THE MSSP MARKET IS GROWING MORE SOLID AND STABLE

Edward Ferrara

Forrester's 26-criteria evaluation of managed security service providers (MSSPs) published today! The report focuses on the 13 most significant vendors in the North American market — AT&T, CenturyLink, CSC, Dell SecureWorks, HP, IBM, Leidos, SilverSky, Solutionary/NTT, Symantec, Trustwave, Verizon, and Wipro. This report details how well each vendor met our criteria and where they stand in relation to each other. This report will help you refine your selection criteria and choose the right partner for your outsourced security needs.

You can get the report here: The Forrester Wave™: Managed Security Services: North America, Q4 2014

CLOUD SECURITY CONTINUES TO BE A WORK IN PROGRESS

Edward Ferrara

Cloud adoption has historically been hampered by security concerns. All of Forrester's research shows this to be the number one impediemtn to adoption. Forrester just finished evaluating four cloud platform providers on the depth and breadth of their security controls. This Forrester Wave™ evaluates four of the leading public clouds along 15 key security criteria evaluations to answer this question. The participating cloud services providers were: AWS, CenturyLink Cloud, IBM SoftLayer, and Microsoft Azure. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other, to help S&R professionals select the right public cloud partner with the best options for security controls and overall security capabilities.

The results can be found here:  The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014

Security & Risk Consultant Spotlight Podcast With Todd Barnum

Stephanie Balaouras

For the past few months, we've been using our newsletter and podcast to highlight one of our analysts on Forrester's Security & Risk Team. This month, we decided to interview an S&R consultant. Todd Barnum is our consulting director, a two-time CISO, and a leading expert in information security governance, design, and operations!  Click below to hear our consultant spotlight on Todd. If you're not signed up for our newsletters, I highly encourage you to do so; please email srfl@forrester.com for additional details. 

Todd Barnum Image

To download the MP3 version of the podcast, please click here.

More Money, More Problems For Security Organizations In 2015

Stephanie Balaouras
If you’re a security and risk leader, it’s either the best of times or the worst of times. Today, it feels as if not a week goes by without yet another revelation of a large scale cyberattack targeting a trusted corporate brand. Suddenly, business executives who used to avoid you want to be your best friend and are looking at security as an integral piece of the business technology agenda. Why the sudden corporate conviviality? Well, now when there is a major customer breach, it’s not just your job that’s on the line, it’s their job on the line as well - and potentially up to a $1 billion in corporate profits. This means that protecting customers’ data and preserving their privacy can no longer be limited to the CISO or chief privacy officer. In fact, if your company execs are smart, they’ll make it one of their top business and corporate social responsibilities in 2015 - and if they’re not, look for a new job, because you don’t want to be working there.
 
This is why we predict that in 2015 there will be:
 
Read more

Categories:

Privacy Becomes A Competitive Differentiator In 2015

Heidi Shey
We are in a golden age of data breaches - just this week, the United States Post Office was the latest casualty - and consumer attitudes about data security and privacy are evolving accordingly. If your data security and privacy programs exist just to ensure you meet compliance, you’re going to be in trouble. Data (and the resulting insights) is power. Data can also be the downfall for an organization when improperly handled or lost. 
 
In 2015, Forrester predicts that privacy will be a competitive differentiator. There is a maze of conflicting global privacy laws to address and business partner requirements to meet in today’s data economy. There’s also a fine line between cool and creepy, and often it’s blurred. Companies, such as Apple, are sensitive to this and adjusting their strategies and messaging accordingly. Meanwhile, customers — both consumers and businesses — vote with their wallets. 
 
Read more

New Research: Know Your Adversary

Rick Holland
Mandiant's APT1 report changed the threat intelligence marketing game, and you would be hard pressed to find a cybersecurity company that doesn't have a research/intelligence team that produces threat actor reports. The previous few weeks have seen a significant amount of threat intelligence marketing around threat actor groups. FireEye released "APT28: A Window into Russia’s Cyber Espionage Operations?" The analytics firm Novetta released "Operation SMN: Axiom Threat Actor Group Report."  
 
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.  
 
Read more

EY Releases New Global Information Security Survey For 2014

Edward Ferrara

EY has released its Global Information Security Survey 2014. The survey, published every year, focuses on the issues facing information security pros for the coming year. Many of the trends identified in the report are trends that Forrester has seen evolve in the past two years. At the same time, these trends are accelerating. I am one analyst that is reluctant to paint information security with the fear, uncertainty, doubt (FUD) brush, but after reading the EY report I am not sure that FUD is inaccurate. We live in challenging times and the EY report validates this assertion. For example the research shows:

  • Attack power on the part of adversaries continues to grow. The capabilities and attack power of the adversary are on the rise. Criminal syndicates, hacktivists, and state-sponsored attackers top EY's respondents' list of top attack sources. This is not surprising based on the level of political instability in the world and the financial gains cybercrime can provide criminal groups derived from cybercrime.
  • Organizations are in battle with outdated weapons and strategies. Business today is using a set of outdated strategies and technologies to combat adversarial groups that are well financed and supported using some of the best offensive technologies available. These groups are well trained in the use of social engineering and technical cyberattack craft.
  • Organizations continue to see a dissolution of the perimeter. Mobility, outsourcing, cloud computing, and third-party consulting agreements continue to poke holes in companies' perimeters. All of these issues point to the need of a more flexible defense that uses a variety of smart detection and protection methods.
Read more

Proofpoint Acquires Nexgate: SRC Market Matures, But Still Lots Of “Points To Prove”

Nick Hayes

Yesterday, Proofpoint announced it will acquire social risk and compliance (SRC) vendor Nexgate for approximately $35 million.

The Acquisition Signals The SRC Market Is Maturing

This acquisition points to a budding and rapidly evolving SRC market. With the proliferation of social media, organizations face a slew of emerging regulatory challenges, brand threats, and security vulnerabilities – just look at recent incidents with Cole Haan, Zarbee’s, US Airways, British Gas, among countless others, even including our own US military. While once a niche market helping financial services firms meet FINRA obligations, SRC solutions now offer more than just compliance support, helping organizations better manage today’s wide gamut of social risks with social threat detection, account protection, and risk monitoring.

Proofpoint Has To Prove The Sum Is Greater Than Its Parts

Read more

Salesforce.com And Risk Analytics – They May Soon Be A Vendor To Watch?

Nick Hayes

Last week Salesforce.com (SFDC) hosted its annual Dreamforce Conference in San Francisco, and for the first time, the cloud giant’s products could soon have some major implications in the governance, risk, and compliance (GRC) market.

Amidst the chaos of keynotes, partner sessions, guest speakers like Hilary Clinton, wil.i.am, Al Gore, and our very own George Colony, two of SFDC’s major announcements demonstrated how its new offerings and future strategy will position the company to compete in the very big business intelligence market:

  1. SFDC plans to grow from $5.4 billion to $20 billion by competing more directly with BI vendors like SAP
  2. SFDC announced its "Wave" Analytics Cloud offering, which helps deliver dashboards and analytics from any data source in its platform.
Read more

Amazon Web Services Announces Cloud Active Directory

Andras Cser

As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessary technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering AD integration for a relatively long time), obviously this announcement is relevant because of AWS's broad presence in IaaS. We urge Forrester's clients that plan to use AWS AD service to ask AWS the following questions:

1. What safeguards are there to protect information (user, computer, etc.) in AWS AD?

2. How does AWS integrate in real time with on-premises AD and shared folder infrastructures?

3. What types of true identity management (access governance and provisioning) services does AWS offer to complement this new AD service?

 

Check AWS's blog entry at http://aws.amazon.com/blogs/aws/new-aws-directory-service/ for more details.