© 2017 FORRESTER. REPRODUCTION PROHIBITED.


We work with business and technology leaders to develop customer-obsessed strategies that drive growth.


Security Trends and Predictions: 2017 Demands a New Approach

Joseph Blankenship, Senior Analyst

February 10, 2017


Source: @malwareunicorn

Abandon all hope?


Security Trends: 2016 Was Another Turbulent Year For Cybersecurity


“Be careful what you wish for, you may receive it.”

- W.W. Jacobs


We got what we wished for…

Cybersecurity is now a mainstream topic, and it’s not going away anytime soon.


Three industries accounted for 95% of all customer breached records in 2016

Technology 68%

Government 16%

Retail 11%

Source: see the “Lessons Learned From The World's Biggest Data Breaches And Privacy Abuses, 2016” Forrester report.

Hackers Compromised 1 Billion Records In Just 12 Months


Top Breached Records Worldwide As A Percentage Of Internet Users

Source: see the “Top Cybersecurity Threats In 2017” Forrester report.


53% of firms were breached in the past 12 months.

44% of Enterprise Firms Suffered 2+ Breaches in 2016


Authentication Credentials And Intellectual Property Are The Top Two Targets


In 2016, Our “Things” Turned Against Us

› Blogger Brian Krebs hit with a record DDoS attack starting on 9/20

› A botnet running on IoT devices – web cameras, printers, DVRs and routers – carried out the attack

› Average DDoS attack size predicted to grow to 1.2 Gbps by the end of 2017

Source: krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

www.forbes.com/sites/thomasbrewster/2016/09/25/brian-krebs-overwatch-ovh-smashed-by-largest-ddos-attacks-ever/#3f4504f46fb6

Arbor Networks Worldwide Infrastructure Security Report


Security leaders are concerned about IoT

54% are “concerned with the risk that IoT technologies could introduce” to their firm*


IoT Security Technologies Are Still Relatively Immature

Source: see the “TechRadar™: Internet Of Things Security, Q1 2017” Forrester report.


The Results of High-profile Cyberattacks on IT Security

Base: 3,588 Global Security Technology and Business Decision-makers from Enterprises with 1,000+ employees

Source: Forrester Business Technographics Global Security Survey, 2016


Identity and Authentication Management (IAM) Adoption Trends

Source: Understand The State Of Identity And Access Management: 2016 To 2017 Forrester report


Security's Share Of The IT Budget Continues Its Incredible Rise


Network Security Still Gets The Largest Budget Share

Source: Forrester’s Security Budgets 2017: Increases Help But Remain Reactionary report


The Cybersecurity Talent Gap Remains A Top Concern

› Security teams are understaffed

• 62% of enterprises report not having enough security staff

› Finding the right skills is also a challenge

• 65% of enterprises state finding employees with the right skills is a challenge

Source: Forrester Business Technographics Global Security 2016

Image: www.flickr.com/photos/dt10111/2901811351


Security Leaders Turning To Services

*Base: Global security decision-makers whose firms' IT department has a security budget (1,000+ employees)

**Base: 852 Global security decision-makers whose firms outsource infrastructure and security functions (1,000+ employees)

Source: Forrester’s Global Business Technographics Security Survey, 2014, 2015 & 2016

Approximately what percent of your security budget is spent on security services?*

• 2014 (N=1,172): 48%

• 2015 (N=1,354): 49%

• 2016 (N=1,358): 49%


The Enterprise Security Team Taking On More Customer Risk

Base: 1,543 to 1,550 Security decision-makers responsible for security activities (1,000+ employees)

Source: Forrester’s Global Business Technographics Security Survey, 2015 & 2016

“Which of the following activities are you and your team actively working on?”

Activities, with 2015 and 2016 shares and YoY growth:

• Ensuring the security and privacy of customer data sold/exchanged to partners: 2015 26%, 2016 48%, YoY growth +22%

• Identifying new sources of data-driven revenue: 2015 23%, 2016 44%, YoY growth +21%

• Protecting data warehouses and other data repositories typically used in customer intelligence: 2015 33%, 2016 50%, YoY growth +18%

• Embedding security into your organization's end products or services: 2015 31%, 2016 47%, YoY growth +16%

• Enabling rapid adoption of new technologies and/or services to help acquire and maintain customers: 2015 31%, 2016 47%, YoY growth +15%

• Responding to breaches of customer PII in a responsible and timely way: 2015 29%, 2016 42%, YoY growth +13%

• Developing secure customer-facing mobile and web applications: 2015 31%, 2016 43%, YoY growth +12%

• API management and security: 2015 34%, 2016 45%, YoY growth +10%

• Managing the risks around social media engagement: 2015 34%, 2016 44%, YoY growth +10%

• Protecting our customers' personal information from privacy abuses: 2015 45%, 2016 54%, YoY growth +10%

• Authenticating customers across channels: 2015 31%, 2016 41%, YoY growth +9%

• Protecting our customers' personal information from cybercriminals and fraudsters: 2015 45%, 2016 52%, YoY growth +7%


Security Leaders Reporting Lines Shifting

Base: 2,121 security technology decision-makers (20+ employees) and 1,165 at enterprises (1,000+ employees)

Source: Forrester’s Global Business Technographics Security Survey 2016

Into which department or office does the senior-most security decision-maker directly report?

[Bar chart, two series per category; legend: Enterprise, All]

• Cross-department steering committee: 3%, 3%

• Enterprise risk/CRO: 6%, 7%

• Board of directors: 11%, 10%

• CIO: 18%, 23%

• IT: 26%, 24%

• CEO/president: 33%, 32%

Last year, IT topped the list at 55% and (57%) for Enterprises!


Top 5 security priorities in 2016 compared with prioritization in 2015

Source: Understand The State Of Identity And Access Management: 2016 To 2017 Forrester report


2017 Predictions: Are things going to get better?


#1) External Threat Actors Diversify

› 2017 is different…

› Political climate is ripe for hacktivists and nation state actors

› 57% of .onion sites facilitate criminal activity (a.k.a. the dark web)*

› Because of the anonymity of cryptocurrency and accessibility of the dark web, anyone can learn how to become a cybercriminal

› Credentials, credit cards, PII, medical records, and IP are sold on the dark web

› Ransomware depends on cryptocurrency

Source: “Cryptopolitik and the Darknet,” Daniel Moore and Thomas Rid, Survival, Vol. 58, Iss. 1, 2016

Action: Prepare for hacktivists, nation-states and ideologies looking to disrupt and degrade.


#2) Healthcare Breaches Will Become As Large And Common As Retail Breaches

Why?

• Healthcare/public sector only spends 23% of IT budget on security

• Lots of M&A in healthcare space

• Increasing value of patient data (PHI, biometrics, etc.)

• Ransomware trend in healthcare

“How much does your firm's Information/IT security spending for 2016 represent as a percentage of overall 2016 IT budget?”

• Media, entertainment, and leisure: 22%

• Public sector and healthcare: 23%

• Retail and wholesale: 24%

• Financial services and insurance: 24%

• Other: 26%

• Business services and construction: 27%

• Manufacturing: 27%

• Utilities and telecommunications: 35%

Base: 72-712 (depending on industry) security decision-makers (20+ employees)

Source: Forrester’s Global Business Technographics Security Survey, 2016

Action: Prioritize data protection for PHI and sensitive systems. Regularly back up systems to guard against ransomware.


#3) More than 500,000 IoT Devices Will Suffer A Compromise — Dwarfing Heartbleed

› 66% of security technology decision-makers at enterprise firms rate securing Internet of Things (IoT)/M2M within the enterprise as a high priority over the next year*

› Millions of consumer devices with no security, updates or patches have proved to be an effective channel of attack

Source: Forrester’s Global Business Technographics Security Survey, 2016

Action: Require quick remediation and fully automated, scripted security testing.


#4) The Talent Gap Will Force CISOs To Allocate 25% To External Expertise, Automation

› CISOs will turn to external services and automation tools for relief

› 25% spending includes security outsourcing, managed security services, security consultants and integrators, and security automation technologies

› Develop rules of engagement for automated response

Base: 1,632 security decision-makers (1,000+ employees)

Source: Forrester’s Global Business Technographics Security Survey, 2016

Action: Embrace automation and orchestration.

Unavailability of security employees with the right skills:

• Not a challenge: 10%

• Minor challenge: 24%

• Challenge: 38%

• Major challenge: 27%


What specific types of skills and experience are most needed in your organization today?

• Risk management expertise: 33%

• Fraud management expertise: 37%

• Penetration testing: 39%

• Programming, scripting knowledge: 45%

• Application security: 46%

• Digital forensics and incident response: 46%

• Virtualization, cloud infrastructure expertise: 46%

• Malware analysis/reverse engineering: 48%

• Security operations: 48%

• Mobile security: 49%

Base: 1,064 security decision-makers who indicate unavailability of security employees with the right skills is a challenge for their firm (1,000+ employees)

Source: Forrester’s Global Business Technographics Security Survey, 2016


Base: 1,165 security technology decision-makers (1,000+ employees)

Source: Forrester’s Global Business Technographics Security Survey 2016


#5) The US President Entered Office In A Cybercrisis, And Will Face Many More

› Nation state involvement in US elections fosters a sense of distrust

› People could begin to lose faith in the integrity of global institutions

› We must lead the shift to a culture of security; protect customer and corporate data and reinstate inherent trust in our systems

Action: Identify the cybersecurity risks that have the biggest impact on your firm. Instill a culture of security in your staff and your users.


2017 Will Be A Heck Of A Ride


FORRESTER.COM

Thank you

Joseph Blankenship

www.forrester.com/Joseph-Blankenship

@infosec_jb