Stop Thinking IT Security – Think Business Risk! (PowerPoint presentation)
Simon Piff, Vice President, Security Practice, IDC Asia Pacific, @spiffatidc


SLIDE 1

SLIDE 2

www.cloudsec.com | #CLOUDSEC

Stop Thinking IT Security – Think Business Risk!

Simon Piff, Vice President, Security Practice IDC Asia Pacific @spiffatidc

SLIDE 3

IDC FutureScape: IT Security Products and Services ‐ APeJ Implications

IDC FutureScape: Worldwide IT Security Products and Services 2017 Predictions – Asia/Pacific Excluding Japan Implications. Doc #AP42209917


  1. By 2019, 50% of all online transactions will incorporate biometric authentication, driven by a ubiquitous technology infrastructure that enables low implementation costs and broad user acceptance.
  2. By 2019, more than 75% of IoT device manufacturers will use security and privacy as competitive positioning to capture the attention of security and privacy advocates and earn consumer trust.
  3. By 2019, nearly every major multinational corporation with ties to the U.S. or Europe will face significant cybersecurity attacks aimed at disruption of commodities.
  4. Over the next two years, 80% of consumers in developed nations will defect from a business because their personally identifiable information is impacted in a security breach.
  5. By 2018, 30% of enterprise cybersecurity environments will incorporate cognitive/AI technologies to assist humans in dealing with the vastly increasing scale and complexity of cyber threats.
  6. By 2018, 30% of enterprise customers will leverage analytics-as-a-service to help solve the challenge of combing through security-related data and events.
  7. By 2020, cloud security gateway functionality begins to be integrated as part of web service offerings to entice IT leaders to move offerings to the cloud.
  8. By 2020, 30% of U.S. broadband homes will have at least one IP-enabled home automation or security monitoring sensor/device.
  9. Reactive security services such as Incident Response and Forensics services will increase marginally by 2020 but will still overshadow proactive services.
  10. By 2025, on-premises security management will be a thing of the past, subsumed by SaaS security and network-based security.

[Chart: the ten predictions plotted by time (months) to mainstream (0–12, 12–24, 24+) against organizational impact (a single department or a business unit; multiple departments or business units; companywide). Plotted labels: Cloud Security Gateways, Biometric Authentication, Consumer PII, Cloud/Hosted/SaaS Security Services, Analytics-as-a-Service, IoT Security and Privacy, Incident Response Retainers, Cyberattack Disruption, IP-enabled Home Automation, Cognitive Cybersecurity. The exact placement of each prediction did not survive extraction.]


SLIDE 4

Getting Past The Eye Test (on Previous Slide)

  • Mobile biometrics
  • IoT
  • Cyber-terrorism/warfare
  • Consumer reaction
  • Machine learning/AI
  • Analytics
  • Cloud security
  • Incident response and forensics
  • Security as a service

SLIDE 5

So Much For The Future. What about today?

SLIDE 6

IDC IT Security MaturityScape Benchmark Report – APeJ (n = 852)

Stage 1 – Naïve Novice (43.8%)
  Employ basic operational security measures and act on security needs as they arise.
  Business outcome: the organization unknowingly accepts large risks that leave it extremely vulnerable.

Stage 2 – Reactive Responder (40.2%)
  Full-time staff address the most significant security requirements but look to external sources to provide guidance in a compliance-oriented program.
  Business outcome: the organization keeps auditors at bay but can be challenged in a breach scenario, and overspends on ineffective measures.

Stage 3 – Compliant Companion (9.2%)
  A solid security program and control framework address all regulator needs and internal risk assessments.
  Business outcome: the organization invests significant resources and money but has difficulty describing the value proposition in strategic terms.

Stage 4 – Proactive Partner (6.1%)
  Robust security program with strong compliance and early exploration of the cost effectiveness of solutions.
  Business outcome: the organization successfully manages risk but lacks understanding of the critical overarching business context.

Stage 5 – Predictive Professional (0.7%)
  Risk is recognized as an element of the overall business value proposition for technology, and the security strategy seeks the most efficient and effective ways to manage enterprise security.
  Business outcome: the organization has an efficient and effective economics-driven security strategy, including risk returned per unit cost, for the entire portfolio.

  • 84% at Stages 1 & 2

SLIDE 7

IDC IT Security MaturityScape Benchmark Report – India

  Stage 1 – Naïve Novice: 42.5%
  Stage 2 – Reactive Responder: 51.5%
  Stage 3 – Compliant Companion: 4.6%
  Stage 4 – Proactive Partner: 1.3%
  Stage 5 – Predictive Professional: 0.1%

Stage definitions and business outcomes are the same as on the APeJ chart (Slide 6).

  • 94% at Stages 1 & 2

SLIDE 8

[Chart: two figures, 31.4% and 19.4%; the chart labels did not survive extraction. Source: IDC Asia/Pacific C-suite Barometer Research 2017, India]

SLIDE 9

The Critical Issue for all organizations

  • It's not about IT security – this limits the view and places all the resolution onto over-stretched IT teams.
  • It is about Business Risk – this engages the business units, the executive and the board, and helps define the role IT plays in the process.

SLIDE 10

Attacks are Everywhere!

SLIDE 11

A Highly Transformed Industry

  • Niche engineers design advanced products
  • One organization employs hundreds of malware designers, linguists and other professionals
  • Key products check the keyboard language before choosing whether or not to execute
  • Avoidance technology embedded in many "applications" (seeking bare metal, and not a VM, before executing)
  • Use social engineering for targeted campaigns
  • Extensive use of big data and analytics to identify further opportunities
  • Delivers 24x7 helpdesk support
  • Offers a range of offerings "as a service"
  • Leverages cryptocurrency for global transactions

SLIDE 12

However … old habits die hard

SLIDE 13

Distributed Integrity

Prevention / Detection / Mitigation:
  Endpoint, AV, firewalls, patches, monitoring, analytics, IDS, DLP, user training, 2FA, gateways, tags and tethers, micro-segmentation

Response (mesh, hub & spoke; more process-driven than technological):
  IT response, crisis management response, legal mitigation, press & PR strategy

SLIDE 14

Essential Guidance

SLIDE 15

Re-Format the Issue

  • It's not IT security. It's what IT can do to limit business risk
  • Engages other parts of the organization that need to have a stake
  • Ensure the CEO/Board understand there is no such thing as being connected and 100% secure
  • Drives the conversation from protection to risk management and mitigation
  • IT security has at least two distinct mindsets:
    • Hunters – who are constantly tasked with seeking threats across the internal systems
    • Remediation team – who respond to and remediate the threats that the Hunters detect

SLIDE 16

Military Spending

The funding model for IT Security is more akin to military spending than to traditional IT metrics of ROI.

SLIDE 17

Understand Your Unique Environment

  • What is at stake for the business?
    • Legislative compliance
    • Core intellectual property
    • Personally identifiable information (customers, employees, partners)
    • Business continuity
  • Understand the threatscape
    • What do you own that is of value to the hacking community?
    • How equipped are you to protect this from a persistent threat?
    • How well do you monitor your internal systems and critical employees?
    • What level of access do you provide to customers, partners and contractors?

SLIDE 18

Resourcing!!

  • The future is SecDevOps
    • Embed security at the outset; no more bolting on after the fact
  • Chief Security Officer
    • Have one!
    • Not reporting into IT!
    • The "Hunter" team reports only into the CSO (the Remediation team is part of the CIO/COO remit)
  • CEO engagement
    • If the CEO does not have a KPI for security, then it will never get the attention it requires

SLIDE 19

Changing the Rules

  • Business continuity and data integrity
  • Compliance is not the goal; compliance is part of the journey to excellence
  • The risk appetite of the business is in a constant state of flux
  • Consider re-evaluating key risk indicators for Digital Security:
    • Control efficacy that leverages well-established concepts like confusion matrices and sensitivity and specificity measures to compare controls.
    • Infection/compromise rate, to identify the number of infections per individual asset, such as endpoints.
    • Controls per transaction, which identifies the number of inline security tests performed on average for every event on the network.
    • Incidents per billion events, to identify the number of unwanted outcomes that occur for every billion events evaluated.
    • Relative risk ratio of one environment to another, again leveraging established concepts in epidemiology.
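The key risk indicators listed above are easy to state and easy to get subtly wrong (a control with a high detection rate can still drown the queue in false positives; an infection rate that ignores clean assets overstates exposure). The following Python script is an added example, not part of the original presentation or any IDC material, showing how four of the indicators are computed from labelled data: sensitivity and specificity from a confusion matrix for two hypothetical controls, infections per asset, incidents per billion events, and an epidemiological relative risk ratio between two environments. All figures, control names and asset identifiers in it are constructed for illustration.

```python
"""Control-efficacy and risk-ratio metrics of the kind listed on the slide,
computed from labelled event data. Added example; all data is hypothetical."""
from dataclasses import dataclass
from math import nan
from typing import Dict, Iterable, Mapping, Tuple

# Constructed sample data (hypothetical). Each pair is (control_flagged, truly_malicious)
# for one evaluated event: 100 malicious and 1,000 benign events run past two
# hypothetical controls, "A" (noisy but sensitive) and "B" (quiet but misses more).
CONTROL_A_EVENTS = [(True, True)] * 90 + [(False, True)] * 10 + [(True, False)] * 50 + [(False, False)] * 950
CONTROL_B_EVENTS = [(True, True)] * 70 + [(False, True)] * 30 + [(True, False)] * 5 + [(False, False)] * 995


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # flagged and malicious
    fn: int  # malicious but missed
    fp: int  # benign but flagged
    tn: int  # benign and not flagged

    @property
    def sensitivity(self) -> float:
        """True-positive rate: share of malicious events the control caught."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else nan

    @property
    def specificity(self) -> float:
        """True-negative rate: share of benign events the control left alone."""
        negatives = self.fp + self.tn
        return self.tn / negatives if negatives else nan

    @property
    def precision(self) -> float:
        """Share of alerts that were real; what the analyst queue actually sees."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else nan


def confusion_matrix(events: Iterable[Tuple[bool, bool]]) -> ConfusionMatrix:
    """Tally (flagged, malicious) pairs into the four cells."""
    tp = fn = fp = tn = 0
    for flagged, malicious in events:
        if malicious:
            tp, fn = (tp + 1, fn) if flagged else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if flagged else (fp, tn + 1)
    return ConfusionMatrix(tp, fn, fp, tn)


def compare_controls(named_events: Mapping[str, Iterable[Tuple[bool, bool]]]) -> Dict[str, Dict[str, float]]:
    """Side-by-side sensitivity, specificity and precision for each named control."""
    result = {}
    for name, events in named_events.items():
        cm = confusion_matrix(events)
        result[name] = {"sensitivity": cm.sensitivity, "specificity": cm.specificity, "precision": cm.precision}
    return result


def infection_rate(infections_by_asset: Mapping[str, int]) -> float:
    """Infections per asset over the whole inventory; clean assets still count in the denominator."""
    if not infections_by_asset:
        return nan
    return sum(infections_by_asset.values()) / len(infections_by_asset)


def incidents_per_billion(incidents: int, events_evaluated: int) -> float:
    """Unwanted outcomes per 1e9 evaluated events, so very small rates stay readable."""
    if events_evaluated <= 0:
        raise ValueError("events_evaluated must be positive")
    return incidents * 1e9 / events_evaluated


def relative_risk(incidents_a: int, exposed_a: int, incidents_b: int, exposed_b: int) -> float:
    """Epidemiological risk ratio: incidence in environment A divided by incidence in B."""
    risk_a = incidents_a / exposed_a
    risk_b = incidents_b / exposed_b
    return risk_a / risk_b if risk_b else nan


if __name__ == "__main__":
    for name, metrics in compare_controls({"A": CONTROL_A_EVENTS, "B": CONTROL_B_EVENTS}).items():
        print(f"control {name}: " + ", ".join(f"{k}={v:.3f}" for k, v in metrics.items()))
    # Hypothetical endpoint inventory: two infected endpoints, two clean ones.
    print("infections per endpoint:", infection_rate({"ep-01": 2, "ep-02": 0, "ep-03": 1, "ep-04": 0}))
    # Hypothetical: 3 incidents out of 2,000,000 evaluated events.
    print("incidents per billion events:", incidents_per_billion(3, 2_000_000))
    # Hypothetical: 12 compromises among 400 contractor accounts vs 3 among 600 staff accounts.
    print("relative risk, contractors vs staff:", relative_risk(12, 400, 3, 600))
```

Control A catches 90% of malicious events but only 64% of its alerts are real; control B catches 70% with 93% precision. Which one "wins" depends on the cost of a missed event versus an analyst hour, which is exactly the economics-driven comparison the Stage 5 organization on Slide 6 is described as making. The NaN returns guard the degenerate case of a control evaluated against no positives (or no negatives), where sensitivity or specificity is undefined rather than zero.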

SLIDE 20

State Of War Has Been Declared

"The bad guys are not playing by the rules. This is a particular problem because security as a whole is too reactive and slow to adapt. We need to do a better job at protecting ourselves."

Eric Michael O'Neill is an American former FBI counter-terrorism and counterintelligence operative.

SLIDE 21

www.cloudsec.com | #CLOUDSEC

THANK YOU

Simon Piff, Vice President, Security Practice IDC Asia Pacific spiff@idc.com