More Money, More Problems For Security Organizations In 2015

Stephanie Balaouras
If you’re a security and risk leader, it’s either the best of times or the worst of times. Today, it feels as if not a week goes by without yet another revelation of a large scale cyberattack targeting a trusted corporate brand. Suddenly, business executives who used to avoid you want to be your best friend and are looking at security as an integral piece of the business technology agenda. Why the sudden corporate conviviality? Well, now when there is a major customer breach, it’s not just your job that’s on the line, it’s their job on the line as well - and potentially up to a $1 billion in corporate profits. This means that protecting customers’ data and preserving their privacy can no longer be limited to the CISO or chief privacy officer. In fact, if your company execs are smart, they’ll make it one of their top business and corporate social responsibilities in 2015 - and if they’re not, look for a new job, because you don’t want to be working there.
 
This is why we predict that in 2015 there will be:
 
Read more

Categories:

Privacy Becomes A Competitive Differentiator In 2015

Heidi Shey
We are in a golden age of data breaches - just this week, the United States Post Office was the latest casualty - and consumer attitudes about data security and privacy are evolving accordingly. If your data security and privacy programs exist just to ensure you meet compliance, you’re going to be in trouble. Data (and the resulting insights) is power. Data can also be the downfall for an organization when improperly handled or lost. 
 
In 2015, Forrester predicts that privacy will be a competitive differentiator. There is a maze of conflicting global privacy laws to address and business partner requirements to meet in today’s data economy. There’s also a fine line between cool and creepy, and often it’s blurred. Companies, such as Apple, are sensitive to this and adjusting their strategies and messaging accordingly. Meanwhile, customers — both consumers and businesses — vote with their wallets. 
 
Read more

New Research: Know Your Adversary

Rick Holland
Mandiant's APT1 report changed the threat intelligence marketing game, and you would be hard pressed to find a cybersecurity company that doesn't have a research/intelligence team that produces threat actor reports. The previous few weeks have seen a significant amount of threat intelligence marketing around threat actor groups. FireEye released "APT28: A Window into Russia’s Cyber Espionage Operations?" The analytics firm Novetta released "Operation SMN: Axiom Threat Actor Group Report."  
 
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.  
 
Read more

EY Releases New Global Information Security Survey For 2014

Edward Ferrara

EY has released its Global Information Security Survey 2014. The survey, published every year, focuses on the issues facing information security pros for the coming year. Many of the trends identified in the report are trends that Forrester has seen evolve in the past two years. At the same time, these trends are accelerating. I am one analyst that is reluctant to paint information security with the fear, uncertainty, doubt (FUD) brush, but after reading the EY report I am not sure that FUD is inaccurate. We live in challenging times and the EY report validates this assertion. For example the research shows:

  • Attack power on the part of adversaries continues to grow. The capabilities and attack power of the adversary are on the rise. Criminal syndicates, hacktivists, and state-sponsored attackers top EY's respondents' list of top attack sources. This is not surprising based on the level of political instability in the world and the financial gains cybercrime can provide criminal groups derived from cybercrime.
  • Organizations are in battle with outdated weapons and strategies. Business today is using a set of outdated strategies and technologies to combat adversarial groups that are well financed and supported using some of the best offensive technologies available. These groups are well trained in the use of social engineering and technical cyberattack craft.
  • Organizations continue to see a dissolution of the perimeter. Mobility, outsourcing, cloud computing, and third-party consulting agreements continue to poke holes in companies' perimeters. All of these issues point to the need of a more flexible defense that uses a variety of smart detection and protection methods.
Read more

Proofpoint Acquires Nexgate: SRC Market Matures, But Still Lots Of “Points To Prove”

Nick Hayes

Yesterday, Proofpoint announced it will acquire social risk and compliance (SRC) vendor Nexgate for approximately $35 million.

The Acquisition Signals The SRC Market Is Maturing

This acquisition points to a budding and rapidly evolving SRC market. With the proliferation of social media, organizations face a slew of emerging regulatory challenges, brand threats, and security vulnerabilities – just look at recent incidents with Cole Haan, Zarbee’s, US Airways, British Gas, among countless others, even including our own US military. While once a niche market helping financial services firms meet FINRA obligations, SRC solutions now offer more than just compliance support, helping organizations better manage today’s wide gamut of social risks with social threat detection, account protection, and risk monitoring.

Proofpoint Has To Prove The Sum Is Greater Than Its Parts

Read more

Salesforce.com And Risk Analytics – They May Soon Be A Vendor To Watch?

Nick Hayes

Last week Salesforce.com (SFDC) hosted its annual Dreamforce Conference in San Francisco, and for the first time, the cloud giant’s products could soon have some major implications in the governance, risk, and compliance (GRC) market.

Amidst the chaos of keynotes, partner sessions, guest speakers like Hilary Clinton, wil.i.am, Al Gore, and our very own George Colony, two of SFDC’s major announcements demonstrated how its new offerings and future strategy will position the company to compete in the very big business intelligence market:

  1. SFDC plans to grow from $5.4 billion to $20 billion by competing more directly with BI vendors like SAP
  2. SFDC announced its "Wave" Analytics Cloud offering, which helps deliver dashboards and analytics from any data source in its platform.
Read more

Amazon Web Services Announces Cloud Active Directory

Andras Cser

As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessary technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering AD integration for a relatively long time), obviously this announcement is relevant because of AWS's broad presence in IaaS. We urge Forrester's clients that plan to use AWS AD service to ask AWS the following questions:

1. What safeguards are there to protect information (user, computer, etc.) in AWS AD?

2. How does AWS integrate in real time with on-premises AD and shared folder infrastructures?

3. What types of true identity management (access governance and provisioning) services does AWS offer to complement this new AD service?

 

Check AWS's blog entry at http://aws.amazon.com/blogs/aws/new-aws-directory-service/ for more details.

Business Continuity Pros, We Need Your Help!

Stephanie Balaouras

Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business resiliency. Each year, we focus on a particular resiliency domain: business continuity, IT disaster recovery, crisis communications, or overall enterprise risk management. The studies provide BC and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique due to its size, industry, long-term business objectives, and tolerance for risk, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to understand if you’re in line with industry best practices and/or you need to convince skeptical executives that change is necessary.

This year’s study will focus on business continuity. We’ll examine the overall state of BC maturity, particularly in process maturity (business impact analysis, risks assessment, plan development, testing, maintenance, etc.), but we’ll also examine how social, mobile, analytics, and cloud trends are positively and negatively affecting BC preparedness. In the last BC survey, one of the statistics that disturbed me the most was that very few firms assessed the BC preparedness of their strategic partners beyond asking for a copy of their BC plan. And we all know plans are always up to date, tested and specific enough to address the risk scenarios that the partner is most likely to experience (please note the tone of sarcasm in this sentence). I hope this year’s survey shows an improvement; otherwise, most of the industry is in mucho trouble.

Read more

Symantec No Longer Wants To Be The Company Where Good Software Goes To Live A Life Of Quiet Desperation

Stephanie Balaouras

Yesterday, Symantec announced that it too was ordering up a bowl of the organizational strategy du jour and splitting itself into two independent, publicly traded companies, one focusing on security and the other on information management.

I have doubts whether simply splitting in two can spark innovation after nine years of gobbling up gargantuan (I still miss you, Veritas) and small vendors alike with little to show for it but operational indigestion. But I suppose anything is better than changing CEOs as frequently as I change the oil in my car and standing by and watching CISOs turn to completely new security brands as their trusted advisor. And there is this little matter of how mobile, social, cloud, and big data are completely transforming not only the way digital businesses compete and serve their customers but how technology vendors themselves deliver their own solutions and engage with their clients -- and Symantec isn't leading the charge in any of those market shifts.

Read more

Analyst Spotlight Podcast With Renee Murphy

Stephanie Balaouras

Each month we use our newsletter and a podcast to highlight one of the many talented and hardworking analysts and researchers on Forrester's Security & Risk team. If you're not signed up for our newsletters, I highly encourage you to do so; please email srfl@forrester.com for additional details. In the meantime, click below to listen to our analyst spotlight on senior analyst Renee Murphy, one of our leading analysts on governance, risk, and compliance. You'll hear some great insights from Renee on clients' top challenges and requirements, surprising research findings, and upcoming research and vendors to watch. To download the MP3 version of the podcast, please click here

Read more