
Security and Risk Management in 2007 and beyond: The only constant thing is change Thomas Raschke Senior Analyst Forrester Research Berlin, 6 November.


3
Security and Risk Management in 2007 and beyond: The only constant thing is change
Thomas Raschke, Senior Analyst, Forrester Research
Berlin, 6 November 2007

4
Entire contents © 2007 Forrester Research, Inc. All rights reserved.
Theme: Demystifying security is paramount when wanting to deliver business-relevant IT.

5
Myth #1: We’ve got everything under control…
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
E.J. Smith, Captain of the Titanic

6
Myth #2: Security needs to be confusing…
[Diagram: the security product landscape laid out against the data and network layers. Identity management: SSO, provisioning, access and authentication, biometrics, tokens, smart cards. Threat protection: firewalls, VPNs, IDP, content security, spyware, AV, spam, ILP. Data locations: servers, CD-ROMs, DBs, apps, clients, USB sticks. Vertical axis: context.]

7
Myth #3: The CSO job role is not changing…
Security is moving from a technical discipline to one with a business focus
New job requirements are different
»e.g. need to understand regulations and be able to talk to lawyers
Reduce complexity – both technical and organizational
»e.g. fewer products, people, and resources
Address new threats and compliance
»Need solutions that proactively ensure threat protection, business continuity, network availability, and secure remote workers
Improve cost efficiency: contribute to corporate efficiency
Unchanged imperative: “Be 100% secure!”

8
Myth #4: The threat race can be won…
[Chart: attack tools plotted against the specialized technical knowledge they require (high to low), with skill bands for amateurs, insiders, and professionals. Tools: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, stealth diagnostics, packet forging/spoofing, anti-detection. Knowledge: reverse-engineering, machine-level programming, encryption knowledge, OS knowledge, virus & hacker script writing, vulnerability knowledge, limited programming (macros, scripts, VBS), automated programming.]

9
Myth #5: It’s only about FW and AV software…
Security software (40%, 10% growth)
»Content security and AV: Symantec, McAfee, Trend, MS
»FW and IDS/IPS: Check Point, ISS
»Access and authentication: CA, IBM, HP, Novell, Sun
»Security mgmt: NetIQ, CA, Symantec
Security hardware (15%, 20% growth)
»Appliances: Cisco, Juniper, Nokia
»Hardware authentication: RSA, VASCO, Gemalto
Security services (45%, 12% growth)
»MSS: BT/Counterpane, Verizon/Cybertrust, VeriSign, Unisys, etc.
»Integration/consulting: IBM GS, Deloitte, Accenture, etc.

10
Myth #6: Access & IDM is for big companies only…
Why Access & Identity Management?
»Perimeter evaporates, data and identity theft: information protection becomes paramount; market dynamics and complexity, cost and time savings, regulations
→ Primary driver for enterprise investment in identity management shifts from compliance to information protection
What does IDM do?
»Allow the right people to have access to the right information at the right time!
»Single sign-on, provisioning, strong authentication; also: password & user management, legacy products (e.g. authorization), PKI, directory or meta-directory
→ Result: Cost savings and simplicity – also for small companies
Who?
»IBM, CA, Sun, HP, Oracle, BMC, Novell, Microsoft, NetIQ

11
Myth #7: There is no insider threat in my company…
Why Information Leak Prevention?
»Data classification = what is sensitive and where does it sit/travel?
»Sensitive information is leaking via USBs, also CDs/DVDs, print outs, zip files, encrypted files, etc.
→ Disclosure; also: regulations, theft, and espionage
What does ILP do?
»Monitor, measure, and protect information assets
»Identify: (A) Structured information: database records, PII/PHI; (B) Unstructured information: document fragments, conversations, web postings; (C) Semi-structured information: CAD files, source code
»Scan multiple vectors through which sensitive information may travel
Who?
»Oakley, Orchestria, Port Authority → Websense, Proofpoint, SecureWave → PatchLink, Tablus → RSA/EMC, Verdasys, Vericept, Vontu

12
Myth #8: Mobile security is futuristic stuff…

13
Myth #9: Compliance is not an issue yet…
Why governance, risk, and compliance?
»Regulatory pressure: if non-compliant → fines, etc.
»Positive: better business processes
»Also: marketing tool
What is compliance?
»(1) Adhering to internal rules, restrictions, standards, and policies
»(2) Adhering to external regulations (e.g. SOX)
→ Powerful communications and business process improvement mechanism
Who?
»Generalists: IBM, HP, MS, Oracle, etc.
»Security vendors: Symantec, McAfee, Trend Micro, VeriSign, Check Point, ISS, Cisco, RSA, NetIQ, etc.
»GRC specialists: ERM dashboards, GRC platforms, other

14
Myth #10: Ultimately, it’s all reactive chaos anyway…
Security Action Cycle
1. Define security & corporate assets; evaluate risks and regulations
2. Update security policy and establish delta of “is/want”
3. Specify investment and implementation strategy
4. Act: educate, enforce, audit, update, and comply

15
Myth #11: So, Security Managers can relax now…
Implement key strategic technologies
Anticipate changes to your S&RM role
Learn to balance business, organization, and technology as a means to raising S&RM’s profile within the organization
→ Business-focused information risk management

16
Thomas Raschke
Thank you
