Traditional antivirus techniques have been fighting a losing battle for years. Popular exploit kits pounce on new vulnerabilities quickly, and techniques such as polymorphic malware produce a fresh variant for every infection. As a result, signature databases (known as "blacklists") have ballooned in size, straining a company's infrastructure and endpoint performance. Combined with the fact that antivirus vendors miss a significant number of unknown or zero-day threats, many security professionals are left questioning their antivirus-centric approach to endpoint protection. As the number of malware samples rises, this traditional "Whack-A-Mole" blacklist strategy of signature-based antivirus protection is simply unscalable.
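To make the scaling problem concrete, here is an added, constructed example (not code from the original post or any vendor product). A toy "polymorphic" sample keeps a fixed decoder stub and XOR-encodes its body under a fresh one-byte key per copy; a hash blacklist needs one entry per copy, while a signature on the invariant stub catches every copy. The stub bytes, the body, and the key scheme are all placeholders chosen for illustration, and the stub-based match goes slightly beyond the paragraph to show the alternative vendors actually rely on.

```python
import hashlib

# Constructed placeholders: this is not real shellcode or a real malware body.
DECODER_STUB = bytes.fromhex("5e31c9b1")          # invariant across variants
PAYLOAD_BODY = b"constructed-malicious-body-v1"   # what the stub would decode


def make_variant(key: int) -> bytes:
    """One polymorphic copy: fixed stub, then the key byte, then the XOR-encoded body."""
    return DECODER_STUB + bytes([key]) + bytes(b ^ key for b in PAYLOAD_BODY)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashBlacklist:
    """Signature-based AV in its simplest form: one SHA-256 per known sample."""

    def __init__(self) -> None:
        self.hashes: set[str] = set()

    def add_sample(self, sample: bytes) -> None:
        self.hashes.add(sha256(sample))

    def matches(self, sample: bytes) -> bool:
        return sha256(sample) in self.hashes


def stub_signature_matches(sample: bytes) -> bool:
    """Structural signature: match the decoder stub that every variant must carry."""
    return sample.startswith(DECODER_STUB)


def evaluate(num_variants: int = 256) -> dict:
    """Compare a hash blacklist that has seen one sample against all key variants."""
    blacklist = HashBlacklist()
    blacklist.add_sample(make_variant(0x41))  # the one sample the vendor captured

    variants = [make_variant(key) for key in range(num_variants)]
    return {
        "variants": num_variants,
        "hash_hits": sum(blacklist.matches(v) for v in variants),
        "stub_hits": sum(stub_signature_matches(v) for v in variants),
        # entries the blacklist would need to cover every variant
        "blacklist_entries_needed": len({sha256(v) for v in variants}),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

With 256 possible keys the blacklist that knows one sample flags exactly one of the 256 variants and would need 256 entries to cover them all, while the stub signature flags all 256 with a single rule. Real decoder stubs are themselves mutated by better polymorphic engines, which is why vendors moved toward heuristics and behavior rather than growing the blacklist further.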
During the past three years, you may have noticed that security and risk professionals have added a new term to their lexicon: business resiliency. Is this just an attempt by vendors to rebrand business continuity (BC) and IT disaster recovery (DR), in much the same way that vendors rebranded information security as cybersecurity to make it seem sexier and to sell more of their existing products? Some of it certainly is rebranding. However, just as the shift in the threat landscape from lone hackers to well-funded crime syndicates and state-sponsored agents precipitated the use of the term cybersecurity, a real shift has also taken place in BC/DR.
If you look up the term "resiliency" in the dictionary, it's defined as "an occurrence of rebounding or springing back". Thus, business resiliency refers to the ability of a business to spring back from a disruption to its operations. Historically, BC/DR focused on the ability of the business to recover from a disruption. Recovery implies that there was in fact a disruption: for some period of time, business operations were unavailable, and there was downtime as the business strove to recover. Resiliency, on the other hand, implies that an event may have affected the business's operations, and the business may have operated in a diminished state for some period of time, but operations were never completely unavailable; the business was never down.
The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence, or only somewhat influenced, BCM at their company. It's not much better for NFPA 1600: 70% of respondents said that it did not influence, or only somewhat influenced, BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide, and NFPA 1600 has been popular in the US for years. In addition, the U.S. Department of Homeland Security's Private Sector Preparedness Program (PS-Prep) recognizes both of these standards for assessing preparedness. If you're wondering what standards respondents named in the "Other" category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. It's not surprising, but it is a little disheartening: clearly, unless compelled to do so, most BC professionals would not adopt or follow a BCM standard.
Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:
They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
In a recent Forrester/DRJ joint survey on BC preparedness, of organizations that have invoked a BC plan in the last five years, 37% said that their BC plans had not adequately addressed communication. In my experience, I’ve found that many organizations:
Don’t appreciate the importance of effective communication. Many organizations focus the content of their BC plans and the goals of their BC exercises on the details of recovery procedures but don’t focus on how they will contact and coordinate response teams, employees, partners, first responders and customers. If you can’t communicate, you can’t respond to anything.
Rely on manual procedures like call lists or email alone. By themselves, manual procedures are unreliable; they don't scale for organizations with thousands of employees (or citizens), and they don't provide any kind of reporting on who was reached and who was not.
Underestimate the difficulty of communicating effectively under stress. During the incident is not the time to attempt to craft effective communication messages, or to look for a secondary mode of communication because your primary modes (landlines and email) are no longer available.
Host-based intrusion prevention systems, host-based data leak protection, full-disk and file-level encryption: all are important tools used on the front line of endpoint security. They all offer added levels of protection when used with traditional client AV and patch management systems, but at what cost? In order for these tools to be used correctly, organizations must be prepared to invest in increased IT staffing and product training for administrators. This generally proves too high an obstacle for many SMBs, leaving the market to consist mostly of enterprise customers and big spenders. With their higher budgets and dedicated IT staff, enterprises are better positioned to take advantage of these advanced security technologies.
However, according to recent Forrester survey data, SMBs are just as interested in using these advanced security technologies. In our latest report "Endpoint Security Adoption Trends, Q2 2011 To Q4 2012," we present data showing adoption patterns of the various endpoint technologies in both SMBs and enterprises, while offering some analysis on what this means for security professionals looking to support current and future trends.
For those of you who are already planning on increasing your investment in endpoint security next year, which tools specifically are you looking at? What are your decision criteria?
According to our survey data dating back to 2008, despite year after year of high-profile security breaches, from Heartland Payment Systems to WikiLeaks to Sony, security budgets have only increased by single-digit percentages. This is hardly enough to keep up with the increasing sophistication of attacks, the avalanche of breach notification laws, and the changing business and IT environment.
The changing business and IT environment is perhaps the greatest concern. With a massive explosion of mobile devices and other endpoint form factors, and an ever-expanding ecosystem of customers, partners, clouds, service providers and supply chains, you have less and less direct control over your data, your applications and end-user identities. We refer to this expanding ecosystem as the "extended enterprise." In an extended enterprise, a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe that the extended enterprise is such a major shift for CISOs and security professionals that we dedicated our upcoming Security Forum to it, as well as a significant stream of research.
As a follow-up to my blog post yesterday, there's another area worth noting in the resurgence of interest in BC preparedness, and that's standards. For a long time, we've had a multitude of both industry and government standards on BCM, including the Australian Standards BCP Guidelines, the Singapore Standard for Business Continuity / Disaster Recovery Service Providers (which became much of the foundation for ISO 24762 IT Disaster Recovery), the FFIEC BCP Handbook, the NIST Contingency Planning Guide, NFPA 1600, BS 25999 (which will become much of the foundation for the soon-to-be-released ISO 22301), ISO 27031, etc. There are also standards in other domains that touch on BC, such as the security standards ISO 27001/27002.
When you come down to it, several of the broad risk management standards like ISO 31000 are applicable as well. At the end of the day, the same risk management disciplines underpin BC, DR, security and enterprise risk management: you conduct a business impact analysis (BIA) and a risk assessment, then accept, transfer or mitigate the risk, develop contingency plans, and keep the plans up to date and tested.
In my most recent research into various BCM software vendors and BC consultancies, as well as input from Forrester clients, BS 25999 seems to be the standard with the most interest and adoption. In the US at least, I attribute part of this to the fact that BS 25999 is now one of the recognized standards for the US Department of Homeland Security's Voluntary Private Sector Preparedness Accreditation and Certification Program. The other recognized standards are NFPA 1600 and ASIS SPC.1-2009. I've heard very few Forrester clients mention the latter as their standard.
During the last 12 to 18 months, there have been a number of notable natural catastrophes and weather-related events. Devastating earthquakes hit Haiti, Chile, China, New Zealand, and Japan. Monsoon floods killed thousands in Pakistan, and a series of floods forced the evacuation of thousands from Queensland. And then there was the completely unusual, as when ash from the erupting Eyjafjallajökull volcano in Iceland forced the shutdown of much of Western Europe's airspace. These high-profile events, together with greater awareness and increased regulation, have renewed interest in improving business continuity and disaster recovery preparedness. Last quarter, I published a report on this trend: Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And 2011.
For the second year in a row, I have the honor of hosting our Security Forum EMEA in London, March 17th - 18th. This is Forrester's 5th annual Security Forum in Europe, and each year brings a larger, more influential audience and more exciting Forrester and industry keynotes. The theme of this year's event builds on our fall event in Boston: Building The High-Performance Security Organization. It would have been easy to focus the event on one of the myriad threats and challenges facing security and risk (S&R) professionals today, from the emergence of advanced persistent threats to the security and risk implications of cloud services, social technologies and consumer devices in the workplace. But the real challenge for S&R professionals is not the specific response to today's threats. It's building the oversight and governance capabilities, repeatable processes, and resilient architectures that deal with today's threats but can also reliably predict, analyze, mitigate, and respond to tomorrow's threats and new business demands. Many of us in security are mired in day-to-day operational responsibilities, or, as some of us like to call it, the Hamster Wheel Of Hell.
It's that time of year when we begin planning our spring Forums. Our Security & Risk Forum EMEA will take place in London, March 17th and 18th. Planning and content creation for that Forum is already well underway, and we're looking forward to another great event. But I also wanted to highlight our spring IT Forum. Mark your calendars for May 25-27 in Las Vegas and June 8-10 in Barcelona. Not only is there a dedicated track for Security & Risk professionals at IT Forum, but there is also an opportunity for Security & Risk pros to learn about broad IT challenges and trends. I believe this is critical because, in order for security organizations to become much more proactive and less reactive, they have to understand what's happening across IT and not just narrowly within security. We need to be ready for the next major business or IT shift before it happens.
As technology becomes more accessible through media beyond IT's control, you have but one choice: get proactive by empowering employees, or swim against the current. Successful BT leaders will react not by blocking access but by lending their expertise to increase the chances of technology success and by empowering users to solve customer and business problems. This year's IT Forum will provide a blueprint for reaping the benefits of your empowered organization, complete with case studies, methodologies, and step-by-step advice tailored to each IT role.