Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)

Rick Holland

For years cybersecurity professionals have struggled to adequately track their detection and response capabilities. We use Mean Time to Detection/Containment/Recovery. I wanted to introduce an additional way to track your ability to detect and respond to "sophisticated" adversaries: Mean Time Before CEO Apologizes (MTBCA). Tripwire’s Tim Erlin had another amusing metric: Mean Time To Free Credit Monitoring (MTTFCM).

Here are some examples (there are countless others) that illustrate the pain associated with MTBCA:

1) CareFirst breach announced 20 May 2015

2) Premera breach announced 17 March 2015

Your CEO doesn't want to have to deliver a somber apology to your customers, just as you don't want to have to inform senior management that a "sophisticated attack" was used to compromise your environment. Some of these attacks may very well have been sophisticated, but I'm always skeptical. In many cases I think "sophisticated" is used to deflect responsibility. For more on that, check out "The Millennium Falcon And Breach Responsibility."

Forrester’s Security & Risk Research Spotlight – The IAM Playbook For 2015

Stephanie Balaouras

Once a month I use my blog to highlight some of S&R’s most recent and trending research. When I first became research director of the S&R team more than five years ago, I was amazed to discover that 30% to 35% of the thousands of client questions the team fielded each year were related to IAM. And it’s still true today. Even though no individual technology within IAM has reached the dizzying heights of other buzz inducing trends (e.g. DLP circa 2010 and actionable threat intelligence circa 2014), IAM has remained a consistent problem/opportunity within security. Why? I think it’s because:

Are Passwords Dead? Take the Forrester Password Usage & Trends Survey!

Merritt Maxim

To paraphrase the great humorist Mark Twain, rumors of the death of passwords have been greatly exaggerated. While people lament the challenges and problems posed by passwords, they remain a core authentication and security technology.

My colleague Andras Cser and I have been fielding so many client inquiries around passwords that we are undertaking a quantitative, anonymous survey of end user organizations to gauge their current password policies and usage. This online survey asks about your organization's current password policies and challenges, as well as the future role of passwords in your organization. We are also using the survey to gain perspectives on the future of passwords and on how other technologies might replace passwords completely.

The survey is completely confidential, but participants who provide contact details will receive a complimentary copy of the report when it’s published later this year.

You can access the survey here:

http://forr.com/PWTrends2015

We look forward to your responses!

Forrester’s Security & Risk Analyst Spotlight – Martin Whitworth

Stephanie Balaouras

Once a month, my co-research director and partner in crime, Chris McClean, and I will use our blog to highlight one of the 26 people who collaborate to deliver our team's research and services and always make Chris and me look really, really good. Each "Analyst Spotlight" includes an informational podcast and an offbeat interview with the analyst. This month's Analyst Spotlight features our newest analyst, Martin Whitworth. Based in London and bringing experience as a CISO and Head of Security across several industries, Martin will cover the most pressing issues keeping CISOs reaching for another bourbon on the rocks, including security strategy, maturity, skills and staffing, business alignment, and everyone's favorite pastime, reporting to the board.

Prior to joining Forrester, Martin served as CISO and senior security leader for a number of blue chip organizations, including Coventry Building Society, Steria Group, UK Payments Council, British Energy/EDF Nuclear Generation, and GMAC. In these roles, he developed and executed a variety of security strategies and programs, and he has extensive experience successfully engaging business and board-level stakeholders. He also has considerable experience as a trusted advisor to security leader peers in the public and private sectors internationally, as well as advising standards and regulatory bodies.

Do You Have An Effective Privacy Organization?

Heidi Shey

A guest post from researcher Enza Iannopollo.

Upcoming changes to privacy regulation in the EU, together with rising business awareness that effective data privacy means competitive differentiation in the market, make privacy a business priority today. And this is not only relevant for tech giants: protecting both customer and employee privacy is a business priority for companies of all sizes and across industries.

But where do you start? Many companies start by hiring a chief privacy officer. Some have built brand-new privacy teams that manage privacy for the whole firm, while others prefer a decentralized model where responsibilities are shared across teams. What are the pros and cons of each approach? Which organizational structure would better meet the needs of your firm?

And once your privacy organization is in place, how do you establish smooth collaboration with other teams, such as marketing and digital? Too often we hear that privacy teams do not have the visibility they need into the data-driven initiatives happening within the company. When this happens, privacy organizations are less effective and the business risks failing its customers, undermining their expectation of privacy.

What A Teenaged Driver Can Teach You About Access Governance

Merritt Maxim

Most parents cheerfully mark the key milestones in their child's path to adulthood: first step, first word, first school, first sleepover, first broken bone, and so on. But for many parents, no milestone causes as much anxiety as "first-time driver," which is bestowed on USA-based teenagers around their 16th birthday.

While surviving the experience of having our child become a driver may seem far removed from the world of access governance and entitlement certification, I found some parallels between managing a teenaged driver and managing the access rights and IT privileges of the end users in your organization. You can read more about it in my latest report, “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen,” but here is a quick preview.

A common problem facing both parents of teenaged drivers and IT organizations is that they have properly authorized users but often lack visibility into actual usage of those access rights. In the case of the teenaged driver, parents often seek data around vehicle usage (Where did it go? At what time and at what speed?). Likewise, IT security teams can no longer rely purely on static lists of authorized users and their access rights. So, just as parents can impose mileage restrictions (reading the odometer to limit the distance a car can go in a given night) or fuel restrictions, an IT security team can supplement access governance processes with additional usage data such as:

1. Has the employee accessed the application/system during the last certification period?

2. How often did the employee use the given entitlement?
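The two questions above are easy to answer mechanically once you join the static entitlement export with an access log for the certification period. The script below is an added illustration, not code from the report or from any access governance product; the entitlement list and log lines are constructed for the example, and the whitespace-separated log format is an assumption. It flags entitlements that were never exercised during the period (candidates for revocation at certification time) and, as a bonus the text does not ask for, activity by a user who holds no matching entitlement, which points at a stale entitlement export or a control bypass.

```python
"""Usage-aware access certification: join a static entitlement list with
access logs and flag entitlements that were never exercised during the
certification period.  Added example; the entitlements, log lines and the
log format are constructed for illustration, not taken from a real system."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (user, application, entitlement)

# Constructed entitlement export, as an IAM tool would hand it to a reviewer.
ENTITLEMENTS: List[Key] = [
    ("alice", "payroll", "approve_payments"),
    ("alice", "payroll", "view_reports"),
    ("bob",   "payroll", "approve_payments"),
    ("carol", "crm",     "export_contacts"),
]

# Constructed access log, one event per line:
# ISO-8601 timestamp, user, application, entitlement exercised.
ACCESS_LOG = """\
2015-03-02T09:14:00 alice payroll view_reports
2015-03-09T10:02:11 alice payroll view_reports
2015-04-21T16:45:30 bob payroll approve_payments
2015-01-15T08:00:00 carol crm export_contacts
2015-04-30T12:00:00 mallory payroll approve_payments
"""


@dataclass
class Usage:
    count: int = 0                      # events inside the certification period
    last_used: Optional[datetime] = None


def parse_log(text: str):
    """Yield (timestamp, user, app, entitlement) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, ent = line.split()
        yield datetime.fromisoformat(ts), user, app, ent


def certification_report(entitlements: List[Key], log_text: str,
                         period_start: str, period_end: str):
    """Return (usage per granted entitlement, orphan events).

    Only events with period_start <= ts < period_end are counted, so an
    entitlement used before the period still shows up as dormant.  Events
    whose (user, app, entitlement) is not in the export are 'orphans':
    either the export is stale or someone is acting without a grant."""
    start, end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    usage: Dict[Key, Usage] = {key: Usage() for key in entitlements}
    orphans: List[Tuple[datetime, Key]] = []
    for ts, user, app, ent in parse_log(log_text):
        if not (start <= ts < end):
            continue
        key = (user, app, ent)
        if key not in usage:
            orphans.append((ts, key))
            continue
        u = usage[key]
        u.count += 1
        if u.last_used is None or ts > u.last_used:
            u.last_used = ts
    return usage, orphans


def dormant_entitlements(usage: Dict[Key, Usage]) -> List[Key]:
    """Granted entitlements with zero use in the period: revocation candidates."""
    return sorted(key for key, u in usage.items() if u.count == 0)


if __name__ == "__main__":
    usage, orphans = certification_report(ENTITLEMENTS, ACCESS_LOG,
                                          "2015-02-01T00:00:00", "2015-05-01T00:00:00")
    for key, u in usage.items():
        print(f"{key}: used {u.count}x, last {u.last_used}")
    print("dormant:", dormant_entitlements(usage))
    print("orphan events:", orphans)
```

With the constructed data, Alice's approve_payments grant and Carol's export_contacts grant (last used before the period opened) come back as dormant, and the event from "mallory" is reported as an orphan because no entitlement in the export covers it. In practice the reviewer UI would show the count and last-used date next to each checkbox, which is exactly the odometer reading the parent wants.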

Go Play In The Innovation Sandbox

Tyler Shields

RSAC INNOVATION SANDBOX FINALISTS SPUR INGENUITY IN SECURITY: CISOs SHOULD LOOK TO FINALISTS FOR FUTURE DIRECTION AND INVESTMENT

On Monday, April 20, 2015, the biggest security event in the USA, the RSA Conference, kicks off with the ever popular Innovation Sandbox event. This event draws hundreds of submissions from security startup companies around the world, all hoping to make the top 10 finalist list and eventually be declared the winner. The Innovation Sandbox has been running for the last ten years, resulting in a great quantity of security startup data to analyze along with some very notable winning companies.

Previous sandbox winners include SourceFire, Imperva, AlertEnterprise and, most recently, Red Owl Analytics. Many security companies have been declared finalists, fared well with additional funding, and found reasonable financial success, specifically through acquisition. The graph to the left shows the acquisition trends for Innovation Sandbox finalists since 2009. Security startup success is on the rise and the Innovation Sandbox is there to build on that success.

RSA Conference 2015 – What We Hope And What We Expect To Hear

Chris McClean

Forrester’s Security and Risk team will have a lot of analysts out once again for this year’s RSA Conference. After all these years (12 for me!) we have to balance our excitement to see old friends and colleagues with our cynicism that says it will be a week of empty buzzwords just slightly updated from those we heard last year.

We expect this to be mostly a fashion show – or what my old friend and colleague Rachel used to call the security industry’s debutante ball. We will hear far too many definitions for words like threat intelligence, platform, and integration; and we won’t hear the phrases case study examples, customer trust, or customer value nearly often enough.

But rather than dwell on our skepticism, here are a few things we’re excited about going into next week:

  • The Innovation Sandbox is always a highlight. Most of our team will come by to see the finalists on Monday, and you should look for our upcoming blog posts, tweets, and a report or two examining some of the vendors that have competed in this annual contest.
  • The expo dress code will be a whole lot classier. I’m personally glad to see RSA’s leadership with the new vendor dress code guidelines this year. (And kudos to our former colleague Chenxi Wang for her role in this change.) Hopefully that means everyone’s more focused on the substance of vendor messaging.

Brand Resilience: Risk Pros' Key Role In Protecting Company Reputation

Nick Hayes

Risk professionals aren’t prepared for the age of the customer. Empowered consumers and changing market dynamics are upending longstanding business models and lines of operation, but risk professionals largely stand pat, and continue to neglect risks related to their organizations’ most critical asset – company reputation. Yesterday we published a report on "Brand Resilience" that will hopefully help you change that legacy risk mentality.

Corporate Reputation Is Increasingly Valuable…

Companies today rely on their reputation to generate greater portions of their revenue, attract new customers, and retain existing ones. This is why we see:

PRISM And Its Impact On Global Cloud And Internet Outsourcing

Edward Ferrara

Did PRISM Cause An Exodus From US Clouds?

PRISM's impact is still felt in the market for Internet services, although the size of the storm and its resulting impact are smaller than originally thought. International business, it seems, was far more insulated from US spying than was originally assumed.

Since Edward Snowden revealed the US National Security Agency's PRISM spying program, there has been widespread speculation that the disclosure of US spying would significantly harm US cloud, hosting, and outsourcing businesses as international customers walked away from any firm within the NSA’s reach.

Why Is PRISM So Important?

International spying is still a global issue and is driven by the current state of international affairs. Global political and economic instability is fueling an epidemic of cyberattacks whose sources include nation states, organized crime groups, and, unfortunately, terrorists. Edward Snowden's disclosure of the PRISM program lifted cybersecurity from an abstract concept to one that evoked a tremendous level of emotion, much of it driven by the emotion surrounding privacy, or, more accurately, the need so many have for privacy.[i]

The Impact