Challenging the myths and embracing change for secure sustainability transformation

Fujitsu / November 16, 2023

Fujitsu has identified Data & Security as one of five key technology areas that can drive sustainability transformation and enable digital trust, which in turn helps to create a secure cyber-physical society better able to protect against cyber threats. Fujitsu addresses these key security aspects within the services and solutions provided to support our clients in their digitalization journeys. Represented by John Swanson — Head of Cyber Security Division, Fujitsu Hybrid IT — Fujitsu recently participated in the Gartner Security & Risk Management Summit 2023 to hear the latest industry trends and insights to ensure that we are able to support, and exceed, the demands of our clients. In this interview, Swanson uncovers key myths about cyber security and also discusses Zero Trust security challenges.

What are your key takeaways from the recent Gartner Security & Risk Management Summit?

The Gartner Security & Risk Management Summit, a 2-day event hosted in London at the end of September 2023, is an annual event that helps leaders in the field of security and risk management gain know-how on upcoming trends and threats in the field. Gartner reinforced the tangible value that cyber security can, and should, generate for the enterprise while simultaneously challenging cyber security professionals to rethink outdated security principles and practices to enable transformation.

Gartner proposed a paradigm shift for cyber security professionals to rethink many of the current principles used for securing the enterprise and challenged us to reconsider the approach to cyber security across business engagement, technology, and talent. By having a ‘minimum effective mindset’, which is an ROI-driven approach, we can deliver maximum effect and debunk four myths, namely:

  • Myth #1: More data equals better protection — Instead, cyber security should concentrate on obtaining the minimum amount of data necessary to address vulnerabilities effectively.
  • Myth #2: More technology leads to enhanced protection — This perspective can result in hasty or point technology acquisitions creating greater complexity and noise.
  • Myth #3: More cyber security professionals mean better protection — Scaling services to match enterprise pace necessitates a different approach than more people.
  • Myth #4: More controls yield better protection — Excessive controls often create employee ‘friction’, which encourages the wrong behaviors as employees seek to achieve their objectives, thus rendering this counterproductive.

The perpetual pursuit of maximum effort in cyber security operations takes its toll on CISOs, security leaders, and their teams. The reality for most organizations is that they simply cannot focus on perfecting all aspects — more data, more people, more controls, and more technology — given limited resources and budgetary constraints. The analogy here is if we consider four attributes of a car — chassis, suspension, brakes, and engine — then there has to be a balance of the investments and development, or we could end up with a very fast, great handling car that you cannot stop due to no investment in the brakes.

    Swanson: “With a minimum effective mindset, the focus is shifted away from trying to be absolutely perfect at everything, but making sure your security meets the requirements of the organization, thus unlocking tangible, valuable outputs.”

    Another takeaway from the summit was about what was important for CIOs and CEOs from a cyber security perspective and the implications for security and risk leaders. The view was that company boards are willing to increase risks but want tangible dividends from their digital investments. In other words, this means that they need their CISOs and their teams to ensure they are working on the key initiatives that offer the greatest business impact. This explains the shift to more human-centric design practices in cyber security programs. What is then needed is not necessarily security for security’s sake, but rather security that is best aligned to what the business is trying to do and visibly so.

    What did you learn about Zero Trust?

    Zero Trust, which is one of the most often used terms in the cyber security industry, is a strategic approach to cyber security built with continuous authentication with access control based on the principle that there shall not be trust by default. It’s based on trust and constant verification, and it's a powerful principle; however, from a Gartner viewpoint, the execution is far from straightforward due to the complexity of organizations, the tactical demands taking priority over strategic initiatives and not having a lifecycle approach.

    Convergence and consolidation will help simplify some aspects of increasing maturity; however, organizations need to recognize that Zero Trust is a strategic initiative and not a technology led approach; hence, this initiative needs to be underpinned with plans and measures to be seen to be increasing maturity and delivering benefits.

    John Watts, Gartner: “By 2026, 10% of large enterprises will have a mature and measurable Zero Trust program in place, up from less than 1% today.”

    Conclusion

    The Gartner Security & Risk Management Summit offered invaluable insights into the evolving cyber security landscape, urging professionals to challenge conventional wisdom and embrace change to safeguard enterprises effectively in the digital era. This not only reinforced our understanding of emergent risks and threats, but it has also allowed us to consider key strategic points such as the minimum effective mindset. It also helped us understand organizational and Board-related needs and drivers. Our participation in these sorts of events helps Fujitsu retain our market-leading position by inspiring confidence and trust in the services we provide for our customers, so that they may grow their business, but in a secure and sustainable way.


    John Swanson
    Head of Cyber Security Division, Fujitsu Uvance Hybrid IT
    John has fulfilled many Information Security leadership roles across Public and Private sectors including security program and capability leadership, consultancy (advisory and delivery), Security Operations Centers and Security Pre-sales functions. He is responsible for developing Fujitsu’s compelling Cyber security go-to-market propositions, which also underpin Fujitsu’s wider Applications, Hybrid IT, Digital Workplace, and Industry Sector aligned propositions. John focuses on the business aspects of Information Security and how Fujitsu can help clients enhance their strategic and operational maturity of the information security capabilities within their organizations.
