How to Align Security to Business Performance
Gartner's Deshpande on New Strategies for Measuring Security Investments
Increasingly, as enterprise leaders plan security investments, they think not just about threats and technology, but also how to tie their decisions to business performance. Gartner's Sid Deshpande explains the shift.
"Most organizations are thinking along the lines of aligning risk and security to corporate performance," says Deshpande, Singapore-based principal analyst at Gartner.
To meet this objective, security practitioners need to take a strategic approach to making tactical investments in security, Deshpande says.
"Since organizations are taking a risk-based approach to their investments, practitioners need to learn best practices and mechanisms to do risk profiling, where the budget procurement process gets easier and quicker," he observes.
The focus then shifts from preventive technologies to detection and control mechanisms, an area where practitioners are constrained by a lack of skills.
"It is all about dealing with people, process and technology, and I would recommend CISOs having a cross-pollination of teams to enhance the security posture of the organization," Deshpande says.
In this interview with Information Security Media Group, Deshpande discusses:
- Priority areas for security practitioners in the next 12 months;
- Leveraging outsourcing models to improve security;
- Taking a strategic approach to have board-level security discussions.
Deshpande advises both technology providers and buyers on security-related topics. He frequently engages Gartner clients in a variety of ways, ranging from research, inquiry and strategic advisory to speaking engagements at Gartner events and client-side events/workshops. His primary areas of focus include security market opportunity and growth projections; managed security services; cloud access security brokers; and security sales and go-to-market strategies. Secondary areas of focus include SIEM; CIO strategic priorities; distributed denial-of-service; and digital risk.