Post on 16-Aug-2015
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.
Earl Perkins
Research VP
May 8, 2013
Top Security Trends and Take-Aways for 2013
@GARTNER_INC
Gartner at a Glance
• 902 Analysts
• 13,000 Client Organizations
• 290,000 Client Interactions
• Vertical Coverage in Nine Industries
• 5,500 Benchmarks
• 10,200 Media Inquiries
• World's Largest Community of CIOs
• 64 Conferences
• 74% of Global 500
• 1,700 Consulting Engagements
• Clients in 85 Countries
• 72% of Fortune 1000
• 500 Consultants
Requirement: Increased Depth in Two Technology Dimensions
[Figure: a layered network diagram plotted against two axes, "Depth of inspection" (Link, Internet, Transport, Application) and "Depth of application path" (Web Zone, App Zone, Database Zone). Controls placed along the path include FW1/FW2/FW3, IPS1, WAF, ADC, Host/OS VA/M, HIPS, DLP and DAP, in front of VMs for web, ftp, app1/app2 and db1/db2.]
The Four Phases of BYOD
Avoid
• Don't Ask, Don't Tell
• Corporate-Owned Devices Only
Accommodate (Focus: Data Protection, Cost)
• BYO Policies
• Formal Mobile Support Roles
• MDM
• NAC
• Limited Support
• Extend Existing Capabilities
Adopt (Focus: Productivity)
• Desktop Virtualization
• Adoption of New Enterprise-grade Services
• Enterprise 'App Stores'
• Self-Service and P2P Platforms
Assimilate (Realization of the Personal Cloud)
• Context awareness
• Identity-Aware NAC
• Workspace Aggregators
• 'Walk Up' Services
Managed Diversity — A Framework for BYOD
[Figure: the Managed Diversity Matrix, with Service Levels on one axis and User Categories (defined by user attributes) on the other.]
Key Goals
• Cost control
• Auditable security
• Defined responsibilities
A Complex Mobile Device Landscape
[Figure: two charts for 2012 to 2016. Predicted global mobile device shipments (0 to 3.5 billion units), broken down by basic media tablet, premium media tablet, ultramobile notebook, mobile PC, smartphone and feature phone; and predicted handset installed base (0 to 6 billion).]
Scoping the Mobility Security Problem
The User
• No security standards
• Incomplete management
• Bring your own device challenges
• Multiple devices
• Travel distractions
• Uncontrolled environments
• Exceptions and surprises
• Business process rebellion
• User experience trumps accountability
• Personal productivity focus
• Process, data fragmentation
• Unmanaged, nonstandard apps
Security Intelligence: Overview
[Figure: Advanced Security (high accuracy, breadth of coverage, new capabilities) feeding optimal risk and business decisions, with resource allocation and prioritization based on contextual assessments. Two tiers: a manual, long-term, post-factum tier of information integration and correlation (repositories, queries, contextual assessments, operated by IT, CISO and business staff) and an automated, real-time tier of technology interaction (scanners, monitors, detection and protection software and hardware) providing high-accuracy input.]
Application Security SWOT
Strengths
• Some "good enough" technologies
• Increasing awareness
• Pressure from government, regulators
Weaknesses
• Users are less mature than tools
• Developers' reluctance
• Misconceptions about:
- Inward-facing applications
- Role of QA
- Network security
Opportunities
• Security intelligence (SI)
• Cloud and SaaS
Threats
• Dual-purpose technologies for all
• Changing nature of attacks
• New languages, frameworks, platforms
• Hackers' industry
• Extreme openness, collaboration
Hype Cycle for Application Security, 2012
[Figure: Gartner Hype Cycle, expectations plotted against time through Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity; each technology is marked with the time to plateau (less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, or obsolete before plateau). As of July 2012.]
Technologies on the 2012 hype cycle:
• Mobile Fraud Detection
• Runtime Application Self-Protection
• Visual Watermarking
• Application Shielding
• Dynamic Data Masking
• Interactive Application Security Testing
• Mobile Application Security Testing
• Privacy Management Tools
• Model-Driven Security (DevOpsSec)
• Security Intelligence
• Context-Aware Security
• Application Security Professional Services
• Tokenization
• Application Security as a Service
• Identity and Access Intelligence
• Fraud Detection
• Software Composition Analysis
• Mobile Data Protection
• Application Control
• Application-to-Application Password Management Tools
• Application Obfuscation
• Database Audit and Protection (DAP)
• Static Application Security Testing
• Static Data Masking
• Web Application Firewalls
• SIEM
• XML Firewalls
• Dynamic Application Security Testing
• ERP SOD Controls
• Web Access Management
Application Security Road Map
[Figure: the same July 2012 hype cycle (Technology Trigger through Plateau of Productivity, with time-to-plateau markers), reduced to the road-map technologies and annotated with the combination "WAF + IAST" and "RASP".]
Road-map technologies:
• Runtime Application Self-Protection
• Dynamic Data Masking
• Interactive Application Security Testing
• Mobile Application Security Testing
• Mobile Data Protection
• Application Obfuscation
• Database Audit and Protection (DAP)
• Static Application Security Testing
• Static Data Masking
• Web Application Firewalls
• Dynamic Application Security Testing
Program Maturity: ITScore Overview for Security and Risk Management
Maturity levels: Level 1 Initial, Level 2 Developing, Level 3 Defined, Level 4 Managed, Level 5 Optimizing.
[Figure: a staircase laying the following characteristics and activities across the five levels, from Initial to Optimizing.]
• No visibility into critical risks; very technology-focused and reactive
• No risk and security policy
• Initiator such as data loss or regulatory concern
• (Re-)formulate team to address concerns
• Assess current state
• Create charter
• Governance committees formed
• Policy development
• Formalize processes and create process catalog
• Lines of business engaged in addressing security and risk issues
• Control gaps closed
• Risk assessments proactively executed
• Executive-level reporting
• Key risk indicators are mapped into key performance indicators
• Formal residual risk sign-off
• Continuous assessment
• Enterprise-wide risk-aware culture
• Risk fully integrated with strategic business-level decision making; governance driven by executive management; board-level visibility into and commitment to security and risk management
Operational Metrics to Benefit Operational Efficiency
Audiences: Executive Decision Makers and IT Operations
• Percentage of YTD spending of security budget
• Percentage of completion of annual objectives
• Percentage of confidence of completing objectives
• Number of new processes created and implemented
• Project status (major, per project)
- Percentage completed
- Percentage of confidence of completion
• Number of compliance deficiencies, last audit
• Number of remaining open compliance deficiencies
Effective Communication With Non-IT Executive Decision Makers
Mapping KRIs and KPIs
[Figure: a chain of leading indicators running from the CRO/CISO through the CIO to the business. Key risk indicators (Poor Patching, Open Incidents) are a leading indicator of a Critical Application Fault in the Supply Chain Support Application, which is a leading indicator of the negative-impact KPI "Supply Chain Slows", which in turn is a leading indicator of missing the quarter and revenue loss.]
IT GRCM Market Placement In Relation to the Enterprise GRC Market
[Figure: the enterprise GRC (EGRC) market comprising Finance GRC, Legal GRC, Operations GRC and IT GRCM. IT GRCM covers dashboards and executive decision support, integrated IT risk assessment and reporting, IT policy management and reporting, IT vendor risk management, and IT internal audit reporting.]
From Control-Centric Security to People-Centric Security
[Figure: control-centric security built on policy, rules, control and punishment applied to people, contrasted with people-centric security built on rights, principles, policy and responsibilities, where people are monitored and educated.]
Requirement: Access the Enterprise Securely
[Figure: identity and access as the link between process execution and reliable infrastructure, serving employees, customers, citizens and partners.]
The Death (and Rebirth) of Identity Governance
[Figure: Identity & Access Governance (IAG) and User Administration & Provisioning converge into Identity Governance & Administration (IGA), alongside Identity Analytics & Intelligence and Authorization Management (Data & Application).]
Strategic Planning Assumption
By the end of 2015, 50% of all new retail customer identities will be based on social network identities.
[Figure: comparison of end-2012 and end-2015.]
Cloud Computing Drives IAM Decisions, Offers New Delivery Options
[Figure: IAM functions (Administration, Intelligence, Access) spanning the workforce and customers and partners, across customer-facing applications, enterprise applications, outsourced enterprise applications, SaaS and partner applications.]
Action Plan for Security & Risk Leaders
Monday Morning
- Assess how well the strategic vision of your security & risk program addresses the Nexus of Forces and the specific trends discussed here.
Next 90 Days
- Educate your IT delivery and executive stakeholders on the challenges and opportunities of the Nexus of Forces.
- Assess the maturity of the major elements of your risk and security program and decompose gaps into projects.
- Map key risk indicators into business key performance indicators and use this to engage the business in risk discussions.
Next 12 Months
- Develop a long-term strategy for continuous improvement.
- Develop and deliver an executive reporting scheme that addresses the needs of a business audience.
Recommended Gartner Research
Agenda Overview for Security and Risk Management Leaders, 2013
Carsten Casper | Roberta J. Witty | Paul E. Proctor | Tom Scholtz | John A. Wheeler (G00238845)
Agenda Overview for Information Security Technology and Services, 2013
Andrew Walls (G00239321)
Agenda Overview for Identity and Access Management, 2013
Earl Perkins | Gregg Kreizman (G00245842)
Define the Structure and Scope for an Effective Information Security Program
Tom Scholtz (G00238280)
A Guide to Security and Risk-Related Hype Cycles, 2012
Ray Wagner (G00230394)
For more information, stop by Experience Gartner Research Zone.
Events for Security & Risk Management Professionals
Experience live analyst expertise plus much more at a Gartner event
Identity & Access Management Summit
November 18 – 20, Los Angeles, CA
Security & Risk Management Summit
June 10 – 13, National Harbor, MD
July 1 – 2, Tokyo, Japan
August 19 – 20, Sydney, Australia
September 18 – 20, London, U.K.
Catalyst Conference
July 29 – August 1, San Diego, CA
Visit gartner.com/events
Simple steps for increasing the value of today's webinar experience
• Visit gartner.com/webinars
– Today's presentation is available to download on the Attachment Tab of our webinar portal or will be available shortly on our webinar page
– Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues
• Contact your Gartner account executive with any additional questions, comments or for a complimentary copy of today's presentation