Post on 07-Aug-2020
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.
Ray Wagner
Managing VP
August 29, 2013
Top Security Trends and Take-Aways for 2013/2014
@GARTNER_INC
Gartner at a Glance
• 935+ Analysts
• 13,000 Client Organizations
• 290,000 Client Interactions
• Vertical Coverage in Nine Industries
• 5,500 Benchmarks
• 10,200 Media Inquiries
• World's Largest Community of CIOs
• 64 Conferences
• 72% of Global 500
• 2,100 Consulting Engagements
• Clients in 85 Countries
• 71% of Fortune 1000
• 500 Consultants
Top Trends and Takeaways
The State of the (crumbling) State
Topic areas covered:
• Data Loss Prevention
• Secure Web Gateway
• Risk
• Security Application Testing
• Security Information & Event Management
• Cryptography
• Firewalls
• Managed Security Services
• Intrusion Prevention
• Mobile Security
• Endpoint Protection
• Social Media Security
• Monitoring
• Digital Surveillance
• Information Security and the Nexus of Forces
• Identity & Access Management
Traditional Security Models Are Strained: Increasingly We Don't Own or Control Much of IT
Security Inflection Points in Our Business and IT Infrastructure
• Socialization and Collaboration
• Mobilization
• Consumerization
• Virtualization
• Cloudification
• Industrialization of Hackers
• Nationalization of Hackers
Everything You Know About Security Changes
• Common thread is a loss of control
- "Trustability" replaces the misguided notion that ownership = trust
• All entities must be considered potentially hostile
- All packets, URLs, devices, applications, users are suspect
• Huge number of resource usage combinations
- Context becomes critical to making real-time security decisions
• Increasing ineffectiveness of traditional security controls
- Antivirus, perimeter firewalls increasingly ineffective
• Need to shift up the stack to protect information
- The final frontier, beyond networks and devices
• Extremely hard to detect compromises/ATAs
- You are already infected, you just don't realize it
Top Trends and Takeaways
CIOs and CISOs: What Are They Thinking?
Top 2012-2014 Security Priorities
1. Mobile Device Management
2. Data Loss Prevention
TIED for Third Place:
3. Security Information and Event Management
3. IT Governance Risk and Compliance
3. Strong User Authentication
Source: Gartner North America-EMEA Security Summits surveys
Top Trends and Takeaways
IT Security Jobs: (Your Resume Here)
Prosper, Survive or Leave
Matrix axes: Business Expertise, Technology Expertise, Creativity and Vision
• In-house people: Business analyst, user acceptance tester
• Vaporize into cloud (partially): Programmer, security tester, database administrator
• Best: Visionaries, technologists and business people will be cloud creators and providers
• Don't even think it: CTO, senior architect, project liaison
Top Trends and Takeaways
Monitor, Monitor, and Monitor Some More
User Activity and Resource Access Monitoring — Targeted Attack Detection
Perfect defenses are not achievable — better detection is also required
Diagram: defensive layers against targeted attacks
• Find and fix vulnerabilities
• Shield vulnerable applications
• Network defenses
• Shield vulnerable systems
• Monitoring
Diagram: steps of a targeted attack
• Target user
• Surveillance
• Steal user's credentials
• Compromise accounts
• Install malware
• Compromise servers
• Compromise applications
• Steal data
Information Security in 2020: Detection More Important Than Prevention
Seek vendors that focus on virtualization and cloud security controls, and support feature parity on x86-based compute fabrics.
Begin the transformation to context-aware and adaptive security infrastructure now as you replace static security infrastructure, such as firewalls, and Web security gateway and endpoint protection platforms.
Consider cloud security brokers to enforce enterprise security policy as public cloud-based services are consumed.
Look for cost reductions in increasingly ineffective perimeter and signature-based security controls to fund investments in monitoring and analytics.
Begin experimentation with big data analytics for the next-generation of security problems. Don't assume your SIEM takes this role.
Persistent threats must be met with persistent security; therefore, focus on uplifting older security technology and enabling the latest features that include context-aware security technologies.
By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.
Top Trends and Takeaways
Cloudy with a Chance of…
Dispelling the Three Major Cloud Security Myths
• Cloud services are inherently riskier than what we are already doing:
- Cloud does combine new technology and new processes
- Risks are different, not necessarily greater
• Cloud service providers are professionals and are more secure than we are:
- Many cloud service providers have consumer roots
- Risks are different, not necessarily lower
• Cloud is global, we can't even assess risk:
- Locations do and will matter
- Cloud services do not have to be global
Cloud Risk Appetite Spectrum (low to high)
• Large and highly-regulated organizations (low risk appetite): have much sensitive data; sophisticated IT capability; usually start with IaaS
• Small and non-regulated organizations (high risk appetite): have minimal sensitive data; primitive IT capability; usually start with SaaS
• Growing opportunity for more secure SaaS
Chart: Sensitivity of Data Typical of External Cloud Use, by organization type: Fortune 500, Finance, Individual, Small to Medium Business, Civilian Government, Military
Top Trends and Takeaways
Bring Your Own: A) Device, B) Disaster
Mobile Device Security and BYOD
In 2011, Gartner conducted a survey and found that 62% of our clients either had, or planned for, an IT-funded BYOD project.
Driving the following markets:
• Mobile Device Management
• Network Access Control
• Secure Web Gateways
• Mobile Data Protection
• Containerization Tools
• Strong Authentication
• SSL VPN
• Application Security
• Data Loss Prevention
The Four Phases of BYOD
Avoid
• Don't Ask, Don't Tell
• Corporate-Owned Devices Only
Accommodate (Focus: Data Protection, Cost)
• BYO Policies
• Formal Mobile Support Roles
• MDM
• NAC
• Limited Support
• Extend Existing Capabilities
Adopt (Focus: Productivity)
• Desktop Virtualization
• Adoption of New Enterprise-grade Services
• Enterprise 'App Stores'
• Self-Service and P2P Platforms
Assimilate (Realization of the Personal Cloud)
• Context awareness
• Identity-Aware NAC
• Workspace Aggregators
• 'Walk Up' Services
Top Trends and Takeaways
OT = Over Time
Until 2015, more than 70% of enterprises will need to take urgent action over the risks of serious operational and strategic failure caused by ineffective management of OT or of IT/OT convergence.
Strategic Planning Assumption
A Wakeup Call for OT Security and Risk
• The type, frequency, and quality of OT security threats are increasing
• The visibility of the threats is also increasing, placing pressure on OT industries to respond quickly
• While IT security architecture, principles, and practices can help, OT security has unique issues in those areas that must be addressed
• OT security will require a significant “inflection point” change in culture, organization, and process to address properly
"The greatest obstacle to discovery is not ignorance; it is the illusion of knowledge." — Daniel Boorstin
Top Trends and Takeaways
IAM…and how the CISO should be thinking
By the end of 2015, 50% of all new retail customer identities will be based on social network identities.
Strategic Planning Assumption
Chart: share of new retail customer identities based on social network identities, end-2012 (<5%) versus end-2015
Security Risks
• Identity proofing: Social networks generally ask for no proofs of real-world identity. Risk is not significantly higher than allowing self-assertion for new account creation.
• User authentication: Social network login typically relies on a legacy password with variable "strength" requirements. Most retail customer login relies on legacy passwords too. Risk arises from relatively poor "strength" requirements (but these are overrated anyway).
• Underlying protocols: OAuth and OpenID are less robust than SAML. Historically a barrier, but RESTful social networks compel enterprises to accept the risk. OpenID Connect promises to raise the bar.
Business Risks
Is it creepy?
• Do you want Facebook and so on to know who your customers are?
• Do your customers want Facebook and so on to know that they're your customers — and what they do/buy/view?
Is it strategic?
• Is it reliable? (No SLAs!)
• Will it persist?
Is there a net benefit?
• Will a focus on social network login detract from other customer experience initiatives?
• Will customers without social network logins feel disenfranchised?
Top Trends and Takeaways
The (Security) Free State…?
If We Can Reduce Security Controls
• Less bureaucracy
• Cost reduction
• Improved staff morale
• A truly agile IT environment with reduced barriers to business flexibility
• Better security:
- Less "underground activity"
- Focus on monitoring and reactive processes
"Bad things do happen; how I respond to them defines my character and the quality of my life…" — Walter Anderson
From Control-Centric Security to People-Centric Security
• Control-centric: Policy, Rules, People, Punishment
• People-centric: Rights, Principles, Policy, Responsibilities, People, Monitor, Educate
Action Plan
Top Security Trends and Takeaways
Top Security Trends — 2013 & 2014
The State of the (crumbling) State
CIOs and CISOs
IT Security Jobs: (Your Resume Here)
Monitor, Monitor, and Monitor Some More
Cloudy with a Chance of…
BYOD
OT = Over Time
IAM and CISO Thinking
The (Security) Free State
• The Security Scenario
• Board Communications
• Risk, Riskier, Riskiest
• Program Maturity
• Encryption ≠ Security
• If not passwords, then what?
• App Security Grows Up
Action Plan for Security & Risk Leaders
Monday Morning
- Assess how well the strategic vision of your security & risk program addresses the Nexus of Forces and specific trends
Next 90 Days
- Educate your IT delivery and executive stakeholders on the challenges and opportunities of the Nexus of Forces.
- Assess the maturity of the major elements of your risk and security program and decompose gaps into projects.
- Map key risk indicators into business key performance indicators and use this to engage the business in risk discussions.
Next 12 Months
- Develop a long-term strategy for continuous improvement.
- Develop and deliver an executive reporting scheme that addresses the needs of a business audience.
Recommended Gartner Research
Agenda Overview for Security and Risk Management Leaders, 2013
Carsten Casper | Roberta J. Witty | Paul E. Proctor | Tom Scholtz | John A. Wheeler (G00238845)
Agenda Overview for Information Security Technology and Services, 2013
Andrew Walls (G00239321)
Agenda Overview for Identity and Access Management, 2013
Earl Perkins | Gregg Kreizman (G00245842)
Define the Structure and Scope for an Effective Information Security Program
Tom Scholtz (G00238280)
A Guide to Security and Risk-Related Hype Cycles, 2012
Ray Wagner (G00230394)
For more information, stop by Experience Gartner Research Zone.
Events for Security & Risk Management Professionals
Experience live analyst expertise plus much more at a Gartner event
Identity & Access Management Summit
November 18 – 20, Los Angeles, CA
Security & Risk Management Summit
July 1 – 2, Tokyo, Japan
August 19 – 20, Sydney, Australia
September 18 – 20, London, U.K.
Catalyst Conference
July 29 – August 1, San Diego, CA
Visit gartner.com/events
Simple steps for increasing the value of today's webinar experience
• Visit gartner.com/webinars
- Today's presentation is available to download on the Attachment Tab of our webinar portal or will be available shortly on our webinar page
- Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues
• Contact your Gartner account executive with any additional questions, comments or for a complimentary copy of today's presentation