Nasdaq Hack Brings Security Issues Into The Boardroom

Chris McClean

 Have you been having trouble getting your board of directors to care about information security? This weekend’s news that Nasdaq’s Directors Desk web application was compromised by hackers may help to improve your situation.

Details have been elusive thus far, but reports indicate that multiple breaches occurred, resulting in “suspicious files” on the company’s servers. A statement released by Nasdaq assures us that its trading systems and customer data were not compromised, and those in the know tend to agree that infiltrating the trading systems would be substantially more difficult than breaking into the web environment and leaving a few files behind. As the investigation continues, hopefully we'll learn more, but what can we take away from this story so far?

  • The list of attractive hacker targets continues to grow. Whoever perpetrated this breach chose not to go after traditionally lucrative targets like customer/employee data or a more difficult and devastating attempt to dismantle one of the world’s biggest exchanges. Instead the target was a more accessible set of extremely sensitive corporate data – details about mergers, acquisitions, dividends, and earnings. Without much sophistication, criminals could use this information to execute rather impressive “insider trading” transactions or simply find an outlet like WikiLeaks for some of the more embarrassing tidbits.
Read more

How Do You Support Splinternet Security On Mobile Devices?

Andras Cser

Mobile authentication is nothing new.  SiteMinder, a prominent web access management tool, has been able to handle mobile browsers and sessions for at least 7-8 years. Some users complained of WAP and its limitations, but most could access information and log in to websites with minimal issues.

WAP is gone and it is now replaced by a multitude of devices: tablets, PDAs, smartphones, etc. With the proliferation of Splinternet, we are witnessing not only a boom of content, but also the need to limit access to sensitive applications and data not only from the device but also on the device. Authentication, authorization, and data protection challenges multiply as companies embrace the post-PC tablets, etc.

 What do we see people asking about? From the enterprise security perspective, the biggest challenges seems to be protecting the data on the device, performing a remote wipe on a lost or stolen piece of equipment, and making sure corporate information is separated clearly from any private data. Writing mobile applications or designing mobile-capable and still rich, interactive web pages is no easy task either. Companies also wonder about how to deliver and (de)provision applications quickly and securely.

 What do we see companies do? Sandboxing corporate data and mandating the use of remotely wipeable devices is the first step. Storing certificates and using transaction signature mobile authenticators to defend against stolen or compromised text messages with one-time passwords is a logical follow-on.

Read more

For GRC Decisions, Avoid The ROI Discussion If Possible . . . But If You Can't, Here Are Some Tips

Chris McClean

This week we published the first in a series of reports I'll be writing to help clients calculate the return on investment of GRC technologies. This report, How To Measure The ROI Of A GRC Platform, outlines the key factors and suggested metrics to show what GRC can do for your organization. 

Of course, my first recommendation is to exhaust your arsenal of arguments before falling back into ROI terrain. GRC is about improving oversight, strengthening controls, and finding ways for the business to succeed within the boundaries of risk tolerance. But these board-level issues can quickly give way to questions of costs and savings... so it's good to be prepared.

The considerations for costs (software, hardware, maintenance, implementation, etc.) are not much different than other large IT projects, nor are the associated risks (requirements, scope, adoption, integration, etc.). What's tough is articulating the benefits. The report offers much more detail, but generally the success factors of a GRC implementation fall into three categories. These are:

  • Efficiency, which includes product and process consolidation as well as facilitation of processes such as policy development and distribution, risk and control assessments, incident/issue management, data/report aggregation.
  • Risk reduction, which  includes decreases in audit and examination findings, reduction in regulatory fines, faster remediation of issues, and the secondary benefits of these improvements, such as deceased cost of capital and lower insurance costs.
Read more

In 2011 The GRC Market Will Grow 20%, Driven More By Breadth Than Maturity

Chris McClean

On the heels of Forrester's GRC Market Overview last month, this week we published my Governance, Risk, And Compliance Predictions: 2011 And Beyond report. Based on our research with GRC vendors, buyers, and users, this paper highlights the aggressive regulatory environment and greater attention to risk management as drivers for change. Specifically, here is a brief summary of the top five trends we will see next year:

  • Increasing vendor competition will continue to bring more choices and more confusion. Strong market growth will encourage more technology and service vendors to get into the market, which means the fragmentation (which I've discussed previously) and confusion will continue.

Read more

New Report: The GRC Platform Market Is Taking Big Steps Toward Clarity But Still Has A Long Way To Go

Chris McClean

I'm proud to say that we published my report "Market Overview: GRC Platforms" earlier today.

It will come as little surprise to most of you that the overall GRC market is still saturated with relatively small vendors, many of which continue to struggle to maintain their market niches. At the same time, a handful of market leaders (notably BWise, IBM/OpenPages, MetricStream, RSA/Archer, and Thomson Reuters/Paisley) continue to distance themselves from the rest of the pack, while several large competitors (including Oracle, SAP, SAS, Software AG, and Wolters Kluwer) put more and more pressure on the market all the time.

It's been interesting to watch these vendors that competed head-to-head regularly for SOX compliance deals now drifting further apart . . . some focusing more on risk management and analytics, some strengthening their compliance and content offerings, some building deeper integration with IT systems, and others building bridges into audit departments. The current environment of increased government oversight and regulation — and in some cases, reform of whole industries — worldwide promises to bring a strong resurgence to the GRC platform market overall, which means increased competition both from veteran vendors and newcomers alike.

Read more

Vote For Forrester's IT Forum 2011 Theme

Stephanie Balaouras

It's that time of year when we begin planning our spring Forums. Our Security & Risk Forum EMEA will take place in London, March 17th and 18th. Planning and content creation for that Forum is already well underway and we're looking forward to another great event. But I also wanted to highlight our spring IT Forum. Mark your calendars for May 25-27 in Las Vegas and June 8-10 in Barcelona.  Not only is there a dedicated track for Security and Risk professionals at IT Forum but there is an opportunity for Security & Risk pros to learn about broad IT  challenges and trends. I believe this is critical because in order for security organizations to become much more proactive and less reactive, they have to understand what's happening across IT and not just narrowly within security. We need to be ready for the next major business or IT shift before it happens.

We've come up with three potential draft themes and need your vote for the best IT Forum 2011 theme:

1. Unleash your empowered enterprise.

As technology becomes more accessible through mediums beyond IT's control, you have but one choice: Get proactive by empowering employees, or swim against the current. Successful BT leaders will react not by blocking access but by lending their expertise to increase the chances of technology success and empowering the users to solve customer and business problems. This year's IT Forum will provide a blueprint for reaping the benefits of your empowered organization — complete with case studies, methodologies, and step-by-step advice tailored to each IT role.

Read more

Oracle Acquires Passlogix -- A Signal That eSSO Is No Longer A Separate Market

Andras Cser

In a rather unsurprising move, Oracle acquired its longtime OEM partner of eSSO solutions, Passlogix. The sale has closed after a relatively long courtship – the eSSO market has been consolidating for a long time: Novell’s OEM agreement with ActivIdentity, IBM’s acquisition of Encentuate all signal IAM stack consolidation. Beyond the obvious — 1) eSSO integration with Oracle Access Manager and Oracle Adaptive Access Manager to integrate with web single sign on, 2) a multitude of second factor and adaptive authentication mechanisms using v-GO User Access Manager, and 3) using v-GO SSO’s screenscraping technology to create Oracle Identity Manager connectors to arcane, no-CLI systems — large tasks remain for Oracle: a) providing access management for mobile devices and b) getting to be a credible player in Privileged User Management (where Passlogix’s v-GO Shared Accounts Manager is a second-tier player).

Join Forrester's New Online Community For Security & Risk Professionals!

Stephanie Balaouras

Here at Forrester, we like to eat our own dog food. Hot on the heels of the book launch of Empowered, Forrester has launched an online community for security and risk professionals. The community is a place for security and risk professionals to exchange ideas, opinions, and real-world solutions with each other. Forrester analysts will also be part of the community, helping facilitate the discussions and sharing their views.

The community is open to all security and risk professionals, whether you’re a Forrester client or not. Do you want to know if your peers plan to support new consumer mobile devices in the workplace? Do you want to know how your peers are promoting cyber awareness? You can post these and other questions, thoughts, and ideas to the community.

I’m excited to announce the launch of this community. At our recent Security Forum in Boston, the topic of better information sharing and collaboration — among security and risk professionals and between the public and private sector — came up on numerous occasions. In this new era of advanced threats from well-organized and well-funded crime and state sponsored agents, together with the rapid pace of innovation from mobile to social to cloud, I believe the active exchange of best practices and solutions is a critical need for the security community.

Here’s what else you’ll find in the community:

  • A simple platform on which you can pose your questions and get advice from peers
  • Insight from our analysts, who weigh in frequently on the issues.
  • Fresh perspective from peers, who share their success stories and best practices.
  • Content on the latest technologies and trends  — from Forrester and other thought leaders.
Read more

Security Forum 2010: Day 2 Keynotes-At-A-Glance

Stephanie Balaouras

Last week, I wrote a blog post summarizing the Day 1 opening keynotes at Forrester’s Security Forum.  This week, I’d like to recap the Day 2 opening keynotes. The second or last day at any event is always a challenge; attendees are always tempted to leave early or to stay in their hotel rooms to get some work done or if the event is in Vegas, squeeze in some craps (my favorite) or drop a few coins in a nearby slot. Luckily, we held the event in Boston and the lobsters have nowhere to run, so most attendees were happy to stick around until the end of the day. Not only did we have great attendance on Day 2, but there was a palpable buzz in the air. The audience asked tough questions and no one was spared — Forrester analysts, industry guest speakers, and vendors. While the main topic of Day 1 seemed to focus on risk and overall strategy, governance, and oversight, Day 2 focused on coming up with the specifics — the specific plans, the specific policies. As Andrew Jaquith stated in his keynote, to provide better data security, “you don’t need more widgets, what you need is a plan.”

Below are some of the highlights from the Day 2 keynotes: 

Read more

Live Streaming From Forrester's Security Forum 2010 - Day Two

Stephanie Balaouras

Today's Live Stream
8:30 a.m.-8:45 a.m. EST
Day 2 Opening Remarks
Stephanie Balaouras
, Principal Analyst, Research Director, Forrester

8:45 a.m.-9:30 a.m. EST
Forrester Keynote:
Moving To Information Control: Forrester's Maturity Model For Data Security
Andrew Jaquith
, Senior Analyst, Forrester