I’m very excited to kick off survey development for upcoming Forrester Forrsights surveys that will feature security content. Continuing on from previous years will be the Forrsights Security Survey. This is an annual survey of IT security decision-makers from North American and European SMBs and enterprises. New for 2013 is a Workforce Survey that will provide the (also North American and European) employee perspective when it comes to security and devices in use within their workplace.
These surveys will be fielded April through May, and the results will make their way into published research this summer. Survey development starts now, and I would love to hear what you think about the proposed topics. What are some areas where you’d like to see us gather more data?
Facebook made headlines last Friday with its announcement that it had been the victim of a sophisticated security attack. All major news publications picked up the story, citing widespread concern about the implications of the breach.
The breach itself, however, was largely a nonevent from a security standpoint.
Facebook identified the security breach before it infiltrated too deeply into company systems, remediated all compromised machines, informed law enforcement, and reported the Java exploit to Java's owner, Oracle – acting quickly and appropriately. Most importantly, Facebook made it clear that the breach did not expose any of its users' data.
I’m proud to announce that this week Forrester launched our Governance, Risk, and Compliance Playbook, a collection of in-depth reports covering the critical information you need to implement a successful GRC program… one that focuses on supporting business success, not getting in its way.
We have started a new report series on Cyber Threat Intelligence. The first report, "Five Steps To Build An Effective Threat Intelligence Capability," is designed to help organizations understand what threat intelligence is and how to establish a program. If you're not a Forrester client and would like the report, Proofpoint is providing a complimentary copy. On Thursday, March 28th, I will be conducting a Forrester webinar on the report. Please join me if you'd like to get a deeper perspective on it. In the future, we will expand on sections of this initial report with additional research including:
A collaborative report with Ed Ferrara looking at the cyber threat intelligence vendor landscape
On Tuesday, President Obama issued a Cybersecurity Executive Order, which outlined policies to defend against cyber attacks and espionage on US companies and government agencies. The EO came nearly a year after the proposed and much-hated Cyber Intelligence Sharing and Protection Act (CISPA) got stalled in the Senate. The privacy community sees the CISPA as a great threat to Internet privacy. Many of them are encouraged by this executive order, which stayed away from suggesting changes to privacy laws and regulations.
The salient points of the EO are as follows:
The president acknowledged formally that information warfare, at the level of nation states, is ongoing and is a clear and present danger.
The government will build a "Cybersecurity Framework" with the private sector to share information on cyber attacks and threats, with the goal of reducing cyber risk to critical infrastructure.
The Cybersecurity framework will expand existing government programs to bring more private sector subject-matter experts into Federal service on a temporary basis.
Unlike CISPA, the EO does not carry language that would change or directly impact privacy laws and regulations.
The EO puts forth specific timelines for the publication of the Cybersecurity Framework as well as an assessment report on its implications for privacy.
We just published the Forrester Wave on Enterprise Fraud Management, a piece of research that has been consistently asked for by our clients. See how vendors stack up on current offering criteria, including statistical models, rules authoring, case management, and reporting, and on strategy criteria, including vendor staffing, customer satisfaction, and financial stability.
Your customers are consumers too. They don’t turn into business bots when they set foot in the enterprise. Whether your organization sells a product or a service to enterprises or consumers, you’re interfacing with consumers who have opinions about security and privacy. S&R pros, you already know that you have to be on top of things like regulatory compliance (Hello HIPAA! Hi EU Data Protection Directive!) when creating policies and implementing controls. But what about consumer perceptions and behavior? Consider that*:
49% of US online consumers are concerned about security and privacy when purchasing products online
44% of EU online consumers say the same about sharing personal information to access a website
39% of US online consumers express security and privacy concerns over sharing personal information to participate on a website (e.g., discussion boards, writing reviews)
20% of EU online consumers are concerned about their security and privacy when downloading apps to their mobile phone
Last week I flew to Puerto Rico to attend Kaspersky's industry analyst summit (IAS). This is the second year that Kaspersky has held a global analyst summit. The event is co-located with their security analyst summit (SAS), which is turning into a mini Black Hat event with attendance from many premier security researchers in the industry. Unfortunately, I only had time for IAS this year.
Kaspersky is an interesting company. In the last 10 years, they came out of nowhere, built a global brand, established their founder Eugene Kaspersky as a cybercrime-fighting celebrity in popular media (see the Vanity Fair and Wired articles on Kaspersky, and the Formula One sponsorship), and at the same time, grew a tremendous business.
Kaspersky's CMO, Alex Erofeev, got on stage talking about how the Kaspersky brand, in many parts of the world, is now the third most well-known AV brand behind Symantec and McAfee. I did a bit of Googling. Look what the Google Trends graph below shows (search volume from 2004 to 2013): not only has the global search volume for "Kaspersky" increased over the years, it has surpassed "Symantec" and "McAfee"! This is no small achievement for a company that, until two years ago, had no formal B2B marketing function.
This Forrester-moderated panel of top security executives from Allergan, Zappos and Humana will discuss the impact of scale in solving Big Security challenges. Issues from the importance of scale in detecting advanced threats to benefits to the average user will be debated. Drawing on their experiences, these experts will share their views on why scale matters in the era of big data.
David Hannigan, Zappos, Information Security Officer
Stephen Moloney, Humana Inc., Manager, Enterprise Information Security
Jerry Sto. Tomas, Allergan, Inc., Director, IS Global Information Security
Predicting what malware will look like five years from now requires more than a crystal ball. In order to fully understand future threats and challenges, you need a finger on the broader pulse of technological innovation. Our panel of esteemed experts will attempt to guide a better understanding of where we may need to target our defensive efforts in the coming months and years.
You are now no doubt aware that Boston-based security firm Bit9 suffered an alarming compromise, which resulted in attackers gaining access to code-signing certificates that were then used to sign malicious software. See Brian Krebs's article for more details. (Symantec breathes a quiet sigh of relief to see a different security vendor in the headlines.)
The embarrassing breach comes at a time when the company has been seen as one of the security vendor landscape’s rising stars. Bit9 has actually been around for more than a decade, but the rise of targeted attacks and advanced malware has resulted in significant interest in Bit9’s technology. In late July, Bit9 secured $34.5 million in funding from Sequoia Capital. Bit9’s future was bright.
On Friday afternoon, Bit9 CEO Patrick Morley published a blog providing some initial details on the breach. A few of his comments stood out: “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network … We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9."