The movement to cloud is fast changing the method companies will deploy and consume security services. The number one issue that drives the adoption of managed security services (MSS) and the business of managed security service providers (MSSPs) is complexity reduction. As companies replace premise-based data centers with virtual cloud data centers, the expectations of these customers will change as well, they look for elastic ways to purchase security services, as well as, methods that allow for the active defense of both cloud, and premise based workloads. Consider the following:
We have heard that the perimeter is dead, and many ways it is. We name the normal assassins and they include outsourcing, mobile solutions, and the cloud.
Another truism is that companies never wanted to be in the information technology business in the first place. Information technology has brought real productivity improvements but it has also brought significant costs.
Moving information technology to the cloud provides companies the opportunity to reallocate costs from capital expenditures to operational expenditures and reassign operations staff to other roles.
Roughly a year and a half ago I began a process of measuring the importantance of technologies in the mobile security space. I'm currently beginning that same process for the application security market. Many technologies exist that provide business value to enterprises for the security of their applications, but which ones are better at delivering on the business value that the enterprise really wants? Have any of these technologies outlived their usefullness, falling to innovation and new ideas? Which technologies should the enterprise prioritize spending their limited security budget on? I hope to answer these questions and more!
I've identified nine distinct application security technologies that make up the application security market. (Link to additional details!). I'm sure there are technologies that I've missed and arguments to be made to remove something. As always, my research is significantly improved with your help!
If you are interested in participating in this research or have feedback on the technology list, respond via this web form, in the comments below, or via email / tweet to firstname.lastname@example.org (@txs).
The CES Tech West Expo has a number of specific areas of coverage including fitness and health, wearables, connected home, family safety, and some young innovative companies located in the startup area of the section. I spent a few hours interviewing and discussing the Internet of Things (IoT) with as many vendors as I could find. I had many good laughs and shed a few tears during the process. To describe the process, the general communication would go something like this:
Me: "Can you point me at the most technical person you have at your booth? I'd like to talk about how you secure your devices and the sensitive / personal data that it accesses and collects."
Smartest tech person at the booth: "Oh! We are secure; we [insert security-specific line here]."
Me: "Never mind . . ." (dejected look on my face).
Security pros got the Target breach for Christmas last year. The breach hit the retailer during its busiest time of the year and cost them millions in lost business. For security pros desperate for more budget and business prioritization, you couldn’t have asked for a more perfect present - it’s as is if Santa himself came down the chimney and placed a beautifully wrapped gift box topped with a bow right under your own tree. This year it looked as if all we were getting was a lump of coal - but then Sony swooped in to save us like a Grinch realizing the true meaning of Christmas.
The Sony Picture Entertainment (SPE) breach is still unfolding, but what we know so far is that a hacktivist group calling themselves the Guardians of Peace (GoP) attacked Sony in retribution for the production of a movie, “The Interview,” which uses the planned assassination of North Korea’s leader as comedic fodder. The hacktivists supposedly stole 100 TBs of data that they are gleefully leaking bit by bit (imagine Jingle Bells as the soundtrack). The attack itself affected the availability of SPE’s IT infrastructure, forcing the company to halt production on several movies.
Casual spectators of business behavior can't help being jaded; every day they see news stories about corporate fraud, security breaches, delayed safety recalls, and other sorts of general malfeasance. But what they don't see is the renewed time and investment companies around the world are putting toward implementing and reporting on responsible behavior (this less sensational side of the story gets far less coverage).
This week, Nick Hayes and I published an exciting new report, Meet Customers' Demands For Corporate Responsibility, which looks at the corporate responsibility reporting habits of the world's largest companies. While it's easy to think that the business community is as dirty as ever, we actually found a substantial increase over the past 6 years in what these companies included in their CSR and sustainability reports.
We’ve all done it. We've spent hours flinging birds at pigs, only to be frustrated with that one little piggy that got away. We can all thank the phenomenon “Angry Birds” for this wonderful experience. Today marks the fifth birthday of the release of the original Angry Birds. Since its release, the highly successful mobile game creator Rovio has gone on to sell hundreds of millions of dollars of mobile apps, licenses, and merchandise amassing $216M in revenue in 2013 alone. Who knew that a simple change in game mechanics could gain such a cult foothold with the public? From a business perspective, the team at appfigures did a great write-up on the history of the franchise, along with its successes and failures in the eyes of the public. If you’re interested in the business life cycle of apps in the public app store, I highly recommend you go read their research: Angry Birds Turns Five: What We Can Learn From The Franchise’s Success.
Earlier today, we published a report that dissects global risk perceptions of business and technology management leaders. One of the most eye-popping observations from our analysis is how customer obsession dramatically alters the risk mindset of business decision-makers.
Out of seven strategic initiatives -- including “grow revenues,” “reduce costs,” and “better comply with regulations,” -- “improve the experience of our customers” is the most frequently cited priority for business and IT decision-makers over the next 12 months. When you compare those “customer-obsessed” decision-makers (i.e. those who believe customer experience is a critical priority) versus others who view customer experience as a lower priority, drastic differences appear in how they view, prioritize, and manage risk.
Customer obsession has the following effects on business decision-makers’ risk perceptions:
Risk concerns heighten dramatically across several risk types – especially reputational risk. Reputational risk concern more than doubles for customer-obsessed decision-makers, and other risks also see significant increases, including corporate social responsibility (CSR) and sustainability risk, regulatory and compliance risk, and talent and human capital risk.
Do you remember the scene from The Empire Strikes Back where the Millennium Falcon is trying to escape an Imperial Star Destroyer? Han Solo says, “Let’s get out of here, ready for light-speed? One… two… three!” Han pulls back on the hyperspace throttle and nothing happens. He then says, “It’s not fair! It’s not my fault! It’s not my fault!”
Later in the movie when Lando and Leia are trying to escape Bespin, the hyperdrive fails yet again. Lando exclaimed, “They told me they fixed it. I trusted them to fix it. It's not my fault!” In first case transfer circuits were damaged, and in the second case, stormtroopers disabled the hyperdrive.
Ultimately they were at fault; they were the captains of the ship, and the buck stops with them. It doesn't matter what caused problems, they were responsible; excuses don't matter when a Sith Lord is in pursuit.
I am seeing a trend where breached companies might be heading down a similar “it’s not my fault” path. Consider these examples:
Forrester's 26-criteria evaluation of managed security service providers (MSSPs) published today! The report focuses on the 13 most significant vendors in the North American market — AT&T, CenturyLink, CSC, Dell SecureWorks, HP, IBM, Leidos, SilverSky, Solutionary/NTT, Symantec, Trustwave, Verizon, and Wipro. This report details how well each vendor met our criteria and where they stand in relation to each other. This report will help you refine your selection criteria and choose the right partner for your outsourced security needs.
Cloud adoption has historically been hampered by security concerns. All of Forrester's research shows this to be the number one impediemtn to adoption. Forrester just finished evaluating four cloud platform providers on the depth and breadth of their security controls. This Forrester Wave™ evaluates four of the leading public clouds along 15 key security criteria evaluations to answer this question. The participating cloud services providers were: AWS, CenturyLink Cloud, IBM SoftLayer, and Microsoft Azure. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other, to help S&R professionals select the right public cloud partner with the best options for security controls and overall security capabilities.