The Forrester Information Security Maturity Model

After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I'm happy to announce that today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped into 25 functions and 4 high-level domains. In addition to the People, Process, and Technology domains you may be familiar with, we added Oversight, a domain that addresses the strategy and decision-making needed to coordinate functions in the other three domains.

Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security’s role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.

What makes the Forrester Information Security Maturity Model work?

What The Citi iPhone Security Flaw Says About Mobile Security

Yesterday, the Wall Street Journal reported that Citigroup’s iPhone electronic banking app contained a security flaw that had been fixed. According to the article, a new version of the app has been made available to customers through Apple’s App Store. The Citi app was developed in conjunction with mobile app specialist mFoundry and allows customers to view their banking and/or credit card statements and make bank payments. From the Journal article:

“Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones. The information may also have been saved to a user’s computer if it had been synched with an iPhone. The issue affected the approximately 117,600 customers who had registered the iPhone app with Citi since its launch in March 2009, a person familiar with the matter said. The bank doesn’t believe any personal data was exposed by the flaw.”

Forrester customers who are also Citi banking or credit card customers should immediately update their iPhone app. They should also change their account password if their phones have been stolen or lost.

I have not spoken to Citi about this matter, and I do not have inside knowledge about the nature of the vulnerability. However, it stands to reason that:

Building The High-Performance Security Organization

I just completed my second quarter as the Research Director of Forrester’s Security and Risk team. Since no one has removed me from my position, I assume I’m doing an OK job. Q2 was another highly productive quarter for the team. We published 20 reports, ran a security track at Forrester’s IT Forum in Las Vegas and Lisbon, and fielded more than 506 client inquiries.

In April, I discussed the need to focus on the maturity of the security organization itself. I remain convinced that this is the most important priority for security and risk professionals. If we don’t change, we’ll always find ourselves reacting to the next IT shift or business innovation, never predicting or preparing for it ahead of time. It reminds me of the Greek myth of Sisyphus. Sisyphus was a crafty king who earned the wrath of the gods. For punishment, the gods forced him to roll a huge boulder up a steep hill, only to watch it roll back down just before he reached the top — requiring him to begin again. Gods tend to be an unforgiving lot, so Sisyphus has to repeat this process for the rest of eternity.

If my protestations don’t convince you, perhaps some data will. The following are the top five Forrester reports read by security and risk professionals in Q2:

New Forrester Wave Evaluation: Vulnerability Management Products

Forrester has just completed a comprehensive assessment of vulnerability management products. The Forrester Vulnerability Management Wave report is now live. If you are a subscriber, please see here for the full report.

In Forrester’s 53-criteria evaluation of vulnerability management vendors, we found that the market is rife with mature products. In particular, we found that Qualys leads, with Rapid7, McAfee, nCircle, and Lumension following as Leaders.

Qualys showed itself to be the leader of the pack in this evaluation. Qualys pioneered the SaaS hybrid delivery model of vulnerability management, combining fully-managed scanner applications with a security console hosted in the Qualys cloud. Once considered radical, this service model is now used by some of the largest organizations in the world. Qualys delivers vulnerability assessment, application-level scanning, and configuration compliance auditing. It’s worth noting that their offering provides concrete mappings from a wide list of regulations to actual IT controls.  

We found several other vendors offering competitive solutions. Rapid7 is the up-and-comer, with an impressive 50%-plus year-over-year growth over the last two years. In addition to its solid technology, it is the only vendor in this evaluation whose application-scanning capabilities can handle Ajax and Web 2.0 technologies. Rapid7 recently signed OEM deals with two of the largest security and service vendors in the industry, which should give it a boost in the market.

Assuming Your Company Is 0wned... That’s Risk Management

ComputerWorld columnist Roger Grimes recently blogged about “Security Rule No. 1: Assume You’re Hacked.” Roger, in turn, was reacting to a Forbes magazine article written by Richard Stiennon that made the same point. Both posts describe steps IT security and risk professionals should take, assuming their company computers have already been compromised.

These are well-written articles, and I recommend you read them. Here is Forrester’s take on this important issue. In short, I view accepting the inevitability of compromise as the first step in a broader risk management journey. It might seem a little odd to suggest that compromises (risks that have materialized as threats and been successfully carried out) have some relationship to risk management, but allow me to explain.

First, some background. In Roger’s column, he notes that every company he works with these days is compromised. The advice he gives on how to prevent compromise is generally very good:

Tips For Using Spreadsheets For Business Intelligence, Compliance, And Risk Management

My colleague Boris Evelson, who covers business intelligence for Forrester and serves business process professionals, recently wrote a great post about the use of spreadsheets for business intelligence. He explains that while many BI vendors initially sought to replace spreadsheets in the corporate environment, it's now clear that they are not going anywhere any time soon.

Sound familiar? While many governance, risk, and compliance professionals and GRC vendors continue to work toward helping customers consolidate data and move away from spreadsheets, they are still basically ubiquitous. In fact, several of the top GRC vendors are now working to improve the way their tools interface with Excel... Not just for exporting reports, but for data input and analysis as well.

I recommend reading Boris' post, where he details three best practices regarding the use of spreadsheets for BI:

  1. Create spreadsheet governance policies.
  2. Monitor and enforce compliance with those policies.
  3. Give preference to vendors that work well with spreadsheets.

Creating clear policies for what information will and will not be managed in spreadsheets is critical here, and extremely important for the GRC universe. Unless you have specially built controls, spreadsheets do not give you the level of security, access control, change control, or audit trail you should have for data related to compliance or risk management. Office tools are going to be handling substantial amounts of important information for the foreseeable future, so it's worthwhile to review and update your policies and make sure they are being appropriately enforced.