Applying the CARTA Approach to Stay Ahead of Competition in 2018

Advanced methods of information security are more of a necessity than a business edge in today’s digital landscape. And as we continue to move through digital transformation, we’re learning more and better ways to keep our systems safe. Case in point: Gartner recently unveiled a new, more agile approach to security—CARTA. This new approach is about changing the way you look at security altogether. And if done right, it can give you the edge you’re looking for.

Making Security Adaptive—and Agile

In the past, I’ve talked a lot about the importance of agility in digital transformation. The pace of change in today’s business world is so fast that businesses need to be able to pivot quickly—and sometimes sharply—to stay afloat. It makes sense, then, that security must be agile, as well.

CARTA follows that logic by focusing on continuous adaptive risk and trust assessment. The approach—which is meant to apply to every level of the business, from development to HR—is meant to deliver “security that moves at the speed of digital business.” In other words: in real time.

So how does it work? CARTA recognizes that in today’s world, we’re all connected. One person’s problem is another person’s problem, whether we like it or not. That means, if your vendor is running lousy security, your system could be equally compromised because you regularly interface with them. Thus, security efforts must focus not just on internal security assessment, but on the company’s working “ecosystem” as a whole.

In effect, CARTA focuses on three phases of security risk management: Run, Build, and Planning:

• Run: threats and access protection (who is logging in, and where)
• Build: Ecosystem partners (how do they impact you)
• Planning: Governance and new vendor evaluation (forward-thinking prevention)

Yes, you understood that right: Today’s security professionals need to be thinking beyond their office or even their cloud. They need to be thinking beyond their gigantically fragmented security systems and into the hugely fragmented world. That’s a tall order.

Analytics for the Win 

It likely goes without saying that analytics and machine learning play a huge role in CARTA. There is simply no way to manage the immense number of threats otherwise. Obviously: predictive analytics in the security realm are not new. In fact, you may already be using them in your business. But with CARTA, your analytic systems work to adapt to real-time information they gather from both outside threats and internal users. In so doing, it can change its security rules in real-time, as well.

For instance, one example would be a disgruntled employee who decides to hijack your network. Of course, he’s not going to do that right from his desk. He’s going to log in secretly from a remote location to reduce the chance of being found out. With CARTA, the adaptive analytics would recognize that this person is logging in from a weird location, or at a time they don’t usually work on that certain program. And in real time, it could prevent the log in, and send an alert to the employee’s manager. It’s kind of like your credit card company alerting you to weird activity on your card—it recognizes the types of things an employee usually does and adapts its security accordingly. In real time, no less! That’s the kind of security I want in my company.

Recognizing Trust is Temporary

CARTA recognizes that trust doesn’t last forever. Just like in the example above, we may trust one employee and change our opinions based on certain behavior. Thus, we can’t just have set-it-and-forget-it model of security within our organizations. That goes f or password protection, access protection, and everything in between. We need smart machines working on our behalf to find out when things are fishy—and to automatically stop them.

If you’re like me, you might be thinking this sounds a bit like DevOps or AI automation. You’d be right. The truth is, CARTA is just a new way of saying: “Hey, if we want to protect our information, we need to acknowledge that we are all connected—and that anything can, at some point, become a risk.” It’s not about buying new programs (unless you’re still in the dark ages on machine learning and analytics) or hiring more IT people. It’s about thinking bigger and smarter when it comes to IT planning. And, of course, it’s about keeping our information secure.