On Monday, April 20, 2015, the biggest security event in the USA, the RSA Conference, kicks off with the ever-popular Innovation Sandbox event. This event brings in hundreds of submissions from security startup companies around the world, all hoping to make the top 10 finalist list and eventually be declared the winner. The Innovation Sandbox has been running for the last ten years, resulting in a great quantity of security startup data to analyze, along with some very notable winning companies.
Previous sandbox winners include SourceFire, Imperva, AlertEnterprise and, most recently, Red Owl Analytics. Many security companies have been declared finalists, fared well with additional funding, and found reasonable financial success, specifically acquisition. The graph to the left shows the acquisition trends for Innovation Sandbox finalists since 2009. Security startup success is on the rise, and the Innovation Sandbox is there to build on that success.
Forrester’s Security and Risk team will have a lot of analysts out once again for this year’s RSA Conference. After all these years (12 for me!) we have to balance our excitement to see old friends and colleagues with our cynicism that says it will be a week of empty buzzwords just slightly updated from those we heard last year.
We expect this to be mostly a fashion show – or what my old friend and colleague Rachel used to call the security industry’s debutante ball. We will hear far too many definitions for words like threat intelligence, platform, and integration; and we won’t hear the phrases case study examples, customer trust, or customer value nearly often enough.
But rather than dwell on our skepticism, here are a few things we’re excited about going into next week:
The Innovation Sandbox is always a highlight. Most of our team will come by to see the finalists on Monday, and you should look for our upcoming blog posts, tweets, and a report or two examining some of the vendors that have competed in this annual contest.
The expo dress code will be a whole lot classier. I’m personally glad to see RSA’s leadership with the new vendor dress code guidelines this year. (And kudos to our former colleague Chenxi Wang for her role in this change.) Hopefully that means everyone’s more focused on the substance of vendor messaging.
Risk professionals aren’t prepared for the age of the customer. Empowered consumers and changing market dynamics are upending longstanding business models and lines of operation, but risk professionals largely stand pat, and continue to neglect risks related to their organizations’ most critical asset – company reputation. Yesterday we published a report on "Brand Resilience" that will hopefully help you change that legacy risk mentality.
Corporate Reputation Is Increasingly Valuable…
Companies today rely on their reputation to generate greater portions of their revenue, attract new customers, and retain existing ones. This is why we see:
PRISM’s impact is still felt in the market for Internet services, although the size of the storm and its resultant impact are smaller than was originally thought. It seems international business was a lot more insulated from US spying than was originally thought.
Since Edward Snowden revealed the US National Security Agency's PRISM spying program, there has been widespread speculation that the disclosure of US spying would significantly harm US cloud, hosting, and outsourcing businesses as international customers walked away from any firm within the NSA’s reach.
Why Is PRISM So Important?
International spying is still a global issue and is driven by the current state of international affairs. Global political and economic instability is fueling an epidemic of cyberattacks, whose sources include nation states, organized crime groups, and, unfortunately, terrorists. Edward Snowden’s disclosure of the PRISM program lifted cybersecurity from an abstract concept to one that evoked a tremendous level of emotion – much of it driven by the emotion surrounding privacy – or, more accurately, the need so many have for privacy.[i]
S&R pros, is there a Chief Data Officer (CDO) in your organization? Do you work with them? Previously, John and I wrote about the CDO role and how we believe that CDOs will help to drive security policy in the future because they can 1) directly tie business value to data assets, 2) have a deep understanding of data identity and purpose, and 3) possess a great incentive to protect the company’s data (it’s a strategic business asset after all!). Colleagues like Gene have also written about the CDO and the importance of the CDO in data management.
The emergence of this role now brings about more questions than answers, and we’d like to provide more in-depth analysis and clarity around this topic. What is a CDO, and what do they do exactly? Is this a temporary role, or a critical C-level position that is here to stay? Why should we even care about this CDO role? These and other questions are ones that a team of analysts from Forrester is exploring in upcoming joint research, and we’d love to hear from you if you are a CDO, currently work with one, or don’t feel there is a need for a CDO because other roles in your organization are responsible for data strategy. Some of the key themes we are looking into include:
The responsibilities of the CDO role
Where CDOs reside in firms’ organizational structure
How CDOs help their firms win, retain, and serve their customers
This month’s S&R Analyst Spotlight Podcast features a slight change to our usual program: we have a guest host! Chris McClean, our San Francisco-based Research Director, interviewed the newest addition to our analyst team, Merritt Maxim. Merritt’s coverage areas include identity and access management, access governance, federation, authentication, and role design and management. In our podcast, Maxim tells us about his career before Forrester, his planned coverage area and his current must-read book on security.
These Analyst Spotlights are all included in S&R’s First Look newsletters. Email email@example.com to be added to the list!
To download the mp3 version of the podcast, click here.
This winter in Boston has been a record breaker. Bostonians are tired of the weather, while non-Bostonians are tired of hearing Bostonians complain about the weather. However, this never-ending winter provides a useful analogy for assessing your organization’s identity and access management (IAM) processes.
My analogy is based on two words that strike fear into many Boston-area homeowners: ice dams. Ice dams are ice structures that form on roofs following heavy snowfall and can cause leaks.
Ice dams often dissipate naturally, but record snowfalls and persistently cold temperatures have exacerbated ice dams this winter.
Just as ice dams can cause leaks, “identity dams” can cause data leaks and other internal problems. Identity dams may result from reorganizations or may just be existing business processes, but they should be removed.
The challenge is overcoming complacency. Just as many homeowners hope ice dams will dissipate naturally, organizations delude themselves with “This is how we’ve always done it,” and conclude that removing identity dams is therefore unnecessary. For complacent organizations, the worst case is having users become accustomed to complicated manual processes for requesting access to new applications, waiting weeks to get access to new applications, and having multiple passwords.
Organizations and homeowners should follow these three steps to minimize the potential damage caused by ice dams and identity dams:
Did I pack socks? Check. Toothbrush? Check. Business cards, phone charger, passport? Check, check, and check. Do I know what I need to do and what not to do to protect myself, my devices and the company’s data while I’m on the road and traveling for work? [awkward silence, crickets chirping]
S&R pros, how would employees and executives at your firm answer that last question? It’s an increasingly important one. Items like socks and toothbrushes can be replaced if lost or forgotten; the same can’t be said for your company’s intellectual property and sensitive information. As employees travel around the world for business and pass through hostile countries (this includes the USA!), they present an additional point of vulnerability for your organization. Devices can be lost, stolen, or physically compromised. Employees can unwittingly connect to hostile networks, or be subject to eavesdropping or wandering eyes in public areas. Employees can be targeted because they are an employee of your organization, or simply because they are a foreign business traveler.
So what to do? Rick Holland and I are conducting research now to produce a guide to security while traveling abroad. It’s going to provide guidance for S&R pros to better prepare your executives and employees for travel, including actions to take before, during, and after a trip. We’ll be looking at considerations for things like:
OPSEC. How to determine if employees are being targeted, the pros/cons of using burner equipment, the use of privacy screens on laptops, etc.
On February 25, 2015, Google publicly announced its latest functionality and updates to the Android OS, titled "Android for Work" (AFW). Some of the new functionalities include secure work profiles, secure personal information management, and an enterprise app store through "Google Play for Work." These new changes in AFW will impact businesses, the Android ecosystem, and the overall market in a far-reaching way. EMM vendors and enterprise EMM buyers must review these technology changes and understand how they will influence future product direction before making any purchases. It took just a few years for core MDM functionality to commoditize to a $0 price tag. I wonder how long until the advanced security components being folded into Android via AFW are also essentially free?
Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized, industrial-strength solution) remains a key priority for CIOs, CISOs and architects.
In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. This report details trends and predictions in CDP, along with our findings about how each vendor is approaching CDP, to help security and risk (S&R) professionals select the right CDP partner.