Upcoming Research -- Brief: US Department Of Homeland Security (DHS) Provides Funding For Cybersecurity Innovation

The United States Department of Homeland Security (DHS) plans to sponsor important research in cybersecurity over the next three to five years through the Broad Agency Announcement (BAA) process.  The US Federal government’s participation in cybersecurity is one of false starts. Members of each of the branches of government have made statements on the need for improved cybersecurity but very little has been done, at least in any public sense, to help the private sector deal with an onslaught of cyberattacks. At the same time, the National Security Agency (NSA) has been actively spying on private sector companies and their customers. This has sent mixed messages.

Encouragingly, the DHS is now making money available to fund research in cybersecurity with the goal of solving some of the toughest cybersecurity issues. The amount of money is small compared to the enormity of the cybersecurity problem, but it is a step in the right direction. This report will focus on what the money funds and what it means to commercial enterprises and their customers. Look for this report to publish in early August.

New Research: CISOs Need To Add Customer Obsession To Their Job Description

The CISO And The Customer

Next month Forrester will publish research focusing on the role the customer plays in security planning. Customer attitudes are changing, and companies need to recognize these changes or risk losing customers. These changes put enormous attention on the CISO and the security team. But CISOs should also look at this as a big opportunity for CISOs to move from the back office to the front office. Security incidents, managed well, can actually enhance customer perceptions of a company; managed poorly, they can be devastating. If customers lose trust in a company because of the way the business handles personal data and privacy, they will easily take their business elsewhere. Sales will fall, stock prices will follow, and the CISO will be accountable. CISOs need to improve their security program by focusing on the company’s true customers – the ones that create revenue – clarifying and speeding communications and implementing customer-focused security controls.  Look for it next month!

Symantec Challenges Financial Services Security

Symantec Challenges Financial Services Security

In this age of the customer, there is nothing more important than the effective and safe operation of the global financial system. Trillions of dollars move around the world because of a well-oiled financial services system. Most consumers take our financial services system for granted. They get paid, have the money direct deposited into their account, pay bills, use their ATM card to get cash, and put family valuables in the safety deposit box. The consumer’s assumption is that their cash, investments and valuables are safe.

Symantec’s 2014 CyberWar Games set out to prove or disprove how correct are these assumptions. Symantec’s cyberwar event is the brainchild of Samir Kapuria, a Symantec vice president within the Information Security Group. Symantec structures the event as a series of playoff events. Teams form and compete, earning points for creating and discovering exploits. Out of this process, the ten best teams travel to Symantec’s Mountain View, California headquarters to compete in the finals.

Not Just Hackers Need Apply

Read more

New Research: AWS Cloud Security - AWS Takes Important Steps For Securing Cloud Workloads

Security is the No. 1 impediment to Cloud Service adoption. Forrester’s research has shown this over the last three years. Cloud Service Providers (CSPs) are responding to this issue. AWS has built an impressive catalog of security controls as a part of the company’s IaaS/PaaS offerings.  If you are currently or considering using AWS as a CSP you should check out the following new research.

AWS Cloud Security - AWS Takes Important Steps For Securing Cloud Workloads

Technology Use By MSSPs -Check Out Our Survey

Technology is essential in any managed security operations center. Technology has come a long way to create an active defense of the enterprise. There are vendors that offer solutions for log management, web application defense, firewall, incident event correlation, and many others. In order to understand the size of the security technology market, Forrester and the MSP Alliance are partnering in a survey to look at the managed security functions and the technology MSSPs use to deliver their services. If you are an MSSP or an end user of these technologies, you can complete this survey at:

FORRESTER - MSP ALLIANCE SURVEY

For completing the survey you are automatically entered into a contest to win an iPad mini. Also for completing the survey you will receive a complimentary copy of the resulting research paper.

Cloud And Cloud Security – Get Rid Of The Box

Peter Kujawa CEO of Locknet, Steve Tallent from Fortinet, and I were speaking at the recent MSPWorld Conference in San Jose, California about the cloud revolution. Steve was interested in the conversation because Fortinet is now offering virtualized versions of their Fortigate UTM solution. Peter was interested because his business is built on taking the pain away that platform management entails. Obviously security intersects both of these worlds.

We discussed the changes cloud computing was making to the MSP/MSSP markets and the differences between the SMB and enterprise businesses and what motivates them to consider the cloud IaaS, SaaS, and PaaS model.

Peter talked about one of his clients – a smaller client – that managed their business from a small server stashed in the closet of their offices. Peter’s company offered to replace the box with a cloud-based system that took over patching, updates, and maintenance for the system for a simple monthly fee. The client would access their applications via the Internet.  The risk to this business was huge for so many reasons. The customer leapt at the chance to get rid of the box.

In another case, I was speaking with a large client and we talked about the motivation for the cloud. Inasmuch as maintenance and support are an issue, the larger issues for large companies are the IT assets on the balance sheet. This company liked cloud because of their need to “clean up” the balance sheet. There were too many IT assets loading down the balance sheet – distorting the company's return on assets.

Read more

Small And Mid-Size Business Have Security Issues Too

I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for the CSO in companies today. Mr. Plant in his blog writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]

While Mr. Plant is speaking of large corporations, the reality is the CEOs of smaller firms should have the same concerns as large companies when it comes to information security. It may not seem like it, but we are at war — an economic war — and the prize is the intellectual property held by companies large and small. The number of cyber attacks is on the rise and the level of effort being applied by both nation states and cyber criminals is huge. All of us in the security field have heard this before. However, there has been a real challenge in the industry to get information security the role it deserves as a critical component of enterprise risk.

Read more

Deloitte Acquires Vigilant - Harbinger of a Push By Consultancies Into The MSSP World

This week Deloitte announced the acquisition of Vigilant. This is important news for several reasons. With over 14,000 consultants that specialize in information security, Deloitte is the largest and broadest of any security consultancy globally. Deloitte provides customized security solutions across a broad number of vertical industries, including financial services, aerospace, defense, retail, manufacturing, technology, communications, energy and pharmaceuticals. The company's offerings include[i]:

  • Application security — secure coding practices, code review
  • Business continuity/disaster recovery planning
  • Consumerization — iOS, Android, Endpoint Security
  • Regulatory compliance certification, assessment, and audit services (excluding penetration and vulnerability testing)
  • Information security certification, compliance assessment, and audit services (excludes vulnerability and penetration testing, includes SOC 2, and ISO 27001 certification)
  • Data loss prevention
  • Fraud investigation
  • Governance — strategy, design, and implementation
  • Identity and access management
  • Computer emergency response team (CERT) services
  • Information security architecture — strategy, design, and implementation
  • Network security — strategy, design, and implementation
  • Penetration testing (includes cloud, infrastructure, mobile, SCADA, social engineering, and/or wireless)
  • Physical security — strategy, design, and implementation
  • Privacy — strategy, design, and implementation
  • Risk identification and management
  • Security awareness — strategy, design, and implementation
  • Security organization management — strategy, design, and implementation
Read more

CLOUD SECURITY - EXPECT ACCELERATED DEPLOYMENTS DUE TO STRONG MOVES BY PROVIDERS TO IMPROVE SECURITY

Forrester research has always identified security as a major impediment to broad scale implementation for cloud, regardless of the model, SaaS, PaaS, IaaS, the adoption rate has been slowed by security concerns. Cloud providers recognize this is an impediment to selling cloud services and in response are strengthening their security controls. In Forrester’s Forrsights® research program we interview over 2000 security decision makers on a variety of security issues and topics. Cloud security tops the list of concerns regarding cloud deployments.

The appetite on the buy-side is very real for secure IT cloud infrastructures. Our research shows a lot of very strong interest in the deployment of private cloud platforms because of the elasticity, reduced cost and cycle times required to deploy solutions in these environments.

This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements. 

Obtaining FISMA Moderate certification indicates AWS’ focus on providing strong security controls for its cloud offerings. Forrester assumes AWS commercial clients could benefit from this as well by AWS security processes propagating to other areas of AWS’ cloud business.

Read more

OK, Tell Me I'm Wrong!

Everyone knows that in business you need to do two things: Increase top-line revenue growth and reduce bottom line cost. Doing both of these is how companies grow profitably. It really is that simple. Now why is it that Information Security Officers have trouble thinking this way? Read my new paper titled Determine The Business Value Of An Effective Security Program — Information Security Economics 101 - developed for the The S&R Practice Playbook.

In the paper, I argue that we need to associate the value of information security with the value of the information assets we protect. How is this value determined, you may ask? Well, ask away, because in the paper I outline a method to determine that value. It’s simple. We live in an information economy and even though we may be a bank, manufacturer, or a retailer, at the end of the day we wouldn’t be in business without information. In many ways information is what we sell.

Think about it; if we associate information security with asset value defined by the revenue these assets produce, we would understand how to prioritize security effort and we would have a lot more productive conversations at budget time.

Join in the debate, and tell me why this approach couldn’t work in your firm. I want to hear from you.