
Improve Information Security Practices in the Small Enterprise


Page 1: Improve Information Security Practices in the Small Enterprise

Express | Info-Tech Research Group | 1

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2016 Info-Tech Research Group Inc.

Improve Information Security Practices in the Small Enterprise
Create a realistic security plan that manages the threats of today and tomorrow.

Strategy | Infrastructure | Applications | Security

Page 2: Improve Information Security Practices in the Small Enterprise


ANALYST PERSPECTIVE

The days of purely high-profile hacking are over. Smaller enterprises are now at the forefront of targeted attacks. Smaller organizations still have valuable data that threat actors want and that can be more easily compromised due to fewer resources dedicated towards security. Often, small enterprises are compromised for the purpose of being a hopping point to a larger target, generating complex levels of security considerations and legal liabilities.

Just because you don’t see headline news about small organizations being breached doesn’t mean it isn’t happening. The reality is that small enterprises are now faced with the same security concerns and requirements as large organizations, but with limited resources. Small enterprises need to know what matters to them even more than large organizations so that they can build a right-sized security program.

Wesley McPherson, Info-Tech’s Security, Risk, and Compliance Practice

(Photo: The VIP Boardroom at Info-Tech Research Group’s Toronto Office)

Page 3: Improve Information Security Practices in the Small Enterprise

Security programs are a MUST-HAVE, not a nice-to-have

WHY? The volume, intelligence, and complexity of threats have been increasing and will continue to increase.

New Attack Types
• Targeted malware
• Zero-day vulnerability exploits
• Advanced persistent threats (APTs)

Increasing Threat Actors
• Commodification of hacking techniques
• Conventional threats adopting hacking
• Increasing in number and complexity

Changing Environments
• Mobile
• Cloud
• Big Data
• Internet of Things

23% of CIOs polled stated increasing cybersecurity was the most significant driver behind IT investments in 2015 (CIO, 2015).

90% of data breaches impact small businesses (First Data, 2014).

Page 4: Improve Information Security Practices in the Small Enterprise

MYTH: Cyber-attacks aren’t an issue for small enterprises.

82% of small to medium-sized businesses consider themselves non-targets for cyber-attacks because they have nothing worth stealing. (Source: London Chamber of Commerce and Industry, 2014.)

AND YET

60% of all targeted attacks are towards small to medium-sized organizations. (Source: Symantec, 2015.)

THE UNFORTUNATE REALITY

• Cyber-attackers prefer targeting smaller enterprises because they often have weak security systems.
• In a transaction- and data-heavy society, nearly all organizations have highly valuable and sensitive data (contract information, customer data, payment information, etc.).

Page 5: Improve Information Security Practices in the Small Enterprise

Address foundational and baseline functions of security

(Figure: Info-Tech’s Information Security Framework, with a legend marking the Foundational Security Components; labelled “Info-Tech SE Perspective”.)

Focus on components and capabilities that will be the most feasible and critical for your organization.

Foundational components include: prevention and detection performance, and response and recovery capabilities.

Expand into governance to address business awareness of security and to incorporate a security mindset into the organizational culture.

Page 6: Improve Information Security Practices in the Small Enterprise

Be prepared for all types of incidents

Recognize a potential security incident.
Traditional security incidents include malware detection, system availability loss, or compromised data. It is not a question of if a security incident will happen, but when. Using risk management to prepare for multiple scenarios could be the difference between business closure and continuity.

Account for IT systems expansions.
Business decisions are a common source of IT expansion. Unfortunately, these decisions are rarely made with IT or Security consultation. Unexpected expansions cause more expense than planned, throwing off budget, resourcing, and project plans. Addressing security concerns and requirements after the fact impacts budgeting and resourcing. As an IT leader, try to be involved whenever IT initiatives are discussed.

EXAMPLE: Marketing moves customer data to the cloud without notifying Security or engaging them while selecting a vendor and migrating data.

The Security Implications
• Sensitive customer data was sitting in an environment outside of the scope of the organization’s security program.
• Unexpected security costs were incurred analyzing the vendor after the fact and addressing concerns related to on-premise to cloud data integrations.

Page 7: Improve Information Security Practices in the Small Enterprise

(Chart: Mitigation and Control Expenditure over Time, comparing a Reactive Mitigation Posture with a Proactive Mitigation Posture against Allocated Resources before and after a Security Incident.)

Take a proactive approach to managing security

BENEFIT: Proactive mitigation lowers overall security costs over time.

Proactive Mitigation Posture
• Enables the team to learn from security incidents and apply lessons to security practices, increasing security strength.
• Entails pre-emptive “what-if” planning and prevention actions.
• Is done to introduce more specific technology, policies, and procedures that better protect information at a lower cost.

Reactive Mitigation Posture
• Allows for security investments to occur, but does not extensively consider past incidents and incident analysis, keeping security strength stagnant.
• Lacks the ability to recognize security incidents before their occurrence.
• Involves little analysis of incidents.

Security incidents inevitably affect budget planning, regardless of posture. A proactive posture allows for lessons learned that actually improve information security capabilities and cost measures over time.

Page 8: Improve Information Security Practices in the Small Enterprise

Research Navigation
Info-Tech Research Group has two research reports related to building an information security strategy. Use the questions below to help steer you to the research project that best suits your organization.

Is this research right for you?
1. Does your IT department consist of fewer than 15 full-time employees?
2. Does your organization have limited resources for its security program?
3. Is your organization looking to build a lean information security strategy?
4. Is your organization in a loosely regulated or unregulated industry?

If you answered YES to most of these questions, keep reading this blueprint. If you answered NO to question 4 or have significant concerns with your current security capabilities, go to the Build an Information Security Strategy research.

Page 9: Improve Information Security Practices in the Small Enterprise

Improve your ability to prevent security incidents and improve protective practices by leveraging Info-Tech’s four-step approach.

1. Assess Security Requirements
2. Determine Current and Target States
3. Develop Improvement Plans
4. Create and Communicate Your Roadmap

Info-Tech Recommends
You will need to have a deep understanding of the business, even and especially if your organization does not have an awareness or understanding of information security. Use the information and insight that you gather at the outset to drive your project’s activities and enable you to build and implement a roadmap that best maps to your business’s priorities and vulnerabilities.

Page 10: Improve Information Security Practices in the Small Enterprise

Don’t just read it – do it! Use this research to create the following key deliverables.

Key deliverables:
• Program Roadmap
• Scoped Initiatives
• Security Strategy

WALK AWAY FROM THIS PROJECT WITH:
• Plans for improving the performance of foundational security functions.
• A vision for how to mature the organization’s security program (estimated one- to three-year trajectory).

Tactical guidance, immediate support.

Page 11: Improve Information Security Practices in the Small Enterprise

Use this research to build a security strategy

Intended Audience
• IT departments with 15 or fewer full-time employees.
• Organizations that want to quickly assess and build a security strategy focused on foundational capabilities.

Expected Benefits
• Completed security strategy documentation using best-practice templates.
• Strong understanding of security issues and requirements.
• Improved business awareness and understanding of the importance of information security.
• Improved performance of critical security functions.

This Research Includes
• Guidance for analyzing and building security capabilities.
• Directions that help to accelerate brainstorming, analysis, and execution of security plans.

WALK AWAY FROM THIS BLUEPRINT WITH:
• Plans for improving the performance of foundational security functions.
• A vision for how to mature the organization’s security program (estimated one- to three-year trajectory).

Use the following tools and templates:
• Information Security Strategy and Workbook Template
• Security Pressure Posture and Analysis Tool
• Security Component Maturity Level Descriptions
• Information Security Program Gap Analysis and Roadmap Tool
• Project Charter and Status Update Template
• Information Security Strategy and Roadmap Communication Deck

Page 12: Improve Information Security Practices in the Small Enterprise

Want to learn more about this research? Improve Information Security Practices in the Small Enterprise

Info-Tech Research Group’s advisory services include a team dedicated to Security, Risk, and Compliance Management.

Experience of Info-Tech’s security team
• Former CIOs and CISOs
• Security architects

Topics Covered
• Security strategy planning
• Data Classification
• Vulnerability Management
• Identity Management
• Endpoint Security
• Penetration Testing
• And many more…

Page 13: Improve Information Security Practices in the Small Enterprise

Info-Tech offers various levels of support to best suit an organization’s IT needs

Consulting
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Guided Implementation
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

DIY Toolkit
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Workshop
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Page 14: Improve Information Security Practices in the Small Enterprise

Info-Tech Research Group is an information technology research and advisory firm that has been working with clients to help them make strategic, practical, and well-informed decisions and plans since 1997.

Info-Tech leverages the experience of its analysts and of its over 3,000 IT professional members to help build practically oriented research that guides organizations to learn from the experiences of their peers, best position their departments, and empower their organizations.

Info-Tech’s Mission
Help IT leaders and their teams:
• Systematically improve their core processes and governance
• Successfully implement critical technology projects

Contact Us

Corporate headquarters: London, Ontario, Canada
602 Queens Avenue, London, Ontario, N6B 1Y8

Toronto, Ontario, Canada
888 Yonge Street, Toronto, Ontario, M4W

Las Vegas, Nevada, USA
3960 Howard Hughes Parkway, Suite 500, Las Vegas, Nevada 89169

Website: Infotech.com
Phone: North America: 1-888-670-8889; International: +1-519-432-3550