Security and Risk Management (Jpescatore)


  • 8/8/2019 Security and Risk Management Jpescatore

    1/26

    Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: [email protected]. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

    Doing More With Less: Security and Risk Management in Economically Challenging Times

    John Pescatore

  • 2/26

    Welcome! Here's how to participate in today's webinar:

    - You can listen to the presentation using your computer's speaker system as the default (VoIP).
    - Or dial the conference line by selecting Use Telephone in the webinar audio pane.
    - Have a question for the presenter(s)? Type it into the Questions pane; we will answer as many as time permits.
    - A recording of this presentation will be sent to you within 48 hours.
    - If you would like a copy of today's presentation, contact your Gartner Account Executive or e-mail us at: [email protected].

  • 3/26

    Our world-class, objective insight is drawn from thousands of daily client interactions:

    - 65% of Fortune 1000; 85% of Global 500
    - 60+ conferences
    - 3,700 CIOs
    - 650 analysts across 80 countries
    - 100,000 IT end-user inquiries
    - 10,000 media inquiries
    - 2 million+ IT end-user searches
    - 60,000 clients
    - 10,000 client enterprises
    - 5,500 benchmarks

    © 2009 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

  • 4/26

    Aha Slide

    Really, not that much security budget-cutting is going on. Many, if not most, security budgets could use a good haircut. First, do the same for less; then, do more for the same.

    Chart: percentage change in security budgets by region (Asia/Pacific, EMEA, Latin America and Caribbean, North America), showing percentage decrease versus percentage increase, as of December 2008.

  • 5/26

    There is No Threat Recession

    - Latest "largest ever": Heartland Payment Systems
    - DoD bans USB after trojan on thumb drive
    - Security incidents rise 24.7% at educational institutes
    - Conficker hits medical machinery
    - Worms hit Twitter, Facebook, LinkedIn, MySpace
    - "Chinese attackers" steal jet fighter data
    - DNS attacks in Puerto Rico, Brazil, New Zealand, U.S.
    - Google, others targeted

  • 6/26

    Security Is Still In the CIO Top Ten

  • 7/26

    Cybercrime as a Service

    Diagram: cybercrime-as-a-service flow linking customers and employees, data ($$), command/control, www.news.com and "Rentahack".

  • 8/26

    Targeted Threat Growth

    Source: Microsoft Malicious Software Removal Tool disinfections by category, 2H06 to 2H08

  • 9/26

    Management 101: Defend Your Budget

    1. Fight the cuts. If not, then
    2. Move costs to someone else's budget. If not, then
    3. Protect vital organs and the "good" leg, then
    4. Tactical steps toward efficiency
    5. Strategic steps toward effectiveness

  • 10/26

    Where's the Sweet Spot?

    Chart: level of protection plotted against security cost to business, ranging from Very Low to Very High (>5% of revenue).

  • 11/26

  • 12/26

    How Much Should You Spend on Information Security?

    - IT budget: 5.4% of revenue (2008) (operations/capital expenses)
    - Information security budget: 3% to 7% of IT budget, i.e. 0.16% to 0.38% of revenue
    - Primary casualty risks: 0.138% to 0.232% of revenue

  • 13/26

    Key Issues

    1. How can organizations tactically change their security processes and technologies to quickly spend less and become more secure?

    2. How can organizations strategically change their security processes and technologies to reduce spending and improve security over the long term?

  • 14/26

    Evolving for Efficiency and Effectiveness

    Diagram: attacks and users act on the IT infrastructure; the controls shown are intrusion prevention, network access control, ID/access management, vulnerability management and data security. Phased deployment evolves to platforms; risk is handled by Avoid and Transfer, Include in Business Process, and Defend.

  • 15/26

    Stop Chasing Rainbows and Unicorns

    - Unless you're an early adopter/Type A, kill projects that are chasing mirages.
    - Require 18-month payback periods; incremental results are OK!
    - If service costs are greater than 50% of product costs, think twice and maybe wait, or descope ("someday" projects):
      - Single sign-on
      - Digital rights management
      - Security/risk dashboards
      - "De-perimeterization"

  • 16/26

    Transferring Security Spending to Other Budgets

    Security Function: IT Budget Opportunity
    - Web Application Firewall: Application Delivery Controller
    - Application Vulnerability Testing: C&A/Application Development
    - Security Configuration Auditing: Configuration Management
    - Data Center Firewall: Data Center Virtualization
    - Network Access Control: Guest Networking
    - Network Behavior Analysis: Network Performance Monitoring
    - Network Forensics: eDiscovery, DMCA

    Best: to own it and control it.
    Interim: to lose control but still have the security applied.
    Worst: to not have it at all.

  • 17/26

    Take a Platform Approach

    - The biggest single element in a security control budget is usually desktop security, and it is often the least effective spending.
    - Next-generation firewalls vs. firewalls and IPS
    - E-mail security as a service
    - Defend the Web security gateway budget
    - Other platforms:
      - Security configuration assessment
      - Security info/event management
      - Identity/access management

    Platform components:
    - Endpoint: host firewall; AV, AS; DLP, encryption, port control; HIPS/application control
    - Network: firewall; attack-facing IPS; vulnerability-facing IPS
    - Web security gateway: URL filtering; in-bound malware prevention; security as a service
    - E-mail gateway: antivirus/antispam; DLP; security as a service

  • 18/26

    Do It Yourself

    Cuts can apply to staff levels, too; trading labor for products can be a stop gap:

    - Open source: firewalls, penetration testing, vulnerability assessment, IPS, proxy/URL blocking
    - Built-ins: firewalls, disk encryption, file encryption, antimalware
    - Services: DNS-based Web filtering, anti-DDoS, in the cloud

    Higher TCO brings risks, but hiring may come back before procurement funds.

  • 19/26

    Take Advantage of The Cloud

    Diagram: the off-premises cloud (hardware managed by other than you; elastic Internet resources), from outsourcing and hosting (dedicated resources, Web hosting) through the infrastructure utility (commodity, industrialized computing resources; IaaS; programmable or programmatically accessible resources), shared application infrastructure (APaaS, application platform as a service; integration as a service; AIaaS) and dedicated applications (dedicated Web applications, Web content, native cloud applications), up to security as a service (SecaaS). Size of the cloudlets and overlap shown is not to scale.

  • 20/26

    Leverage Big Infrastructure Migration Projects as a Catalyst for Change

    Migration projects:
    - Windows 7 migration
    - Data center virtualization
    - ERP migration
    - X as a Service
    - Windows Server 2008

    Security changes to ride along:
    - Network access protection/control
    - MIIS for simple provisioning
    - Run users as standard user
    - Switch to IE8
    - Switch AV vendors for better pricing
    - Virtual firewalls
    - Baked-in secure images
    - Static and proactive separation of duties analysis
    - Security as a service

  • 21/26

    The No-Brainer: Avoid Vulnerabilities

    In the long term, security must be integrated into all application development and procurement.

    In the short term, find the "gates" and move upstream:
    - Final QA, certification/accreditation
    - Build integration and test
    - Design sign-off/RFPs

    Diagram: SDLC phases (Analysis, Design, Construction, Testing, Operations) mapped against Prevention, Detection and Correction.

  • 22/26

    Point Sources for Cutting Spending Without Reducing Security

    - Require ISPs to provide you "clean bits" and protect against denial of service.
    - Leverage endpoint, network, e-mail and Web security platforms.
    - Utilize outsourcing or alternative sources on a trial basis.
    - Take advantage of overlap with operational efforts in configuration management and application testing.
    - Reduce emergency patching. Network-based and host-based IPS solutions enable you to schedule fewer machine updates.
    - Use open-source security software or what comes for free in the operating system with Windows, Mac and Linux.
    - Leverage Active Directory for reduced sign-on. Consider IDM for low-cost user provisioning and self-service password reset.
    - Use "big bang" infrastructure projects to improve security. Use the transition to incorporate reduced user admin. rights, moving up to application control, deploying "gold" images, etc.
    - Buy more-secure applications, services and software as a service (SaaS). Make security questions a standard part of evaluation and procurement processes.
    - Don't be afraid to change vendors to reduce procurement costs; switching costs are highly over-hyped.

  • 23/26

    Thanks for participating! Do you have any questions?

    If you haven't done so already, please type your questions into the Questions pane.

    We will answer as many of your questions as time permits.

  • 24/26

    Get daily insight focused on your role: Security and Risk Management

    - Gartner advice in the context of your role
    - Dedicated portal focused on what you need to know from Gartner or the media
    - Analysts as coaches
    - Peer connection and input
    - Toolkit content helps you be more efficient and effective
    - Access to all eight roles

    Let Gartner be your indispensable resource; follow up with your account executive today!

  • 25/26

    Two simple steps for increasing the value of today's webinar experience:

    - Contact your Gartner account executive (or e-mail [email protected]) with any additional questions, comments or requests, or to order a complimentary copy of today's presentation.
    - Visit gartner.com/webinars for a schedule of upcoming Gartner webinars (plus replays of previous webinars) and share these resources with your colleagues.

  • 26/26