Are we losing yet?

That’s what I asked myself after reading the IC3 Internet Crime Report, which shows:

  • A 22.3% increase in complaints over 2008
  • Total dollar loss from all referred cases was $559.7 million, **up over 110%** from 2008
  • Of the top five categories of offenses, identity theft ranked second, at 14.1% of complaints; computer fraud (destruction/damage/vandalism of property) ranked fifth, at 7.9% of complaints.


The security industry readily admits that cyber-criminals are evolving their attack tactics faster than we’re evolving our defenses. How long can we continue to fall behind before we should start saying that we’re losing?


Privacy, regulation, and reputation

I wrote previously about Google's challenges with respect to privacy, and since then it has incurred the wrath of consumers with its initial rollout of Buzz. And my colleague Chenxi Wang blogged about Facebook's issues with its privacy policy.

What's intrigued me about these two incidents is that the companies each ended up making serious missteps by publicizing information that at first blush seems innocuous. Google exposed information about who you email with; Facebook made public your circle of Friends.

This type of data does not fall into the category of PII (personally identifiable information), either. So despite the ever-growing regulatory climate on privacy (HITECH, Massachusetts 201 CMR 17.00, PCI, etc.), the nature of consumer concerns far outpaces any legislative efforts.



Forrester's latest Security Survey findings published

I wanted to announce that the reports based on our annual Security Survey of nearly 2,000 organizations are live as of Monday, January 25th. These are among our most widely read security reports, with insight into IT security priorities, challenges, state of compliance efforts, and of course adoption of security technologies and services.

The two reports are:

“The State of Enterprise IT Security And Emerging Trends: 2009 to 2010”, at

“The State of SMB IT Security And Emerging Trends: 2009 to 2010”, at

Here’s a taste of some of the findings:



What Google v. China tells us about how the security market is changing

[This entry is cross posted to Jonathan Penn's blog, Cyberia]

Expanding on the Google meme from Andy Jaquith's prior post...

Rather than discuss the extent of the cyber threat from China, or whether Google should effectively pull out of China by ending the censoring of search results (or why it was even in China to begin with), the most interesting and telling thing I'm seeing from all the discussion on this is the visibility of the defense contracting and intelligence consulting community, and how that visibility and even dominance is going without much comment by industry watchers and without much challenge by traditional security firms. Who is going to analyze and say with confidence whether the attack came from proxies or direct representatives of the Chinese state? It's the defense contractors. As with the July 4 attacks targeting the US and South Korea, the traditional defense contractors (most notably Lockheed Martin, Northrop Grumman, which was also targeted, and Raytheon) are the go-to authorities on this, while Symantec (which was also one of the targets in the multi-pronged attack), McAfee, and others are left merely to talk about how the attacks in and of themselves might fuel greater interest in their security technologies.



Security Predictions For 2010


Trying to avoid the obvious and the already underway, here are my predictions for 2010.

1. Cloud security standards emerge. By the end of 2010, we’ll see a framework emerge for establishing a well-defined set of technology, practices, and processes, organized into different levels of trust. Ultimately, adherence to these specifications will need to be certified by third parties. The effort won’t be complete, but it will be underway. Look to the government as the key driver of this effort (other than the vendors).

COROLLARY: The use of cloud will take off as adopting organizations by and large overcome their security concerns – or at least, understand them at a specific enough level to seek out providers that satisfy these concerns.

2. Federation will start to take off by the end of 2010. Use of federation will be fueled by SaaS and cloud computing and the need for single sign-on to bridge identity from the enterprise to those external environments. Where standards reign over kludges, SAML will be the leading mechanism. OpenID will continue to be just a lab toy for the "Identerati".

3. Managed Security Services expands far beyond “Managed”. Organizations are not only turning to managed security services, they are seeking more from their providers than merely assuming operational functions. Increasingly, they seek partners to help them with security strategy, benchmarking, making the business case, and integration. MSSPs that are in fact multifaceted solution providers will start to establish market dominance. Big winners will be IBM, VZB, Wipro, among others.


VOTE: Does your cloud strategy factor in security concerns?

We all know that end user organizations have security concerns about cloud computing. But let’s put some numbers to that: according to our latest Enterprise And SMB Hardware Survey, North America And Europe, Q3 2009, fully half of organizations (49% of enterprises and 51% of SMBs) cited security and privacy concerns as their top reason for not adopting cloud computing. This means security is far more than just a concern; it’s a major inhibitor to growth.

Many of you vendors have incorporated cloud computing into your strategy, or are preparing to. In order to gauge how security factors into such plans across the tech industry, we’ve set up a poll on the Vendor Strategy home page within for vendors to take.

Please go to and answer the polling question under “You Vote. We Write.”

One of the Heartland lawsuits dismissed

See the news article here

This was the shareholder lawsuit, not the consumer/victim lawsuit, so different issues apply. But it's still interesting. Somewhere down the road, such a case will win, likely because of a smoking-gun email by IT security staff. That calls for greater communication and accountability around security, which smells like GRC to me. maps stock price showing when the data breach occurred. Here's the chart for Heartland. Stock price isn't always affected, even in big breaches. DSW stock kept rising after its breach of 1.4 million records. TJX stock didn't seem affected either, after its big breach.



Google's Achilles' heel

Sure, people trust Google to come out with cool technology. But do they trust Google with their data and their privacy? Many don’t. Worse, many fear what Google does or could do with the data it aggregates.

I’ll let Google itself tell the story. If you do a Google search on “Google” and “big brother” you’ll get a whopping 58.9 million hits. Doing the same for “Microsoft” and “big brother” yields only 7.1 million. Even more surprising, a search on “government” and “big brother” results in just 13.4 million hits. Using search results as a rough proxy: people are more than 4 times more concerned that Google, rather than the government, is amassing too much information about us.

I see a lot of parallels between Google today and Microsoft circa 1999. What security was to Microsoft (but to Microsoft’s credit, isn’t any longer), privacy is to Google: a looming threat of customer dissatisfaction that could result in a mass migration of users and their eyeballs away from Google’s applications and search engine. And the friction for such a diaspora from Google’s web-based services and add-on applications is far lower than from Microsoft’s Windows or Office.



A new blog site for one of our analysts

Jonathan Penn

For those who have been following my blog posts, I've started up my own blog. It's called Cyberia, and it's at

I've wanted to blog more often about a broader set of topics, but found Forrester’s existing team blogs such as this one don’t offer me the best forum to speak to the diverse kind of audience that I seek to engage. The topics will fairly consistently be about security and privacy issues; but the role of the audience to whom I address these posts will shift between IT security practitioners, IT vendors, and even the IT users (both corporate and consumer) who are affected by both security and privacy risks, as well as by the measures designed to mitigate those risks.

I've already started posting several items, so it's live and active.

I hope to see you there!
-- Jonathan