8/8/2019 Security and Risk Management Jpescatore
1/26
Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: [email protected]. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Doing More With Less: Security and Risk Management in Economically Challenging Times
John Pescatore
Welcome! Here's how to participate in today's webinar
- You can listen to the presentation using your computer's speaker system as the default (VoIP).
- Or dial the conference line by selecting Use Telephone in the webinar audio pane.
- Have a question for the presenter(s)? Type it into the Questions pane; we will answer as many as time permits.
- A recording of this presentation will be sent to you within 48 hours.
- If you would like a copy of today's presentation, contact your Gartner Account Executive or e-mail us at: [email protected].
Our world-class, objective insight is drawn from thousands of daily client interactions
- 65% of Fortune 1000; 85% of Global 500
- 60+ conferences
- 3,700 CIOs
- 650 analysts across 80 countries
- 100,000 IT end-user inquiries
- 10,000 media inquiries
- 2 million+ IT end-user searches
- 60,000 clients
- 10,000 client enterprises
- 5,500 benchmarks
2009 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Aha Slide
Really, not that much security budget-cutting is going on. Many, if not most, security budgets could use a good haircut. First, do the same for less; then, do more for the same.
[Chart: percentage change in security budgets by region (Asia/Pacific, EMEA, Latin America and Caribbean, North America), showing "Percentage Change Decrease" and "Percentage Change Increase" on a -3 to 3 percent axis, as of December 2008. Bar values as extracted: 0, -0.5, -0.4, -2.7, 2.1, 0.7, 1.6, 2.0; the extraction does not preserve which value belongs to which region or series.]
There is No Threat Recession
- Latest "largest ever": Heartland Payment Systems
- DoD bans USB after trojan on thumb drive
- Security incidents rise 24.7% at educational institutes
- Conficker hits medical machinery
- Worms hit Twitter, Facebook, LinkedIn, MySpace
- "Chinese attackers" steal jet fighter data
- DNS attacks in Puerto Rico, Brazil, New Zealand, U.S.
- Google, others targeted
Security Is Still In the CIO Top Ten
Cybercrime as a Service
[Diagram: the cybercrime-as-a-service supply chain. Labels on the slide: "Customers, employees", "$$Data$$", "Command/control", "www.news.com", "Rentahack".]
Targeted Threat Growth
Source: Microsoft Malicious Software Removal Tool disinfections by category, 2H06 to 2H08
Management 101: Defend Your Budget
1. Fight the cuts. If not, then
2. Move costs to someone else's budget. If not, then
3. Protect vital organs and the "good" leg, then
4. Tactical steps toward efficiency
5. Strategic steps toward effectiveness
Where's the Sweet Spot?
[Chart: level of protection plotted against security cost to business, with the cost axis running from "Very Low (" (remainder truncated on the slide) to "Very High (>5% of rev)".]
How Much Should You Spend on Information Security?
- IT budget: 5.4% of revenue (2008), operations/capital expenses
- Information security budget: 3% to 7% of IT budget, i.e. 0.16% to 0.38% of revenue
- Primary casualty risks: 0.138% to 0.232% of revenue
Key Issues
1. How can organizations tactically change their security processes and technologies to quickly spend less and become more secure?
2. How can organizations strategically change their security processes and technologies to reduce spending and improve security over the long term?
Evolving for Efficiency and Effectiveness
[Diagram: layers labelled Attacks, Users and IT Infrastructure, with the controls Intrusion Prevention, Network Access Control, ID/Access Management, Vulnerability Management and Data Security. Annotations: "Phased Deployment", "Evolve to Platforms", "Avoid and Transfer", "Include in Business Process", "Defend".]
Stop Chasing Rainbows and Unicorns
- Unless you're an early adopter/Type A, kill projects that are chasing mirages.
- Require 18-month payback periods; incremental results are OK!
- If service costs are greater than 50% of product costs, think twice and maybe wait, or descope:
  - Single sign-on
  - Digital rights management
  - Security/risk dashboards
  - "De-perimeterization"
(Illustration on the slide labelled "Someday".)
Transferring Security Spending to Other Budgets
Security Function | IT Budget Opportunity
Web Application Firewall | Application Delivery Controller
Application Vulnerability Testing | C&A/Application Development
Security Configuration Auditing | Configuration Management
Data Center Firewall | Data Center Virtualization
Network Access Control | Guest Networking
Network Behavior Analysis | Network Performance Monitoring
Network Forensics | eDiscovery, DMCA
Best: To own it and control it
Interim: To lose control but still have the security applied
Worst: To not have it at all
Take a Platform Approach
- The biggest single element in a security control budget is usually desktop security, and it is often the least effective spending.
- Next-generation firewalls vs. firewalls and IPS
- E-mail security as a service
- Defend the Web security gateway budget
- Other platforms:
  - Security configuration assessment
  - Security info/event management
  - Identity/access management
Platform components shown on the slide:
- Web security gateway: URL filtering; in-bound malware prevention; security as a service
- Endpoint: host firewall; AV, AS; DLP, encryption, port control; HIPS/application control
- Network: firewall; attack-facing IPS; vulnerability-facing IPS
- E-mail gateway: antivirus/antispam; DLP; security as a service
Do It Yourself
Cuts can apply to staff levels, too; trading labor for products can be a stop gap:
- Open source: firewalls, penetration testing, vulnerability assessment, IPS, proxy/URL blocking
- Built-ins: firewalls, disk encryption, file encryption, antimalware
- Services: DNS-based Web filtering, anti-DDoS, in the cloud
Higher TCO brings risks, but hiring may come back before procurement funds.
Take Advantage of The Cloud
[Diagram: the off-premises cloud landscape. Labels on the slide: Off-Premises Cloud; SecaaS (Security as a Service); Infrastructure Utility (hardware managed by other than you; elastic Internet resources); Dedicated applications; Dedicated Web Applications, Web Content; Shared application infrastructure (AI); APaaS (Application Platform as a Service); IaaS (Integration as a Service); Programmable or programmatically accessible resources; Commodity (industrialized) computing resources; Outsourcing (dedicated resources); Hosting, Web Hosting; AIaaS, APaaS, Web Platform, IaaS; Native Cloud Applications. Size of the cloudlets and overlap shown is not to scale.]
Leverage Big Infrastructure Migration Projects as a Catalyst for Change
Migration projects:
- Windows 7 migration
- Data center virtualization
- ERP migration
- X as a Service
- Windows Server 2008
Security opportunities shown alongside them:
- Network access protection/control
- MIIS for simple provisioning
- Run users as standard user
- Switch to IE8
- Switch AV vendors for better pricing
- Virtual firewalls
- Baked-in secure images
- Static and proactive separation of duties analysis
- Security as a service
The No-Brainer: Avoid Vulnerabilities
In the long term, security must be integrated into all application development and procurement.
In the short term, find the "gates" and move upstream:
- Final QA, certification/accreditation
- Build integration and test
- Design sign-off/RFPs
[Diagram: SDLC phases Analysis, Design, Construction, Testing and Operations, annotated with Prevention, Detection and Correction.]
Point Sources for Cutting Spending Without Reducing Security
- Require ISPs to provide you "clean bits" and protect against denial of service.
- Leverage endpoint, network, e-mail and Web security platforms.
- Utilize outsourcing or alternative sources on a trial basis.
- Take advantage of overlap with operational efforts in configuration management and application testing.
- Reduce emergency patching. Network-based and host-based IPS solutions enable you to schedule fewer machine updates.
- Use open-source security software or what comes for free in the operating system with Windows, Mac and Linux.
- Leverage Active Directory for reduced sign-on. Consider IDM for low-cost user provisioning and self-service password reset.
- Use "big bang" infrastructure projects to improve security. Use the transition to incorporate reduced user admin. rights, moving up to application control, deploying "gold" images, etc.
- Buy more-secure applications, services and software as a service (SaaS). Make security questions a standard part of evaluation and procurement processes.
- Don't be afraid to change vendors to reduce procurement costs; switching costs are highly over-hyped.
Thanks for participating! Do you have any questions?
If you haven't done so already, please type your questions into the Questions pane.
We will answer as many of your questions as time permits.
Get daily insight focused on your role: Security and Risk Management
- Gartner advice in the context of your role
- Dedicated portal focused on what you need to know from Gartner or the media
- Analysts as coaches
- Peer connection and input
- Toolkit content helps you be more efficient and effective
- Access to all eight roles
Let Gartner be your indispensable resource; follow up with your account executive today!
Two simple steps for increasing the value of today's webinar experience
1. Contact your Gartner account executive (or e-mail [email protected]) with any additional questions, comments or requests, or to order a complimentary copy of today's presentation.
2. Visit gartner.com/webinars for a schedule of upcoming Gartner webinars (plus replays of previous webinars) and share these resources with your colleagues.