
You can count on CARTA for a better security posture

Davey Winder, security journalist
A Continuous Adaptive Risk and Trust Assessment (CARTA) approach to your security posture may not be a new thing (Gartner formalized the idea two years ago at its 2017 security summit), but neither is it merely an advisable one: it’s absolutely essential for organizations to adopt agile security.

Digital transformation is not only inevitable; it is everywhere. It is not going to stop whether security comes as part of the package or not, and obviously the former is preferable. If you stop to think for a moment about the way that risk within the digital business model works, you will quickly come to the conclusion that there is no such thing as perfect security, just as there is no binary position that will work when the threatscape itself is fluid. In other words, good and bad, black and white, are becoming increasingly blurred. Gartner’s CARTA, or agile security, enables the kind of adaptive and agile security posture that is required to keep up in this brave new business world: continuously assessing and adjusting that posture has to be front and center of your security strategy.


Prevention isn’t better than cure, it is the cure

If you read my Never trust, always verify article from earlier this year, then you will already know that I’m a great believer in the zero-trust security model. This is neither a case of buying into a product (zero-trust is a strategy first and foremost) nor of simply blocking everything and trusting nothing. What it is, then, is the removal of trust as a default, with the demand that trust be earned first. The fluidity within the threat landscape that I mentioned previously is key to why zero-trust is so important: you have to push the perimeter to encompass every endpoint and every user. Business is collaborative; IT infrastructure spans network, application and cloud; data volumes never stop expanding; users introduce ‘Shadow IT’ into the system. All of this adds up to gap after gap after gap for hackers to exploit. So within this new digitally transformed reality everything has to be considered external and internet facing, and everything has to be assessed on a continuous and adaptive basis. This is precisely where CARTA enters the equation.


Continuously assess and re-assess your risks

It should come as absolutely no shock to anyone that risk is ever-present and dynamic, but that risk has to be balanced with trust if the zero-trust model is to stand any chance of working effectively. And that requires a process of continuous risk identification, or total visibility if you prefer the shorter description. CARTA demands that you have visibility into the entire IT environment by way of the roles and privileges that exist within it. Everything from assessing technology silos through to the full stack, from fire-fighting through to prioritizing risk, and from ad-hoc remediation against the backdrop of persistent threats: all of this requires context, and context demands visibility. To bring a CARTA approach to life within your enterprise means having ‘eyes on’ so as to be able to correlate risk profiles across networks, web apps, cloud services and data, giving a continuous moving picture of the business risk.


Shifting left is not just for application development

A CARTA approach requires you to be able to detect and respond to incidents and activity that may well be missed by siloed systems and processes. It brings analytics, automation, and orchestration into the security strategy mix, to provide the agility and speed demanded by the exponentially evolving risk that dynamic and advanced threat actors introduce. Full-stack security assessment underpins the CARTA model by constantly assessing and readjusting your responses to risk, be that through incident remediation or security controls such as zero-trust, to ensure that your security posture is actually a repeatable process and a digital business enabler. Limited resources can therefore be focused on the most relevant threats; in other words, the high-risk and critical vulnerabilities that matter the most.

Your business must avoid holding up the pace of innovation as much as it has to fix those vulnerabilities that will otherwise come back and burn you. Think of CARTA, then, very much in terms of how the application development world has shifted left and adopted a DevSecOps approach, and you’ve got a good handle on the risk-based approach that you can use to secure your business proactively. What’s more, because it is a continuous and adaptive beast by definition, CARTA will continue to secure the business as you move forward, getting ever more effective and cost efficient over time.




About the author:

Davey Winder is a veteran security journalist with three decades under his belt. The only three-time winner of the BT Security Journalist of the Year award, he was presented with the Enigma Award for a 'lifetime contribution to IT security journalism' in 2011. Currently contributing to Digital Health, Forbes, Infosecurity, PC Pro, SC Magazine and The Times (via Raconteur Special Reports), you can catch up with all his latest writings at
