This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.

Earl Perkins

Research VP

May 8, 2013

Top Security Trends and Take-Aways for 2013

@GARTNER_INC

Gartner at a Glance

• 902 analysts
• 13,000 client organizations
• 290,000 client interactions
• Vertical coverage in nine industries
• 5,500 benchmarks
• 10,200 media inquiries
• World's largest community of CIOs
• 64 conferences
• 74% of the Global 500
• 1,700 consulting engagements
• Clients in 85 countries
• 72% of the Fortune 1000
• 500 consultants


Security and Risk Management and the Nexus of Forces

Top Trends and Takeaways

Infrastructure Protection

Requirement: Increased Depth in Two Technology Dimensions

Depth of inspection (network stack layer, and the control that inspects it):
• Link, Internet, Transport: FW, IPS
• Application: WAF
• Host/OS: VA/M, HIPS
• Data: DLP, DAP

Depth of application path: the request travels through a Web Zone (VM: Web, VM: ftp), an App Zone (VM: app1, VM: app2) and a Database Zone (VM: db1, VM: db2), segmented by FW1, FW2 and FW3 with IPS1, and with ADC, WAF, DLP, HIPS, VA/M and DAP deployed along the path. Depth in both dimensions is what makes the controls defense in depth rather than a single perimeter.
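The zoned path above is only defense in depth if the firewall rule base actually forces every flow to cross one tier at a time (Internet to Web Zone, Web to App, App to Database) and never lets the web tier talk straight to the database. The following added example is not part of the Gartner deck; it is a small Python check that parses a constructed, iptables-style rule list and flags ACCEPT rules that violate that zone model. The zone address ranges, the allowed ports, the rule syntax and the sample rule base are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zone addressing for illustration (not from the deck).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.1.0.0/24"),   # VM: Web, VM: ftp
    "app": ipaddress.ip_network("10.2.0.0/24"),   # VM: app1, VM: app2
    "db": ipaddress.ip_network("10.3.0.0/24"),    # VM: db1, VM: db2
}

# Zone-to-zone flows the diagram implies: each hop crosses exactly one
# firewall (FW1 internet->web, FW2 web->app, FW3 app->db) and nothing
# skips a tier. The ports are assumed for the example.
ALLOWED_FLOWS = {
    ("internet", "web"): {443},
    ("web", "app"): {8080},
    ("app", "db"): {5432},
}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # ACCEPT or DROP


def parse_rule(line: str) -> Rule:
    """Parse a minimal iptables-style rule: -s SRC -d DST [--dport N] -j ACTION."""
    toks = line.split()
    src = dst = action = None
    dport = None
    i = 0
    while i < len(toks):
        if toks[i] == "-s":
            src = ipaddress.ip_network(toks[i + 1]); i += 2
        elif toks[i] == "-d":
            dst = ipaddress.ip_network(toks[i + 1]); i += 2
        elif toks[i] == "--dport":
            dport = int(toks[i + 1]); i += 2
        elif toks[i] == "-j":
            action = toks[i + 1]; i += 2
        else:
            i += 1
    if src is None or dst is None or action is None:
        raise ValueError(f"incomplete rule: {line!r}")
    return Rule(src, dst, dport, action)


def zone_of(net: ipaddress.IPv4Network) -> str:
    """Most specific zone that contains the whole prefix.

    A prefix that straddles zones (e.g. 10.0.0.0/8) only fits 0.0.0.0/0 and
    is therefore classed as internet, so an ACCEPT on it gets flagged rather
    than silently trusted as an internal flow.
    """
    best = "internet"
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and zone.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def check_rules(ruleset: str) -> List[Tuple[str, str]]:
    """Return (rule_text, reason) for every ACCEPT that breaks the zone model."""
    findings = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.action != "ACCEPT":
            continue  # only permits can punch through a zone boundary
        flow = (zone_of(rule.src), zone_of(rule.dst))
        label = f"{flow[0]} -> {flow[1]}"
        if flow not in ALLOWED_FLOWS:
            findings.append((line, f"flow {label} bypasses the zone model"))
        elif rule.dport is None:
            findings.append((line, f"flow {label} permits any port; restrict to {sorted(ALLOWED_FLOWS[flow])}"))
        elif rule.dport not in ALLOWED_FLOWS[flow]:
            findings.append((line, f"flow {label} on port {rule.dport} not in {sorted(ALLOWED_FLOWS[flow])}"))
    return findings


# Constructed sample rule base; rules 4 and 5 are the deliberate mistakes.
SAMPLE_RULESET = """
-s 0.0.0.0/0    -d 10.1.0.0/24 --dport 443  -j ACCEPT
-s 10.1.0.0/24  -d 10.2.0.0/24 --dport 8080 -j ACCEPT
-s 10.2.0.0/24  -d 10.3.0.0/24 --dport 5432 -j ACCEPT
-s 10.1.0.0/24  -d 10.3.0.0/24 --dport 5432 -j ACCEPT
-s 10.2.0.0/24  -d 10.3.0.0/24              -j ACCEPT
-s 0.0.0.0/0    -d 10.3.0.0/24              -j DROP
"""

if __name__ == "__main__":
    for rule_text, reason in check_rules(SAMPLE_RULESET):
        print(f"VIOLATION: {reason}\n    {rule_text}")
```

Run as written, the check reports the web-to-database shortcut (it skips FW2 and the App Zone entirely) and the app-to-database rule that accepts any port. A rule whose source prefix spans several zones is classed as internet on purpose, so it is reported instead of being treated as trusted internal traffic.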

The Four Phases of BYOD

Avoid
• Don't Ask, Don't Tell
• Corporate-Owned Devices Only

Accommodate (Focus: Data Protection, Cost)
• BYO Policies
• Formal Mobile Support Roles
• MDM
• NAC
• Limited Support
• Extend Existing Capabilities

Adopt (Focus: Productivity)
• Desktop Virtualization
• Adoption of New Enterprise-grade Services
• Enterprise 'App Stores'
• Self-Service and P2P Platforms

Assimilate (Realization of the Personal Cloud)
• Context Awareness
• Identity-Aware NAC
• Workspace Aggregators
• 'Walk Up' Services

Managed Diversity: A Framework for BYOD

Managed Diversity Matrix: service levels mapped against user categories, where each user category is defined by a set of user attributes.

Key Goals
• Cost control
• Auditable security
• Defined responsibilities

A Complex Mobile Device Landscape

Device categories: basic media tablet, premium media tablet, ultramobile notebook, mobile PC, smartphone, feature phone.

[Chart: predicted global mobile device shipments by category, 2012 to 2016 (scale 0 to 3.5 billion), alongside the predicted handset installed base (scale 0 to 6 billion).]

Scoping the Mobility Security Problem

The User

• No security standards

• Incomplete management

• Bring your own device challenges

• Multiple devices

• Travel distractions

• Uncontrolled environments

• Exceptions and surprises

• Business process rebellion

• User experience trumps accountability

• Personal productivity focus

• Process, data fragmentation

• Unmanaged, nonstandard apps

Security Intelligence: Overview

Goal: optimal risk and business decisions, with resource allocation and prioritization based on contextual assessments. Attributes: advanced security, high accuracy, breadth of coverage, new capabilities.

Manual tier (post-factum, long term): information integration and correlation; repositories, queries, contextual assessments; performed by IT, CISO and business staff.

Automated tier (real time): technology interaction; scanners, monitors; detection, protection; software, hardware. The automated tier supplies high-accuracy input to the manual tier.

Top Trends and Takeaways

Application Security

Application Security SWOT

Strengths
• Some "good enough" technologies
• Increasing awareness
• Pressure from government, regulators

Weaknesses
• Users are less mature than tools
• Developers' reluctance
• Misconceptions about inward-facing applications, the role of QA, and network security

Opportunities
• Security intelligence (SI)
• Cloud and SaaS

Threats
• Dual-purpose technologies for all
• Changing nature of attacks
• New languages, frameworks, platforms
• Hackers' industry
• Extreme openness, collaboration

Hype Cycle for Application Security, 2012 (as of July 2012)

[Chart: expectations over time through the Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity; each technology is marked with its time to plateau (less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, or obsolete before plateau).]

Technologies plotted (as listed): Mobile Fraud Detection, Runtime Application Self-Protection, Visual Watermarking, Application Shielding, Dynamic Data Masking, Interactive Application Security Testing, Mobile Application Security Testing, Privacy Management Tools, Model-Driven Security (DevOpsSec), Security Intelligence, Context-Aware Security, Application Security Professional Services, Tokenization, Application Security as a Service, Identity and Access Intelligence, Fraud Detection, Software Composition Analysis, Mobile Data Protection, Application Control, Application-to-Application Password Management Tools, Application Obfuscation, Database Audit and Protection (DAP), Static Application Security Testing, Static Data Masking, Web Application Firewalls, SIEM, XML Firewalls, Dynamic Application Security Testing, ERP SOD Controls, Web Access Management.

Application Security Road Map (as of July 2012)

[Chart: the same hype cycle axes and time-to-plateau legend, with the technologies below highlighted.]

Technologies on the road map: Runtime Application Self-Protection, Dynamic Data Masking, Interactive Application Security Testing, Mobile Application Security Testing, Mobile Data Protection, Application Obfuscation, Database Audit and Protection (DAP), Static Application Security Testing, Static Data Masking, Web Application Firewalls, Dynamic Application Security Testing.

Callouts: WAF + IAST, RASP.

Top Trends and Takeaways

Risk and Compliance

Program Maturity: ITScore Overview for Security and Risk Management

Maturity scale: Level 1 Initial, Level 2 Developing, Level 3 Defined, Level 4 Managed, Level 5 Optimizing.

Characteristics, progressing from Level 1 to Level 5:
• No visibility into critical risks; very technology-focused and reactive; no risk and security policy
• Initiator such as data loss or regulatory concern; (re-)formulate team to address concerns; assess current state; create charter
• Governance committees formed; policy development; formalize processes and create process catalog; lines of business engaged in addressing security and risk issues
• Control gaps closed; risk assessments proactively executed; executive-level reporting; formal residual risk sign-off
• Key risk indicators are mapped into key performance indicators; continuous assessment; enterprise-wide risk-aware culture; risk fully integrated with strategic business-level decision making; governance driven by executive management; board-level visibility into and commitment to security and risk management

Operational Metrics to Benefit Operational Efficiency

Audiences: Executive Decision Makers, IT Operations

• Percentage of YTD spending of security budget
• Percentage of completion of annual objectives
• Percentage of confidence of completing objectives
• Number of new processes created and implemented
• Project status (major, per project): percentage completed; percentage of confidence of completion
• Number of compliance deficiencies, last audit
• Number of remaining open compliance deficiencies

Effective Communication With Non-IT Executive Decision Makers: Mapping KRIs and KPIs

Chain of leading indicators, running from the CRO/CISO through the CIO to the business:
• Key Risk Indicator (CRO/CISO): Poor Patching is a leading indicator that Open Incidents will rise
• Negative Impact KPI (CIO): Open Incidents are a leading indicator of a Critical Application Fault in the Supply Chain Support Application
• Business outcome (The Business): a Critical Application Fault is a leading indicator that the Supply Chain Slows, leading to Revenue Loss and missing the quarter

IT GRCM Market Placement in Relation to the Enterprise GRC Market

IT GRCM capabilities:
• IT GRCM dashboards and executive decision support
• Integrated IT risk assessment and reporting
• IT policy management and reporting
• IT vendor risk management
• IT internal audit reporting

Enterprise GRC (EGRC) domains: Finance GRC, Legal GRC, Operations GRC, IT GRCM.

From Control-Centric Security to People-Centric Security

Control-centric: policy produces rules that are imposed on people, backed by punishment and control.

People-centric: rights and principles shape policy, which assigns responsibilities to people, backed by monitoring and education.

Top Trends and Takeaways

Identity and Access Management

Requirement: Access the Enterprise Securely

Identity and access for employees, customers, citizens and partners, resting on process execution and reliable infrastructure.

The Death (and Rebirth) of Identity Governance

Identity & Access Governance (IAG) and User Administration & Provisioning converge into Identity Governance & Administration (IGA), alongside Identity Analytics & Intelligence and Authorization Management (Data & Application).

Strategic Planning Assumption (end-2012 to end-2015): By the end of 2015, 50% of all new retail customer identities will be based on social network identities.

Cloud Computing Drives IAM Decisions, Offers New Delivery Options

Populations: workforce; customers and partners.
Functions: administration, intelligence, access.
Targets: customer-facing applications, enterprise applications, outsourced enterprise applications, SaaS, partner applications.

Action Plan

Top Security Trends and

Takeaways

Action Plan for Security & Risk Leaders

Monday Morning

- Assess how well the strategic vision of your security & risk program addresses the Nexus of Forces and the specific trends above.

Next 90 Days

- Educate your IT delivery and executive stakeholders on the challenges and opportunities of the Nexus of Forces.

- Assess the maturity of the major elements of your risk and security program and decompose gaps into projects.

- Map key risk indicators into business key performance indicators and use this to engage the business in risk discussions.

Next 12 Months

- Develop a long-term strategy for continuous improvement.

- Develop and deliver an executive reporting scheme that addresses the needs of a business audience.

Recommended Gartner Research

Agenda Overview for Security and Risk Management Leaders, 2013
Carsten Casper | Roberta J. Witty | Paul E. Proctor | Tom Scholtz | John A. Wheeler (G00238845)

Agenda Overview for Information Security Technology and Services, 2013
Andrew Walls (G00239321)

Agenda Overview for Identity and Access Management, 2013
Earl Perkins | Gregg Kreizman (G00245842)

Define the Structure and Scope for an Effective Information Security Program
Tom Scholtz (G00238280)

A Guide to Security and Risk-Related Hype Cycles, 2012
Ray Wagner (G00230394)

For more information, stop by Experience Gartner Research Zone.


Events for Security & Risk Management Professionals

Experience live analyst expertise plus much more at a Gartner event

Identity & Access Management Summit

November 18 – 20, Los Angeles, CA

Security & Risk Management Summit

June 10 – 13, National Harbor, MD

July 1 – 2, Tokyo, Japan

August 19 – 20, Sydney, Australia

September 18 – 20, London, U.K.

Catalyst Conference

July 29 – August 1, San Diego, CA

Visit gartner.com/events

Simple steps for increasing the value of today's webinar experience

• Visit gartner.com/webinars
  – Today's presentation is available to download on the Attachment Tab of our webinar portal or will be available shortly on our webinar page
  – Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues
• Contact your Gartner account executive with any additional questions, comments or for a complimentary copy of today's presentation
