Digital Risk and Security Awareness Survey

Transcription

1 KuppingerCole Report ADVISORY NOTE by Martin Kuppinger February 2015 A survey on the awareness of digital risks and security risks run and compiled by KuppingerCole. Providing insight into the current perception of digital and security risks, complemented with analysis and recommendations by KuppingerCole. by Martin Kuppinger mk@kuppingercole.com February 2015

2 Content 1 Management Summary About the Survey Survey Results Changes in digital security risk perception The most frightening attacks Countermeasures Budget changes C-level attention Recommendations Copyright Content Tables Table 1: Changes of technology relevance, based on % of #1-#3 rankings three years from now compared to today Table of Figures Fig. 1: Distribution of respondents across industries Fig. 2: Job titles of the respondents Fig. 3: Results for the changing recognition of digital security threats Fig. 4: Results for the changing recognition of risks... 8 Fig. 5: Comparing changes in threat and risk recognition Fig. 6: Reasons for stable risks, while threats increased (multiple choice allowed) Fig. 7: Reasons for increasing risks, while threats remained stable/decreased... 9 Fig. 8: Reasons for stable/decreasing threats and risks Fig. 9: Reasons for increase in both threats and risks Fig. 10: The most frightening types of attacks Fig. 11: Most-feared types of cyber-crime Fig. 12: Main reasons for internal attacks Fig. 13: Main reasons for nation-state attacks Fig. 14: Main reasons for politically motivated attacks Fig. 15: Most important countermeasures Fig. 16: Three main technologies ranked #1 in countermeasures Fig. 17: Three main technologies ranked #2 in countermeasures Fig. 18: Three main technologies ranked #3 in countermeasures Page 2 of 29

3 Fig. 19: Most important countermeasures in one year from now Fig. 20: Three main technologies ranked #1 in countermeasures one year from today Fig. 21: Three main technologies ranked #2 in countermeasures one year from today Fig. 22: Three main technologies ranked #3 in countermeasures one year from today Fig. 23: Most important countermeasures in one year from now Fig. 24: Information Security budget changes within the past 24 months Fig. 25: Industries with a lack of C-level attention for Information Security Fig. 26: Reasons for C-level attention on Information Security Related Research Advisory Note: Real Time Security Intelligence Advisory Note: Security and the Internet of Everything and Everyone Advisory Note: Security Organization, Governance, and the Cloud Advisory Note: IAM Predictions and Recommendations Executive View: Introduction to Managing Risk Leadership Compass: IAM/IAG Suites Leadership Compass: Access Governance Leadership Compass: Cloud User and Access Management Leadership Compass: Cloud IAM/IAG Leadership Compass: Dynamic Authorization Management Leadership Compass: Identity Provisioning Leadership Compass: Enterprise Key and Certificate Management Leadership Compass: Enterprise Single Sign-On Leadership Compass: Privilege Management Page 3 of 29

4 1 Management Summary In a global online survey, KuppingerCole has asked Information Security professionals about their current perception of Digital Risk and Security. The study shows a significant increase in awareness of both threats, i.e. the potential attacks, and risks. While some participants claim that they were able to keep their risks stable or even mitigate them by investing in countermeasures, the vast majority feels that the risk for their organizations increased over the past 12 months. The most frightening type of attacks comes from organized crime, including attacks that are associated with industrial espionage, blackmailing, and particularly a potential loss of reputation, for instance when large amounts of passwords are stolen and sold on the black market. Internal attackers also are perceived as massive risks. Depending on the industry and the geography, nation-state attackers and politically motivated attackers also are identified as severe risks. In particular, governmental organizations and corporations from industries such as Aerospace & Defense (in the case of nation-state attacks) and Finance (in the case of politically motivated attackers) feel themselves threatened by these groups of attackers. Overall, there appears to be a far better perception of the cyber-security risks than ever before, particularly due to the public attention to these issues today. Looking at the countermeasures allows some interesting observations. While some technologies such as Identity and Access Management & Governance (IAM/IAG) are considered as key technologies, others are gaining momentum and expected to play a far bigger role with the next three years. Somewhat surprising, Mobile Security Solutions are still not widely used but expected to play an important role in the near future. Secure Information Sharing, e.g. Information Rights Management or Secure Data Rooms, already is perceived as one of the most relevant countermeasures, with another uptake expected within the next three years. However, the biggest growth, according to this study, will be seen in the area of Real-Time Security Intelligence1. This includes solutions that provide managed services not only about newly identified attack vectors, but also for analyzing logs and events based on advanced analytical capabilities. While the current and short-term focus is on on-premise solutions, the results show a massive uptake for managed services in that area within the next three years. On the other hand, traditional technologies such as firewalls, IPS/IDS, or endpoint security are on the decline not necessarily in absolute numbers, but in their role as core technologies for cyber-security countermeasures. The study shows a clear focus on Real-Time Security Intelligence and IAM/IAG as strategic elements, complemented by Secure Information Sharing technologies. Gaining comprehensive insight into attacks and integrating prevention, detection and response instead of using point solutions appears to be the strategic focus, according to the survey results. This is combined with protection of the information assets themselves, instead of secondary components such as networks and servers. Overall, the study highlights that there is not only a far better perception of both digital threats and risks, but also a fundamental change towards more holistic, strategic countermeasures, superseding and integrating traditional approaches. 1 Page 4 of 29

5 2 About the Survey The survey was executed in the fourth quarter of 2014 as an online survey. 270 persons participated in the survey. The survey consisted of ten main questions plus a number of additional questions that have been raised depending on the answers provided. Fig. 1: Distribution of respondents across industries. The participants were well distributed across industries. Other includes IT companies, but also a number of manufacturing companies where participants did not associate themselves with Manufacturing or Industry. The fact that recipients are from a broad range of industries allows generalizing the results of the survey. Furthermore, the fact that some industries such as Finance and Government are very well represented allows deducing concrete conclusions for these industries in particular. Page 5 of 29

6 Fig. 2: Job titles of the respondents. Figure 2 shows the job titles of respondents. Over 40% of the participants were C-level, including CIOs, CISO, CEOs, and other types of C-level jobs. Thus, there is a good mix between the C-level view on one side and the view of people from the departmental levels and projects. Page 6 of 29

7 3 Survey Results In the following sections, the results of the survey are released and explained. For many of the answers, you will find further analysis by KuppingerCole. 3.1 Changes in digital security risk perception The first set of questions focused on the changing perceptions of digital security risk. The first question asked whether the recipient has recognized an increase in digital security threats over the past year. The follow-on question then asked whether this recognition has led to growing risks. Basically, there might be an increase in threats and attacks, while risks remain stable. This might be the case when there are no new attacks or when the risk resistance has been improved. Fig. 3: Results for the changing recognition of digital security threats. For the first question, 85.6% of the recipients responded that they have observed an increase in threats. In other words, more than 5 out of 6 participants all of them being IT professionals that deal with IT security issues have seen an increase in threats over the past 12 months, i.e. in the period of Q to Q The answer is not surprising, given the large number of attacks that became public, combined with the echo of the Snowden revelations. Page 7 of 29

8 Fig. 4: Results for the changing recognition of risks. Overall, the perception of the risk exposure increased as well. However, only 77.6% indicated an increase in that area, compared to 85.6% recognizing an increase in threats. Figure 5 provides details on how the answers to these two questions are related. Fig. 5: Comparing changes in threat and risk recognition. For the various areas, we have asked for the specific reasons behind these perceptions. For the 10.8% of participants that indicated an increase in threats, while risks remained more or less stable, we found two major answers. 80% of the respondents named better countermeasures and investments in Information Security Technology as the main reasons why the overall risk exposure did not grow, despite the increase in threats. 40% also identified better alerting for new threats based on real-time services as the reason for their increased threat resistance. This also shows that investing in real-time services is one of the Page 8 of 29

9 common actions organizations take. Based on such services, they learn earlier and more about new types of attacks, particularly zero-day attacks, and thus are better able to react on these attacks. Fig. 6: Reasons for stable risks, while threats increased (multiple choice allowed). Other answers included the hint that the risk picture did not change, i.e. the once identified risks remain while there are no new risks. This is a valid answer, even while the risk rating in the sense of changes in probability and impact might change anyway for existing risks. Fig. 7: Reasons for increasing risks, while threats remained stable/decreased (multiple choice allowed). A small number of participants responded that the risk grew while threats remained stable or even decreased. Figure 7 shows the answers on this question. Due to the small population for this question, this can only give some indications for the generic reasons for such perceptions. Basically, the main reasons come down to concrete incidents and warnings. If something goes wrong within the industry or in the organization itself, the understanding of the real risks might change, despite a stable threat landscape and attack surface. Page 9 of 29

10 Fig. 8: Reasons for stable/decreasing threats and risks (multiple choice allowed). Another 11.6% of the respondents answered that both threats and risks remained unchanged or even decreased during the past 12 months. The main reason mentioned was again investments in Information Security technology. This aligns with 14.8% mentioning faster detection and better understanding of threats as the foundation for targeted countermeasures. 25.9% of the respondents named a changing focus of attackers as the main reason. This appears to be a valid observation. However, the number of concrete attacks might remain stable while the ratio decreases, when as it happens today the overall number of attacks grows. One interesting answer was that the change in threats and risks is hard to rate, given the current hype. While there is hype in the sense of massively increased cyber security awareness in the general public, it also is a fact that the overall trend of a growing number of attacks remains intact. Fig. 9: Reasons for increase in both threats and risks (multiple choice allowed). Finally, we asked for the reasons behind the perception of both increasing threats and risks the perception of the vast majority of 75% of the participants. The main reason mentioned by 58.7% of Page 10 of 29

11 these respondents was that there is more publicly available information about cyber-attacks. The growing attention to this topic has led to an increasing awareness of the risks. Interestingly, more than half of the answers also indicated that information exchange with peers within the industry led to this increased awareness regarding threats and risks. This is interesting because it shows a far better collaboration among different companies in various industries than might have been expected. Again, a significant number of respondents, i.e. 40.9% of the 75% that see an increase in both threats and risks, mentioned that they have done more or better threat and risk analysis. This shows how important it is to have a risk management approach in place that helps understanding the real risks. 3.2 The most frightening attacks The second group of questions dealt with the types of attacks most concerning people today. The initial question in this group was about the most frightening type of attack. Fig. 10: The most frightening types of attacks. Most feared are attacks by organized crime. Nearly half of the participants, 46.6%, named this as the most frightening type of attack from their perspective. This proves the observation that cyber-crime massively gained ground over the past few years, having become a threat for everyone today. Second ranked in this question are internal attackers, which are considered the most challenging type of attack by 29.4% of the respondents. This is still a fairly significant number. If the question would have been a multiple choice question, this type of attack probably would have ranked even higher. Clearly, internal users particularly in the case of privileged users such as administrators that sometimes have extensive entitlements remain a massive challenge for Information Security. Despite the Snowden revelations and other types of nation-state attacks and espionage that have become known, this type of attack only ranks #3, with 11.3% of the respondents rating this as the most severe type of attack they are facing. Page 11 of 29

12 Finally, another 8.6% named politically motivated attacks as their biggest concern. In the light of recent incidents such as the DDoS attack on the website of the German chancellor, this clearly is a real issue these days. Among the answers indicating others, there were some interesting results. Some mentioned industrial espionage as their biggest threat. This might be subsumed within organized crime (being heavily involved in such activities) or nation-state attacks (based on the fact that several nation-state are very actively spying on other nation s corporations). Fig. 11: Most-feared types of cyber-crime (multiple choice allowed). When looking in more detail at the various types of attacks, the respondents which feel most challenged by cyber-crime listed a number of attack types they are frightened by. Roughly 2 out of 3 (65.0%) named theft of information assets that are then sold on the black market as an attack type they are challenged by. This aligns with what has been said above regarding industrial espionage. Also more than half (56.3%) of the respondents to this question listed financial fraud on top. This obviously is one of the types of attacks that are here to stay forever. However, many of the spam mails related to financial topics such as unpaid invoices are constructed to place malware as part of more advanced types of attacks, commonly referred to as APTs (Advanced Persistent Threats). Also, blackmailing in various forms is seen as a massive challenge, with 36.9% mentioning this in the context of access to sensitive data that is only withheld/deleted against payment and another 21.4% being in fear of having to pay for data being encrypted by malware. Other answers in that area include the fear of loss of reputation a major challenge and the loss or corruption of data. When looking at internal attacks, 70.8% of the respondents clicked on the answer option Just a realistic view. In fact, at least a very large portion of really severe incidents has been caused by internal attackers or at least with support by internals. Furthermore, advanced types of attacks commonly hijack internal accounts, thus protection of these accounts and their behavior remains essential. In consequence, the threat created by internal attackers must not be underestimated. Page 12 of 29

13 Fig. 12: Main reasons for internal attacks (multiple choice allowed). Another 50.8% referred to the examples of other organizations, such as sales of customer data by employees of financial organizations, e.g. the sale of tax fraud information from Swiss banks to German tax offices. A quite interesting number are the 24.8% choosing the option that there are concrete indications for such attacks. That is a fairly significant number, given the massive impact internal attacks can have. Notably, several respondents referred either to experiences they already have had within their organizations or the fact that their internal countermeasures such as Privilege Management or Security Analytics are insufficient. Fig. 13: Main reasons for nation-state attacks (multiple choice allowed). Of the respondents rating nation-state attacks as the most frightening type of attack they are facing, more than half (56%) referred to the fact that they are in critical infrastructure industries. These types of industries are considered to be a common attack target of other countries. Some 40% indicated that their assets are (actual or assumed) targets of nation-state industrial espionage. This is particularly true Page 13 of 29

14 for organizations in the IT Security industry and in the Aerospace & Defense industry. Another 16% see their challenges regarding nation-state attacks being caused by the fact that they are governmental or military organizations. Some of the respondents also referred to the geography they are in, being in one of the countries that is a common target of such attacks. Fig. 14: Main reasons for politically motivated attacks (multiple choice allowed). Finally, there is the group of respondents that feels most challenged by politically motivated attackers. Again, the main reason mentioned here were the industries, either being critical infrastructure (36.8%), governance or military (32.6%) or financial (10.5%). Furthermore, a number of respondents again referred to their geography, making them a common target of politically motivated attacks. 3.3 Countermeasures The increase in digital risk and security awareness obviously also means that organizations are spending more time and money for countermeasures. However, the answers to that question provide a very mixed picture regarding the concrete countermeasures taken and the preferred mix of countermeasures. Page 14 of 29

15 Fig. 15: Most important countermeasures (selection of three for rank #1 to rank #3). Overall, IAM (Identity and Access Management) related countermeasures have a significant weight. This might be caused by the fact that there was a higher percentage of respondents from these departments. However, IAM in general is increasingly considered to be one of the most important countermeasures in cyber-security. When adding the selections for either rank #1, rank #2, or rank #3, Identity and Access Management & Governance has been mentioned by 60.4% of all recipients. A very significant number of respondents thus has identified that set of technologies as a key technology for increasing cyber-attack resistance. Page 15 of 29

16 Another 44.2% put Privilege Management on one of these three first ranks, as a specific subset of IAM, focusing on privileged users. This aligns well with the answers indicating that internal attacks still are among the most threatening types of attacks, because both Privilege Management in particular and IAM in general are common and proven countermeasures against internal attacks. Following these two groups of technologies, we find a number of other approaches in a head-to-head competition. Between 23% and 30% of the respondents opted for IDS/IPS (Intrusion Detection/Prevention Systems) [29.9%] SIEM tools (Security Information and Event Management) [27.4%] Endpoint Security [24.9%] Firewalls [24.4%] Secure Information Sharing (Secure File Sync, Data Rooms, Information Rights Management) [23.4%] While the first four groups of technologies are quite common countermeasures against attackers, finding Secure Information Sharing in this group is somewhat surprising. However, this is an indicator of the growing attention and maturity of the various technologies in that space, allowing the protecting of information end-to-end and focusing on protecting the informational assets themselves instead of underlying technology such as networks or servers. Further technologies rated are Real-time Security Intelligence on-premise [18.8%] Building/operating their own SOC or relying on a managed SOC [16.8%] Mobile Security Solutions [13.7%] Real-time threat information as managed service [10.2%] Real-time Security Intelligence as managed service [6.1%] When looking at these choices, all three around real-time threat information and security intelligence fall into the same category. If added, more than 35% of the respondents opted for the one or other of these technologies. Interestingly, Mobile Security Solutions are not rated high as one of the primary means for increasing resistance against cyber-attacks. The assumed reason for this could be the tactical and very focused nature of these technologies, compared to the cross-system and cross-device nature of, for instance, IAM or Real-time Security Intelligence. However, further and detailed analysis of other answers shows that the main reason for that low rating is based on the fact that it is not widely used or required as a primary security measure today. Page 16 of 29

17 Fig. 16: Three main technologies ranked #1 in countermeasures. When looking at the three technologies ranked most often #1 in countermeasures, we find IAM, firewalls, and SOCs (Security Operations Centers). The latter includes technology such as SIEM or, more advanced, Real-time Security Intelligence. Fig. 17: Three main technologies ranked #2 in countermeasures. When looking at the technologies most frequently ranked #2 in countermeasures, we again see IAM slightly in front, directly followed by Privilege Management and IDS/IPS. Page 17 of 29

18 Fig. 18: Three main technologies ranked #3 in countermeasures. Finally, when looking at the technologies most commonly ranked #3, we see Privilege Management, Secure Information Sharing (as the real surprise in that listing), and IAM. Interestingly, some traditional technologies, in particular firewalls, did not make it among the top 3 ranked technologies at all. This appears, despite a potential overweight of IAM, to be an interesting indicator. IDS/IPS clearly outranked traditional firewalls, and when adding the ratings for the various types of real-time analytics, these technologies also are clearly ahead of firewalls. Additionally, we have asked which technologies will most likely become the most important countermeasures in one and three years from now. Page 18 of 29

19 Fig. 19: Most important countermeasures in one year from now (selection of three for rank #1 to rank #3). What is really interesting is to compare the listings of technologies with ranks of #1 to #3 here with the ones of today (see figure 15). The following technologies show the biggest increase in relevance: Mobile Security Solutions [up by 15.2% absolute, 111.1% relative] Real-time Security Intelligence as managed service [up by 10.7% absolute, 175% relative] Real-time Threat Information as managed service [up by 5.6% absolute, 55% relative] Secure Information Sharing [up by 4.6% absolute, 19.6% relative] Real-time Security Intelligence on-premise [up by 3.0% absolute, 16.2% absolute] Page 19 of 29

20 In particular, these numbers allow the prediction that the Real-time Security Intelligence market segments will grow massively, with a shift towards managed services. They also show that Mobile Security Solutions will gain significant momentum, with the increasing need to support enterprise mobility. Two other technologies remained quite stable in the ratings, including Identity and Access Management & Governance [down by 1.5% absolute] Building/operating a SOC or SOC as managed service [down by 1.5% absolute] Finally, a number of other technologies are found less frequent among the top 3 ranked technologies that will be used as countermeasures against cyber-attacks. These include SIEM [down by 5.6%] Endpoint Security [down by 6.1%] Privilege Management [down by 6.1%] IDS/IPS [down by 7.6%] Firewalls [down by 10.7%] These numbers align well with the shift towards Real-time Security Intelligence, i.e. advanced detection combined with prevention and an overall increased insight into what is happening. Fig. 20: Three main technologies ranked #1 in countermeasures one year from today. Again, we can analyze the highest ranked technology. When looking at the #1 rankings, firewalls dropped out of the top 3, with Real-Time Threat Information entering that list now. Page 20 of 29

21 Fig. 21: Three main technologies ranked #2 in countermeasures one year from today. In the top 3 rating for rank #2, we find the same technologies, with Mobile Security Solutions entering the list in a tie for third rank in that listing. This is in line with the increase in relevance of Mobile Security Solutions as a countermeasure against cyber-attacks. Fig. 22: Three main technologies ranked #3 in countermeasures one year from today. The top 3 list for the #3 ranked technologies remains unchanged, compared to the current state. Page 21 of 29

22 Fig. 23: Most important countermeasures in three years from now (selection of three for rank #1 to rank #3). Looking even further into the future, we asked for the main countermeasures against cyber-attacks in three years from now. Again, the most interesting comparison of the results indicated in figure 23 is when comparing them to the current state. Table 1 provides an overview of these changes, ordered by relative change. Page 22 of 29

23 Technology Absolute change Relative change Real time Security Intelligence as managed service 25.4% 416.7% Mobile Security Solutions 18.3% 133.3% 9.6% 95.0% 11.2% 47.8% 3.0% 18.2% -2.5% -13.5% -10.7% -17.6% SIEM tools (Security Information & Event Management) -8.1% -29.6% Privilege Management (Privileged Account/Identity/User Management, Root Account Management) -13.7% -31.0% -9.6% -32.2% Endpoint Security -10.7% -42.9% Firewalls -12.2% -50.0% Real time threat information as managed service Secure Information Sharing (Secure File Sync, Data Rooms, Information Rights Management) Building/operating an own SOC or relying on a SOC as managed service Real time Security Intelligence on-premise Identity and Access Management & Governance IDS/IPS (Intrusion Detection/Prevention Systems) Table 1: Changes of technology relevance, based on % of #1-#3 rankings three years from now compared to today. Table 1 provides some highly interesting insights. Real-time Security Intelligence will be used far more frequent than today. There is a slight tendency of moving towards managed services, in contrast to onpremise solutions which are favored today. Combined with the increase in relevance of Real-Time Threat Information Services, the overall area of Real-time Security Intelligence will become a dominant topic for cyber-security. This also aligns well with the increasing relevance of SOCs, where such technologies commonly are operated. Another winner will be Mobile Security Solutions, with a massively growing relevance due to the fact that most communication in organizations will happen based on mobile devices. Also Secure Information Sharing is expected to massively gain ground, addressing the root of the security challenges by directly protecting information instead of servers, network segments, or endpoints. Identity and Access Management, as well as Privilege Management, shows a slight decrease, however from a very high level. What really is obvious in this table is the loss of relevance of traditional Information Security technologies such as SIEM tools (to be replaced by Real-Time Security Intelligence), IDS/IPS, Endpoint Security, and Firewalls. For the latter three, the obvious trend goes towards more sophisticated, integrated solutions instead of point solutions at the network or endpoint level. Page 23 of 29

24 3.4 Budget changes Regardless of how important Information Security experts consider specific technology investments, at the end it is all about money. Thus, the question about budget changes is of particular interest. Here we asked for the Information Security budget change over the past 24 months. Fig. 24: Information Security budget changes within the past 24 months. While virtually no organization (0.5% of the responses) reported a decrease above 25%, a significant number (5.6%) report a decrease in the range of 5% to 25%. Another 43.7% mentioned that the budget remained more or less stable. However, this also means that a little more than 50% reported significant increases in Information Security budgets, with 8.1% of the organizations showing an increase of more than 50%. Overall, the growing attention on Information Security issues, beyond the experts, started resulting in spending more money for Information Security. 3.5 C-level attention The overall increase in Information Security spending aligns well with the results regarding the question set around C-level attention. On one hand, we asked for the main drivers of C-level attention. We furthermore analyzed in which industries we see an significant lack of C-level attention. Page 24 of 29

25 Fig. 25: Industries with a lack of C-level attention for Information Security. While the average value of a lack of C-level attention for Information Security is at 8.2%, governments show a rate of 26.3%. This means that in more than 1 out of 4 government organizations the C-level - i.e. the leaders of the organizations show no attention for Information Security issues. Given that probably all governments already are under attack, this is a horrible result, indicating an inacceptable level of ignorance. While the manufacturing industry is slightly above average (in a negative sense, indicating that fewer Clevel managers show attention to Information Security than on average), the Finance industry is placed in excellent position with only a very small minority of C-level managers not being aware of and interested in Information Security issues. This is obviously driven by the fact that these organizations are heavily regulated and common targets of attackers it is all about money. Nevertheless, this is the pattern organizations in other industries should follow. Page 25 of 29

26 Fig. 26: Reasons for C-level attention on Information Security. When finally looking at the various reasons for C-level attention, the most important ones are Information Security is part of Enterprise GRC and risks show up in C-level dashboards (26.0%) Incidents in other organizations have been recognized by the C-level (24.0%) Another important driver is the fear of C-level managers of personal penalties due to regulations (15.8%). Tangible audit findings caused the attention of the C-level in another 12.8% of the organizations, particularly in highly regulated industries such as the Finance industry. Another 10.2% mentioned that past incidents within the organization raised C-level attention. Given that virtually all organizations are under attack today, the question remains whether the relatively low number here is due to the higher importance of other drivers or due to the fact that attacks are not reported up to the C-level. Page 26 of 29

27 4 Recommendations Based on the results of this survey, KuppingerCole provides the following recommendations: Perform a Threat and Risk Analysis: Following a structured and standardized approach on Risk Management, identify the relevant threats and potential risks for your organization from internal attacks as well as cyber-attacks of all potential types of attackers. Understand the probability and impact of these risks, identify countermeasures and improve your resilience against attacks. Have a plan in place in case of attacks and build your security organization to identify and react on attacks. Invest in Real-time Security Intelligence: Analyze the emerging field of Real-Time Security Intelligence solutions and plan on deploying adequate solutions on-premise or as managed services. Align this with existing investments in SOCs (Security Operations Centers), SIEM (Security Information and Event Management), and Identity Analytics. Don t forget the internal attackers and do your IAM homework: Even while the threats by external attackers are ever-growing, do not underestimate the risk imposed by internal attacks. Understand that risk and take countermeasures as well, including a well thought-out IAM/IAG (Identity and Access Management & Governance) implementation. Notably, IAM/IAG also must cover other types of identities such as external users or, in the near future, things. Create one security strategy built on a risk analysis to align countermeasures and avoid point investments: Currently, security in many organizations is distributed across various siloes such as network infrastructure, client management, or IAM/IAG. Move towards a consistent Information Security organization which defines and executes a coherent strategy, avoiding point investments in siloes but spending the money focusing on mitigation of the most severe risks. Evaluate and invest in Secure Information Sharing: Address the challenges at the core, which is the information asset that needs to be protected. Secure Information Sharing is mature enough now to be used on a broad scale. Evaluate the current state of the market and start using Secure Information Sharing technologies as a central element within your Information Security strategy. Don t rely on firewalls only: They are only baseline protection. Firewalls will remain relevant, in the context of Real-Time Security Intelligence and as a first line of defense. However, firewalls are by far not sufficient, and they are neither the only nor the most important element to think about when redefining your Information Security strategy. Define your Enterprise Mobility Strategy and combine it with Secure Information Sharing: Everything goes mobile these days. Define your enterprise mobility strategy in a way that is ready to deal with any type of today s and future mobile devices and users. However, put your emphasis on information protection, not on device protection. Thus, combining this strategy with what you do in Secure Information Sharing is highly recommended. Notably, Enterprise Mobility and Mobile Security must never be defined in a siloed approach, but become part of the one overall security strategy. Page 27 of 29

28 Include Information Security in Enterprise GRC and C-level dashboards: The C-level attention for digital risks and security has grown massively. Now is the time to show the changes in threats and risks to the C-level, by integrating into existing or new Enterprise GRC tools. This ensures that attention remains high and will show progress on projects that mitigate such risks. The biggest challenge therein however might be that still a number of these tools do not integrate well with automated and manual IT GRC and thus Information Security controls. Thus, vendor selection has to be performed carefully. Not only the attacks are changing, but also the countermeasures have to change. This appears to be on the agenda of many companies today. Focusing on integrated approaches that address prevention, detection, and response in a comprehensive manner is key to success in these days of ever-increasing cyber-attacks. However, all technical countermeasures must be grounded in a well thought-out Information Security strategy and risk analysis. 5 Copyright 2015 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. Page 28 of 29

29 The Future of Information Security Today KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business. KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eid cards, Cloud Security and Management, and Virtualization. For further information, please contact clients@kuppingercole.com Kuppinger Cole Ltd. Sonnenberger Strasse Wiesbaden Germany Powered by TCPDF ( Phone +49 (211) Fax +49 (211)