, in this case, is more around how innovation really wants to take us beyond the features of individual parts. The overall desired outcome is what is important.
There is a realisation that many political, economic, social, technological and legal factors need to be addressed in order to truly be able to deliver quality security. Many of these legal items (bringing me back to compliance) are far too voluminous to be managed in an ad-hoc way. Taking advantage of “current event technology”, including mobility, software as a service, etc., is now part of the conversation, where just a few years ago these were mere anecdotes. Innovation can help with engagement, performance, turnover, overtime management, and much more. I encourage you to keep an eye on our take on what the 360-degree environment could look like!
On the tradeshow floor, I found the security conversations to be much more business-focused. There appeared to be a deeper understanding that corporate security executives have a clear desire to be as efficient as possible and are working with their service providers to nail shut the efficiency gaps.
The discussions went beyond ROI (return on investment), venturing also into how we can do these things better, and what other factors can be measures of success. ROD (return on data) was a common item, along with the realisation that as we address these multiple economic factors we have data that will enable us to run better. The data that people were after went beyond incident data, and more into operational data. In a nutshell, security service companies’ feedback was in and around the need to partner up in order to cope with the industry’s pains correctly and efficiently. All the efficiency is well and good, but without a way to harness it in some sort of dashboard and analytics reporting, it would be too much to handle and to act upon.
See you in Georgia!
September 2019 is barely behind us but I am looking forward to what #GSX20 has in store for us. If I had to consult my crystal ball then I would guess that many of the underlying themes will be back but their impact will be exponential. Everything changes quicker, and what is next is not on the horizon, it is around the corner. A clear desire to do more with less will prevail, as will the appetite for data. More decisions will be “automated” and a serious catch-up on the 10 years of technology lag will have taken place.
See you in Atlanta (if not before!).