
Page 1: Top Security Trends and Take-Aways for 2013/2014 (docs.media.bitpipe.com/io_12x/io_121933/item...)

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.

Ray Wagner

Managing VP

August 29, 2013

Top Security Trends and Take-Aways for 2013/2014

@GARTNER_INC

Page 2:

Gartner at a Glance

• 935+ Analysts

• 13,000 Client Organizations

• 290,000 Client Interactions

• Vertical Coverage in Nine Industries

• 5,500 Benchmarks

• 10,200 Media Inquiries

• World's Largest Community of CIOs

• 64 Conferences

• 72% of Global 500

• 2,100 Consulting Engagements

• Clients in 85 Countries

• 71% of Fortune 1000

• 500 Consultants

Page 3:

© 2012 Gartner, Inc. and/or its affiliates. All rights reserved.

Ray Wagner

Managing VP

August 29, 2013

Top Security Trends and Take-Aways for 2013/2014

Page 4:

Top Trends and Takeaways

The State of the (crumbling) State

Page 5:

Information Security and the Nexus of Forces

Topic areas shown on the slide:

• Data Loss Prevention

• Secure Web Gateway

• Risk

• Security Application Testing

• Security Information & Event Management

• Cryptography

• Firewalls

• Managed Security Services

• Intrusion Prevention

• Mobile Security

• Endpoint Protection

• Social Media Security

• Monitoring

• Digital Surveillance

• Identity & Access Management

Page 6:

Traditional Security Models Are Strained: Increasingly We Don't Own or Control Much of IT

Security Inflection Points in Our Business and IT Infrastructure

• Socialization and Collaboration

• Mobilization

• Consumerization

• Virtualization

• Cloudification

• Industrialization of Hackers

• Nationalization of Hackers

Page 7:

Everything You Know About Security Changes

• Common thread is a loss of control

- "Trustability" replaces the misguided notion that ownership = trust

• All entities must be considered potentially hostile

- All packets, URLs, devices, applications, users are suspect

• Huge number of resource usage combinations

- Context becomes critical to making real-time security decisions

• Increasing ineffectiveness of traditional security controls

- Antivirus, perimeter firewalls increasingly ineffective

• Need to shift up the stack to protect information

- The final frontier, beyond networks and devices

• Extremely hard to detect compromises/ATAs

- You are already infected, you just don't realize it

Page 8:

Top Trends and Takeaways

CIOs and CISOs: What Are They Thinking?

Page 9:

Top 2012-2014 Security Priorities

1. Mobile Device Management

2. Data Loss Prevention

TIED for Third Place:

3. Security Information and Event Management

3. IT Governance Risk and Compliance

3. Strong User Authentication

Source: Gartner North America-EMEA Security Summits surveys

Page 10:

Top Trends and Takeaways

IT Security Jobs: (Your Resume Here)

Page 11:

Prosper, Survive or Leave

Chart axes: Business Expertise, Technology Expertise, Creativity and Vision

• In-house people: business analyst, user acceptance tester

• Vaporize into cloud (partially): programmer, security tester, database administrator

• Best: visionaries, technologists and business people will be cloud creators and providers

• Don't even think it: CTO, senior architect, project liaison

Page 12:

Top Trends and Takeaways

Monitor, Monitor, and Monitor Some More

Page 13:

User Activity and Resource Access Monitoring — Targeted Attack Detection

Perfect defenses are not achievable — better detection is also required

Diagram labels, defenses: Find and fix vulnerabilities; Shield vulnerable applications; Network defenses; Shield vulnerable systems; Monitoring

Diagram labels, targeted attacks: Steal data; Compromise accounts; Target user; Install malware; Surveillance; Steal user's credentials; Compromise servers; Compromise applications

Page 14:

Information Security in 2020: Detection More Important Than Prevention

Seek vendors that focus on virtualization and cloud security controls, and support feature parity on x86-based compute fabrics.

Begin the transformation to context-aware and adaptive security infrastructure now as you replace static security infrastructure, such as firewalls, Web security gateways and endpoint protection platforms.

Consider cloud security brokers to enforce enterprise security policy as public cloud-based services are consumed.

Look for cost reductions in increasingly ineffective perimeter and signature-based security controls to fund investments in monitoring and analytics.

Begin experimentation with big data analytics for the next generation of security problems. Don't assume your SIEM takes this role.

Persistent threats must be met with persistent security; therefore, focus on uplifting older security technology and enabling the latest features that include context-aware security technologies.

By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.

Page 15:

Top Trends and Takeaways

Cloudy with a Chance of…

Page 16:

Dispelling the Three Major Cloud Security Myths

• Cloud services are inherently riskier than what we are already doing:

- Cloud does combine new technology and new processes

- Risks are different, not necessarily greater

• Cloud service providers are professionals and are more secure than we are:

- Many cloud service providers have consumer roots

- Risks are different, not necessarily lower

• Cloud is global, we can't even assess risk:

- Locations do and will matter

- Cloud services do not have to be global

Page 17:

Cloud Risk Appetite Spectrum (chart, from Low to High)

Growing opportunity for more secure SaaS

Large and highly-regulated orgs:

• Have much sensitive data

• Sophisticated IT capability

• Usually start with IaaS

Small and non-regulated orgs:

• Have minimal sensitive data

• Primitive IT capability

• Usually start with SaaS

Sensitivity of Data Typical of External Cloud Use (chart labels): Fortune 500, Finance, Individual, Small to Medium Business, Civilian Government, Military

Page 18:

Top Trends and Takeaways

Bring Your Own:

A) Device

B) Disaster

Page 19:

Mobile Device Security and BYOD

In 2011, Gartner conducted a survey and found that 62% of our clients either had, or planned for, an IT-funded BYOD project.

Driving the following markets:

• Mobile Device Management

• Network Access Control

• Secure Web Gateways

• Mobile Data Protection

• Containerization Tools

• Strong Authentication

• SSL VPN

• Application Security

• Data Loss Prevention

Page 20:

The Four Phases of BYOD

Avoid

• Don't Ask, Don't Tell

• Corporate-Owned Devices Only

Accommodate (Focus: Data Protection, Cost)

• BYO Policies

• Formal Mobile Support Roles

• MDM

• NAC

• Limited Support

• Extend Existing Capabilities

Adopt (Focus: Productivity)

• Desktop Virtualization

• Adoption of New Enterprise-grade Services

• Enterprise 'App Stores'

• Self-Service and P2P Platforms

Assimilate (Realization of the Personal Cloud)

• Context awareness

• Identity-Aware NAC

• Workspace Aggregators

• 'Walk Up' Services

Page 21:

Top Trends and Takeaways

OT = Over Time

Page 22:

Until 2015, more than 70% of enterprises will need to take urgent action over the risks of serious operational and strategic failure caused by ineffective management of OT or of IT/OT convergence.

Strategic Planning Assumption

Page 23:

A Wakeup Call for OT Security and Risk

• The type, frequency, and quality of OT security threats are increasing

• The visibility of the threats is also increasing, placing pressure on OT industries to respond quickly

• While IT security architecture, principles, and practices can help, OT security has unique issues in those areas that must be addressed

• OT security will require a significant “inflection point” change in culture, organization, and process to address properly

"The greatest obstacle to discovery is not ignorance; it is the illusion of knowledge." — Daniel Boorstin

Page 24:

Top Trends and Takeaways

IAM…and how the CISO should be thinking

Page 25:

Strategic Planning Assumption

By the end of 2015, 50% of all new retail customer identities will be based on social network identities.

Chart: End-2012 (<5%) to End-2015

Page 26:

Security Risks

Concern: Identity proofing
Commentary: Social networks generally ask for no proofs of real-world identity. Risk is not significantly higher than allowing self-assertion for new account creation.

Concern: User authentication
Commentary: Social network login typically relies on a legacy password with variable "strength" requirements. Most retail customer login relies on legacy passwords too. Risk arises from relatively poor "strength" requirements (but these are overrated anyway).

Concern: Underlying protocols
Commentary: OAuth and OpenID are less robust than SAML. Historically a barrier, but RESTful social networks compel enterprises to accept the risk. OpenID Connect promises to raise the bar.

Page 27:

Business Risks

Is it creepy?

• Do you want Facebook and so on to know who your customers are?

• Do your customers want Facebook and so on to know that they're your customers — and what they do/buy/view?

Is it strategic?

• Is it reliable? (No SLAs!)

• Will it persist?

Is there a net benefit?

• Will a focus on social network login detract from other customer experience initiatives?

• Will customers without social network logins feel disenfranchised?

Page 28:

Top Trends and Takeaways

The (Security) Free State…?

Page 29:

If We Can Reduce Security Controls

• Less bureaucracy

• Cost reduction

• Improved staff morale

• A truly agile IT environment with reduced barriers to business flexibility

• Better security:

- Less "underground activity"

- Focus on monitoring and reactive processes

“Bad things do happen; how I respond to them defines my character and the quality of my life…” — Walter Anderson

Page 30:

From Control-Centric Security to People-Centric Security

Control-centric (diagram labels): Policy, Rules, People, Punishment, Control

People-centric (diagram labels): Rights, Principles, Policy, Responsibilities, People, Monitor, Educate

Page 31:

Action Plan

Top Security Trends and Takeaways

Page 32:

Top Security Trends — 2013 & 2014

The State of the (crumbling) State

CIOs and CISOs

IT Security Jobs: (Your Resume Here)

Monitor, Monitor, and Monitor Some More

Cloudy with a Chance of…

BYOD

OT = Over Time

IAM and CISO Thinking

The (Security) Free State

• The Security Scenario

• Board Communications

• Risk, Riskier, Riskiest

• Program Maturity

• Encryption ≠ Security

• If not passwords, then what?

• App Security Grows Up

Page 33:

Action Plan for Security & Risk Leaders

Monday Morning

- Assess how well the strategic vision of your security & risk program addresses the Nexus of Forces and specific trends.

Next 90 Days

- Educate your IT delivery and executive stakeholders on the challenges and opportunities of the Nexus of Forces.

- Assess the maturity of the major elements of your risk and security program and decompose gaps into projects.

- Map key risk indicators into business key performance indicators and use this to engage the business in risk discussions.

Next 12 Months

- Develop a long-term strategy for continuous improvement.

- Develop and deliver an executive reporting scheme that addresses the needs of a business audience.

Page 34:

Recommended Gartner Research

Agenda Overview for Security and Risk Management Leaders, 2013
Carsten Casper | Roberta J. Witty | Paul E. Proctor | Tom Scholtz | John A. Wheeler (G00238845)

Agenda Overview for Information Security Technology and Services, 2013
Andrew Walls (G00239321)

Agenda Overview for Identity and Access Management, 2013
Earl Perkins | Gregg Kreizman (G00245842)

Define the Structure and Scope for an Effective Information Security Program
Tom Scholtz (G00238280)

A Guide to Security and Risk-Related Hype Cycles, 2012
Ray Wagner (G00230394)

For more information, stop by Experience Gartner Research Zone.

Page 35:

Events for Security & Risk Management Professionals

Experience live analyst expertise plus much more at a Gartner event

Identity & Access Management Summit

November 18 – 20, Los Angeles, CA

Security & Risk Management Summit

July 1 – 2, Tokyo, Japan

August 19 – 20, Sydney, Australia

September 18 – 20, London, U.K.

Catalyst Conference

July 29 – August 1, San Diego, CA

Visit gartner.com/events

Page 36:

Page 37:

Simple steps for increasing the value of today's webinar experience

• Visit gartner.com/webinars

– Today's presentation is available to download on the Attachment Tab of our webinar portal or will be available shortly on our webinar page

– Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues

• Contact your Gartner account executive with any additional questions, comments or for a complimentary copy of today's presentation