The Forrester Blog For Security & Risk Professionals
This blog is a roll-up of all the posts from analysts who serve Security & Risk Professionals. Individual analyst blogs are listed below. Visit Forrester.com to learn how we make Security & Risk Professionals successful every day.
There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain, intellectual property, or both. Any of these have the potential to break these capabilities through information loss or denial of service. Business processes and their associated transactions need to look at information security as a key component of any architectural design we might create as Enterprise Architects.
Security architecture is dependent on the idea of “security.” Security by some definitions is the trade-off of convenience for protection. When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively, I could just leave the front door unlocked, but that might invite guests I had not planned for. So I trade convenience for protection.
Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
Security is in response to perceived business risks.
Security can be seen as a benefit and a business enabler and can aid organizations to achieve their business objectives.
Host-based intrusion prevention systems, host-based data leak protection, full disk and file level encryption . . . all are important tools used on the frontline of endpoint security. They all offer added levels of protection when used with traditional client AV and patch management systems, but at what cost? In order for these tools to be used correctly, organizations must be prepared to invest in increased IT staffing and product training for administrators. This generally proves to be too high an obstacle for many SMBs, leaving a majority of the market to consist of enterprise customers and big spenders. With their higher budgets and dedicated IT staff, enterprises are better positioned to take advantage of these advanced security technologies.
However, according to recent Forrester survey data, SMBs are just as interested in using these advanced security technologies. In our latest report "Endpoint Security Adoption Trends, Q2 2011 To Q4 2012," we present data showing adoption patterns of the various endpoint technologies in both SMBs and enterprises, while offering some analysis on what this means for security professionals looking to support current and future trends.
For those of you who are already planning on increasing your investment in endpoint security next year, which tools specifically are you looking at? What are your decision criteria?
After months of diligent product and vendor evaluations, today we published The Forrester Wave: Enterprise GRC Platforms, Q4 2011. In the next few days, we will also publish The Forrester Wave: IT GRC Platforms, Q4 2011. These two reports feature a total of 20 vendors, all with proven capabilities to help customers tackle their continuously mounting regulatory challenges and manage their complicated risk profiles.
Why two Forrester Waves?
Governance, risk, and compliance functions within large and medium enterprises demonstrate tighter collaboration all the time... audit is working more closely with risk, and compliance programs are consolidating under more centralized control. However, Forrester still sees a gap between the requirements of those responsible for IT risk and compliance and the requirements of those managing risk and compliance outside of IT. No doubt, there is often substantial overlap between these groups, and many of the vendors evaluated have customers using their products to support both IT and enterprise GRC functions. You’ll notice that of the roughly 60 evaluation criteria for each Wave, there are only 3-4 that differ between them. For now though, they remain basically two distinct markets.
So, what did we learn from the countless hours of briefings, demos, customer surveys, and other research we did for this Wave?
Winter is coming; the year is quickly drawing to a close, and it's time to take a look back and see how accurate our content security crystal ball was for 2011. Last year we predicted three trends; two were accurate and one was partially correct. Let's take a closer look.
1) Content security spending will slow down - We were right. According to our latest survey data, the content security budget represented 6% of the total IT security budget; this is a 1% decrease from 2010. Content security remains one of the lowest budgeted technology areas in IT.
2) Consolidation will continue to drive suite offerings - We were partially correct. In 2011, we didn't see any significant M&A activity in the content security space. While we were wrong on the vendor consolidation prediction, we were correct on the prediction that market leaders would increase their data loss prevention and mobile capabilities to further solidify their market positions.
3) Mobile filtering will enter mainstream IT - We were correct. Laptop filtering is mainstream, and mobile device filtering is gaining momentum and getting significant attention. Content security vendors are currently testing content filtering on mobile phones and tablets.
What about 2012? To see what five trends we predict will impact your strategy next year, check out the full document: "Content Security: 2012 Budget And Planning Guide." Here's a teaser: is your content security strategy ready for the extended enterprise?
We are excited to announce "Planning For Failure," the first collaborative report in a series of new research taking a closer look at incident management and response.
A look back at the year's headlines isn't encouraging. Many companies have experienced security breaches, and their bottom lines and brand reputation have suffered. You might not have considered it, but your organization is a likely target. In fact, your intellectual property could be exfiltrating your network even as you read this blog; you must be prepared. Once the airplane is going down, it is too late to pack the parachute.
Preventive security controls will fail, and you should operate under the assumption that if you are not already breached, you will be. An ounce of preparation is worth a pound of remediation, and the sooner you can detect and respond to a security breach, the more likely you will be able to minimize the impact and scope of the incident. The proper execution of a well-thought-out strategy can reduce your remediation costs and protect your brand reputation.
"Planning For Failure" takes a look at why an incident management strategy is critical to the success of your business and provides recommendations on how to implement or improve your plans.
If you have questions or comments, please let us know. We would love to hear your feedback.
While you are at the Forrester Security IT Forum in Miami, you might also want to attend my session on Managed Security Services Providers. In my role as an analyst, I speak to many security leaders that wrestle with the outsourcing question. Security is a sensitive topic and many security executives are uncomfortable transferring operational responsibility for this function to a third party.
This presentation will present techniques to help security managers make decisions on what they can trust to a third party and more importantly, what they should outsource to a third party. This should be a lively presentation and discussion on what is a sometimes-controversial topic. I hope to see you there.
At the upcoming Forrester Security IT Forum (November 9) in Miami, Florida, I will present information on President Obama's cybercrime legislative initiative. This presentation and discussion will focus on the pending legislation in Congress and the Obama administration’s proposal to strengthen cybercrime law. There is a real need for this. Today there are 46 states with cybercrime breach reporting laws. While similar, there are enough differences to make reporting more complex. In addition, these laws only address PII and do very little to address other types of cybercrime. This new proposal addresses both PII and attacks on the nation’s critical infrastructure. The proposal stiffens criminal penalties and provides for the Department of Homeland Security to serve as the “new sheriff in town” when it comes to cybercrime.
Also associated with this proposal is a mandatory reporting requirement for organizations that manage more than 10,000 pieces of PII in a twelve-month period, or who provide critical infrastructure. Critical infrastructure is a very broad definition and includes financial services, utility, healthcare, as well as other industries. Please join me in Miami, as we present and discuss the proposal and its impact on private industry. I hope you can join us.
At Forrester's Security Forum 2011 in Miami, November 9-10, we will be reprising the wildly successful "Hackers Vs. Executives" track session. There will be two leading security professionals sitting on the panel representing the executive viewpoint, and they will be joined on stage by two noted researchers who will provide a hacker's-eye view for this session. Rodney Joffe of Neustar will give us a live guided tour of the “Invisible Internet” – the IRC chat rooms and carder forums where the underground cybercrime economy lives. Michael Hamelin of Tufin Technologies – a noted white hat hacker and multiple winner of the DefCon “Capture the Flag” competition – will do another demo to help us understand how attacks work. We will then turn to our panelists representing the executive viewpoint to start an interactive discussion about current and future threats and how best to understand them and protect against them.
Last year this session was packed. It was highly interactive with lots of provocative questions coming from the audience. I encourage you to join us in Miami, November 10th from 11:35 a.m. to 12:20 p.m. for this unique and informative presentation.
Go to the security forum website for more information. Hope to see you there!
I am very excited to introduce my first Forrester report, "The Content Security Forecast Calls For Clouds." I wrote the report to help guide your strategy on SaaS-based email and web content security. During my inquiries, I am frequently asked about content security in the cloud:
"Is web SaaS mature enough for enterprises?"
"Will SaaS help secure my mobile and remote users?"
"What about the hybrid model?"
"What are other organizations doing?"
In the report, I take a closer look at these questions, and I also address the benefits and challenges associated with the SaaS model. I leave you with multiple deployment options and specific recommendations for your journey to the cloud. If you have questions or comments, please let me know; I would love to hear from you.
Back in July, I wrote about a new RESTful API that cloud providers and provisioning vendors are working on for doing identity provisioning and synching: Simple Cloud Identity Management, or SCIM (like the milk). At last week's Internet Identity Workshop -- only five months after this draft spec made its formal debut! -- I had a chance to see the SCIM developers' live interop session in action. The interop saw successful participation by the likes of Cisco, Ping Identity, Sailpoint, salesforce.com, Technology Nexus, and UnboundID, with user accounts being securely created and torn down rapid-fire over the ether.
What's more, in talking with a more traditional on-premises identity vendor later in the week, I discovered that they loved how SCIM was shaping up, and planned to check it out ASAP as a way they could expose their own provisioning functionality.
In this Zero Trust world, with perimeters melting all over the place, I'm seeing signs that this lightweight API trend for IdM functionality is only going to accelerate. What do you think? If you're coming to Forrester Security Forum in a couple of weeks, I hope you'll grab me for a conversation about how this trend impacts your plans.