
| #CLOUDSEC · • Use social engineering for targeted campaigns • Extensive use of big data and...

Date post: 18-Aug-2020
Transcript
Page 1:
Page 2:

www.cloudsec.com | #CLOUDSEC

Stop Thinking IT Security – Think Business Risk!
Simon Piff, Vice President, Security Practice
IDC Asia Pacific
@spiffatidc

Page 3:

IDC FutureScape:  IT Security Products and Services ‐ APeJ Implications

IDC FutureScape: Worldwide IT Security Products and Services 2017 Predictions – Asia/Pacific Excluding Japan Implications. Doc #AP42209917

1. By 2019, 50% of all online transactions will incorporate biometric authentication driven by a ubiquitous technology infrastructure that enables low implementation costs and broad user acceptance.

2. By 2019, more than 75% of IOT device manufacturers will use security and privacy as competitive positioning to capture the attention of security and privacy advocates and earn consumer trust.

3. By 2019, nearly every major multinational corporation with ties to the U.S. or Europe will face significant cybersecurity attacks aimed at disruption of commodities.

4. Over the next two years, 80% of consumers in developed nations will defect from a business because their personally identifiable information is impacted in a security breach.

5. By 2018, 30% of enterprise cybersecurity environments will incorporate cognitive/AI technologies to assist humans in dealing with the vastly increasing scale and complexity of cyber threats.

6. By 2018, 30% of enterprise customers will leverage analytics‐as‐a‐service to help solve the challenge of combing through security‐related data and events.

7. By 2020, cloud security gateway functionality begins to be integrated as part of web service offerings to entice IT leaders to move offerings to the cloud.

8. By 2020, 30% of U.S. broadband homes will have at least one IP‐enabled home automation or security monitoring sensor/device.

9. Reactive security services such as Incident Response and Forensics services will marginally increase by 2020 but will still overshadow proactive services.

10. By 2025, on‐premises security management will be a thing of the past, subsumed by SaaS security and network‐based security.

[Figure: the ten predictions plotted by TIME (MONTHS) TO MAINSTREAM (0‐12, 12‐24, 24+) against ORGANIZATIONAL IMPACT (a single department or a business unit; multiple departments or business units; companywide). Labels: Cloud Security Gateways; Biometric Authentication; Consumer PII; Cloud, Hosted, & SaaS Security Services; Analytics‐as‐a‐Service; IOT Security and Privacy; Incident Response Retainers; Cyberattack Disruption; IP enabled Home Automation; Cognitive Cybersecurity.]

Page 4:

Getting Past The Eye Test (on Previous Slide)

• Mobile biometrics
• IoT
• Cyber‐terrorism/warfare
• Consumer reaction
• Machine learning/AI
• Analytics
• Cloud security
• Incident response and Forensics
• Security as a service

Page 5:

So Much For The Future. What about today?

Page 6:

IDC IT Security MaturityScape Benchmark Report ‐ APeJ (n = 852)

• Naïve Novice (43.8%): Employ basic operational security measures and act on security needs as they arise.
  Business Outcome: Organization unknowingly accepts large risks that leave it extremely vulnerable.

• Reactive Responder (40.2%): Full-time staff address most significant security requirements but look to external sources to provide guidance in compliance-oriented program.
  Business Outcome: Organization keeps auditors at bay but can be challenged in a breach scenario and overspends on ineffective measures.

• Compliant Companion (9.2%): Solid security program and control framework address all regulator needs and internal risk assessments.
  Business Outcome: Organization invests significant resources and money but has difficulty describing value proposition in strategic terms.

• Proactive Partner (6.1%): Robust security program with strong compliance and early exploration of the cost effectiveness of solutions.
  Business Outcome: Organization successfully manages risk but lacks understanding of critical overarching business context.

• Predictive Professional (0.7%): Risk recognized as an element of overall business value proposition for technology, and the security strategy approach seeks most efficient and effective ways to manage enterprise security.
  Business Outcome: Organization has an efficient and effective economics driven security strategy, including risk returned per unit cost, for entire portfolio.

84% at Stage 1&2

Page 7:

IDC IT Security MaturityScape Benchmark Report - India

• Naïve Novice (42.5%): Employ basic operational security measures and act on security needs as they arise.
  Business Outcome: Organization unknowingly accepts large risks that leave it extremely vulnerable.

• Reactive Responder (51.5%): Full-time staff address most significant security requirements but look to external sources to provide guidance in compliance-oriented program.
  Business Outcome: Organization keeps auditors at bay but can be challenged in a breach scenario and overspends on ineffective measures.

• Compliant Companion (4.6%): Solid security program and control framework address all regulator needs and internal risk assessments.
  Business Outcome: Organization invests significant resources and money but has difficulty describing value proposition in strategic terms.

• Proactive Partner (1.3%): Robust security program with strong compliance and early exploration of the cost effectiveness of solutions.
  Business Outcome: Organization successfully manages risk but lacks understanding of critical overarching business context.

• Predictive Professional (0.1%): Risk recognized as an element of overall business value proposition for technology, and the security strategy approach seeks most efficient and effective ways to manage enterprise security.
  Business Outcome: Organization has an efficient and effective economics driven security strategy, including risk returned per unit cost, for entire portfolio.

94% at Stages 1&2

Page 8:

Source: IDC Asia/Pacific C-suite Barometer Research 2017 India

31.4%

19.4%

Page 9:

The Critical Issue for all organizations

• It’s not about IT security – this limits the view and places all the resolution onto over‐stretched IT teams.

• It is about Business Risk – this engages the business units, the executive and the board, and helps define the role IT plays in the process.

Page 10:

Attacks are Everywhere!

Page 11:

A Highly Transformed Industry

• Niche engineers design advanced products
• One organization employs hundreds of malware designers, linguists and other professionals
• Key products will check the keyboard language before choosing to execute, or not
• Avoidance technology embedded in many “applications” (seeking bare metal, and not a VM, before executing)
• Use social engineering for targeted campaigns
• Extensive use of big data and analytics to identify further opportunities
• Delivers 24x7 helpdesk support
• Offers a range of offerings “as a service”
• Leverages cryptocurrency for global transactions

Page 12:

However … old habits die hard

Page 13:

Distributed Integrity

Endpoint, AV, firewalls, patches, Monitoring, analytics, IDS, DLP, user training, 2FA, gateways, tags and tethers

micro-segmentation

Prevention Detection Mitigation

Mesh, Hub & Spoke.

More process driven than technological

Response

IT response

Crisis Management response

Legal mitigation, press & PR strategy

Page 14:

Essential Guidance

Page 15:

Re‐Format the Issue

• It’s not IT security. It’s what IT can do to limit business risk
  • Engages other parts of the organization that need to have a stake
  • Ensure the CEO/Board understand there is no such thing as being connected, and 100% secure
  • Drives the conversation from protection, to risk management and mitigation

• IT security has at least two distinct mindsets
  • Hunters – who are constantly tasked with seeking threats across the internal systems
  • Remediation team – who respond to and remediate the threats that the Hunters detect

Page 16:

Military Spending

The funding model for IT Security is more akin to Military Spending than traditional IT metrics of ROI

Page 17:

Understand Your Unique Environment

• What is at stake for the business?
  • Legislative compliance
  • Core Intellectual Property
  • Personally Identifiable Information (customers, employees, partners)
  • Business Continuity

• Understand the Threatscape
  • What do you own that is of value to the hacking community?
  • How equipped are you to protect this from a persistent threat?
  • How well do you monitor your internal systems and critical employees?
  • What level of access do you provide to customers, partners and contractors?

Page 18:

Resourcing!!

• The future is SecDevOps
  • Embed security at the outset, no more bolting‐on after the fact

• Chief Security Officer
  • Have one!
  • Not reporting into IT!
  • The “Hunter” team only reports into the CSO (Remediation team is part of the CIO, COO remit)

• CEO engagement
  • If the CEO does not have a KPI for security, then it will never get the attention it requires

Page 19:

Changing the Rules

• Business continuity and data integrity
• Compliance is not the goal, compliance is part of the journey to excellence
• Risk appetite of the business is in a constant state of flux
• Consider re‐evaluation of key risk indicators for Digital Security
  • Control efficacy that leverages well‐established concepts like confusion matrices and sensitivity and specificity measures to compare controls.
  • Infection/compromise rate to identify the number of infections per individual assets, such as endpoints.
  • Controls per transaction that identifies the number of inline security tests performed on average for every event on the network.
  • Incidents per billion events to identify the number of unwanted outcomes that occur for every billion events evaluated.
  • Relative risk ratio of one environment to another, again leveraging established concepts in epidemiology.
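
The key risk indicators listed above (control efficacy, incidents per billion events, relative risk ratio), worked through as an added example that is not part of the original presentation. All counts are constructed for illustration, and the function names are this example's own.

```python
import math
from collections import Counter

def confusion(events):
    """Count outcomes over (is_malicious, flagged) pairs for one control."""
    c = Counter()
    for malicious, flagged in events:
        c[("t" if malicious == flagged else "f") + ("p" if flagged else "n")] += 1
    return c

def efficacy(c):
    """Sensitivity, specificity and precision from a confusion matrix."""
    return {
        "sensitivity": c["tp"] / (c["tp"] + c["fn"]),  # share of attacks caught
        "specificity": c["tn"] / (c["tn"] + c["fp"]),  # share of benign passed
        "precision": c["tp"] / (c["tp"] + c["fp"]),    # share of alerts that are real
    }

def incidents_per_billion(incidents, events_evaluated):
    """Unwanted outcomes normalised to one billion evaluated events."""
    return incidents * 1_000_000_000 / events_evaluated

def relative_risk(comp_a, assets_a, comp_b, assets_b):
    """Compromise-rate ratio of environment A to B with a 95% CI (log method)."""
    rr = (comp_a / assets_a) / (comp_b / assets_b)
    se = math.sqrt(1 / comp_a - 1 / assets_a + 1 / comp_b - 1 / assets_b)
    spread = math.exp(1.96 * se)
    return rr, rr / spread, rr * spread

def labelled(tp, fn, fp, tn):
    """Expand counts into constructed (is_malicious, flagged) test events."""
    return ([(True, True)] * tp + [(True, False)] * fn
            + [(False, True)] * fp + [(False, False)] * tn)

# Constructed data: two controls scored on the same 10,000 labelled events
# (100 malicious, 9,900 benign). Not measurements from the presentation.
CONTROL_A = efficacy(confusion(labelled(90, 10, 495, 9405)))
CONTROL_B = efficacy(confusion(labelled(70, 30, 99, 9801)))

if __name__ == "__main__":
    for name, m in (("A", CONTROL_A), ("B", CONTROL_B)):
        print(name, {k: round(v, 3) for k, v in m.items()})
    print("incidents per billion events:", incidents_per_billion(3, 250_000_000))
    rr, lo, hi = relative_risk(12, 400, 9, 1200)  # constructed endpoint counts
    print(f"relative risk A vs B: {rr:.2f} (95% CI {lo:.2f} to {hi:.2f})")
```

Control A catches more attacks, but at a 1% base rate most of its alerts are false positives, which is why sensitivity and specificity have to be read together when comparing controls.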

Page 20:

State Of War Has Been Declared

• The bad guys are not playing by the rules. This is a particular problem because security as a whole is too reactive and slow to adapt.

• We need to do a better job at protecting ourselves.

Eric Michael O'Neill is an American former FBI counter‐terrorism and counterintelligence operative

Page 21:

www.cloudsec.com | #CLOUDSEC

THANK YOU

Simon Piff, Vice President, Security Practice
IDC Asia [email protected]

