What kept your CISO up last night? What market forces and threats are most impactful to your peers? How will these shape the future of enterprise security? Bill Burns, Informatica CISO and former Scale Venture Partners Executive-in-Residence, formed an InfoSec investment thesis by combining his 20+ years of domain expertise with over 100 CISO peer interviews and online survey responses. In this session Bill will share his results and perspectives on what's ahead for practical enterprise security.
ScaleVP CISO Research: Investing in Information Security
Bill Burns, CISO
Today’s Goals
• What trends affect your security program?
• What are other CISOs doing about them?
• What should you focus on going forward?
Public 2
Who and Why am I here?
• Goal: Invest in InfoSec, share back to security community
• Background in Security @ scale
  – Co-developed Amazon CloudHSM for IaaS hardware roots of trust
  – Deployed one of the largest distributed, hybrid cloud WAFs
  – Corporate IT “all-cloud”, mobile-first security strategy
  – Public Root CAs, PKIs
• Active advisor: RSA Conference Committee, ISSA CISO Forum, ISSA CISO Career Lifecycle, Startup Technical Advisory Boards
• Previously:
ABOUT THE SURVEY Survey Results: InfoSec Organizational Structure
Research Methodology
1. Scale Venture Partners: 35-question survey
2. In-person interviews: 22 peer CISOs, across 15 industries
3. Expanded survey via Wisegate; total data set: n=102
4. Only small variations between both datasets
5. Not statistically rigorous; margin of error = +/-7% @ 90% confidence
Demographics – Reporting Structure
Who does the Security Lead / CISO report to?
• CIO: 63%
• CRO/Risk: 10%
• CFO: 7%
• CEO/President: 5%
• Legal/Privacy: 4%
• Other: 11% (COO, CTO, Managing Director, EVP, Strategy)
Impacts budget approval, project prioritization, implementation friction
How is Security organized within your company?
• Centralized: 55%
• Hybrid: 37%
• By LoB: 5%
• Other: 3%
Impact to project approval, implementation processes, ability to execute
Who handles operational security tasks?
• Security Dept: 46%
• Shared: 36%
• Exclusively other teams: 18%
Examples: firewall rules and maintenance, system patching, vulnerability scanning, configuration management
Impact to budget approval, implementation processes, operational ownership, mean time to resolution
HOW DID WE GET HERE? Top Trends: Where are we headed?
Security Forcing Functions – Mobility & BYOD
Smartphones: 58% | Tablets: 42%
By 2017, 50% of employers will require you to BYOD for work. [2]
By 2018, 25% of enterprise traffic will flow directly mobile-to-cloud. [3]
Sources: (1) Pew Research, Jan 2014; (2) Gartner, May 2013; (3) Gartner, Nov 2013
Security Forcing Function – Cloud-IaaS
• Clouds are compelling for businesses, hard for old security controls to match pace
• AWS Example:
  – ~Quadrupled # of services in past 4 years
  – Reduced pricing 42 times in 8 years as they age equipment out
Source: AWS
[Chart: Total Amazon Elastic MapReduce (EMR) Clusters Launched by Customers, 5/2010 to 10/2012, y-axis 0 to 4,000,000: 3.7M clusters launched since May 2010]
[Chart: Amazon S3 Total Objects, Q4 2006 to Q2 2012: 1.3 trillion total objects; 835,000 peak requests/sec]
Even Security Products Are Embracing Cloud Services
[Chart: Global Cloud-Based Security Forecast, 2010 to 2017, y-axis 0 to 4000]
[Chart: Cloud security services consumed over the next 12 months, % of respondents (values range from 18% to 27%): Email security services; Web security services; Website protection (fraud, DoS); Application security testing; Identity and access management; Security intelligence engines; Vulnerability assessment services; Web application firewall as a service; SIEM as a service; Tokenization/encryption as a service]
WHAT DID WE LEARN? Survey Results
What did we learn?
• Cloud usage at companies falls into three buckets. Which describes yours?
  – Cloud Always: New companies. Born with the Cloud. No desire for on-prem infrastructure.
  – Cloud First: Existing companies. Pick Cloud-based alternatives first.
  – Cloud Cautious: Laggards or heavily-regulated. See the benefits in limited use cases.
What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
CISOs: Externalities and Forcing Functions
Q: “What top trends most/least affect your security program?”
CISOs are most concerned about maintaining security and compliance while losing direct control of the underlying infrastructure.
[Chart: number of respondents answering “most affects” vs. “least affects” (0 to 50) for each trend: Agile/DevOps; BYOD; Consumerization of IT / Shadow IT; Increased regs or compliance; Mobile/IoT; IT Automation / API-level integrations; Mobility (smartphones and tablets); Cloud-SaaS; Ubiquitous Internet Access; Cloud-IaaS; Weaponization of the Internet / State-sponsored espionage; Work / Life Integration]
What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
• Their top concerns are growing…
CISOs: What kept you up last night?
(Q: “What are your top 3 risks right now?”)
[Chart: share of responses by top risk] Malware Outbreak 16%; Breach of sensitive information 16%; Malicious Outsider Threat 8%; Malicious Insider Threat 6%; Advanced Persistent Threats 5%; BYOD Management & Security 5%
Top 20: Malware Outbreak • Breach of sensitive information • Malicious Outsider Threat • Malicious Insider Threat • Advanced Persistent Threats • BYOD Management & Security • Social Engineering • Privacy & Regulatory Compliance • Identity Management • Threat & Vulnerability Management • 3rd Party / Supply Chain Security • End User Training • Asset Management • Cloud Security • IT Continuity • People Security • Server Security • Cyber Threat Intelligence • Governance • Insider Unintentional Threat
[Chart: how CISOs prioritize security programs, share ranking each approach as priority 1, 2 or 3, 0% to 100%: I use a risk-based approach; I look at changes to our business strategy; I look at what parts of the program we need to mature; I decide based on how much money we have in our budget]
Programs based on risk, business alignment, maturity, cost
Top risks are growing for my company
[Chart: Top Risk #1, Top Risk #2, Top Risk #3, share answering GROWING vs. SHRINKING for your company, 0% to 100%]
Top risks are growing for my industry, but even more!
[Chart: Top Risk #1, Top Risk #2, Top Risk #3, share answering GROWING vs. SHRINKING for your industry, 0% to 100%]
What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
• Their top concerns are growing, but
• They aren’t confident in their current controls …
Q: How confident are you that your current controls are working?
A: Slightly more than 50%
[Chart: confidence that controls are working for Top Risk #1, Top Risk #2, Top Risk #3, 0% to 100%]
What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
• Their top concerns are growing, but
• They lack confidence in their current controls, and
• They struggle to measure impact on the business
Lack of Metrics, Unable to Map to Business Impact
Q: Do you have metrics to track your top risks?
A: Half do NOT have metrics (!)
[Chart: Yes vs. No for Top Risk #1, Top Risk #2, Top Risk #3, 0% to 60%]
WHAT ARE THEY PLANNING TO DO ABOUT IT? Survey Results
Protecting Corporate Data – At Every Enforcement Point
Data-centric controls to protect enterprise information are hot: the most desired control for every enforcement point.
As IT hands off infrastructure control, CISOs focus on the data. Shared risk models are a nod to the expanding universe of user devices and the dissolving enterprise perimeter.
Endpoint Security Controls
[Chart: share ranking each control as priority 1, 2 or 3, 0% to 70%: (Consumer) Patching, field upgrades; Sandboxing / Containerization (Enterprise/Consumer); Incident Response Automation, Orchestration; Information protection and control; Enterprise endpoint management (proactive, reactive); Server Security; Anti-malware]
Mobile/IoT Security Controls
[Chart: share ranking each control as priority 1, 2 or 3, 0% to 90%: Enterprise endpoint / App / Security Posture management; Vulnerability Management; Threat management; Information protection and control (DLP, tracking, masking, encryption)]
Messaging, Collaboration, File Sync/Sharing Security Controls
[Chart: share ranking each control as priority 1, 2 or 3, 0% to 90%: Information protection and control (DLP, tracking, masking, encryption); Antispam / Antiphishing / Brand Reputation; Antivirus / Antimalware; Encryption / Encryption Key Management; Social Media / Social Networks Content filtering]
Infrastructure Security Controls
[Chart: share ranking each control as priority 1, 2 or 3, 0% to 80%: Encryption / Encryption Key Management; Web application firewall; Database Firewall / Activity Monitoring; Sandboxing / Process isolation lightweight containers; Information protection and control (DLP, tracking, masking, encryption)]
4. Automate All the Things
CISOs want automation, orchestration to manage point solution sprawl.
APIs: Three-quarters of CISOs are building or integrating solutions to address their top risks.
Q: Did you need to build something custom to address your top risks?
A: Yes, we had to build something to address our top risks.
[Chart: share answering Yes for Top Risk #1, Top Risk #2, Top Risk #3, 0% to 100%]
4. Automate All the Things
Anecdotes:
• “I’m always adding new controls, I can’t turn anything off!”
• “When tool X finds something wrong, why can’t system Y apply a fix or contain the risk?”
• “I can’t afford to keep adding staff to monitor GUIs and consoles. Why can’t tools automate this?”
SURPRISES AND OPEN QUESTIONS
What did we learn?
Agile/DevOps: Equally impactful and not impactful
Are APT and State-Sponsored Espionage a top concern?
• Top Forcing Functions: No
• Top Risks: Yes (Advanced Persistent Threats 5%)
Long-tail of individual “top concerns”
Top Risks, Categorized
Network Security Controls – don’t address top externalities
[Chart: share ranking each control as priority 1, 0% to 30% (values 6% to 28%; Software-Defined Networking & Security Automation and Cloud Service Brokers / Cloud Application Gateways each at 9%): Software-Defined Networking & Security Automation; Network Admission Control; Firewall; Unified threat management (UTM); Intrusion detection and prevention; Cloud Service Brokers / Cloud Application Gateways]
…But implementing Cloud gateways would
IAM – Still biased towards basic controls
[Chart: share ranking each control as priority 1, 2 or 3, 0% to 70%: Converged physical / logical security; PKI, Digital Certificates; Social Media Identity Management; User provisioning and identity management, especially Cloud, SaaS, social media; Web SSO (includes federation); Risk-, behavior-, context-based authentication, authorization; Advanced authentication & identification schemes]
Incident Response – Need actionable data, not more feeds
[Chart: share ranking each control as priority 1 or 2, 0% to 90%: Threat Feeds, Intelligence, Sharing; Forensics and incident investigation (includes "Mandiant In A Box"); Incident Response Automation, Orchestration; Proactive detection, automated / real-time response]
INSIGHTS – CALL TO ACTION Information Security Market
Insights & Calls to Action
1. IT handing off infrastructure control of endpoints and networks
  – Shared risk requires *aaS vendors to have security and auditability as core features
  – Authentication and Data become the new perimeters; controls move closer to data
  – User endpoints are the typical attack vector; focus on intel, orchestration, encrypt/wipe
  – Build “right to audit” and security best practices into your partner agreements; test them
2. Predictive, behavioral analytics become standard security features
  – Broad, horizontal function applicable everywhere (logs, app execution, network)
  – Potential to increase confidence, faster remediation, lower false positives
  – Early market, room for maturity. Start building simple metrics to measure efficacy.
Insights & Calls to Action
3. Teams embrace automation, SecDevOps, cloud security services
  – Integrating security into dev workflows improves visibility, consistency, efficacy
  – Security products will offload compute and storage to the cloud to keep up with attackers
  – Buy/build products based on APIs, not GUIs, and on data interoperability
  – Worry less about threat feeds; focus on incident response and automation
4. Virtuous cycle: focus on improving your security program maturity
  – Mature security programs have more confidence in their controls
  – Measurability leads to better insights, confidence, prioritization
5. CISOs, exec mgmt, Boards need broad security metrics, risk insights
  – Aggregate your security point solutions to build holistic risk scores
  – Identify and create metrics that show the security program’s impact on the business
Insights & Calls to Action
6. Future Look: Enterprise security controls respect user privacy
  – End users are becoming their own Chief Privacy and Security Officers.
  – Confluence of forces: Work/Life Integration, Mobility, BYOD, Privacy
  – Mutually beneficial: Users trust security teams to protect their BYOD, and security teams still protect corporate data
  – New class of vendors observing a personal/work separation in usage, flows