

Neil MacDonald: Vice-president and distinguished analyst, Gartner

Combat security risks with an adaptive approach to risk management, says Gartner.

Security is an integral part of the digital business equation when it comes to technologies such as cloud services, big data, mobile and IT devices, rapid DevOps and blockchain: security experts must adapt their security techniques for the digital age.

Speaking at the Gartner Security & Risk Management Summit 2017, Neil MacDonald, VP and distinguished analyst at Gartner, said: “The truth is, we’ve had a binary view of the world that no longer exists. Black or white, good or bad: the answer is we don’t really have certainty in either extreme. It could be either. It can be both. Ambiguity is the new reality. Embrace the grey.”

To stay competitive with emerging business opportunities, MacDonald, a Gartner veteran and specialist in securing next-generation virtualized and cloud-based computing environments from advanced attacks, recommends that security experts apply a new approach, specifically CARTA: Continuous Adaptive Risk and Trust Assessment. The key to CARTA is to apply the philosophy across the business from DevOps to external partners.


“We need security that is adaptive everywhere — to embrace the opportunity — and manage the risks — that come with this new digital world, delivering security that moves at the speed of digital business,” says MacDonald.

Run, Build, Plan

MacDonald, together with research director Eric Ahlm and research vice-president Ramon Krikken, explored how to apply CARTA across three phases of information security and risk management:

1. Run: Runtime threat protections and access protection
2. Build: Development and ecosystem partners
3. Planning: Adaptive security governance and evaluating new vendors.


Data analytics should come as standard when it comes to CARTA, and companies can derive real value from machine learning, said Ahlm. “Anomaly detection and machine learning are helping us to find bad guys that have otherwise bypassed our rules-based prevention systems. That’s why analytics are so relevant to security operations today; they are good at finding bad guys in the data that other systems missed.”

The average time to detect a breach in the Americas is 99 days and the average cost is $4 million. Analytics speeds up detection and automation speeds up response time, so that enterprises can focus with confidence on the events carrying the highest risk. Constant monitoring is another requirement: one-time authentication is fundamentally flawed when the threat is already past the gate…
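The Run phase above argues that authenticating once at the gate is not enough and that trust in a session has to be re-assessed continuously as context changes. The following is an added illustration of that idea, not code from the article or from Gartner: a small, constructed risk scorer that re-evaluates every request in a session against its context (resource sensitivity, device, source country, egress volume, time since last authentication) and returns a graded decision (allow, step-up, deny) rather than a binary one. All weights, thresholds and session events are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Sensitivity of the resource being requested (assumed weights).
SENSITIVITY = {"public": 0, "internal": 20, "admin": 40}


@dataclass
class Event:
    t: int               # seconds since the session started
    ip_country: str      # country of the client IP
    device_known: bool   # device previously enrolled for this user
    resource: str        # one of SENSITIVITY's keys
    bytes_out: int       # response size returned to the client


@dataclass
class Session:
    user: str
    home_country: str
    baseline_bytes: int  # typical per-request egress for this user


def risk_score(session: Session, ev: Event, minutes_since_auth: int) -> int:
    """Score one request in context, 0 (no concern) to 100 (assumed scale)."""
    score = SENSITIVITY[ev.resource]
    if not ev.device_known:
        score += 25                       # unenrolled device
    if ev.ip_country != session.home_country:
        score += 30                       # request from an unusual country
    if ev.bytes_out > 5 * session.baseline_bytes:
        score += 35                       # egress far above this user's baseline
    # Trust decays the longer it has been since the user proved who they are.
    score += min((minutes_since_auth // 30) * 5, 20)
    return min(score, 100)


def decide(score: int) -> str:
    """Graded decision instead of a binary allow/deny (assumed thresholds)."""
    if score < 40:
        return "allow"
    if score < 70:
        return "step-up"                  # ask for re-authentication, then continue
    return "deny"


def assess_session(session: Session, events: List[Event]) -> List[Tuple[int, str, int, str]]:
    """Re-assess every request; a successful step-up resets the trust clock."""
    decisions = []
    last_auth_t = 0                       # the initial login happened at t = 0
    for ev in events:
        minutes = (ev.t - last_auth_t) // 60
        score = risk_score(session, ev, minutes)
        action = decide(score)
        if action == "step-up":
            last_auth_t = ev.t            # assume the user passes the challenge
        decisions.append((ev.t, ev.resource, score, action))
    return decisions


# Constructed session: the same authenticated user drifts into a risky context.
SESSION = Session(user="alice", home_country="US", baseline_bytes=2000)
EVENTS = [
    Event(t=0,    ip_country="US", device_known=True,  resource="public",   bytes_out=2000),
    Event(t=600,  ip_country="US", device_known=True,  resource="internal", bytes_out=3000),
    Event(t=1200, ip_country="US", device_known=True,  resource="admin",    bytes_out=3000),
    Event(t=1300, ip_country="DE", device_known=True,  resource="internal", bytes_out=3000),
    Event(t=1500, ip_country="DE", device_known=False, resource="admin",    bytes_out=200000),
]

if __name__ == "__main__":
    for t, resource, score, action in assess_session(SESSION, EVENTS):
        print(f"t={t:5d}s  {resource:8s}  risk={score:3d}  -> {action}")
```

The point to take from the run is that the third and fourth requests are neither refused nor waved through: the admin request and the sudden country change each trigger a step-up, and only the combination of unknown device, foreign country and bulk egress on a privileged resource tips the last request into a deny.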


When it comes to DevOps, security needs to start early in development to identify issues that represent a risk to the organisation before they are released into production. Modern applications are not so much developed as assembled from libraries and components. Scanning those libraries for known vulnerabilities eliminates the majority of the risk. For custom code, balance the need for speed with the need for security.
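The paragraph above recommends scanning assembled libraries for known vulnerabilities before release. As an added example (not the article's or any vendor's code), here is a minimal dependency check in the spirit of that advice: it parses a pinned manifest in pip requirements.txt syntax, compares each pinned version against an advisory feed, and reports packages below the first fixed version. The manifest, the package names and the advisory identifiers are all constructed placeholders; real tooling would pull advisories from a live feed and handle version ranges and pre-release tags more carefully.

```python
import re
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt syntax; not a real project's file.
MANIFEST = """\
# constructed example manifest
webframework==1.4.2
jsonparser==0.9.0
crypto-helper==2.3.1
logfmt>=1.0  # unpinned: exact version unknown at scan time
"""

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
# The ids are placeholders, not real CVE numbers.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "webframework":  [("ADV-PLACEHOLDER-001", "1.4.3")],
    "jsonparser":    [("ADV-PLACEHOLDER-002", "1.0.0")],
    "crypto-helper": [("ADV-PLACEHOLDER-003", "2.3.0")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: pinned version}, [lines that are not exact pins])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)               # ranges cannot be assessed exactly
    return pinned, unpinned


def scan(pinned: Dict[str, str],
         advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """List (package, pinned version, advisory id, fixed version) for vulnerable pins."""
    findings = []
    for name, ver in pinned.items():
        for adv_id, fixed in advisories.get(name, []):
            if parse_version(ver) < parse_version(fixed):
                findings.append((name, ver, adv_id, fixed))
    return findings


if __name__ == "__main__":
    pins, loose = parse_manifest(MANIFEST)
    for name, ver, adv_id, fixed in scan(pins, ADVISORIES):
        print(f"{name}=={ver}: affected by {adv_id}, upgrade to >= {fixed}")
    for line in loose:
        print(f"{line}: not pinned, resolve to an exact version and re-scan")
```

Two practical points the output makes visible: a pin that is already at or above the fixed version (crypto-helper here) produces no finding, and an unpinned requirement is flagged separately because a scan cannot vouch for a version that is only resolved at install time.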

An ecosystem of business alliances adds new business capabilities – and new security complexities. “Risk management is no longer the domain of a single enterprise and it must be considered at ecosystem level,” said Ahlm. “The success of my product or service is now fundamentally intertwined with others. My risk is their risk. Their risk is my risk. It’s one and the same.”


With the CARTA mindset, organisations must continuously assess the ecosystem risk and adapt as necessary. Your partners should also be assessing your enterprise, infrastructure, control and digital brand reputation. For ecosystems with a dominant anchor provider, the only way a company will be allowed in is after a security and risk assessment. If your company is too risky, the organisation might be removed from the ecosystem. Continuous monitoring and assessing of the risk and reputation of major digital partners is essential.


Assess compliance and governance at an enterprise level. What level of risk is acceptable to business leaders? Analytics will provide modelling and predictions about areas of risk and about the opportunities available if the business is willing to accept more risk. Continuous monitoring of analytics will allow you to explain risk in business terms. The business will need support in setting priorities, so security experts must do their best to build reasonable guardrails and help define acceptable levels of trust and risk.

CARTA should also be used to evaluate vendors, to ensure they meet five criteria: open APIs; support for modern IT practices such as cloud and containers; support for adaptive policies, such as being able to change security posture based on context; full access to data without penalties; and multiple detection methods.

“A CARTA strategic approach enables us to say yes more often,” said MacDonald. “With a traditional binary allow/deny approach we had no choice but to be conservative and say no. With a CARTA strategic approach, we can say yes, and we will monitor and assess it to allow us to embrace opportunities that were considered too risky in the past.”

These and other security issues will be discussed further at the Gartner Symposium/ITxpo taking place in Cape Town, South Africa, from 18 to 21 September this year.