Express Info-Tech Research Group 1
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2016 Info-Tech Research Group Inc.
Improve Information Security Practices in the Small Enterprise
Create a realistic security plan that manages the threats of today and tomorrow.
ANALYST PERSPECTIVE
The days of purely high-profile hacking are over. Smaller enterprises are now at the forefront of targeted attacks. Smaller organizations still have valuable data that threat actors want and that can be more easily compromised due to fewer resources dedicated to security. Often, small enterprises are compromised for the purpose of being a hopping point to a larger target, generating complex levels of security considerations and legal liabilities.
Just because you don't see headline news about small organizations being breached doesn't mean it isn't happening. The reality is that small enterprises are now faced with the same security concerns and requirements as large organizations, but with limited resources. Small enterprises need to know what matters to them even more than large organizations so that they can build a right-sized security program.
Wesley McPherson, Info-Tech's Security, Risk, and Compliance Practice
The VIP Boardroom at Info-Tech Research Group’s Toronto Office
Security programs are a MUST-HAVE, not a nice-to-have
WHY? The volume, intelligence, and complexity of threats have been increasing and will continue to increase.
New Attack Types
• Targeted malware
• Zero-day vulnerability exploits
• Advanced persistent threats (APTs)
Increasing Threat Actors
• Commodification of hacking techniques
• Conventional threat actors adopting hacking techniques
• Actors increasing in number and in sophistication
Changing Environments
• Mobile
• Cloud
• Big Data
• Internet of Things
23% of CIOs polled stated that increasing cybersecurity was the most significant driver behind IT investments in 2015 (CIO, 2015).
90% of data breaches impact small businesses (First Data, 2014).
MYTH: Cyber-attacks aren't an issue for small enterprises.
82% of small to medium-sized businesses consider themselves non-targets for cyber-attacks because they believe they have nothing worth stealing (Source: London Chamber of Commerce and Industry, 2014).
AND YET
60% of all targeted attacks are directed at small to medium-sized organizations (Source: Symantec, 2015).
THE UNFORTUNATE REALITY
Cyber-attackers prefer targeting smaller enterprises because they often have weaker security controls.
In a transaction- and data-heavy society, nearly all organizations hold highly valuable and sensitive data (contract information, customer data, payment information, etc.).
Address foundational and baseline functions of security
[Figure: Info-Tech's Information Security Framework; highlighted boxes mark the Foundational Security Components.]
Info-Tech SE Perspective: Focus on the components and capabilities that will be the most feasible and critical for your organization.
Foundational components include:
• Prevention
• Detection
• Response and recovery capabilities
Expand into governance to address business awareness of security and to incorporate a security mindset into the organizational culture.
Be prepared for all types of incidents
Recognize a potential security incident. Traditional security incidents include malware detection, loss of system availability, or compromised data. It is not a question of if a security incident will happen, but when. Using risk management to prepare for multiple scenarios could be the difference between business closure and continuity.
Account for IT systems expansions. Business decisions are a common source of IT expansion. Unfortunately, these decisions are rarely made with IT or Security consultation. Unexpected expansions cost more than expected, throwing off budget, resourcing, and project plans. Addressing security concerns and requirements after the fact impacts budgeting and resourcing. As an IT leader, try to be involved whenever IT initiatives are being discussed.
EXAMPLE: Marketing moves customer data to the cloud without notifying Security and without engaging them while selecting a vendor and migrating data.
The Security Implications
• Sensitive customer data was sitting in an environment outside the scope of the organization's security program.
• Unexpected security costs were incurred analyzing the vendor after the fact and addressing concerns related to on-premise to cloud data integrations.
Take a proactive approach to managing security
[Figure: Mitigation and Control Expenditure (y-axis) versus Time (x-axis), showing allocated resources and the point of a security incident, with a Reactive Mitigation Posture curve compared against a Proactive Mitigation Posture curve.]
BENEFIT: Proactive mitigation lowers overall security costs over time.
Proactive Mitigation Posture
• Enables the team to learn from security incidents and apply lessons to security practices, increasing security strength.
• Entails pre-emptive "what-if" planning and prevention actions.
• Introduces more specific technology, policies, and procedures that protect information better and at lower cost.
Reactive Mitigation Posture
• Allows security investments to occur, but does not extensively consider past incidents or incident analysis, leaving security strength stagnant.
• Lacks the ability to recognize security incidents before they occur.
• Involves little analysis of incidents.
Security incidents inevitably affect budget planning, regardless of posture. A proactive posture allows for lessons learned that actually improve information security capabilities and cost measures over time.
Is this research right for you?
Research Navigation: Info-Tech Research Group has two research reports related to building an information security strategy. Use the questions below to help steer you to the research project that best suits your organization.
1. Does your IT department consist of fewer than 15 full-time employees?
2. Does your organization have limited resources for its security program?
3. Is your organization looking to build a lean information security strategy?
4. Is your organization in a loosely regulated or unregulated industry?
If you answered YES to most of these questions, keep reading this blueprint. If you answered NO to question 4 or have significant concerns with your current security capabilities, go to the Build an Information Security Strategy research.
Improve your ability to prevent security incidents and improve protective practices by leveraging Info-Tech's four-step approach:
1. Assess Security Requirements
2. Determine Current and Target States
3. Develop Improvement Plans
4. Create and Communicate Your Roadmap
Info-Tech Recommends: You will need a deep understanding of the business, even (and especially) if your organization does not have an awareness or understanding of information security. Use the information and insight that you gather at the outset to drive your project's activities and enable you to build and implement a roadmap that best maps to your business's priorities and vulnerabilities.
Don't just read it – do it! Use this research to create the following key deliverables.
WALK AWAY FROM THIS PROJECT WITH:
Security Strategy
• Plans for improving the performance of foundational security functions.
• A vision for how to mature the organization's security program (estimated one- to three-year trajectory).
Scoped Initiatives
Program Roadmap
Tactical guidance, immediate support.
Use this research to build a security strategy
Intended Audience
• IT departments with 15 or fewer full-time employees.
• Organizations that want to quickly assess and build a security strategy focused on foundational capabilities.
Expected Benefits
• Completed security strategy documentation using best-practice templates.
• Strong understanding of security issues and requirements.
• Improved business awareness and understanding of the importance of information security.
• Improved performance of critical security functions.
This Research Includes
• Guidance for analyzing and building security capabilities.
• Directions that help to accelerate brainstorming, analysis, and execution of security plans.
WALK AWAY FROM THIS BLUEPRINT WITH:
• Plans for improving the performance of foundational security functions.
• A vision for how to mature the organization's security program (estimated one- to three-year trajectory).
Use the following tools and templates:
Information Security Strategy and Workbook Template
Security Pressure Posture and Analysis Tool
Security Component Maturity Level Descriptions
Information Security Program Gap Analysis and Roadmap Tool
Project Charter and Status Update Template
Information Security Strategy and Roadmap Communication Deck
Want to learn more about this research? Improve Information Security Practices in the Small Enterprise
Info-Tech Research Group's advisory services include a team dedicated to Security, Risk, and Compliance Management.
Experience of Info-Tech's security team
• Former CIOs and CISOs
• Security architects
Topics Covered
• Security strategy planning
• Data Classification
• Vulnerability Management
• Identity Management
• Endpoint Security
• Penetration Testing
• And many more…
Info-Tech offers various levels of support to best suit an organization's IT needs
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Info-Tech Research Group is an information technology research and advisory firm that has been working with clients to help them make strategic, practical, and well-informed decisions and plans since 1997.
Info-Tech leverages the experience of its analysts and of its more than 3,000 IT professional members to build practically oriented research that guides organizations to learn from the experiences of their peers, best position their departments, and empower their organizations.
Info-Tech's Mission: Help IT leaders and their teams:
• Systematically improve their core processes and governance
• Successfully implement critical technology projects
Contact Us
London, Ontario, Canada (Corporate headquarters): 602 Queens Avenue, London, Ontario, N6B 1Y8
Toronto, Ontario, Canada: 888 Yonge Street, Toronto, Ontario, M4W
Las Vegas, Nevada, USA: 3960 Howard Hughes Parkway, Suite 500, Las Vegas, Nevada 89169
Website: Infotech.com
Phone: North America: 1-888-670-8889; International: +1-519-432-3550