Security and Risk Management in 2007 and beyond: The only constant thing is change
Thomas Raschke, Senior Analyst, Forrester Research
Berlin, 6 November 2007
Entire contents © 2007 Forrester Research, Inc. All rights reserved.
Theme: Demystifying security is paramount when wanting to deliver business-relevant IT.
Myth #1: We’ve got everything under control…
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” (E.J. Smith, Captain of the Titanic)
Myth #2: Security needs to be confusing…
[Diagram: map of security technologies laid over context layers (Data; Servers, CD-ROMs, DBs, Apps, Clients, USB sticks; Network): identity management (SSO, provisioning, access and authentication, biometrics, tokens, smart cards); threat protection (firewalls, VPNs, IDP, content security, spyware, AV, spam); information leak prevention (ILP).]
Myth #3: The CSO job role is not changing…
Security is moving from a technical discipline to one with a business focus.
New job requirements are different
»e.g. need to understand regulations and be able to talk to lawyers
Reduce complexity – both technical and organizational
»e.g. fewer products, people, and resources
Address new threats and compliance
»Need solutions that proactively ensure threat protection, business continuity, network availability, and secure remote workers
Improve cost efficiency: contribute to corporate efficiency
Unchanged imperative: “Be 100% secure!”
Myth #4: The threat race can be won…
[Chart: specialized technical knowledge required (high to low) versus time, 1985–2010, with three skill curves (amateurs, insiders, professionals). Tools listed along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, stealth diagnostics, packet forging/spoofing, automated programming, anti-detection. Knowledge listed from high to low: reverse-engineering, machine-level programming, encryption knowledge, OS knowledge, virus & hacker script writing, vulnerability knowledge, limited programming (macros, scripts, VBS).]
Myth #5: It’s only about FW and AV software…
Security software (40%, 10% growth)
»Content security and AV: Symantec, McAfee, Trend, MS
»FW and IDS/IPS: Check Point, ISS
»Access and authentication: CA, IBM, HP, Novell, Sun
»Security mgmt: NetIQ, CA, Symantec
Security hardware (15%, 20% growth)
»Appliances: Cisco, Juniper, Nokia
»Hardware authentication: RSA, VASCO, Gemalto
Security services (45%, 12% growth)
»MSS: BT/Counterpane, Verizon/Cybertrust, VeriSign, Unisys, etc.
»Integration/consulting: IBM GS, Deloitte, Accenture, etc.
Myth #6: Access & IDM is for big companies only…
Why Access & Identity Management?
»Perimeter evaporates, data and identity theft: information protection becomes paramount; market dynamics and complexity; cost and time savings; regulations
»Primary driver for enterprise investment in identity management shifts from compliance to information protection
What does IDM do?
»Allow the right people to have access to the right information at the right time!
»Single sign-on, provisioning, strong authentication; also: password & user management, legacy products (e.g. authorization), PKI, directory or meta-directory
»Result: Cost savings and simplicity – also for small companies
Who?
»IBM, CA, Sun, HP, Oracle, BMC, Novell, Microsoft, NetIQ
Myth #7: There is no insider threat in my company…
Why Information Leak Prevention?
»Data classification: what is sensitive, and where does it sit/travel?
»Sensitive information is leaking via USB sticks, also CDs/DVDs, printouts, email, zip files, encrypted files, etc.
»Disclosure; also: regulations, theft, and espionage
What does ILP do?
»Monitor, measure, and protect information assets
»Identify: (A) structured information: database records, PII/PHI; (B) unstructured information: document fragments, email conversations, web postings; (C) semi-structured information: CAD files, source code
»Scan multiple vectors through which sensitive information may travel
Who?
»Oakley, Orchestria, PortAuthority (Websense), Proofpoint, SecureWave (PatchLink), Tablus (RSA/EMC), Verdasys, Vericept, Vontu
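As an added example that is not part of the Forrester deck: a small Python scanner that applies the slide’s three information classes (A structured, B unstructured, C semi-structured) to content observed on several egress vectors. The patterns, vector names and sample events are constructed assumptions for illustration.

```python
import re

# Added example (not from the deck). Illustrative patterns, assumed for this demo:
# (A) structured: SSN-like identifiers and card numbers validated with Luhn;
# (B) unstructured: handling markers found in free text;
# (C) semi-structured: source-code markers at the start of a line.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MARKER_RE = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)
CODE_RE = re.compile(r"^\s*(#include|import |def |class |function )", re.M)

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number (separators ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of information classes ('A', 'B', 'C') found in text."""
    found = set()
    if SSN_RE.search(text):
        found.add("A")
    # A digit run only counts as a card number if it passes Luhn; cuts false positives.
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("A")
    if MARKER_RE.search(text):
        found.add("B")
    if CODE_RE.search(text):
        found.add("C")
    return found

def scan(events):
    """events: iterable of (vector, content). Returns (vector, sorted classes) for each hit."""
    hits = []
    for vector, content in events:
        classes = classify(content)
        if classes:
            hits.append((vector, sorted(classes)))
    return hits

# Constructed sample traffic across vectors (email, USB copy, print job, web posting).
SAMPLE_EVENTS = [
    ("email", "Hi, the new hire's SSN is 123-45-6789, please set up payroll."),
    ("usb", "#include <stdio.h>\nint main(void) { return 0; }\n"),
    ("print", "Quarterly forecast. INTERNAL ONLY. Do not distribute."),
    ("web", "Order ref 4111 1111 1111 1112 shipped today."),   # fails Luhn: not flagged
    ("email", "Card on file: 4111 1111 1111 1111 exp 12/09."),
]

if __name__ == "__main__":
    for vector, classes in scan(SAMPLE_EVENTS):
        print(f"{vector}: classes {classes}")
```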
Myth #8: Mobile security is futuristic stuff…
Myth #9: Compliance is not an issue yet…
Why governance, risk, and compliance?
»Regulatory pressure: if non-compliant, fines, etc.
»Positive: better business processes
»Also: marketing tool
What is compliance?
»(1) Adhering to internal rules, restrictions, standards, and policies
»(2) Adhering to external regulations (e.g. SOX)
»Powerful communications and business process improvement mechanism
Who?
»Generalists: IBM, HP, MS, Oracle, etc.
»Security vendors: Symantec, McAfee, Trend Micro, VeriSign, Check Point, ISS, Cisco, RSA, NetIQ, etc.
»GRC specialists: ERM dashboards, GRC platforms, other
Myth #10: Ultimately, it’s all reactive chaos anyway…
Security Action Cycle
1. Define security & corporate assets; evaluate risks and regulations
2. Update security policy and establish delta of “is/want”
3. Specify investment and implementation strategy
4. Act: educate, enforce, audit, update, and comply
Myth #11: So, Security Managers can relax now…
Implement key strategic technologies
Anticipate changes to your S&RM role
Learn to balance business, organization, and technology... as a means to raising S&RM’s profile within the organization
Business-focused information risk management
Thank you
Thomas Raschke
email@example.com
www.forrester.com