Forrester’s Security & Risk Spotlight – Joseph Blankenship

Stephanie Balaouras

A lifelong Atlanta Braves fan, Forrester Senior Analyst Joseph Blankenship longs for the mid-1990s where his baseball team is concerned, but we promise that he looks to the future as he advises his clients on current and emerging security technologies. He covers security infrastructure and operations, including security information management (SIM), security analytics, and network security, and his research currently focuses on security monitoring, threat detection, operations, and management. Joseph has presented at industry events, has been quoted in the media, and has written on a variety of security topics.


Joseph's over 10 years of security experience includes marketing leadership and product marketing roles at Solutionary (NTT), McAfee (Intel Security), Vigilar, and IBM (ISS), where he focused on managed security services, consulting services, email security, compliance and network security. As a marketing leader, Joseph helped to align client needs with marketing strategy, messaging, and go-to-market activities while educating users about security strategy. His background also includes extensive experience in the IT, telecommunications, and consulting industries with Nextel, IBM, Philips Electronics, and KPMG.

Listen to Joseph's conversation with VP, Research Director Stephanie Balaouras to hear about Joseph's biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year:


Automated Malware Analysis Technologies Central To Defense Strategies

Jeff Pollard

"The most important security alerts we see."

That’s how one customer described the importance of Automated Malware Analysis technologies in their security workflow. After months of demonstrations, reference calls, and analysis we are thrilled that The Forrester Wave™: Automated Malware Analysis, Q2 2016 is live! Many clients we talked to used multiple vendors to analyze malware in order to maximize analysis results.

The underlying mechanisms for automated malware analysis are fascinating for the technophile - combining content security, hypervisor-driven execution, behavioral analytics, and algorithmic API analysis. Incredibly sophisticated software engineering and statistical modeling adds another layer of intrigue. Mix those together with evasive adversaries attempting to bypass the technology and it's an intense discussion!

We used the importance of AMA solutions as the dominant element of detection and prevention in client environments to inform our assessment.

Here’s an overview of our approach:

  • Visibility is a cornerstone of detection and protection. In order to detect it, you must see it in the first place.
  • Flexible deployment models are key to dynamic production environments. If it is hardware or on-premise only, then it only fits in environments that match the form factor.
  • Scalability avoids creating a problem as the environment grows. Scalable infrastructure allows the business to orchestrate workloads based on need and priority; AMA solutions should offer the same capabilities to better align with technology needs.

The EU General Data Protection Regulation (GDPR) Is Here

Enza Iannopollo

More than four years after the European Union started its journey toward new privacy rules, the EU Parliament adopted the final text of the new EU General Data Protection Regulation (GDPR) last week. The EU will complete the long and controversial process that led to the new rules next month, publishing the Regulation in the Official Journal of the European Union, but no changes can be made at this point. This leaves businesses with a two-year period in which to get ready for its implementation. Some EU countries, like France, will implement the new rules before 2018.

As a security and risk professional, you must start working now to assess what the new rules mean for your organization and make the necessary changes to technology, processes, and people. As you approach the task, keep in mind that the GDPR introduces important changes, such as:


Forrester’s Security & Risk Spotlight – Jeff Pollard

Stephanie Balaouras

One of the S&R team’s newest additions, Principal Analyst Jeff Pollard comes to Forrester after many years at major security services firms. His research guides client initiatives related to managed security services, security outsourcing, and security economics, and integrating security services into operational workflows, incident response processes, threat intelligence applications, and business requirements. Jeff is already racking up briefings and client inquiries, so get on his schedule while you still can! (As a side note, while incident response is generally not funny, Jeff is. He would be at least a strong 3 seed in a hypothetical Forrester Analyst Laugh-Off tournament. Vegas has approved that seeding.)


Prior to joining Forrester, Jeff served as a global architect at Verizon, Dell SecureWorks, and Mandiant, working with the world's largest organizations in financial services, telecommunications, media, and defense. In those roles he helped clients fuse managed security and professional services engagements in security monitoring, security management, red teams, penetration testing, OSINT, forensics, and application security.


Reflections on my First Year as an IAM Analyst

Merritt Maxim

At the RSA Conference two weeks ago, a common question from both clients and former colleagues -- “So, what’s it like being an analyst?” -- led me to write this blog post.

In the interest of full disclosure, there were no massive epiphanies during my first year, but the transition from being on the vendor side for 15+ years to an analyst provided some perspectives, listed here in no specific order:

  • The security industry is massive. Some former colleagues who learned of my new role often joked, “So you’ve gone to the dark side.” The irony is that analysts are actually removed from the penumbra of the four to six competitors that you obsess about when you work for a vendor. Once removed from this tunnel vision, you become more aware of the diversity of the infosecurity ecosystem. As an example, the number of exhibiting vendors at the RSA Conference is up 45% since 2014, to over 550 vendors. This reflects the ongoing vitality and demand for cybersecurity but also presents challenges to today’s security and risk professionals who have to evaluate an increasingly large and dynamic vendor landscape.


Is Breach Notification A Part Of Your Incident Response Plan?

Heidi Shey

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened, and set the tone for recovery. It's more art than science, with different factors that influence what and how you do the notification and response. Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response. Highlights from the discussion:


Apple Did The Right Thing To Defend Customer Privacy, But It Will Make Security And Risk Management More Difficult For You

Chris McClean

Apple's refusal to follow a court order to support the FBI's San Bernardino shooter investigation was the right move for the company and for its customers, as my colleagues and I cover in Fatemeh Khatibloo's blog post here, and in our full, detailed report, here. As we discuss, there are many constituents with a large stake in the outcome of this case, but I will focus on security and risk management decision makers in this post.

There are four key implications to consider:


Forrester’s Security & Risk Spotlight: CISO Expertise From Across The Pond

Stephanie Balaouras

2015 was a tumultuous year for CISOs. Breaches affecting The Home Depot, Anthem Blue Cross Blue Shield, and T-Mobile dominated the headlines worldwide and left no industry, region, or CISO unscathed. These unfortunate spotlights created a slew of negative infosec publicity along with panicked demands from business leaders and customers alike. How secure are we? Ask the CISO. How did this breach occur? Ask the CISO. Why did this breach occur? Ask the CISO. Could we have prevented it? Ask the CISO. How could we let this happen? Ask the CISO.

Yet, CISOs continue to struggle to gain clout and influence with the rest of the C-suite and sometimes it can feel like a thankless role. There is little recognition when you’re doing your job right, but you face a whirlwind of pain and blame the second something goes wrong. The world’s growing emphasis and focus on cybersecurity should be running parallel with the capabilities and reputation of the CISO. Instead, CISOs see their responsibilities increasing with only modest funding increases, recognition, or support from their fellow colleagues.


How Do You Set Your Company Up For Success With Data Classification?

Heidi Shey

Defining your data via data discovery and classification is the foundation for data security strategy. The idea that you must understand what data you have, where it is, and if it is sensitive data or not is one that makes sense at a conceptual level. The challenge, as usual, is with execution. Too often, data classification is reduced to an academic exercise rather than a practical implementation. The basics aren’t necessarily simple, and the existing tools and capabilities for data classification continue to evolve.* Still, there are several best practices that can help to put you on the road to success:

  • Keep labels simple. At a high level, stick to no more than 3 or 4 levels of classification. This reduces ambiguity about what each classification label means. Lots of classification labels increases confusion and the chance for opportunistic data classification (where users may default to classifying data at a lower level for ease of access and use).
  • Recognize that there are two types of data classification projects: new data and legacy data. This will help to focus the scope of your efforts. Commit to tackling new data first for maximum visibility and impact for your classification initiative.
  • Identify roles and responsibilities for data classification. Consider data creators, owners, users, auditors (like privacy officers, or a risk and compliance manager), and champions (who’s leading the classification initiative?). Data is a living thing and all employees have a role in classification. Classification levels may change over time as data progresses through its lifecycle or as regulatory requirements evolve.

Answering The Question: What Are The Real And Frightening Risks Within Healthcare Security?

Christopher Sherman

Connected medical devices are transforming healthcare. Unfortunately, security is too often an afterthought for the clinical engineering and business technology (BT) management teams implementing these revolutionary new technologies. In a recent report, Forrester predicted that 2016 will be the year we see ransomware for a medical device or wearable. This is a delicate thought, considering: 1) the healthcare industry is actually behind on data security compared to other industries, and 2) the FBI highlighted the risk posed to medical devices in their recent public service announcement: Internet Of Things Poses Opportunities For Cyber Crime.

This research initiative seeks to answer the following: Are there real threats posed by the emergence of connected medical devices? What can you do to protect your patients and employees from life threatening breaches? Is there an underground market for medical device exploits? This research will publish in early 2016 and will be featured in my talk at the RSA Conference this March.

We are looking for research interview candidates to support this initiative, specifically security professionals working in a healthcare setting or medical device security vendors with current solutions on the market. In exchange for your time, we will provide you with a complimentary copy of the final research. While anyone who participates will have the opportunity to be listed as an interviewee in the final report, all interviews will be treated as confidential unless expressly instructed otherwise.
