G05.2013 gartner top security trends
  1. Top Security Trends and Take-Aways for 2013. Earl Perkins, Research VP, May 8, 2013. @GARTNER_INC. This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.
  2. Gartner at a Glance: 902 analysts; 13,000 client organizations; 290,000 client interactions; vertical coverage in nine industries; 5,500 benchmarks; 10,200 media inquiries; world's largest community of CIOs; 64 conferences; 74% of the Global 500; 1,700 consulting engagements; clients in 85 countries; 72% of the Fortune 1000; 500 consultants.
  4. Security and Risk Management and the Nexus of Forces
  5. Top Trends and Takeaways: Infrastructure Protection
  6. Requirement: Increased Depth in Two Technology Dimensions. [Diagram] Two axes. Depth of inspection runs up the stack from the link, internet and transport layers through the application layer to host/OS and data, with the controls laid against it (FW, IPS, WAF, HIPS, VA/M, DLP, DAP). Depth of application path runs through a web zone, an app zone and a database zone (FW1/IPS1, FW2, FW3; VMs for web, ftp, app1, app2, db1 and db2; ADC, WAF, DLP, HIPS, VA/M, DAP placed along the path).
  7. The Four Phases of BYOD
     • Avoid: don't ask, don't tell; corporate-owned devices only.
     • Accommodate (focus: data protection, cost): BYO policies; formal mobile support roles; MDM; NAC; limited support; extend existing capabilities.
     • Adopt (focus: productivity): desktop virtualization; adoption of new enterprise-grade services; enterprise "app stores"; self-service and P2P platforms.
     • Assimilate (realization of the personal cloud): context awareness; identity-aware NAC; workspace aggregators; "walk up" services.
  8. Managed Diversity: A Framework for BYOD. Service levels are set per user category (categories defined by user attributes) in a managed diversity matrix. Key goals: cost control; auditable security; defined responsibilities.
  9. A Complex Mobile Device Landscape. [Chart] Predicted global mobile device shipments, 2012 through 2016 (0 to 3.5 billion), by category: feature phone, smartphone, mobile PC, ultramobile notebook, premium media tablet, basic media tablet; and predicted handset installed base (0 to 6 billion).
  10. Scoping the Mobility Security Problem: the user.
     • No security standards
     • Incomplete management
     • Bring-your-own-device challenges
     • Multiple devices
     • Travel distractions
     • Uncontrolled environments
     • Exceptions and surprises
     • Business process rebellion
     • User experience trumps accountability
     • Personal productivity focus
     • Process and data fragmentation
     • Unmanaged, nonstandard apps
  11. Security Intelligence: Overview. Two tiers feed contextual assessments: automated technology interaction (scanners and monitors; detection and protection software and hardware; real time) and manual information integration and correlation (repositories, queries and contextual assessments by IT, CISO and business staff; post-factum, long term). High-accuracy input from both yields advanced security (high accuracy, breadth of coverage, new capabilities) and optimal risk and business decisions (resource allocation and prioritization based on contextual assessments).
  12. Top Trends and Takeaways: Application Security
  13. Application Security SWOT
     • Strengths: some "good enough" technologies; increasing awareness; pressure from government and regulators.
     • Weaknesses: users are less mature than tools; developers' reluctance; misconceptions about inward-facing applications, the role of QA and network security.
     • Opportunities: security intelligence (SI); cloud and SaaS.
     • Threats: dual-purpose technologies for all; changing nature of attacks; new languages, frameworks and platforms; hackers' industry; extreme openness and collaboration.
  14. Hype Cycle for Application Security, 2012 (as of July 2012). [Chart] Expectations plotted against time across the Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity; each entry is marked with its time to plateau (less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, or obsolete before plateau). Technologies plotted: Mobile Fraud Detection; Runtime Application Self-Protection; Visual Watermarking; Application Shielding; Dynamic Data Masking; Interactive Application Security Testing; Mobile Application Security Testing; Privacy Management Tools; Model-Driven Security (DevOpsSec); Security Intelligence; Context-Aware Security; Application Security Professional Services; Tokenization; Application Security as a Service; Identity and Access Intelligence; Fraud Detection; Software Composition Analysis; Mobile Data Protection; Application Control; Application-to-Application Password Management Tools; Application Obfuscation; Database Audit and Protection (DAP); Static Application Security Testing; Static Data Masking; Web Application Firewalls; SIEM; XML Firewalls; Dynamic Application Security Testing; ERP SOD Controls; Web Access Management.
  15. Application Security Road Map (same hype-cycle axes and time-to-plateau legend, as of July 2012). Technologies highlighted: Runtime Application Self-Protection; Dynamic Data Masking; Interactive Application Security Testing; Mobile Application Security Testing; Mobile Data Protection; Application Obfuscation; Database Audit and Protection (DAP); Static Application Security Testing; Static Data Masking; Web Application Firewalls; Dynamic Application Security Testing. Direction of travel: WAF + IAST → RASP.
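The road map's "WAF + IAST → RASP" arrow is the point a practitioner should take from this section: a WAF judges a request from outside, IAST instruments the application under test, and RASP moves that instrumentation into production so the control sees the exact query the code is about to run. The Python below is an added illustration of that idea; it is not code from the Gartner deck or from any RASP product. It assumes sqlite3, a hypothetical GuardedConnection wrapper that the application hands request-derived values to, and substring matching of those values in place of the taint tracking a real RASP agent performs inside the runtime. The check is the usual one: a tainted value must lie wholly inside a single SQL literal; if it contributes tokens of its own, the query is blocked before it reaches the database.

```python
import re
import sqlite3

# Lexer for just enough SQL to find literal boundaries.  Alternative order matters:
# string literals (with '' escapes) and comments must win over single punctuation.
_TOKEN_RE = re.compile(
    r"""
    '(?:[^']|'')*'        # single-quoted string literal, '' is an escaped quote
  | --[^\n]*              # line comment
  | /\*.*?\*/             # block comment
  | \d+(?:\.\d+)?         # numeric literal
  | [A-Za-z_]\w*          # identifier or keyword
  | [^\s\w]               # any other single punctuation character
    """,
    re.VERBOSE | re.DOTALL,
)


class BlockedQuery(Exception):
    """Raised when tainted input would change the structure of a query."""


def input_is_single_literal(sql, value):
    """True if every occurrence of `value` in `sql` lies wholly inside one string
    or numeric literal token, i.e. the input contributed data, not SQL syntax.
    (Assumption: substring search stands in for real taint tracking.)"""
    if not value:
        return True
    tokens = list(_TOKEN_RE.finditer(sql))
    for hit in re.finditer(re.escape(value), sql):
        start, end = hit.span()
        covered = False
        for tok in tokens:
            if tok.start() <= start and end <= tok.end():
                text = tok.group(0)
                covered = text.startswith("'") or text[0].isdigit()
                break
        if not covered:          # spans several tokens, or sits in a comment/keyword
            return False
    return True


class GuardedConnection:
    """Hypothetical RASP-style wrapper: the application registers request-derived
    values as tainted, and execute() refuses SQL in which one escapes a literal."""

    def __init__(self, conn):
        self._conn = conn
        self._tainted = []

    def taint(self, value):
        self._tainted.append(value)
        return value

    def execute(self, sql):
        for value in self._tainted:
            if not input_is_single_literal(sql, value):
                raise BlockedQuery("tainted input altered query structure: %r" % value)
        return self._conn.execute(sql)


def build_demo_db():
    """Constructed in-memory table for the demonstration; not data from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "analyst"), ("bob", "admin")])
    return conn


def lookup_user(db, username):
    """Deliberately vulnerable: builds the query by string formatting, as the
    legacy application that RASP is meant to protect would."""
    if isinstance(db, GuardedConnection):
        db.taint(username)
    sql = "SELECT name, role FROM users WHERE name = '%s'" % username
    return db.execute(sql).fetchall()


def run_demo():
    raw = build_demo_db()
    guarded = GuardedConnection(build_demo_db())
    payload = "' OR '1'='1"
    results = {
        "benign": lookup_user(guarded, "alice"),
        "unguarded_rows": len(lookup_user(raw, payload)),  # injection dumps every row
    }
    try:
        lookup_user(guarded, payload)
        results["guarded"] = "allowed"
    except BlockedQuery:
        results["guarded"] = "blocked"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The guard stops the tautology payload (and comment-based variants such as `admin'--`) without any signature list, because it reasons about query structure rather than input content. Its limits are the usual RASP caveats: substring matching will misfire on short values that legitimately recur in the query text, a negative number lexes as two tokens, and the fix that removes the class of bug is still parameterized queries; RASP buys time for code that cannot be rewritten yet.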
  16. Top Trends and Takeaways: Risk and Compliance
  17. Program Maturity: ITScore Overview for Security and Risk Management
     • Level 1, Initial: no visibility into critical risks; very technology-focused and reactive; no risk and security policy.
     • Level 2, Developing: initiator such as data loss or regulatory concern; (re-)formulate team to address concerns; assess current state; create charter.
     • Level 3, Defined: governance committees formed; policy development; formalize processes and create process catalog; lines of business engaged in addressing security and risk issues.
     • Level 4, Managed: control gaps closed; risk assessments proactively executed; executive-level reporting; formal residual risk sign-off.
     • Level 5, Optimizing: key risk indicators mapped into key performance indicators; continuous assessment; enterprise-wide risk-aware culture; risk fully integrated with strategic business-level decision making; governance driven by executive management; board-level visibility into and commitment to security and risk management.
  18. Effective Communication With Non-IT Executive Decision Makers: operational metrics to benefit operational efficiency.
     • Executive decision makers: percentage of YTD spending of security budget; percentage of completion of annual objectives; percentage of confidence of completing objectives; number of new processes created and implemented.
     • IT operations: project status (major, per project), as percentage completed and percentage of confidence of completion; number of compliance deficiencies at the last audit; number of remaining open compliance deficiencies.
  19. Mapping KRIs and KPIs. The chain on the slide runs from the CRO/CISO through the CIO to the business: key risk indicators (open incidents, poor patching) are a leading indicator of a critical application fault in the supply chain support application; that fault is a leading indicator that the supply chain slows; and a slowed supply chain is a leading indicator of the negative impact on the business KPI (revenue loss, miss the quarter).
  20. IT GRCM Market Placement in Relation to the Enterprise GRC Market. EGRC spans finance GRC, legal GRC, operations GRC and IT GRCM. IT GRCM comprises: dashboards; executive decision support; integrated IT risk assessment and reporting; IT policy management and reporting; IT vendor risk management; IT internal audit reporting.
  21. From Control-Centric Security to People-Centric Security. Control-centric: control, policy, rules, people, punishment. People-centric: rights, responsibilities, principles, policy, people, monitor, educate.
  22. Top Trends and Takeaways: Identity and Access Management
  23. Requirement: Access the Enterprise Securely. Identities (employee, customer, citizen, partner) are granted access to process execution on reliable infrastructure.
  24. The Death (and Rebirth) of Identity Governance. Identity and access governance (IAG) and user administration and provisioning converge into identity governance and administration (IGA), alongside identity analytics and intelligence and authorization management (data and application).
  25. Strategic Planning Assumption: by the end of 2015, 50% of all new retail customer identities will be based on social network identities. [Chart] End-2012 versus end-2015.
  26. Cloud Computing Drives IAM Decisions, Offers New Delivery Options. IAM functions (administration, intelligence, access) serve the workforce and customers and partners across customer-facing applications, enterprise applications, outsourced enterprise applications, SaaS and partner applications.
  27. Action Plan: Top Security Trends and Takeaways
  28. Action Plan for Security & Risk Leaders
     • Monday morning: assess how well the strategic vision of your security and risk program addresses the Nexus of Forces and specific trends.
     • Next 90 days: educate your IT delivery and executive stakeholders on the challenges and opportunities of the Nexus of Forces; assess the maturity of the major elements of your risk and security program and decompose gaps into projects; map key risk indicators into business key performance indicators and use this to engage the business in risk discussions.
     • Next 12 months: develop a long-term strategy for continuous improvement; develop and deliver an executive reporting scheme that addresses the needs of a business audience.
  29. Recommended Gartner Research
     • Agenda Overview for Security and Risk Management Leaders, 2013. Carsten Casper, Roberta J. Witty, Paul E. Proctor, Tom Scholtz, John A. Wheeler (G00238845)
     • Agenda Overview for Information Security Technology and Services, 2013. Andrew Walls (G00239321)
     • Agenda Overview for Identity and Access Management, 2013. Earl Perkins, Gregg Kreizman (G00245842)
     • Define the Structure and Scope for an Effective Information Security Program. Tom Scholtz (G00238280)
     • A Guide to Security and Risk-Related Hype Cycles, 2012. Ray Wagner (G00230394)
     For more information, stop by the Experience Gartner Research Zone.
  30. Events for Security & Risk Management Professionals. Experience live analyst expertise plus much more at a Gartner event.
     • Identity & Access Management Summit: November 18 – 20, Los Angeles, CA
     • Security & Risk Management Summit: June 10 – 13, National Harbor, MD; July 1 – 2, Tokyo, Japan; August 19 – 20, Sydney, Australia; September 18 – 20, London, U.K.
     • Catalyst Conference: July 29 – August 1, San Diego, CA
     Visit gartner.com/events
  31. Simple steps for increasing the value of today's webinar experience
     • Visit gartner.com/webinars: today's presentation is available to download on the Attachment tab of our webinar portal, or will be available shortly on our webinar page. Check out the schedule of upcoming Gartner webinars (plus on-demand webinars) and don't forget to share these resources with your colleagues.
     • Contact your Gartner account executive with any additional questions or comments, or for a complimentary copy of today's presentation.
