Published on the 19/03/2024 | Written by Heather Wright

Thriving amid complexity…

It’s time to dump the zero tolerance to failure mindset of cybersecurity – and some of your cybersecurity tools.

Attendees at this week’s Gartner Security and Risk Management Summit in Sydney were told to build fault tolerant organisations – shifting leaders away from the zero tolerance for failure – while elevating response and recovery to equal status with prevention, and embracing a minimum effective toolset approach in order to enable cyber security practices to thrive, despite increasing complexity and threats.

“For once, regulation is emerging as a tailwind rather than a headwind.”

Chris Mixter, Gartner VP analyst and Denis Xu, Gartner senior director analyst took to the stage to outline Gartner’s take on how cyber security practices can thrive, rather than merely survive, with a concept the analyst firm is calling ‘augmented cybersecurity’.

And yes, it does include AI, but it extends well beyond AI too, Mixter says.

“It is a whole of function approach to increasing your organisation’s resilience in a sustainable way,” he says.

Xu says its not the legions of threat actors, the ever expanding attack surfaces or even the chronic shortage of resource causing the biggest issues for CISOs and cyber security teams.

“It’s the mindset of zero tolerance for cyber failure that exists both within the cyber function and throughout the organisation,” Xu says.

While retailers are willing to accept a certain amount of losses from shoplifting, and banks accept a certain amount of fraud, the common thinking is that any impact from cyber attacks is unacceptable, the pair note.

“Regardless of where the zero tolerance to failure mindset came from it is the responsibility of folks in this room to break it,” Mixter told conference attendees.

He urged them to change tack and when asked whether an attack in the news could happen to your organisation, to say ‘yes, so lets talk about what impact we can tolerate’.

“That is the smart way to work backward to the appropriate cybersecurity investments,” he says, while also acknowledging that for many it would spark concerns of being sacked.

“We need to get passed that.”

And if the increasing volume and impact of breaches globally isn’t enough to “give you the courage to impart a bit of realism to your stakeholders zero tolerance mindset” Mixter offered up legislation. He noted that the SOCI Act, ARPA CPS234 and CPS235 and other legislation being passed around the world signal the trend to reset expectations around cyber security. But rather than considering them as yet more compliance to deal with, Mixter says the regulations will help security professionals.

“These regulations are moving to a place where we don’t have to be perfect. We have to be transparent. We have to be defensible.

“For once, regulation is emerging as a tailwind rather than a headwind. Lean into that tailwind. Build out and make visible your practices and procedures for responding to, adapting and recovering from incidents that are inevitable.

“If zero tolerance for failure was ever an appropriate mindset, it is a liability today,” Mixter says.

Part of building that fault tolerant organisation will also lie in rebalancing cybersecurity control spend, with more emphasis put on response and recovery.

Gartner’s Cybersecurity Controls Assessment shows organisations rank response and recovery as of higher importance than protection, yet response and recovery had the biggest gap between current and desired levels of maturity.

“In a time when incidents and breaches are daily occurrences, we need to close those gaps and get better at response and recovery,” Xu says.

Mixter says the zero tolerance for failure mindset is to blame for the collective under-investment in response and recovery.

They’re not advocating companies stop investing in protection, but that response and recovery take equal status as prevention and become seen as value creators, rather than emergency activities.

Two key areas where Gartner says companies can start their journey to a fault tolerant organisation – and where preventative measures can’t keep up with the rapidly expanding attack surfaces – are generative AI and the use of third parties.

Gartner has forecast generative AI to cause a spike of cybersecurity resources required to secure it, causing more than 15 percent in incremental spend on application and data security.

The pair urged organisations to start building handbooks for generative AI use which ask questions such as:

• If our data is not AI-ready, how much hallucination is tolerable?
• What alternatives to AI are available to achieve the objective?
• What is the switching cost to another approach if we need to?

And the most critical response and recovery question:

• Can we pull the plug if something goes wrong?

“When it comes to building cyber fault tolerance in your organisation, prioritise conversations today around likely generative AI cases, engage generative AI app owners with the four questions playbook and focus third party cyber risk management fire power on the business continuity management activities,” Mixter says.

The pair were also clear there’s an overabundance of cybersecurity offerings in most organisations. And it’s hindering, rather than helping.

Gartner is advocating a ‘minimum effective toolset’ approach using the fewest number of technologies needed to manage observations, defence and response to exploitation.

But that approach isn’t as simple as cleaning out your toolsets.

“Old gaps in our defence expand and new gaps get created everyday. So we need to make it safe and not create more gaps in this pursuit of a minimum effective toolset,” Xu says.

And first up, he says, is creating an inventory of what you already have.

That’s the approach taken by bathroom manufacturing company Kohler.

It mapped its existing tools to its controls framework to create a single source of truth around its technology portfolio, bringing objectivity to where it had unhelpful redundancy or opportunities for streamlining and providing clarity on real gaps so it could be intentional in closing them.

Mixter says some Gartner clients have knocked out the mapping exercise using spreadsheets, highlighting the straightforward nature of the project.

Before going to market to close any gaps, Kohler also looked internally at what existing tools could augment existing capabilities.

“Buying new tools risks re-crowding the attic that we just cleared out,” Xu says. “And we have all seen security tools with unused licenses and components.

More intriguingly, Kohler found non-security products used by other teams that could also be used for security purposes.

Mixter says generative AI augments – genAI based agents that observe user tasks and workflow and provide inline support to boost staff capability, providing prompts for users – will also be key to the solution, enabling existing teams to do more, and new staff to become more productive more quickly.

“But we want to acknowledge that for those of us in cybersecurity just like those all around organisations, when it comes to this AI business there are going to be setbacks. There are probably going to be failures, but we need to be bold here.

“We need to see if generative AI can create some slack in the system to enable our humans to work more productively to turn their attention to more complex problems.”

Rounding out the concept of augmented cybersecurity was a push for the creation of a more resilient cyber workforce with ‘resilience through intention’.

Building self care resources directly into employee workflows and treating personal resilience as the competency it is and helping people build that competency, along with redesigning work to reduce burnout all featured in Xu and Mixter’s recommendations.