Security pros got the Target breach for Christmas last year. The breach hit the retailer during its busiest time of the year and cost them millions in lost business. For security pros desperate for more budget and business prioritization, you couldn’t have asked for a more perfect present - it’s as if Santa himself came down the chimney and placed a beautifully wrapped gift box topped with a bow right under your own tree. This year it looked as if all we were getting was a lump of coal - but then Sony swooped in to save us like a Grinch realizing the true meaning of Christmas.
The Sony Pictures Entertainment (SPE) breach is still unfolding, but what we know so far is that a hacktivist group calling themselves the Guardians of Peace (GoP) attacked Sony in retribution for the production of a movie, “The Interview,” which uses the planned assassination of North Korea’s leader as comedic fodder. The hacktivists supposedly stole 100 TB of data that they are gleefully leaking bit by bit (imagine Jingle Bells as the soundtrack). The attack itself affected the availability of SPE’s IT infrastructure, forcing the company to halt production on several movies.
If you’re a security and risk leader, it’s either the best of times or the worst of times. Today, it feels as if not a week goes by without yet another revelation of a large-scale cyberattack targeting a trusted corporate brand. Suddenly, business executives who used to avoid you want to be your best friend and are looking at security as an integral piece of the business technology agenda. Why the sudden corporate conviviality? Well, now when there is a major customer breach, it’s not just your job that’s on the line, it’s their job on the line as well - and potentially up to $1 billion in corporate profits. This means that protecting customers’ data and preserving their privacy can no longer be limited to the CISO or chief privacy officer. In fact, if your company execs are smart, they’ll make it one of their top business and corporate social responsibilities in 2015 - and if they’re not, look for a new job, because you don’t want to be working there.
This is why we predict that in 2015 there will be:
Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business resiliency. Each year, we focus on a particular resiliency domain: business continuity, IT disaster recovery, crisis communications, or overall enterprise risk management. The studies provide BC and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique due to its size, industry, long-term business objectives, and tolerance for risk, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to understand if you’re in line with industry best practices and/or you need to convince skeptical executives that change is necessary.
This year’s study will focus on business continuity. We’ll examine the overall state of BC maturity, particularly in process maturity (business impact analysis, risk assessment, plan development, testing, maintenance, etc.), but we’ll also examine how social, mobile, analytics, and cloud trends are positively and negatively affecting BC preparedness. In the last BC survey, one of the statistics that disturbed me the most was that very few firms assessed the BC preparedness of their strategic partners beyond asking for a copy of their BC plan. And we all know plans are always up to date, tested, and specific enough to address the risk scenarios that the partner is most likely to experience (please note the tone of sarcasm in this sentence). I hope this year’s survey shows an improvement; otherwise, most of the industry is in mucho trouble.
Yesterday, Symantec announced that it too was ordering up a bowl of the organizational strategy du jour and splitting itself into two independent, publicly traded companies, one focusing on security and the other on information management.
I have doubts whether simply splitting in two can spark innovation after nine years of gobbling up gargantuan (I still miss you, Veritas) and small vendors alike with little to show for it but operational indigestion. But I suppose anything is better than changing CEOs as frequently as I change the oil in my car and standing by and watching CISOs turn to completely new security brands as their trusted advisor. And there is this little matter of how mobile, social, cloud, and big data are completely transforming not only the way digital businesses compete and serve their customers but how technology vendors themselves deliver their own solutions and engage with their clients -- and Symantec isn't leading the charge in any of those market shifts.
October has arrived and it's time for what is becoming a fan-favorite series here at Forrester: the Security & Risk Analyst Spotlight Podcast featured in our bimonthly newsletter. This month, we're featuring 8-year Forrester veteran and analyst Heidi Shey, one of our leading analysts on data security and privacy. You'll hear some great insights from Heidi on clients' top challenges, surprising research findings, and upcoming research and vendors to watch.
Each month we use our newsletter and a podcast to highlight one of the many talented and hardworking analysts and researchers on Forrester's Security & Risk team. If you're not signed up for our newsletters, I highly encourage you to do so; please email email@example.com for additional details. In the meantime, listen to our analyst spotlight on senior analyst Renee Murphy, one of our leading analysts on governance, risk, and compliance. You'll hear some great insights from Renee on clients' top challenges and requirements, surprising research findings, and upcoming research and vendors to watch.
The Forrester S&R team has doubled in size during the last several years. Today, we're 17 analysts and researchers across the US, Europe, and India, 19 if you count the research associates that support every project. Given the size of the team and the degree to which analysts have been able to specialize, we decided that we'd take a little time each month to highlight each member of the team in one of our bimonthly newsletters and in a short podcast. If you're not signed up for our newsletters, I highly encourage you to do so; please email firstname.lastname@example.org for additional details. In the meantime, listen to our analyst spotlight on Senior Analyst Tyler Shields.
On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel, in large part because of the massive and embarrassing customer data breach that occurred just before the 2013 U.S. holiday season kicked into high gear. After a security breach or incident, the CISO (or whoever is in charge of security) or the CIO, or both, are usually axed. Someone’s head has to roll. But the resignation of the CEO is unusual, and I believe this marks an important turning point in the visibility, prioritization, importance, and funding of information security. It’s an indication of just how much:
Security directly affects the top and bottom line. Early estimates of the cost of Target's 2013 holiday security breach indicate a potential customer churn of 1% to 5%, representing anywhere from $30 million to $150 million in lost net income. Target's stock fell 11% after it disclosed the breach in mid-December, but investors pushed shares up nearly 7% on the news of recovering sales. In February 2014, the company reported a 46% decline in profits due to the security breach.
Poor security will tank your reputation. The last thing Target needed was to be a permanent fixture of the 24-hour news cycle during the holiday season. Sure, like other breached companies, Target’s reputation will likely bounce back, but it will take a lot of communication, investment, and other efforts to regain customer trust. The company announced last week that it will spend $100 million to adopt chip-and-PIN technology.
I attend numerous security and IT conferences each year, most of which simply blur together into a vendor cacophony about the perils of social, cloud, and mobile device adoption or the ever-present danger from devious cybercriminals and nefarious state-sponsored agents. The uniform repetition of this narrative from every vendor in the industry reminds me of the drowning din of thousands of cicadas awakening from hibernation. McAfee Focus had a different feel. And overall, compared to other conferences, it was a worthwhile trip, and not just because Chris McClean and I won at craps, but because while McAfee did pay homage to the technical security pros in the audience with the requisite discussion of the changing threat landscape and accompanying hacking demo, there was a palpable difference in their narrative, particularly in CEO Mike DeCesare’s keynote. Here are a few notable highlights from the conference:
When I talk to security and risk (S&R) leaders, they always tell me that in an ideal world, they would have enough advance warning of impending business and technology disruptions to understand the security, privacy, and overall risk implications and then prepare and present their business executives with a balanced opinion about how best to proceed if and when the enterprise decides to move forward. Unfortunately, most often, business and IT colleagues move on these disruptions and technology shifts far in advance of the security team’s readiness, and we don’t have to look far for examples; just think of employee BYOD, mobile apps for customer engagement, cloud services, social technology for marketing and collaboration, massive big data projects for business intelligence, or virtual and converged infrastructures within the data center.