BRINGING CYBERSECURITY INTO THE FUTURE: Internal auditors should consider whether CARTA is a smarter approach to addressing information security risks.

Author:Mar, Steve

One can get overwhelmed reading about data breaches such as last year's massive Equifax incident, which may have exposed 145.5 million customer records. The December Identity Theft Resource Center Report lists other big breaches in 2017 at America's Joblink Alliance (5.5 million records), Sonic Drive-in (5 million), Dow Jones (2.2 million), Schoolzilla (1.3 million), and Washington State University's Social & Economic Sciences Research Center (1 million). Accenture's 2017 Cost of Cyber Crime Study notes such incidents increased 23 percent and cost on average $11.7 million in 2017. These findings suggest that current security methods are unsustainable.

Against this backdrop, Gartner introduced an alternative approach to cybersecurity, the Continuous Adaptive Risk and Trust Assessment (CARTA), as part of its Top 10 Strategic Technology Trends for 2018 report. The CARTA approach calls for real-time risk assessment and making trust-based decisions. This contrasts with previous information security strategies that revolved around periodic risk assessments and controlling users through single sign-on authentication. "Existing security decision-making based on initial one-time block/allow security assessments for access and protection is flawed," the Gartner report explains. "It leaves organizations open to zero-day and targeted attacks, credential theft, and insider threats." In this new paradigm, internal audit needs to determine how it will respond to the CARTA approach.

A Big Change in Thinking

The CARTA approach could become the model for organizations that are adopting the Development and Operations (DevOps) approach for rapid application delivery. It relies on using application program interfaces (APIs) for automation, moves away from simple rule-based systems, and puts greater emphasis on detection and response vs. prevention. At its core is a three-pronged strategy combining deception, continuous authentication, and a development security operations (DevSecOps) mindset.

That requires a big change in thinking about cybersecurity. "CARTA is good at the framework level, but the implementation of it will require a major shift for vendors, software developers, and the organizations, themselves," says Sajay Rai, CEO of Securely Yours LLC in Bloomfield Hills, Mich. "Most organizations will have to deploy a different set of tools, technologies, people, and processes."

Although CARTA can be a helpful approach, it should not be viewed as a standard...

To continue reading