
Security and Risk Management in 2007 and beyond: The only constant thing is change

Thomas Raschke

Senior Analyst

Forrester Research

Berlin, 6 November 2007

Entire contents © 2007 Forrester Research, Inc. All rights reserved.

Theme

Demystifying security is a prerequisite for delivering business-relevant IT.


Myth #1: We’ve got everything under control…

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

E.J. Smith, Captain of the Titanic


Myth #2: Security needs to be confusing…

[Diagram: the security landscape drawn as a cloud of overlapping product categories around “Data”, inside a “Network Context” frame. Identity: identity mgmt, SSO, provisioning, access and authentication, biometrics, tokens, smart cards. Network: firewalls, VPNs, IDP. Content security: spyware, AV, threat protection, spam. Information protection: ILP. Assets holding the data: servers, DBs, apps, clients, CD-ROMs, USB sticks.]


Myth #3: The CSO job role is not changing…

• Security is moving from a technical discipline to one with a business focus

• The job requirements are changing

» e.g. the CSO needs to understand regulations and be able to talk to lawyers

• Reduce complexity, both technical and organizational

» e.g. fewer products, people, and resources

• Address new threats and compliance

» Needs solutions that proactively ensure threat protection, business continuity, network availability, and secure remote working

• Improve cost efficiency: contribute to corporate efficiency

• Unchanged imperative: “Be 100% secure!”


Myth #4: The threat race can be won…

[Chart: attack tool sophistication versus the specialized technical knowledge required to use it, 1985 to 2010. Tools, in rough order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, backdoors, hijacking sessions, stealth diagnostics, packet forging/spoofing, anti-detection, automated programming. Knowledge axis runs from high (reverse-engineering, machine-level programming, encryption knowledge, OS knowledge, vulnerability knowledge) to low (virus and hacker script writing; limited programming such as macros, scripts, VBS). Three skill curves are drawn for amateurs, insiders, and professionals: as tools become more capable, the skill needed to wield them falls.]


Myth #5: It’s only about FW and AV software…

• Security software (40% share, 10% growth)

» Content security and AV: Symantec, McAfee, Trend Micro, Microsoft

» FW and IDS/IPS: Check Point, ISS

» Access and authentication: CA, IBM, HP, Novell, Sun

» Security mgmt: NetIQ, CA, Symantec

• Security hardware (15% share, 20% growth)

» Appliances: Cisco, Juniper, Nokia

» Hardware authentication: RSA, VASCO, Gemalto

• Security services (45% share, 12% growth)

» MSS: BT/Counterpane, Verizon/Cybertrust, VeriSign, Unisys, etc.

» Integration/consulting: IBM GS, Deloitte, Accenture, etc.


Myth #6: Access & IDM is for big companies only…

• Why Access & Identity Management?

» The perimeter evaporates; data and identity theft make information protection paramount; market dynamics and complexity; cost and time savings; regulations

» The primary driver for enterprise investment in identity management shifts from compliance to information protection

• What does IDM do?

» Allow the right people to have access to the right information at the right time!

» Single sign-on, provisioning, strong authentication; also password and user management, legacy products (e.g. authorization), PKI, directory or meta-directory

» Result: cost savings and simplicity, also for small companies

• Who?

» IBM, CA, Sun, HP, Oracle, BMC, Novell, Microsoft, NetIQ


Myth #7: There is no insider threat in my company…

• Why Information Leak Prevention?

» Data classification: what is sensitive, and where does it sit and travel?

» Sensitive information leaks via USB sticks, CDs/DVDs, printouts, email, zip files, encrypted files, etc.

» Consequences: disclosure; also regulatory exposure, theft, and espionage

• What does ILP do?

» Monitor, measure, and protect information assets

» Identify: (A) structured information: database records, PII/PHI; (B) unstructured information: document fragments, email conversations, web postings; (C) semi-structured information: CAD files, source code

» Scan the multiple vectors through which sensitive information may travel

• Who?

» Oakley, Orchestria, PortAuthority (Websense), Proofpoint, SecureWave (PatchLink), Tablus (RSA/EMC), Verdasys, Vericept, Vontu
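The two ILP building blocks the slide names, identifying structured sensitive data and scanning the vectors it travels over, can be shown in a few dozen lines. The following is an added example written for this page, not code from the Forrester deck or from any of the vendors listed; the detectors (payment card numbers validated with the Luhn checksum, e-mail addresses, a hypothetical CONFIDENTIAL document label), the block/allow policy, and the three sample messages are all constructed here. The Luhn check is the practical point: a bare 16-digit regex fires on ticket and order numbers too, so a validator is what keeps the false-positive rate usable.

```python
"""Minimal content classifier in the style of the ILP/DLP tools described above.

Added illustration, not vendor code. Detectors, policy and sample traffic are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate 13-19 digit runs, allowing spaces or dashes between groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Hypothetical classification marker the organisation stamps on documents.
LABEL_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    vector: str   # channel the content was observed on (email, usb, print, ...)
    kind: str     # which detector fired
    sample: str   # masked evidence; the full secret is never copied into the alert


def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself does not leak."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(vector: str, text: str) -> list[Finding]:
    """Run every detector over one piece of content seen on one vector."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(vector, "payment-card", mask(digits)))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(vector, "email-address", m.group()))
    if LABEL_RE.search(text):
        findings.append(Finding(vector, "confidential-label", "CONFIDENTIAL"))
    return findings


def decide(findings: list[Finding]) -> str:
    """Constructed policy: block on a validated card number or a confidentiality label."""
    blocking = {"payment-card", "confidential-label"}
    return "block" if any(f.kind in blocking for f in findings) else "allow"


# Constructed sample traffic on three of the vectors named on the slide.
SAMPLES = {
    "email": "Hi, please charge card 4111 1111 1111 1111 for the order. Thanks, bob@example.com",
    "usb":   "Quarterly plan - CONFIDENTIAL - do not distribute outside the company",
    "print": "Ticket number 1234 5678 9012 3456 is your reference, nothing sensitive here",
}


def scan_all(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Classify every sample and return the per-vector decision."""
    return {vector: decide(classify(vector, text)) for vector, text in samples.items()}


if __name__ == "__main__":
    for vector, text in SAMPLES.items():
        found = classify(vector, text)
        print(vector, decide(found), [(f.kind, f.sample) for f in found])
```

The "print" sample contains a 16-digit run that the regex alone would flag, but it fails the Luhn check and the content is allowed; the "email" sample carries a valid test card number and is blocked with only its last four digits in the alert. A real deployment would add the unstructured and semi-structured cases from the slide (document fingerprints, source-code signatures) on top of these pattern detectors.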


Myth #8: Mobile security is futuristic stuff…


Myth #9: Compliance is not an issue yet…

• Why governance, risk, and compliance?

» Regulatory pressure: fines and other penalties if non-compliant

» Positive side: better business processes

» Also: a marketing tool

• What is compliance?

» (1) Adhering to internal rules, restrictions, standards, and policies

» (2) Adhering to external regulations (e.g. SOX)

» A powerful communications and business process improvement mechanism

• Who?

» Generalists: IBM, HP, Microsoft, Oracle, etc.

» Security vendors: Symantec, McAfee, Trend Micro, VeriSign, Check Point, ISS, Cisco, RSA, NetIQ, etc.

» GRC specialists: ERM dashboards, GRC platforms, other


Myth #10: Ultimately, it’s all reactive chaos anyway…

Security Action Cycle

1. Define security and corporate assets; evaluate risks and regulations

2. Update the security policy and establish the delta between “is” and “want”

3. Specify the investment and implementation strategy

4. Act: educate, enforce, audit, update, and comply (then return to step 1)


Myth #11: So, Security Managers can relax now…

• Implement key strategic technologies

• Anticipate changes to your S&RM (security and risk management) role

• Learn to balance business, organization, and technology as a means of raising S&RM’s profile within the organization

Business-focused information risk management


Thomas Raschke


www.forrester.com

Thank you