Assessing and Managing IT Security Risks
CONTENTS

Introduction
IT Security Environment in the Business
Risks and Tech Trends Drive Security Programs
  Risks at the Forefront
  Top Trends Affecting IT Security
  Top 5 Risks
Enterprise Security: Definitely Data-Driven
  Information Protection and Control: Top-Ranked Across the Board
Automated, Integrated Controls
  Old Threats Never Die (And New Ones Keep Appearing)
Metrics are a Problem
  Top Risks are Growing
  But Where Are The Metrics?
The Bottom Line
About the Author

© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.

Top Takeaways from the Wisegate Survey

Introduction

In June of 2014, Scale Venture Partners and Wisegate collaborated to conduct a member-driven, member-developed research initiative to gauge which meaningful IT security risks are growing, as well as which (if any) are shrinking. We wanted to understand what senior IT professionals identify as top risks, how confident they are in existing controls, and how they’re measuring the significance of these risks. We wanted to understand what industry trends and opportunities will affect respondents’ companies’ security efforts in the near future, and how security programs are being affected by evolving security issues, including where opportunities are increasing and decreasing for security professionals in IT.

We gathered data using a hybrid approach: first, by personally meeting with leading CISOs across approximately 15 industries. We asked what trends and externalities affected their security programs, and what areas security teams are focusing on to protect against their evolving enterprise risks. These conversations revealed common themes driving InfoSec program prioritization and spending.


We then expanded this study to a larger audience, conducting an online survey among a large cross-section of senior IT professionals, to get a broader perspective and stronger conviction on the trends observed in the in-person conversations. Overall we saw strong consistencies between both data sets: large numbers got larger, and the gaps between the lowest and highest security priorities increased as more survey participants chimed in. We did see some “spreading” amongst priorities, implying that both program maturity and product choice are alive and well within the Information Security market. We also collected attributes about InfoSec programs and heard glimpses of what makes programs successful.

IT Security Environment in the Business

In order to get a sense of the business context in which IT security professionals are working, this survey asked a few questions about the line of business to which the security function reports, how IT security is organized, and who is responsible for day-to-day security operations. As shown in Figure 1, security teams are aligned either centrally (55%) or with some blending of accountability (37%). A purely decentralized approach is an outlier (5%).

Figure 1. Survey Question: How is your company's security function organized?

Source: Wisegate, June 2014


Having a bias toward more centralization typically enables a security team to have tighter coordination and response times within itself, at the expense of local optimization with its internal customers. When asked who handles operational security tasks, the vast majority of security teams (82%) handle some or all of the operational security duties necessary to secure their enterprise (see Figure 2). Nearly half of IT security departments handle all of the IT-focused tasks such as endpoint patching, antivirus updates and network firewall maintenance.

Figure 2. Survey Question: Who handles operational security tasks at your company?

Source: Wisegate, June 2014

It’s interesting to note that, as Figure 2 shows, more than half (54%, combining “shared” and “exclusively other teams”) of the security teams rely on partners to implement security controls into their business’ operations. A final important point to observe in Figure 2 is that only 18% of security departments function in a purely non-operational capacity, instead focusing on security policies, training, governance, audits, oversight and reviews, security consultation, and so forth.

Risks and Tech Trends Drive Security Programs

IT security is in the press with increasing (and, sadly, distressing) frequency. There seems to be no lack of serious examples of company data being compromised, nor of ways these kinds of attacks and thefts can be accomplished. With so many possible ways for harm to affect a company and its data, how do information security programs prioritize what to focus on, what threats to address first, and when to change their focus?


Risks at the Forefront

As shown in Figure 3, respondents to the recent Wisegate / ScaleVP survey overwhelmingly follow “Risk-Based” approaches as their primary criterion for prioritization in their security program. Twice as many teams chose “risk-based approach” over “business strategy changes” as their first priority, which is likely because, to security teams, business strategy changes are just another risk for the security team to consider.

Figure 3. Survey Question: Indicate how you most often determine what to prioritize in your security program.

Source: Wisegate, June 2014

Changes to business strategy are the second-most common guide security professionals use to prioritize their security program, particularly when considering first and second choices. As Figure 3 demonstrates, security organizations aren’t prioritizing their program’s maturity. Nearly three-quarters (70%) are primarily focused on meeting external demands such as risks and business strategies instead of improving the operational excellence of their own security efforts. This raises concerns about building up security technical debt: because the business’s strategies and risks change so fast, it becomes difficult to focus on maturity. It’s worth considering that if a solution is presented (tech or otherwise) that is aligned to business priorities and addresses an important business risk, it almost doesn’t matter what the fix costs. Budget isn’t the limiting factor.


In terms of setting plans and priorities, this reactive approach to prioritization is manifested in the length of the roadmap, as shown in Figure 4.

Figure 4. Survey Question: How far out does your department and/or organization build its strategic roadmap?

Source: Wisegate, June 2014

Most security teams look forward 1-3 years when reviewing their strategic roadmap. Only 19% look out further than three years, and 12% forecast out even less than a year. While this tendency toward short-term planning might look near-sighted to many of those in the business side of an enterprise, the fact is that attacks and technology itself are changing so fast—and so unexpectedly—that planning much beyond two or three years is simply pure guesswork, and will have to be revised multiple times. As business objectives shift and external threats morph, IT must adjust its own priorities. So while there is often little security teams can do to predict long-term shifts in external threats, IT security professionals must understand—and be a part of—business context and trends.

Top Trends Affecting IT Security

Businesses and security programs are under serious pressure from external threats, which is often forcing them to change direction or add new controls to manage these new risks. IT is rapidly losing control over endpoints, applications, and even networks when accessing corporate information. This has shattered many security controls that are based on traditional strategies such as passive traffic inspection, signature matching, and restricting the specific applications endpoints can use.


In Figure 5, leading technology trends and other forcing functions are displayed around a circle, showing what trends security professionals find both most and least impactful to a security team’s program (participants could choose multiple options).

Figure 5. Survey Question: Which of these trends most / least affect your security program?

Source: Wisegate, June 2014

Top areas of concern to security teams included Cloud technologies (both IaaS and SaaS), the consumerization of IT technology and services, and the proliferation of mobile devices such as smartphones and tablets. Security teams tend to be sensitive to changes in regulations and compliance mandates, so it’s not surprising that this category had widespread agreement among participants. This reflects the increased granularity in controls from contractual obligations such as the payment card industry’s PCI-DSS v.3.0, the impact of the EU Data Protection Directive as companies expand globally, and growing interest from the U.S. Securities and Exchange Commission over corporate cyber risk. However, the most-affected and least-affected ratings aren’t necessarily opposed to each other, likely because of differences in regulatory mandates, corporate culture, or the business’ mission itself.


For example, businesses that do not frequently write online applications are unaffected by advances in Agile methodologies, whereas security teams at engineering-focused firms find Agile & DevOps growth disruptive to how they do application security reviews. Smart teams are looking to integrate security into these development processes (e.g. “SecDevOps”), becoming more effective and secure than ever. A highly regulated company might be able to enforce stricter network admission controls, prohibiting IoT devices and enforcing MDM-like controls on mobile devices. Such security policies would be counter to “open access” companies that encourage innovation and freedom on their corporate networks.

It’s also worth noting that some low rankings of the importance of different trends may have to do with lack of knowledge or understanding of that trend. When asked follow-up questions about the Internet of Things, for example, most respondents indicated that IoT was still confusing to them: not yet fully baked and therefore not yet impactful to strategic security program decision-making. Other businesses that rely on remote sensors for data acquisition, for example, are actively investigating this technology and engaging their security teams to understand the implications for enterprise risk. As consumer electronics such as wearable sensors continue to grow in popularity, enterprise security teams will be faced with a huge array of new networkable devices attempting to join their corporate wireless networks.

Finally, it’s not clear why Weaponization of the Internet / State-sponsored cyber-espionage ranked low overall, and scored equally on both sides of the “impactful” equation. As the next section points out, malware, external threat actors and APT score highly as top risks. As the Verizon Data Breach Report 2014 points out, attackers are breaking in more efficiently than defenders are detecting them.

Top 5 Risks

Wanting to get a sense of what is keeping security practitioners up at night (what they perceive as the top risks to their companies), we asked survey respondents to list their top three security concerns. As shown in the word cloud in Figure 6, the words data, security, malware, outbreak, and breach were especially prominent. We then grouped these responses into general categories to find larger themes, which are shown in Figure 7. A few categories gathered the most votes and the rest quickly degenerated into a long tail. Identified risks beyond the top 10 or so tended to be organization- and implementation-specific.


The top two identified risks—Malware Outbreak and Sensitive Data Breach—comprise nearly a third of all participants’ attention. They were more important to participants than the next 6 identified risks combined.

Figure 6. Survey Question: What are your top three security risks?

Source: Wisegate, June 2014

Figure 7. Survey Question: What are your top three security risks?

Source: Wisegate, June 2014


Malicious Outsider Threat was slightly more important to participants than Malicious Insider Threat. Although Malicious Insider Threat continues to receive a lot of press, and it was ranked in our survey’s top five responses, it was a “top of mind” concern for only 6% of our participants. Because malicious insiders tend to be more insidious than attacks from external threat actors, they are high-impact events but one of the hardest to detect. Verizon’s 2014 Data Breach Incident Report indicated that only 8% of reported data breaches involved malicious insiders, and while our data suggests that the “insider threat” is definitely a concern, it doesn’t break into the top three of practitioners’ perceived risks.

Enterprise Security: Definitely Data-Driven

Taking a “data-driven” approach was one of the most common themes that cut across all of the questions we asked about security controls and methods of controlling enterprise risk. Teams hope to address enterprise security concerns more strategically by focusing on the data that needs to be protected, applying these types of controls at every enforcement point.

Figure 8. Survey Question: Which endpoint-targeted security controls will be a top-3 priority to you in the next 3-5 years (multiple selections allowed).

Source: Wisegate, June 2014


Information Protection and Control: Top-Ranked Across the Board

Based on top-priority choices among asset types, Information Protection and Control products (“IPC”, including DLP/DRM/masking/encryption technologies) were the single most-desired control to apply at computers (see Figure 8), at Mobile/IoT endpoints (see Figure 9), within applications (see Figure 10), and at the infrastructure layer (see Figure 11).

Figure 9. Which mobility / IoT security control will be most important to your company in the next 3-5 years?

Source: Wisegate, June 2014

Figure 10. Which of these Messaging, File/Doc Sharing controls will be a top priority to you in the next 3-5 years (multiple selections allowed).

Source: Wisegate, June 2014


Figure 11. Survey Question: Which of these Infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed).

Source: Wisegate, June 2014

This movement towards data-centric security is especially important as emerging companies grow up with “Cloud Always” enterprise stacks, established enterprises adopt “Cloud First” technology refresh initiatives, and even “Cloud Cautious” companies realize the benefits of SaaS and IaaS options. IT organizations are losing control over the devices their end users want to use, the networks over which they communicate, and the applications and infrastructure they use. As technology innovation accelerates, the typical “security review” process will make it harder for security teams to keep up with change, or else they will be seen as stifling creativity. By focusing on capabilities and adherence to data-centric security controls (instead of specific device types and protocols), security teams can more comfortably support a wider range of endpoints (including BYOD) and applications.

Automated, Integrated Controls

Security teams frequently track three areas of growth:

1. Enterprise size and complexity
2. Changes in the capabilities of adversaries looking to harm their company
3. Relevant regulatory compliance mandates


Growth in any of these areas increases the need to implement new security controls, streamline and integrate them into existing security controls, and create tighter feedback loops between the security team and their partners. This ultimately reduces the window of opportunity for accidental data loss or malicious activity. Managing the increased complexity and dealing with interoperability and manageability of technical security controls was another common theme expressed both during the in-person interviews and in the comments section within the online survey. Several examples follow:

1. Almost one-third (31%) are making DevOps security controls a top priority, as shown in Figure 12.

Figure 12. Survey Question: What is your top priority for Development / SDLC Controls?

Source: Wisegate, June 2014

2. Over half (59%) of respondents marked either proactive threat/misuse detection or automated orchestration as a top choice to streamline their incident response plans and limit their exposure windows (see Figure 13).

3. 31% are planning to participate in threat intelligence feeds and sharing platforms, to get a broader view of the risks they and their peers face, as seen in Figure 13.

4. Nearly half (46%) list risk-based authentication/authorization as a top-three Identity and Access Management security control priority (see Figure 14).


Figure 13. Survey Question: Which Incident Response security controls will be most relevant to you during the next 3 - 5 years in your organization?

Source: Wisegate, June 2014

Figure 14. Survey Question: Indicate which of these Identity and Access Management security controls will be a top-3 priority during the next 3 - 5 years in your organization (multiple selections allowed).

Source: Wisegate, June 2014


Old Threats Never Die (And New Ones Keep Appearing)

When asked which components and controls of their security program could be decommissioned, only a tiny fraction (less than 8%) of survey respondents indicated anything at all. Remarkably, nearly nine times as many participants (approximately 70%) mentioned a part of their security program that was growing. Many respondents noted that they seem to be always adding new controls to address new threats, but aren’t able to turn anything off. However, even if security teams could easily find qualified staff to run these new controls, focusing on control integration and automation always pays off. Participants mentioned the need to drive security products and services via APIs, combining results from one service to power and feed other services. To address their most important security risk, more than three-quarters of the security teams needed to build a custom solution/integration, as shown in Figure 15. Even for their third-most important security risk, 39% of security teams were building something in-house.

Figure 15. Survey Question: For which risks (if any) did you need to build something in-house because there were no acceptable commercial alternatives available?

Source: Wisegate, June 2014

In fact, more than three-quarters of respondents indicated needing to build a custom solution to address their top area of risk, indicating either a demand for programmatic interoperability between security controls or possibly a need for new solutions in the marketplace.


Metrics are a Problem

Information Security programs and their effectiveness at managing enterprise risk are quickly becoming Board-level discussions. Unfortunately, security products are doing a poor job at providing actionable, high-level metrics to prioritize a security team’s efforts and to communicate to executive management the business impact of their programs.

Top Risks are Growing

Survey respondents strongly indicated that their top three risks were increasing for their company (72% agree) and their particular industry (82% agree), as shown in Figure 16.

Figure 16. Survey Question: Which risks are growing for your specific company and industry?

Source: Wisegate, June 2014

With risks growing for all top risks—both company- and industry-wide—we were of course interested in how confident respondents are in the efficacy of the controls they have in place to address the risks they had identified as being important. Overall, teams were optimistic but not overwhelmingly confident. Figure 17 shows that on a scale of 0 (no confidence) to 3 (high confidence), the average rating was just under 2, which could be described as “somewhat confident.”


Figure 17. Survey Question: What is your confidence that your current controls are effectively managing that risk?

Source: Wisegate, June 2014

But Where Are The Metrics?

However, the real problem with security risk management in the enterprise isn’t one of confidence; it’s one of measurement. Survey respondents don’t really have a good way of indicating the effectiveness (or lack thereof) of existing programs. Simply put, for all of their top three risks, approximately half said they didn’t have a way to measure these risks, as shown in Figure 18.

Figure 18. Survey Question: Do you have a metric to measure the risk in your top three areas of concerns?

Source: Wisegate, June 2014


This is concerning, implying that security teams can’t easily measure if their top risks are increasing or declining, or if their efforts are having an effect on the risk. Many security products have built-in dashboards based on the specific threat they address, but aggregating and mapping these back to a holistic business impact appears to be elusive and part of evolving security program maturity. This is like flying a plane with the three most important cockpit indicators taped over while you try to navigate over complex terrain and weather conditions. There’s also a clear need for holistic risk measurement systems to help security teams prioritize their resources and communicate their impact to their executive management and Boards of Directors.
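The two findings above, risk-based prioritization (Risks at the Forefront) and the absence of metrics for the top three risks (But Where Are The Metrics?), are easier to act on with a concrete risk register in front of you. The following is an added example, not part of the Wisegate/ScaleVP report and not any product's code: a minimal register that scores each risk by likelihood and impact, orders the program's priorities by that score (breaking ties in favour of the risk with the weakest control confidence on the report's 0-3 scale), attaches a measurable indicator to each top risk, and reports whether the indicator is growing, declining, flat or simply unmeasured. Every risk name, score and metric sample is a constructed illustration, not survey data.

```python
"""Risk register with per-risk metric trends (added example, not from the report).

All names, scores and metric samples below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    confidence: int          # 0 (none) .. 3 (high), the report's control-confidence scale
    metric_name: Optional[str] = None           # None = no metric defined for this risk
    samples: List[float] = field(default_factory=list)  # one reading per reporting period

    @property
    def score(self) -> int:
        """Simple risk-based score: likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def measurable(self) -> bool:
        """A risk is measurable only if it has a named metric and at least two readings."""
        return self.metric_name is not None and len(self.samples) >= 2


def trend(samples: List[float]) -> Optional[float]:
    """Least-squares slope of a metric over equally spaced periods.

    A positive slope means the indicator (and so the risk) is growing; None
    means there is not enough data to say anything.
    """
    n = len(samples)
    if n < 2:
        return None
    xs = range(n)
    x_mean = (n - 1) / 2
    y_mean = sum(samples) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, samples))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den


def classify(slope: Optional[float], tolerance: float = 0.0) -> str:
    """Turn a slope into the direction the report asks about (growing / declining)."""
    if slope is None:
        return "unmeasured"
    if slope > tolerance:
        return "growing"
    if slope < -tolerance:
        return "declining"
    return "flat"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Risk-based ordering: highest score first; ties go to the risk with the
    lowest control confidence, so a poorly covered risk outranks a well covered one."""
    return sorted(risks, key=lambda r: (-r.score, r.confidence, r.name))


def report(risks: List[Risk], top_n: int = 3) -> List[dict]:
    """Summarise the top-N risks: score, control confidence, metric and direction."""
    rows = []
    for r in prioritize(risks)[:top_n]:
        slope = trend(r.samples) if r.measurable else None
        rows.append({
            "risk": r.name,
            "score": r.score,
            "confidence": r.confidence,
            "metric": r.metric_name,
            "direction": classify(slope),
        })
    return rows


def unmeasured_fraction(risks: List[Risk], top_n: int = 3) -> float:
    """Share of the top-N risks that have no usable metric (the report's Figure 18 question)."""
    top = prioritize(risks)[:top_n]
    return sum(1 for r in top if not r.measurable) / len(top)


# Constructed sample register (hypothetical values, not survey data).
SAMPLE_REGISTER = [
    Risk("Malware outbreak", 4, 4, 2, "endpoints with malware detections per month", [12, 15, 14, 19, 22]),
    Risk("Sensitive data breach", 3, 5, 1, "DLP high-severity incidents per month", [7, 6, 6, 5, 4]),
    Risk("Malicious insider", 2, 5, 1),                      # ranked, but no metric defined yet
    Risk("Compliance gap", 3, 2, 3, "open audit findings", [9, 8, 8, 7, 7]),
]

if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(row)
    print(f"top-3 risks without a metric: {unmeasured_fraction(SAMPLE_REGISTER):.0%}")
```

Run as a script, the register ranks malware outbreak and sensitive data breach first, as the survey's respondents did, and shows one of the two moving in the wrong direction while the third-ranked risk has no metric at all, which is exactly the gap the figures above describe. The slope is deliberately computed on the raw indicator; in practice the indicator should be normalised (per endpoint, per user, per transaction) before the direction is trusted, otherwise growth in the business masquerades as growth in the risk.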

The Bottom Line

IT is giving up control over most devices and infrastructure. This has profound implications for risk models and the types of controls that are effective going forward. In exchange, security programs are moving their controls closer to the business data and applications. Enlightened security teams are focusing on data-centric controls such as encryption and DLP, working closely with DevOps teams to “bake” security controls into the orchestration layer and cloud hosting systems, and leveraging APIs and cloud computing capabilities to build scalable security solutions that meet the unique needs of their enterprise and address the sprawl of point solutions.

As concerns about security and compliance rise, teams struggle to map their security programs’ efforts to business impact. Growing interest from Boards of Directors and increased scrutiny from compliance regulations have placed more emphasis on identifying the right security metrics and finding ways to increase the efficiency and efficacy of security programs. In order to be competitive against increasingly sophisticated adversaries, security teams must look for ways to streamline their operational capabilities and provide actionable insights from an ever-growing set of security event data.


About the Author

Bill Burns is a well-known and well-respected security professional, having held leadership positions including Director of Information Security for Netflix, where his teams migrated critical business workloads and infrastructure to Amazon’s cloud. Most recently Bill held the role of Executive-In-Residence at Scale Venture Partners, where he created their InfoSec investment strategy. Bill is a founding member and active advisor to Wisegate, and is a member of the RSA Conference Program Committee, ISSA CISO Forum Advisory Committee and ISSA CISO Career Lifecycle Committee. Bill has 20 years of experience in security, specializing in cryptography and communications, and graduated from Michigan Technological University with electrical engineering and business degrees.

PHONE 512.763.0555
EMAIL [email protected]
www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.
