© 2014 IBM Corporation
IBM Security
1 © 2014 IBM Corporation
Varför traditionella approacher till IT
säkerhet inte håller, och vilka
riskkonsekvenser det innebär
Stockholm 2015-02-19
Ola Wittenby
© 2014 IBM Corporation
IBM Security
2
© 2014 IBM Corporation
IBM Security
3
© 2014 IBM Corporation
IBM Security
4
A new security reality is here
61%
data theft and cybercrime are their greatest threats 2012 IBM Global Reputational Risk & IT Study
of organizations say
Average cost of a
data breach 2014 Cost of Data Breach, Ponemon Institute
$3.5M
70% of security
executives have cloud and
mobile security concerns 2013 IBM CISO Survey
Mobile malware growth
in just one year 2012 - 2013 Juniper Mobile Threat Report
614% security tools from
vendors
85 45
IBM client example
83% of enterprises
have difficulty finding the
security skills they need 2012 ESG Research
© 2014 IBM Corporation
IBM Security
5
© 2014 IBM Corporation
IBM Security
6
Trend: Advanced and sophisticated threats show no signs of slowing down
More than 95% of CISOs say it’s likely they will be subject to an advanced attack in
the next 12 months1
Nearly 90% of CISOs believe today’s advanced security threats cause substantially
more damage than traditional threats2
Organizations are turning to analytics to help detect advanced threats and drive
intelligent security measures3
Point of view: Use analytics and insights to stop advanced
threats and create a unified defense
Detect sophisticated threats in real time with next-generation defenses, reduce
operating costs and complexity with integrated controls and managed services
1. CEB Information Risk Leadership Council, 2015 Security Outlook - Ten Imperatives for the Information Security Function, November 2014.
2. Corporate Executive Board, Responding to Advanced Threats, February 2014.
3. IDC, Worldwide Specialized Threat Analysis and Protection 2013-2017 Forecast and 2012 Vendor Shares, August 2013.
© 2014 IBM Corporation
IBM Security
7
Trend: Security awareness is heightened at every level of the organization; it’s now a C-Level executive priority
76% of CISOs say they are asked to present to the board at least once a year; this
figure continues to grow as senior executives’ concern over data breaches and
hacks increases4
When broken out by technology, spending on security is the highest priority for CIOs5
Point of view: Optimize security programs across the enterprise;
integrate security silos, reduce complexity, and lower costs
Benchmark your security maturity, treat security as a path to reduce risk and grow
your business, and engage professionals across the enterprise
4. CEB Information Risk Leadership Council, 2015 Security Outlook - Ten Imperatives for the Information Security Function, November 2014.
5. UBS Equities, IT Hardware CIO Survey, July 2013.
© 2014 IBM Corporation
IBM Security
8
Trend: Intelligent detection of security threats and protecting data is becoming more important than just prevention
By 2020, 75% of enterprises’ information security budgets will be allocated to rapid
detection and response approaches, up from 10% in 20126
Clients’ vendor-selection criteria is increasingly focused on security vendors that
understand threat intelligence/predictive security, complexity, and regulatory issues7
Threat intelligence security services spending will reach $905.5 million in 2014 and is
expected to grow to $1.4 billion by 20188
Point of view: Protect critical assets; use context-aware and role-
based controls to prevent unauthorized access
Discover and classify critical data assets and applications; validate “who is who” to
defend against unauthorized access and identify and remediate vulnerabilities
6. Gartner, Top Security Trends and Takeaways for 2014,(webinar), November 2014.
7. IDC Analyst Briefing with Christina Richmond, 2014.
8. IDC, Worldwide Threat Intelligence Security Services 2014–2018 Forecast: "Iterative Intelligence" — Threat Intelligence Comes of Age, March 2014.
© 2014 IBM Corporation
IBM Security
9
Trend: The increasing number of infrastructure entry points created by cloud, mobility, and social networks is straining traditional security models Privacy and security of data in a cloud environment is the No. 1 concern of CISOs9
76% of CISOs see theft/loss of device or loss of sensitive data on a device as a
major concern10
Organizations indicate that the lack of internal security skills is preventing them from
responding to data breaches efficiently; many are willing to pay a 20% premium to
hire qualified security candidates11
Point of view: Safeguard cloud and mobile; employ cloud and
mobile initiatives to build a new, stronger security posture
Address security at the beginning of cloud and mobile initiatives; maintain cloud
visibility and control by monitoring attack activity and implementing compliance in the
cloud; protect devices, applications, and data in the mobile enterprise
9. IBM MDI, Chief Information Security Officer Survey, 2013.
10. IBM MDI, Chief Information Security Officer Survey, 2013.
11. Ponemon Institute, Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness, September 2014.
© 2014 IBM Corporation
IBM Security
10
To address security, leaders must avoid common myths
Your company’s not infected (it is).
There’s a silver bullet to protect you (there’s not).
You need to put your company on lock-down (you don’t).
Your company is not infected. (It is.)
Whatever you’ve done is enough. (It is not.)
You need to put your company in lock-down. (You don’t.)
There’s a silver bullet to protect you (there’s not). There’s a silver bullet to protect you. (There isn’t.)
© 2014 IBM Corporation
IBM Security
11
Use five fundamental security principles to help guide you
(incidents will happen)
Prepare to respond,
faster
(train, test, trick)
Increase the security IQ
of every employee
(analytics = threat insights)
Leverage
security intelligence
Protect your
crown jewels
(define, protect, monitor) (the vanishing perimeter)
Safeguard
Mobile & Cloud
© 2014 IBM Corporation
IBM Security
12
Make security education a continuous process – for everyone
Increase the security IQ of every employee
Make training a priority from the
start, then provide annual education
– keep it fun and engaging
Require testing for all employees,
and spell out the consequences
for non-compliance
Provide real-life scenarios that
catch your employees off-guard
with learning traps – “phish” them
Nearly 60% of security incidents are caused internally1
1,2014 Cost of a Data Breach, Ponemon Institute
Train Test Trick
Your help needed for IBM Cloud opportunity
Christina Martin to: Daniel Allen Please respond to chris.martyn.ibm.executive
Hi Daniel Allen,
Your manager recommended you to contribute to a proposal for an important new client opportunity
that I am working on. This is a great opportunity for IBM with large commissions likely when we win
this account. Please review the material posted on CloudFile and provide your feedback by EOD.
We’re counting on you!
http://fileinthesky.com/IBMClientOpportunity
Thanks,
© 2014 IBM Corporation
IBM Security
13
Prepare to respond more quickly and effectively to attacks
Prepare to respond, faster
12013 IBM CISO Assessment, 2Verizon 2013 Data Breach Investigations Report 3 Surviving the Technical Security Skills Crisis: a commissioned study conducted by Forrester Consulting on behalf of IBM, May 2013
Constantly monitor to
see if someone has
breached your defenses
of data breaches took
months or more to
discover2 66%
Have an emergency
response and forensics
partner
of security decision-
makers say that staffing
issues contribute to a
heightened level of risk3 92%
Keep your incident
response plan updated
of incident response
plans are outdated1 50%
© 2014 IBM Corporation
IBM Security
14
Get ahead of with a formal program
Safeguard Mobile & Cloud
Mobile workers use at least one business-focused app in a year2
200M
of employed adults use at least one personally-owned device for business1
81%
of users surveyed had corporate security on their personal devices1
<1%
1) Harris Interactive, 2012; 2) Global Mobile Enterprise 2011-2017 Forecast, Strategy Analytics
Protect the
data
Protect the
apps
Manage the
device
Protect the
transaction
Corporate
container
© 2014 IBM Corporation
IBM Security
15
Identify your most critical data and protect these vital assets
Protect your crown jewels
12013 Commission on the Theft of American Intellectual Property
of publicly traded corporations’ value1 is represented by intellectual property
and other enterprise-critical data
1
Define Protect Monitor
your organization’s
“crown jewels”
these valuable assets
at all stages
the access and
usage of the data
© 2014 IBM Corporation
IBM Security
16
Use analytics and insights for smarter prevention and defense
Leverage security intelligence
Prioritized incidents
Endpoints
Mobile devices
Cloud infrastructure
Data center devices
Threat intelligence
Network activity
Automated
offense
identification
Real-time correlation and analytics
Anomaly detection
Industry and geo trending
© 2014 IBM Corporation
IBM Security
17
Make security an enabler, not an inhibitor.
Take an active role in policy – even if it’s unpopular.
Cybersecurity is a business risk that you need to manage actively
Everyone is part of the solution in a risk aware culture,
and effective security starts at the top
Get involved. Set the tone and develop a governance model.
Security Principles for CEOs
Engage the senior leadership.
© 2014 IBM Corporation
IBM Security
18
Learn more about IBM Security
Visit our website
IBM Security Website
Watch our videos
IBM Security YouTube Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity
IBM Security Intelligence. Integration. Expertise.
© 2014 IBM Corporation
IBM Security
19
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.