Forrester’s Security & Risk Spotlight – Jeff Pollard

Stephanie Balaouras

One of the S&R team’s newest additions, Principal Analyst Jeff Pollard comes to Forrester after many years at major security services firms. His research guides client initiatives related to managed security services, security outsourcing, and security economics, and integrating security services into operational workflows, incident response processes, threat intelligence applications, and business requirements. Jeff is already racking up briefings and client inquiries, so get on his schedule while you still can! (As a side note, while incident response is generally not funny, Jeff is. He would be at least a strong 3 seed in a hypothetical Forrester Analyst Laugh-Off tournament. Vegas has approved that seeding.)


Prior to joining Forrester, Jeff served as a global architect at Verizon, Dell SecureWorks, and Mandiant, working with the world's largest organizations in financial services, telecommunications, media, and defense. In those roles he helped clients fuse managed security and professional services engagements in security monitoring, security management, red teams, penetration testing, OSINT, forensics, and application security.


Read more

Reflections on my First Year as an IAM Analyst

Merritt Maxim

At the RSA Conference two weeks ago, a common question from both clients and former colleagues -- “So, what’s it like being an analyst?” -- led me to write this blog post.

In the interest of full disclosure, there were no massive epiphanies during my first year, but the transition from being on the vendor side for 15+ years to an analyst provided some perspectives, listed here in no specific order:

• The security industry is massive. Some former colleagues who learned of my new role often joked, “So you’ve gone to the dark side.” The irony is that analysts are actually removed from the penumbra of the four to six competitors that you obsess about when you work for a vendor. Once removed from this tunnel vision, you become more aware of the diversity of the infosecurity ecosystem. As an example, the number of exhibiting vendors at the RSA Conference is up 45% since 2014, to over 550 vendors. This reflects the ongoing vitality and demand for cybersecurity but also presents challenges to today’s security and risk professionals who have to evaluate an increasingly large and dynamic vendor landscape.

Read more

Is Breach Notification A Part Of Your Incident Response Plan?

Heidi Shey

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened, and set the tone for recovery. It's more art than science, with different factors that influence what you notify and how you respond. Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response. Highlights from the discussion:

Read more

Apple Did The Right Thing To Defend Customer Privacy, But It Will Make Security And Risk Management More Difficult For You

Chris McClean

Apple's refusal to follow a court order to support the FBI's San Bernardino shooter investigation was the right move for the company and for its customers, as my colleagues and I cover in Fatemeh Khatibloo's blog post here, and in our full, detailed report, here. As we discuss, there are many constituents with a large stake in the outcome of this case, but I will focus on security and risk management decision makers in this post.

There are four key implications to consider:

Read more

Forrester’s Security & Risk Spotlight: CISO Expertise From Across The Pond

Stephanie Balaouras

2015 was a tumultuous year for CISOs. Breaches affecting The Home Depot, Anthem Blue Cross Blue Shield, and T-Mobile dominated the headlines worldwide and left no industry, region, or CISO unscathed. These unfortunate spotlights created a slew of negative infosec publicity along with panicked demands from business leaders and customers alike. How secure are we? Ask the CISO. How did this breach occur? Ask the CISO. Why did this breach occur? Ask the CISO. Could we have prevented it? Ask the CISO. How could we let this happen? Ask the CISO.

Yet, CISOs continue to struggle to gain clout and influence with the rest of the C-suite and sometimes it can feel like a thankless role. There is little recognition when you’re doing your job right, but you face a whirlwind of pain and blame the second something goes wrong. The world’s growing emphasis and focus on cybersecurity should be running parallel with the capabilities and reputation of the CISO. Instead, CISOs see their responsibilities increasing with only modest funding increases, recognition, or support from their fellow colleagues.

Read more

How Do You Set Your Company Up For Success With Data Classification?

Heidi Shey

Defining your data via data discovery and classification is the foundation for data security strategy. The idea that you must understand what data you have, where it is, and if it is sensitive data or not is one that makes sense at a conceptual level. The challenge, as usual, is with execution. Too often, data classification is reduced to an academic exercise rather than a practical implementation. The basics aren’t necessarily simple, and the existing tools and capabilities for data classification continue to evolve.* Still, there are several best practices that can help to put you on the road to success:

  • Keep labels simple. At a high level, stick to no more than 3 or 4 levels of classification. This reduces ambiguity about what each classification label means. Many classification labels increase confusion and the chance of opportunistic data classification (where users may default to classifying data at a lower level for ease of access and use).
  • Recognize that there are two types of data classification projects: new data and legacy data. This will help to focus the scope of your efforts. Commit to tackling new data first for maximum visibility and impact for your classification initiative.
  • Identify roles and responsibilities for data classification. Consider data creators, owners, users, auditors (such as privacy officers or a risk and compliance manager), and champions (who is leading the classification initiative?). Data is a living thing, and all employees have a role in classification. Classification levels may change over time as data progresses through its lifecycle or as regulatory requirements evolve.
Read more

Answering The Question: What Are The Real And Frightening Risks Within Healthcare Security?

Christopher Sherman

Connected medical devices are transforming healthcare. Unfortunately, security is too often an afterthought for the clinical engineering and business technology (BT) management teams implementing these revolutionary new technologies. In a recent report, Forrester predicted that 2016 will be the year we see ransomware for a medical device or wearable. This is a sobering thought, considering: 1) the healthcare industry is actually behind on data security compared to other industries, and 2) the FBI highlighted the risk posed to medical devices in their recent public service announcement: Internet Of Things Poses Opportunities For Cyber Crime.

This research initiative seeks to answer the following: Are there real threats posed by the emergence of connected medical devices? What can you do to protect your patients and employees from life-threatening breaches? Is there an underground market for medical device exploits? This research will publish in early 2016 and will be featured in my talk at the RSA Conference this March.

We are looking for research interview candidates to support this initiative, specifically security professionals working in a healthcare setting or medical device security vendors with current solutions on the market. In exchange for your time, we will provide you with a complimentary copy of the final research. While anyone who participates will have the opportunity to be listed as an interviewee in the final report, all interviews will be treated as confidential unless expressly instructed otherwise.

Read more

Daily Fantasy Sports Sites’ Emerging Identity Management & Verification Challenges

Merritt Maxim

Recent business and sports headlines in the US have been dominated by state and federal government efforts to assess whether daily fantasy sports (DFS) sites, such as FanDuel and DraftKings, should be treated and regulated like gambling. The New York State Attorney General recently issued cease-and-desist letters against DraftKings and FanDuel to stop accepting bets in the state, stating that DFS operations are illegal gambling.

Last week, Massachusetts Attorney General Maura Healey announced a plan to allow DFS providers to operate in Massachusetts under certain provisions, such as:

• Prohibiting anyone under 21 from participating in DFS.

• Prohibiting professional athletes and other employees of pro teams from participating in DFS.

• Prohibiting employees of DFS providers from participating in games.

• Requiring DFS providers to identify “highly experienced” players on all contest platforms and offer “beginner” games that would be off limits to the more experienced players.

These provisions present a range of identity management and identity verification challenges and questions, such as:

• How will sites verify the ages of online participants?

• How will systems detect DFS employees?

Read more

Two-Factor Authentication (2FA) Companies Continue to be Attractive Acquisition Targets

Merritt Maxim

Last week, Courion announced its acquisition of Nova Scotia-based SecureReset, which, through its QuickFactor product, provides mobile-based two-factor authentication (2FA). This is the fourth acquisition of a 2FA startup by an enterprise software vendor in 2015:

• Twilio acquired Authy, February 2015 (purchase price N/A).

• Salesforce acquired Toopher, April 2015 (purchase price N/A).

• Micro Focus acquired Authasas, July 2015 (purchase price N/A).

• Courion acquired SecureReset, November 2015 (purchase price N/A).

These acquisitions reflect ongoing enterprise demand for 2FA solutions as an alternative to passwords. By now, the problems with passwords are well-known: They are easy for attackers to steal in bulk, and ongoing advances in computing power have eroded password security.

Since a password-free world is still somewhere off in the future, two-factor authentication provides a compelling password alternative that can help mitigate security risks. The evolution toward software-based 2FA form factors running on smartphones instead of dedicated single-purpose hardware tokens has eased deployment and training costs; it has also enabled large-scale consumer deployments of two-factor authentication as a password alternative. These 2015 acquisitions demonstrate the continued interest in two-factor authentication.

Read more

Forrester Predictions: What’s In Store For Privacy In 2016?

Heidi Shey

When evaluating the top 10 critical success factors that will determine who wins and loses in the Age of the Customer in 2016, it comes as no surprise that privacy is one of them. In fact, privacy considerations and strategy augment all 10 critical factors that drive business success in the next 12 months.


So, what does this mean for businesses moving forward?


Read more