Assessing and Managing IT Security Risks
CONTENTS
Introduction
IT Security Environment in the Business
Risks and Tech Trends Drive Security Programs
Risks at the Forefront
Top Trends Affecting IT Security
Top 5 Risks
Enterprise Security: Definitely Data-Driven
Information Protection and Control: Top-Ranked Across the Board
Automated, Integrated Controls
Old Threats Never Die (And New Ones Keep Appearing)
Metrics are a Problem
Top Risks are Growing
But Where Are The Metrics?
The Bottom Line
About the Author
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
Top Takeaways from the Wisegate Survey
Introduction
In June of 2014, Scale Venture Partners and Wisegate collaborated to conduct a member-
driven, member-developed research initiative to gauge what meaningful IT security risks
are growing, as well as which (if any) are shrinking. We wanted to understand what senior
IT professionals identify as top risks, how confident they are in existing controls, and how
they’re measuring the significance of these risks.
We also wanted to understand what industry trends and opportunities will affect respondents'
companies' security efforts in the near future, and how security programs are being affected
by evolving security issues, where opportunities for security professionals in IT are both
increasing and decreasing.
We gathered data using a hybrid approach: first, by personally meeting with leading CISOs
across approximately 15 industries. We asked what trends and externalities affected their
security programs, and what areas security teams are focusing on to protect against their
evolving enterprise risks. These conversations revealed common themes driving InfoSec
program prioritization and spending.
We then expanded this study to a larger audience, conducting an online survey among a
large cross-section of senior IT professionals, to get a broader perspective and stronger
conviction on the trends observed in the in-person conversations.
Overall we saw strong consistencies between both data sets: large numbers got larger, and
the gaps between lowest and highest security priorities increased as more survey
participants chimed in.
We did see some "spreading" amongst priorities, implying that both program maturity and
product choice are alive and well within the Information Security market. We also collected
attributes about InfoSec programs and heard glimpses of what makes programs successful.
IT Security Environment in the Business
In order to get a sense of the business context in which IT security professionals are
working, this survey asked a few questions about the line of business to which the security
function reports, how IT security is organized, and who is responsible for day-to-day
security operations.
As shown in Figure 1, security teams are aligned either centrally (55%) or with some
blending of accountability (37%). A purely decentralized approach is an outlier (5%).
Figure 1. Survey Question: How is your company's security function organized?
Source: Wisegate, June 2014
Having a bias toward more centralization typically enables a security team to have tighter
coordination and response times within itself, at the expense of local optimization with its
internal customers.
When asked who handles operational security tasks, the vast majority of security teams
(82%) handle some or all of the operational security duties necessary to secure their
enterprise (see Figure 2). Nearly half of IT security departments handle all of the IT-focused
tasks such as endpoint patching, antivirus updates and network firewall maintenance.
Figure 2. Survey Question: Who handles operational security tasks at your company?
Source: Wisegate, June 2014
It’s interesting to note that, as Figure 2 shows, more than half (54%, combining “shared”
and “exclusively other teams”) of the security teams rely on partners to implement security
controls into their business’ operations.
A final important point to observe in Figure 2 is that only 18% of security departments
function in a purely non-operational capacity, instead focusing on security policies, training,
governance, audits, oversight and reviews, security consultation, and so forth.
Risks and Tech Trends Drive Security Programs
IT security is in the press with increasing—and, sadly, distressing—frequency. There
seems to be no lack of serious examples of company data being compromised, nor of ways
these kinds of attacks and thefts can be accomplished. With so many possible ways for
harm to affect a company and its data, how do information security programs prioritize what
to focus on, which threats to address first, and when to change their focus?
Risks at the Forefront
As shown in Figure 3, respondents to the recent Wisegate / ScaleVP survey overwhelmingly
follow “Risk-Based” approaches as their primary criteria for prioritization in their security
program. Twice as many teams chose “risk-based approach” over “business strategy
changes” as their first priority, which is likely because to security teams, business strategy
changes are just another risk for the security team to consider.
Figure 3. Survey Question: Indicate how you most often determine what to prioritize
in your security program.
Source: Wisegate, June 2014
Changes to business strategy are the second-most common guide security professionals
use to prioritize their security program, particularly when considering first and second
choices.
As Figure 3 demonstrates, security organizations aren't prioritizing their program's maturity.
Nearly three-quarters (70%) are primarily focused on meeting external demands such as
risks and business strategies instead of improving the operational excellence of their own
security efforts. This raises concerns about building up security technical debt: because
the business's strategies and risks change so fast, it becomes difficult to focus on
maturity.
It’s worth considering that if a solution is presented (tech or otherwise) that is aligned to
business priorities and addresses an important business risk, it almost doesn’t matter what
the fix costs. Budget isn’t the limiting factor.
In terms of setting plans and priorities, this reactive approach to prioritization is manifested
in the length of the roadmap, as shown in Figure 4.
Figure 4. Survey Question: How far out does your department and/or organization
build its strategic roadmap?
Source: Wisegate, June 2014
Most security teams look forward 1-3 years when reviewing their strategic roadmap. Only
19% look out further than three years, and 12% forecast out even less than a year. While
this tendency toward short-term planning might look near-sighted to many of those in the
business side of an enterprise, the fact is that attacks and technology itself are changing so
fast—and so unexpectedly—that planning much beyond two or three years is simply pure
guesswork, and will have to be revised multiple times. As business objectives shift and
external threats morph, IT must adjust its own priorities. So while there is often little security
teams can do to predict long-term shifts in external threats, IT security professionals must
understand—and be a part of—business context and trends.
Top Trends Affecting IT Security
Businesses and security programs are under serious pressure from external threats, which
is often forcing them to change direction or add new controls to manage these new risks. IT
is rapidly losing control over endpoints, applications, and even networks when accessing
corporate information. This has shattered many security controls that are based on
traditional strategies such as passive traffic inspection, signature matching, and
restricting which applications endpoints can use.
In Figure 5, leading technology trends and other forcing functions are displayed around a
circle, showing what trends security professionals find both most and least impactful to a
security team’s program (participants could choose multiple options).
Figure 5. Survey Question: Which of these trends most / least affect your security
program?
Source: Wisegate, June 2014
Top areas of concern to security teams included Cloud technologies (both IaaS and SaaS),
the consumerization of IT technology and services, and the proliferation of mobile devices
such as smartphones and tablets.
Security teams tend to be sensitive to changes in regulations and compliance mandates, so
it’s not surprising that this category had widespread agreement among participants. This
reflects the increased granularity in controls from contractual obligations such as the
payment card industry’s PCI-DSS v.3.0, the impact of EU Data Protection Directive as
companies expand globally, and growing interest from the U.S. Securities and Exchange
Commission over corporate cyber risk.
However, the most-affected and least-affected ratings aren’t necessarily opposed to each
other, likely because of differences in regulatory mandates, corporate culture, or the
business’ mission itself.
For example, businesses that do not frequently write online applications are unaffected by
advances in Agile methodologies, whereas security teams at engineering-focused firms
find Agile & DevOps growth disruptive to how they do application security reviews. Smart
teams are looking to integrate security into these development processes (e.g.
“SecDevOps”), becoming more effective and secure than ever.
A highly regulated company might be able to enforce stricter network admission controls,
prohibiting IoT devices and enforcing MDM-like controls on mobile devices. Such security
policies would be counter to “open access” companies that encourage innovation and
freedom on their corporate networks.
It's also worth noting that some low rankings of the importance of different trends may have
to do with lack of knowledge or understanding of that trend. When asked follow-up
questions about the Internet of Things, for example, most respondents indicated that IoT was
still confusing to them—not yet fully baked and therefore not yet impactful to strategic
security program decision-making. Other businesses that rely on remote sensors for data
acquisition, for example, are actively investigating this technology and engaging their
security teams to understand the implications for enterprise risk. As consumer electronics
such as wearable sensors continue to grow in popularity, enterprise security teams will be
faced with a huge array of new networkable devices attempting to join their corporate
wireless networks.
Finally, it's not clear why Weaponization of the Internet / State-sponsored cyber-espionage
ranked low overall, and scored equally on both sides of the "impactful" equation. As the next
section points out, malware, external threat actors and APTs score highly as top risks. As the
Verizon Data Breach Report 2014 points out, attackers are breaking in more efficiently than
defenders are detecting them.
Top 5 Risks
Wanting to get a sense of what is keeping security practitioners up at night—what they
perceive as the top risks to their companies—we asked survey respondents to list their top
three security concerns. As shown in the word cloud in Figure 6, the words data, security,
malware, outbreak, and breach were especially prominent.
We then grouped these responses into general categories to find larger themes, which
revealed themselves in Figure 7. A few categories gathered the most votes, after which the
distribution quickly degenerated into a long tail. Identified risks beyond the top 10 or so
tended to be organization- and implementation-specific.
The top two identified risks—Malware Outbreak and Sensitive Data Breach—comprise
nearly a third of all participants’ attention. They were more important to participants than the
next 6 identified risks combined.
Figure 6. Survey Question: What are your top three security risks?
Source: Wisegate, June 2014
Figure 7. Survey Question: What are your top three security risks?
Source: Wisegate, June 2014
Malicious Outsider Threat was slightly more important to participants than Malicious Insider
Threat. Although Malicious Insider Threat continues to receive a lot of press, and it was
ranked in our survey’s top five responses, it was a “top of mind” concern for only 6% of our
participants. Because malicious insiders tend to be more insidious than attacks from
external threat actors, they are high-impact events but one of the hardest to detect.
Verizon’s 2014 Data Breach Incident Report indicated that only 8% of reported data
breaches involved malicious insiders, and while our data suggests that the “insider threat”
is definitely a concern, it doesn’t break into the top three of practitioners’ perceived risks.
Enterprise Security: Definitely Data-Driven
Taking a "data-driven" approach was one of the most common themes that cut across all of
the questions we asked about security controls and methods of controlling enterprise risk.
Teams hope to address enterprise security concerns more strategically by focusing on the
data that needs to be protected, applying these types of controls at every enforcement point.
Figure 8. Survey Question: Which endpoint-targeted security controls will be a top-
3 priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Information Protection and Control: Top-Ranked Across the Board
Based on top-priority choices among asset types, Information Protection and Control
products ("IPC", including DLP/DRM/masking/encryption technologies) were the single
most-desired control to apply at computers (see Figure 8), at Mobile/IoT endpoints (see
Figure 9), within applications (see Figure 10), and at the infrastructure layer (see Figure 11).
Figure 9. Which mobility / IoT security control will be most important to your
company in the next 3-5 years?
Source: Wisegate, June 2014
Figure 10. Which of these Messaging, File/Doc Sharing controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 11. Survey Question: Which of these Infrastructure controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
This movement towards data-centric security is especially important as emerging
companies grow up with “Cloud Always” enterprise stacks, established enterprises adopt
“Cloud First” technology refresh initiatives, and even “Cloud Cautious” companies realize
the benefits of SaaS and IaaS options.
IT organizations are losing control over the devices their end users want to use, the
networks over which they communicate, and the applications and infrastructure they use.
The acceleration of technology innovation will make it harder for security teams to keep up
with change through the typical "security review" process without being seen as stifling
creativity. By focusing on capabilities and adherence to data-centric security controls
(instead of specific device types and protocols), security teams can more comfortably
support a wider range of endpoints (including BYOD) and applications.
Automated, Integrated Controls
Security teams frequently track three areas of growth:
1. Enterprise size and complexity
2. Changes in the capabilities of adversaries looking to harm their company
3. Relevant regulatory compliance mandates
Growth in any of these areas increases the need to implement new security controls,
streamline and integrate them into existing security controls, and create tighter feedback
loops between the security team and their partners. This ultimately reduces the window of
opportunity for accidental data loss or malicious activity.
Managing the increased complexity and dealing with interoperability and manageability of
technical security controls was another common theme expressed both during the in-
person interviews and in the comments section within the online survey. Several examples
follow:
1. Almost one-third (31%) are making DevOps security controls a top priority, as
shown in Figure 12.
Figure 12. Survey Question: What is your top priority for Development / SDLC
Controls?
Source: Wisegate, June 2014
2. Over half (59%) of respondents marked either proactive threat/misuse detection or
automated orchestration as a top choice to streamline their incident response plans and
limit their exposure windows (see Figure 13).
3. 31% are planning to participate in threat intelligence feeds and sharing platforms,
to get a broader view of the risks they and their peers face, as seen in Figure 13.
4. Nearly half (46%) list risk-based authentication/authorization as a top-three Identity
and Access Management security control priority (see Figure 14).
Figure 13. Survey Question: Which Incident Response security controls will be most
relevant to you during the next 3 - 5 years in your organization?
Source: Wisegate, June 2014
Figure 14. Survey Question: Indicate which of these Identity and Access
Management security controls will be a top-3 priority during the next 3 - 5 years in
your organization (multiple selections allowed).
Source: Wisegate, June 2014
Old Threats Never Die (And New Ones Keep Appearing)
When asked which components and controls of their security program could be
decommissioned, only a tiny fraction (less than 8%) of survey respondents indicated
anything at all. Remarkably, nearly nine times as many participants (approximately 70%)
mentioned a part of their security program that was growing. Many respondents noted that
they seem to be always adding new controls to address new threats, but aren't able to turn
anything off.
However, even if security teams could easily find qualified staff to run these new controls,
focusing on control integration and automation always pays off. Participants mentioned the
need to drive security products and services via APIs, combining results from one service
to power and feed other services.
To address their most important security risk, more than three-quarters of the security
teams needed to build a custom solution/integration, as shown in Figure 15. Even for their
third-most important security risk, 39% of security teams were building something in-house.
Figure 15. Survey Question: For which risks (if any) did you need to build something
in-house because there were no acceptable commercial alternatives available?
Source: Wisegate, June 2014
In fact, more than three-quarters of respondents indicated needing to build a custom
solution to address their top area of risk, indicating either a demand for programmatic
interoperability between security controls or possibly a need for new solutions in the
marketplace.
Metrics are a Problem
Information Security programs and their effectiveness at managing enterprise risk are
quickly becoming Board-level discussions. Unfortunately, security products are doing a
poor job at providing actionable, high-level metrics to prioritize a security team’s efforts and
to communicate to executive management the business impact of their programs.
Top Risks are Growing
Survey respondents strongly indicated that their top three risks were increasing for their
company (72% agree) and their particular industry (82% agree), as shown in Figure 16.
Figure 16. Survey Question: Which risks are growing for your specific company and
industry?
Source: Wisegate, June 2014
With risks growing for all top risks—both company- and industry-wide—we were of course
interested in how confident respondents are in the efficacy of the controls they have in
place to address the risks they had identified as being important. Overall, teams were
optimistic but not overwhelmingly confident. Figure 17 shows that on a scale of 0 (no
confidence) to 3 (high confidence), the average rating was just under 2, which could be
described as “somewhat confident.”
Figure 17. Survey Question: What is your confidence that your current controls are
effectively managing that risk?
Source: Wisegate, June 2014
But Where Are The Metrics?
However, the real problem with security risk management in the enterprise isn't one of
confidence but one of measurement: survey respondents don't really have a good way of
indicating the effectiveness (or lack thereof) of existing programs. Simply put, for all of their
top three risks, approximately half said they didn't have a way to measure these risks, as
shown in Figure 18.
Figure 18. Survey Question: Do you have a metric to measure the risk in your top
three areas of concerns?
Source: Wisegate, June 2014
This is concerning, implying that security teams can’t easily measure if their top risks are
increasing or declining, or if their efforts are having an effect on the risk.
Many security products have built-in dashboards based on the specific threat they
address, but aggregating and mapping these back to a holistic business impact appears to
be elusive and part of evolving security program maturity. This is like flying a plane with the
three most important cockpit indicators taped over while you try to navigate over complex
terrain and weather conditions.
There’s also a clear need for holistic risk measurement systems to help security teams
prioritize their resources and communicate their impact to their executive management and
Boards of Directors.
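The measurement gap described above, as an added example that is not part of the Wisegate report: a small Python risk-register triage that records, for each top risk, whether it is growing, how confident the team is in its controls (the survey's 0 to 3 scale), and whether any metric exists, then orders the register so that growing, unmeasured, low-confidence risks surface first. The register entries are constructed, and the attention-scoring weights and confidence-label bands are assumptions chosen for illustration, not anything the survey defines.

```python
"""Risk-register triage: flag top risks that are growing but cannot be measured.

Added example (not from the Wisegate report). The register entries are
constructed, and the attention-scoring weights and confidence bands are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    rank: int                    # 1 = the team's most important risk
    growing_company: bool        # risk growing for the company itself
    growing_industry: bool       # risk growing for the company's industry
    confidence: int              # 0 (no confidence) .. 3 (high), the survey's Figure 17 scale
    metric: Optional[List[float]] = None  # periodic measurements, oldest first; None = no metric

    def __post_init__(self) -> None:
        if not 0 <= self.confidence <= 3:
            raise ValueError(f"confidence must be 0..3, got {self.confidence}")


def confidence_label(score: float) -> str:
    """Map an average 0..3 confidence score to a label (assumed bands)."""
    if score < 1.0:
        return "low confidence"
    if score < 2.0:
        return "somewhat confident"
    if score < 3.0:
        return "confident"
    return "high confidence"


def metric_trend(values: Optional[List[float]], tolerance: float = 0.10) -> str:
    """Direction of a metric series: 'up', 'down', 'flat', or why it cannot be judged."""
    if values is None:
        return "no metric"
    if len(values) < 2:
        return "insufficient data"
    first, last = values[0], values[-1]
    relative_change = (last - first) / max(abs(first), 1e-9)
    if relative_change > tolerance:
        return "up"
    if relative_change < -tolerance:
        return "down"
    return "flat"


def triage(register: List[Risk]) -> List[Dict[str, object]]:
    """One row per risk, ordered so growing, unmeasured, low-confidence risks come first.

    Assumed weights: +2 if growing, +2 if there is no metric, +(3 - confidence).
    Ties are broken by the team's own rank.
    """
    rows = []
    for r in register:
        growing = r.growing_company or r.growing_industry
        measured = bool(r.metric)
        attention = (2 if growing else 0) + (0 if measured else 2) + (3 - r.confidence)
        rows.append({
            "name": r.name,
            "rank": r.rank,
            "growing": growing,
            "measured": measured,
            "trend": metric_trend(r.metric),
            "attention": attention,
        })
    rows.sort(key=lambda row: (-row["attention"], row["rank"]))
    return rows


def summarize(register: List[Risk]) -> Dict[str, object]:
    """Aggregate the register the way the survey reports it: shares and average confidence."""
    n = len(register)
    if n == 0:
        raise ValueError("empty register")
    avg = sum(r.confidence for r in register) / n
    return {
        "pct_growing_company": 100.0 * sum(r.growing_company for r in register) / n,
        "pct_growing_industry": 100.0 * sum(r.growing_industry for r in register) / n,
        "pct_measured": 100.0 * sum(bool(r.metric) for r in register) / n,
        "avg_confidence": avg,
        "confidence_label": confidence_label(avg),
    }


# Constructed register: names follow the survey's top-risk categories; every value is made up.
SAMPLE_REGISTER = [
    Risk("Malware Outbreak", 1, True, True, 2, metric=[12, 15, 19, 24]),  # e.g. confirmed infections per month
    Risk("Sensitive Data Breach", 2, True, True, 1),                       # growing, but no metric at all
    Risk("Malicious Outsider Threat", 3, False, True, 2, metric=[40, 38, 41, 39]),
    Risk("Malicious Insider Threat", 4, False, False, 1),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REGISTER):
        print(f'{row["attention"]:>2}  {row["name"]:<26} growing={row["growing"]!s:<5} '
              f'measured={row["measured"]!s:<5} trend={row["trend"]}')
    print(summarize(SAMPLE_REGISTER))
```

On the constructed register the unmeasured, growing "Sensitive Data Breach" sorts to the top even though the team ranked it second, and the summary reproduces the survey's shape: half of the risks have a metric, and an average confidence of 1.5 lands in the "somewhat confident" band. The point of the metric column is that a trend can only be stated for risks that have one; everything else shows "no metric", which is exactly the blind spot the survey reports.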
The Bottom Line
IT is giving up control over most devices and infrastructure. This has profound implications
to risk models and the types of controls that are effective going forward. In exchange,
security programs are moving their controls closer to the business data and applications.
Enlightened security teams are focusing on data-centric controls such as encryption and
DLP, working closely with DevOps teams to “bake in” security controls into the
orchestration layer and cloud hosting systems, and leveraging APIs and cloud computing
capabilities to build scalable security solutions that meet the unique needs of their
enterprise and address the sprawl of point solutions.
As concerns of security and compliance rise, teams struggle to map their security
programs’ efforts to business impact. Growing interest from Boards of Directors and
increased scrutiny from compliance regulations has placed more emphasis on identifying
the right security metrics and finding ways to increase the efficiency and efficacy of security
programs.
In order to be competitive against increasingly-sophisticated adversaries, security teams
must look for ways to streamline their operational capabilities and provide actionable
insights from an ever-growing set of security event data.
About the Author
Bill Burns is a well-known and well-respected security professional, having held leadership
positions including Director of Information Security at Netflix, where his teams migrated critical
business workloads and infrastructure to Amazon's cloud. Most recently Bill held the role of
Executive-In-Residence at Scale Venture Partners, where he created their InfoSec
investment strategy. Bill is a founding member and active advisor to Wisegate, and is a
member of the RSA Conference Program Committee, ISSA CISO Forum Advisory
Committee and ISSA CISO Career Lifecycle Committee. Bill has 20 years of experience in
security, specializing in cryptography and communications, and graduated from Michigan
Technological University with electrical engineering and business degrees.
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.

 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
R if security_priorities_03.08.22
R if security_priorities_03.08.22R if security_priorities_03.08.22
R if security_priorities_03.08.22
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
 
2014 Secure Mobility Survey Report
2014 Secure Mobility Survey Report2014 Secure Mobility Survey Report
2014 Secure Mobility Survey Report
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
SANS 2013 Critical Security Controls Survey Moving From A.docx
SANS 2013 Critical Security Controls Survey Moving From A.docxSANS 2013 Critical Security Controls Survey Moving From A.docx
SANS 2013 Critical Security Controls Survey Moving From A.docx
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
An Effective Cybersecurity Awareness Training Model: First Defense of an Orga...
An Effective Cybersecurity Awareness Training Model: First Defense of an Orga...An Effective Cybersecurity Awareness Training Model: First Defense of an Orga...
An Effective Cybersecurity Awareness Training Model: First Defense of an Orga...
 
Cybersecurity report-vol-8
Cybersecurity report-vol-8Cybersecurity report-vol-8
Cybersecurity report-vol-8
 

Plus de Chris Ross

Plus de Chris Ross (7)

Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest Threat
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
 
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft Skills
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next Steps
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Assessing and Managing IT Security Risks

  • 2. Assessing and Managing IT Security Risks 2
CONTENTS
Introduction, p. 3
IT Security Environment in the Business, p. 4
Risks and Tech Trends Drive Security Programs, p. 5
Risks at the Forefront, p. 6
Top Trends Affecting IT Security, p. 7
Top 5 Risks, p. 9
Enterprise Security: Definitely Data-Driven, p. 11
Information Protection and Control: Top-Ranked Across the Board, p. 12
Automated, Integrated Controls, p. 13
Old Threats Never Die (And New Ones Keep Appearing), p. 16
Metrics are a Problem, p. 17
Top Risks are Growing, p. 17
But Where Are The Metrics?, p. 18
The Bottom Line, p. 19
About the Author, p. 20
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
  • 3. Top Takeaways from the Wisegate Survey 3
Introduction
In June of 2014, Scale Venture Partners and Wisegate collaborated to conduct a member-driven, member-developed research initiative to gauge which meaningful IT security risks are growing, as well as which (if any) are shrinking. We wanted to understand what senior IT professionals identify as top risks, how confident they are in existing controls, and how they’re measuring the significance of these risks. We also wanted to understand which industry trends and opportunities will affect respondents’ companies’ security efforts in the near future, and how security programs are being affected by evolving security issues—where opportunities are both increasing and decreasing for security professionals in IT.
We gathered data using a hybrid approach: first, by personally meeting with leading CISOs across approximately 15 industries. We asked what trends and externalities affected their security programs, and what areas security teams are focusing on to protect against their evolving enterprise risks. These conversations revealed common themes driving InfoSec program prioritization and spending.
  • 4. We then expanded this study to a larger audience, conducting an online survey among a large cross-section of senior IT professionals, to get a broader perspective and stronger conviction on the trends observed in the in-person conversations. Overall we saw strong consistencies between the two data sets: large numbers got larger, and the gaps between the lowest and highest security priorities increased as more survey participants chimed in. We did see some “spreading” among priorities, implying that both program maturity and product choice are alive and well within the Information Security market. We also collected attributes about InfoSec programs and heard glimpses of what makes programs successful.
IT Security Environment in the Business
In order to get a sense of the business context in which IT security professionals are working, this survey asked a few questions about the line of business to which the security function reports, how IT security is organized, and who is responsible for day-to-day security operations. As shown in Figure 1, security teams are aligned either centrally (55%) or with some blending of accountability (37%). A purely decentralized approach is an outlier (5%).
Figure 1. Survey Question: How is your company's security function organized? Source: Wisegate, June 2014
  • 5. Having a bias toward more centralization typically enables a security team to have tighter coordination and response times within itself, at the expense of local optimization with its internal customers. When asked who handles operational security tasks, the vast majority of security teams (82%) handle some or all of the operational security duties necessary to secure their enterprise (see Figure 2). Nearly half of IT security departments handle all of the IT-focused tasks such as endpoint patching, antivirus updates and network firewall maintenance.
Figure 2. Survey Question: Who handles operational security tasks at your company? Source: Wisegate, June 2014
It’s interesting to note that, as Figure 2 shows, more than half (54%, combining “shared” and “exclusively other teams”) of the security teams rely on partners to implement security controls in their business’ operations. A final important point to observe in Figure 2 is that only 18% of security departments function in a purely non-operational capacity, instead focusing on security policies, training, governance, audits, oversight and reviews, security consultation, and so forth.
Risks and Tech Trends Drive Security Programs
IT security is in the press with increasing—and, sadly, distressing—frequency. There seems to be no lack of serious examples of company data being compromised, nor of ways these kinds of attacks and thefts can be accomplished. With so many possible ways for harm to come to a company and its data, how do information security programs prioritize what to focus on, which threats to address first, and when to change their focus?
  • 6. Risks at the Forefront
As shown in Figure 3, respondents to the recent Wisegate / ScaleVP survey overwhelmingly follow “risk-based” approaches as their primary criterion for prioritization in their security program. Twice as many teams chose “risk-based approach” over “business strategy changes” as their first priority, likely because, to security teams, business strategy changes are just another risk to consider.
Figure 3. Survey Question: Indicate how you most often determine what to prioritize in your security program. Source: Wisegate, June 2014
Changes to business strategy are the second-most common guide security professionals use to prioritize their security program, particularly when first and second choices are considered together. As Figure 3 demonstrates, security organizations aren’t prioritizing their program’s maturity. Nearly three-quarters (70%) are primarily focused on meeting external demands such as risks and business strategies instead of improving the operational excellence of their own security efforts. This raises concerns about building up security technical debt: because the business’s strategies and risks change so fast, it becomes difficult to focus on maturity. It’s worth considering that if a solution is presented (technical or otherwise) that is aligned to business priorities and addresses an important business risk, it almost doesn’t matter what the fix costs. Budget isn’t the limiting factor.
  • 7. In terms of setting plans and priorities, this reactive approach to prioritization is manifested in the length of the roadmap, as shown in Figure 4.
Figure 4. Survey Question: How far out does your department and/or organization build its strategic roadmap? Source: Wisegate, June 2014
Most security teams look forward 1-3 years when reviewing their strategic roadmap. Only 19% look out further than three years, and 12% forecast less than a year out. While this tendency toward short-term planning might look near-sighted to many on the business side of an enterprise, the fact is that attacks and technology itself are changing so fast—and so unexpectedly—that planning much beyond two or three years is simply guesswork, and will have to be revised multiple times. As business objectives shift and external threats morph, IT must adjust its own priorities. So while there is often little security teams can do to predict long-term shifts in external threats, IT security professionals must understand—and be a part of—business context and trends.
Top Trends Affecting IT Security
Businesses and security programs are under serious pressure from external threats, which often forces them to change direction or add new controls to manage these new risks. IT is rapidly losing control over the endpoints, applications, and even networks used to access corporate information. This has shattered many security controls that are based on traditional strategies such as passive traffic inspection, signature matching, and restricting which applications endpoints can use.
  • 8. In Figure 5, leading technology trends and other forcing functions are displayed around a circle, showing which trends security professionals find most and least impactful to a security team’s program (participants could choose multiple options).
Figure 5. Survey Question: Which of these trends most / least affect your security program? Source: Wisegate, June 2014
Top areas of concern to security teams included Cloud technologies (both IaaS and SaaS), the consumerization of IT technology and services, and the proliferation of mobile devices such as smartphones and tablets. Security teams tend to be sensitive to changes in regulations and compliance mandates, so it’s not surprising that this category had widespread agreement among participants. This reflects the increased granularity of controls from contractual obligations such as the payment card industry’s PCI-DSS v3.0, the impact of the EU Data Protection Directive as companies expand globally, and growing interest from the U.S. Securities and Exchange Commission in corporate cyber risk. However, the most-affected and least-affected ratings aren’t necessarily opposed to each other, likely because of differences in regulatory mandates, corporate culture, or the business’ mission itself.
  • 9. For example, businesses that do not frequently write online applications are unaffected by advances in Agile methodologies, whereas security teams at engineering-focused firms find the growth of Agile and DevOps disruptive to how they do application security reviews. Smart teams are looking to integrate security into these development processes (e.g. “SecDevOps”), becoming more effective and secure than ever. A highly regulated company might be able to enforce stricter network admission controls, prohibiting IoT devices and enforcing MDM-like controls on mobile devices. Such security policies would run counter to those of “open access” companies that encourage innovation and freedom on their corporate networks.
It’s also worth noting that some low rankings of the importance of different trends may have to do with a lack of knowledge or understanding of that trend. When asked follow-up questions about the Internet of Things, for example, most respondents indicated that IoT was still confusing to them—not yet fully baked and therefore not yet impactful to strategic security program decision-making. Other businesses that rely on remote sensors for data acquisition, however, are actively investigating this technology and engaging their security teams to understand the implications for enterprise risk. As consumer electronics such as wearable sensors continue to grow in popularity, enterprise security teams will be faced with a huge array of new networkable devices attempting to join their corporate wireless networks.
Finally, it’s not clear why Weaponization of the Internet / State-sponsored cyber-espionage ranked low overall, and scored equally on both sides of the “impactful” equation. As the next section points out, malware, external threat actors and APT score highly as top risks. As the Verizon Data Breach Report 2014 points out, attackers are breaking in more efficiently than defenders are detecting them.
Top 5 Risks
Wanting to get a sense of what is keeping security practitioners up at night—what they perceive as the top risks to their companies—we asked survey respondents to list their top three security concerns. As shown in the word cloud in Figure 6, the words data, security, malware, outbreak, and breach were especially prominent. We then grouped these responses into general categories to find larger themes, which are shown in Figure 7. A few categories gathered most of the votes, after which the distribution quickly degenerated into a long tail. Identified risks beyond the top 10 or so tended to be organization- and implementation-specific.
  • 10. The top two identified risks—Malware Outbreak and Sensitive Data Breach—comprise nearly a third of all participants’ attention. They were more important to participants than the next six identified risks combined.
Figure 6. Survey Question: What are your top three security risks? Source: Wisegate, June 2014
Figure 7. Survey Question: What are your top three security risks? Source: Wisegate, June 2014
  • 11. Malicious Outsider Threat was slightly more important to participants than Malicious Insider Threat. Although Malicious Insider Threat continues to receive a lot of press, and it was ranked in our survey’s top five responses, it was a “top of mind” concern for only 6% of our participants. Because malicious insiders tend to be more insidious than external threat actors, their attacks are high-impact events but among the hardest to detect. Verizon’s 2014 Data Breach Incident Report indicated that only 8% of reported data breaches involved malicious insiders, and while our data suggests that the “insider threat” is definitely a concern, it doesn’t break into the top three of practitioners’ perceived risks.
Enterprise Security: Definitely Data-Driven
Taking a “data-driven” approach was one of the most common themes that cut across all of the questions we asked about security controls and methods of controlling enterprise risk. Teams hope to address enterprise security concerns more strategically by focusing on the data that needs to be protected, applying these types of controls at every enforcement point.
Figure 8. Survey Question: Which endpoint-targeted security controls will be a top-3 priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014
  • 12. Information Protection and Control: Top-Ranked Across the Board
Based on top-priority choices across asset types, Information Protection and Control products (“IPC”, including DLP/DRM/masking/encryption technologies) were the single most-desired control to apply at computers (see Figure 8), at Mobile/IoT endpoints (see Figure 9), within applications (see Figure 10), and at the infrastructure layer (see Figure 11).
Figure 9. Which mobility / IoT security control will be most important to your company in the next 3-5 years? Source: Wisegate, June 2014
Figure 10. Which of these Messaging, File/Doc Sharing controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014
  • 13. Figure 11. Survey Question: Which of these Infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014
This movement towards data-centric security is especially important as emerging companies grow up with “Cloud Always” enterprise stacks, established enterprises adopt “Cloud First” technology refresh initiatives, and even “Cloud Cautious” companies realize the benefits of SaaS and IaaS options. IT organizations are losing control over the devices their end users want to use, the networks over which they communicate, and the applications and infrastructure they use. The acceleration of technology innovation will make it harder for security teams to keep the typical “security review” process up with the pace of change without being seen as stifling creativity. By focusing on capabilities and adherence to data-centric security controls (instead of specific device types and protocols), security teams can more comfortably support a wider range of endpoints (including BYOD) and applications.
Automated, Integrated Controls
Security teams frequently track three areas of growth:
1. Enterprise size and complexity
2. Changes in the capabilities of adversaries looking to harm their company
3. Relevant regulatory compliance mandates
  • 14. Growth in any of these areas increases the need to implement new security controls, streamline and integrate them with existing security controls, and create tighter feedback loops between the security team and its partners. This ultimately reduces the window of opportunity for accidental data loss or malicious activity. Managing the increased complexity and dealing with the interoperability and manageability of technical security controls was another common theme expressed both during the in-person interviews and in the comments section of the online survey. Several examples follow:
1. Almost one-third (31%) are making DevOps security controls a top priority, as shown in Figure 12.
Figure 12. Survey Question: What is your top priority for Development / SDLC Controls? Source: Wisegate, June 2014
2. Over half (59%) of respondents marked either proactive threat/misuse detection or automated orchestration as a top choice to streamline their incident response plans and limit their exposure windows (see Figure 13).
3. 31% are planning to participate in threat intelligence feeds and sharing platforms, to get a broader view of the risks they and their peers face, as seen in Figure 13.
4. Nearly half (46%) list risk-based authentication/authorization as a top-three Identity and Access Management security control priority (see Figure 14).
  • 15. Figure 13. Survey Question: Which Incident Response security controls will be most relevant to you during the next 3 - 5 years in your organization? Source: Wisegate, June 2014
Figure 14. Survey Question: Indicate which of these Identity and Access Management security controls will be a top-3 priority during the next 3 - 5 years in your organization (multiple selections allowed). Source: Wisegate, June 2014
  • 16. Old Threats Never Die (And New Ones Keep Appearing)
When asked which components and controls of their security program could be decommissioned, only a tiny fraction of survey respondents (less than 8%) indicated anything at all. Remarkably, nearly nine times as many participants (approximately 70%) mentioned a part of their security program that was growing. Many respondents noted that they always seem to be adding new controls to address new threats, but aren’t able to turn anything off. Even if security teams could easily find qualified staff to run these new controls, focusing on control integration and automation always pays off. Participants mentioned the need to drive security products and services via APIs, combining results from one service to power and feed other services. To address their most important security risk, more than three-quarters of the security teams needed to build a custom solution/integration, as shown in Figure 15. Even for their third-most important security risk, 39% of security teams were building something in-house.
Figure 15. Survey Question: For which risks (if any) did you need to build something in-house because there were no acceptable commercial alternatives available? Source: Wisegate, June 2014
In fact, more than three-quarters of respondents indicated needing to build a custom solution to address their top area of risk, indicating either a demand for programmatic interoperability between security controls or possibly a need for new solutions in the marketplace.
Metrics are a Problem

Information Security programs and their effectiveness at managing enterprise risk are quickly becoming Board-level discussions. Unfortunately, security products do a poor job of providing actionable, high-level metrics that would let a security team prioritize its efforts and communicate the business impact of its program to executive management.

Top Risks are Growing

Survey respondents strongly indicated that their top three risks were increasing both for their company (72% agree) and for their particular industry (82% agree), as shown in Figure 16.

Figure 16. Survey Question: Which risks are growing for your specific company and industry? Source: Wisegate, June 2014

With all of the top risks growing, both company- and industry-wide, we were naturally interested in how confident respondents are in the efficacy of the controls they have in place to address the risks they had identified as important. Overall, teams were optimistic but not overwhelmingly confident. Figure 17 shows that on a scale of 0 (no confidence) to 3 (high confidence), the average rating was just under 2, which could be described as “somewhat confident.”
Figure 17. Survey Question: What is your confidence that your current controls are effectively managing that risk? Source: Wisegate, June 2014

But Where Are The Metrics?

The real problem with security risk management in the enterprise, however, is not one of confidence but one of measurement: survey respondents do not have a good way of demonstrating the effectiveness (or lack thereof) of their existing programs. Simply put, for each of their top three risks, approximately half said they had no way to measure the risk, as shown in Figure 18.

Figure 18. Survey Question: Do you have a metric to measure the risk in your top three areas of concern? Source: Wisegate, June 2014
This is concerning: it implies that security teams cannot easily measure whether their top risks are increasing or declining, or whether their efforts are having any effect on the risk. Many security products have built-in dashboards based on the specific threat they address, but aggregating these and mapping them back to a holistic business impact appears to be elusive, and is still part of an evolving security program maturity. It is like flying a plane over complex terrain in bad weather with the three most important cockpit indicators taped over. There is a clear need for holistic risk measurement systems to help security teams prioritize their resources and communicate their impact to executive management and Boards of Directors.

The Bottom Line

IT is giving up control over most devices and infrastructure. This has profound implications for risk models and for the types of controls that will be effective going forward. In exchange, security programs are moving their controls closer to the business data and applications. Enlightened security teams are focusing on data-centric controls such as encryption and DLP, working closely with DevOps teams to “bake” security controls into the orchestration layer and cloud hosting systems, and leveraging APIs and cloud computing capabilities to build scalable security solutions that meet the unique needs of their enterprise and address the sprawl of point solutions.

As concerns about security and compliance rise, teams struggle to map their security programs’ efforts to business impact. Growing interest from Boards of Directors and increased scrutiny from compliance regulations have placed more emphasis on identifying the right security metrics and on finding ways to increase the efficiency and efficacy of security programs. To remain competitive against increasingly sophisticated adversaries, security teams must look for ways to streamline their operational capabilities and extract actionable insights from an ever-growing set of security event data.
About the Author

Bill Burns is a well-known and well-respected security professional, having held leadership positions including Director of Information Security at Netflix, where his teams migrated critical business workloads and infrastructure to Amazon’s cloud. Most recently Bill held the role of Executive-in-Residence at Scale Venture Partners, where he created their InfoSec investment strategy. Bill is a founding member and active advisor to Wisegate, and is a member of the RSA Conference Program Committee, the ISSA CISO Forum Advisory Committee and the ISSA CISO Career Lifecycle Committee. Bill has 20 years of experience in security, specializing in cryptography and communications, and graduated from Michigan Technological University with electrical engineering and business degrees.

PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.