IREC165473PR RP 2017 Security Outlook

CEB Information Risk
Leadership Council
2017 Security
Outlook
10 Imperatives
for the Information
Security Function

© 2016 CEB. All rights reserved. IREC165473PR cebglobal.com2
2017 SECURITY OUTLOOK
Contents
Letter from CEB 3
10 Imperatives for 2017 4
1. Pivot CISO–Board Conversations to Enabling 5
Business Growth
2. Formalize IT Risk Management 6
in Your Organization
3. Help the Business Reassess the Value 7
of Its Data Relative to Risks
4. Reduce Time and Effort on 8
Operational-Level Activities
5. Find New Ways for Information Security 9
to Support Continuous Delivery
6. Prepare for an Expanded Definition 10
of Critical Infrastructure
7. Advocate a Consumer-Centric Approach 11
to Product Security
8. Establish a Formal Bug Bounty Program 12
9. Focus Fourth-Party Risk Management 13
on Detection and Response
10. Anticipate Instability Among Large 14
Cybersecurity Vendors

Each year, we publish Security Outlook as a compilation of the top 10 business, risk, and
technology trends CISOs should anticipate in the coming year. In many ways, the trends that
define 2017 will resemble those in past years: the scarcity of cyber talent will remain pervasive,
gaps in controls hygiene and employee awareness will represent CISOs’ greatest risks, and
advanced attacks aren’t going anywhere. But in other ways, 2017 represents an inflection point.
Information Security’s current model, spanning strategy, governance, and security operations, will
be strained by the demands of digitization. CISOs, in turn, will face a myriad of new challenges
and responsibilities, such as facilitating secure development, managing high-risk vendors, and
marketing Information Security as a growth enabler.
We have identified 10 imperatives Information Security should prepare to address in the coming
year. These imperatives draw from hundreds of conversations with members over the last year as
well as extensive qualitative and quantitative research. CISOs can use Security Outlook to inform
conversations with their teams, provide business partners with insight on the evolving risk landscape,
and prepare for the year ahead with confidence.
Our 2017 imperatives for Information Security fall into three broad categories:
1. Strategy Over Governance…
In the digital age, an organization’s success or failure will depend on its ability to take smart risks
with new technologies. As innovation and security become increasingly linked, Information
Security is poised to become a key growth enabler. But first, CISOs must look beyond threats and
risks and start addressing areas where fragmented risk ownership, cumbersome processes, and
misaligned policies create roadblocks along the path to digitization.
2. …Management Over Operations
With digitization pushing more organizations to embrace continuous delivery, Information
Security can expect the growth of business demand to outpace the resources to meet it. Because
scaling Information Security’s capabilities is simply not an option, CISOs must deliver security
beyond scale. This means automating and devolving operational-level activities to free delivery
teams and business partners from cumbersome governance stage gates and manual processes
operated by Information Security.
3. Greater Focus Outside the Enterprise
Organizations can no longer think of their security in isolation from that of their vendors, their
employees, or even their customers. They must anticipate the Internet of Things’ potential
to reshape society; the introduction of technologies such as self-driving cars, web-connected
medical devices, and device-enabled surveillance are all likely to infuse Information Security with
public health and safety implications. Similarly, CISOs must account for the emergent risks raised
by the increasingly tangled web of third and fourth parties with access to their systems and their
customers’ personal information.
Letter from CEB

1. Pivot CISO–Board Conversations to Enabling Business Growth
CISOs need to shift their board’s focus from risks they should avoid to risks they should take in
pursuit of digital innovation.
2. Formalize IT Risk Management in Your Organization
Reliance on technology-driven products and services underscores the need for more robust IT risk
management, which is currently fragmented across multiple functions.
3. Help the Business Reassess the Value of Its Data Relative to Risks
With new data protection regulations on the horizon, organizations must ensure that the value of
the consumer data they collect outweigh the risks of disclosure.
10 Imperatives for 2017
Strategy Over
Governance…
4. Reduce Time and Effort on Operational-Level Activities
To preserve its strategic focus in the face of mounting business demand, Information Security must
automate, devolve, or eliminate governance and operations activities.
5. Find New Ways for Information Security to Support Continuous Delivery
Digitization and speed-to-market demands are expanding the use of Agile and DevOps for IT
solutions delivery, forcing CISOs to abandon the traditional stage-gate process.
…Management Over
Operations
6. Prepare for an Expanded Definition of Critical Infrastructure
In a world where information security increasingly has public health and safety implications,
industries must prepare to self-regulate or be regulated.
7. Advocate a Consumer-Centric Approach to Product Security
As information security concerns begin to shape consumer preferences, organizations must factor
consumers’ risk appetites into strategic decision making.
8. Establish a Formal Bug Bounty Program
Organizations should incentivize hackers to help them identify and remediate software
vulnerabilities rather than monetizing them in harmful ways.
9. Focus Fourth-Party Risk Management on Detection and Response
Organizations should shift the focus of fourth-party risk management from preventing breaches to
detecting and responding to them.
10. Anticipate Instability Among Large Cybersecurity Vendors
As the cybersecurity industry witnesses unprecedented restructuring, Information Security must
reassess the relative benefits of mature and emerging technologies.
Greater Focus Outside
the Enterprise

1. Pivot CISO–Board Conversations to
Enabling Business Growth
With 94% of corporate directors more concerned with cybersecurity than they were in 2014, CISOs
are presenting to the board with greater frequency and greater urgency than ever before. 1
Most CISOs
currently focus these conversations on the industry threat landscape, information risks facing the
organization, and a status assessment of the security program. However, as executives and boards
increasingly rely on digitization for future growth (Figure 1), board members’ cybersecurity interests
are shifting from just risk and assessment of the security program to opportunities for CISOs to consult
on business strategy.
CISOs must offer their unique expertise to advise the board on digital opportunities, not just potential
threats and risks. However, with data breaches dominating the conversation in newsrooms and
boardrooms alike, digitization’s perils may appear more tangible, while its promise may seem abstract.
Thus, CISOs must be prepared to proactively discuss how policies geared toward risk avoidance,
rather than risk management, create business drag that can cost more than total spend on information
security or the residual risk itself.
For example, business leaders may choose to forego the benefits of adopting an innovative CRM
platform because the cloud vendor is deemed too risky or to delay introducing new product features
due to cybersecurity concerns, resulting in lost market share to competitors.
In such scenarios, CISOs can play a key role in helping their boards understand what business
strategies are possible, where real cybersecurity concerns may lie, and how changes in security
processes and capabilities can help remove obstacles to business growth.
Three Ways CISOs Can Shift Boardroom Conversations to Growth
Enablement
1. Demonstrate understanding of the organization’s digitization strategy inside and out.
CISOs need to not only deeply understand their organization’s digitization strategy but also
consciously demonstrate their knowledge to the board. When presenting risk information,
contextualize it in the organization’s larger digital strategy. CISOs can further help executives
and the board understand which aspects of their current strategies are possible from a security
perspective.
2. Identify and address potential security roadblocks to digital growth. Identify areas where
existing security policies or processes stifle innovation because of factors such as talent shortages,
project interdependencies, or misalignment with the organization’s risk appetite.
3. Develop a roadmap to enable the business’s digital strategy. CISOs need to identify a set of
digitization risks and pair them with solutions. Highlight examples of how digitization is forcing
Information Security to reassess its approach to delivering core services. Then, outline how
investments in people, processes, and technology are helping eliminate choke points and enable
growth while providing a set of key milestones and metrics for success.
Figure 1: Executive Priorities Dependent
on Technology
n = 2,976.
Source: CEB 2016 Agenda Setting Polls.
Have You Done the Following Things?
Standardize recurring board reporting activities, such as risk updates and program
assessment, to maximize efficiency and create time for discussing business strategy
issues.
Meet with other senior executives before board presentations to ensure alignment on
strategy and explore what role Security may play.
Benchmark presentation agendas against those of CISOs at peer organizations to
assure directors of industry alignment.
23%
Not Technology
Dependent
77%
Technology
Dependent
1
CEB 2015 Peer Perspectives Polling.
What Your Peers Are Saying
“While minimizing risk is an important
part of the equation, boards also
want to think about technology
in the context of the business to
consider appropriate trade-offs
between risk and innovation and
growth.”
Timothy Campos
CIO
Facebook
“Previously, the board could delegate
or avoid IT-related decisions, but
technology is now at the core of how
we operate and grow in the future,
so digitization issues are increasingly
being felt at the board level.”
CISO
Professional Services Company
Recommended CEB Resources
ƒƒ Research: Five Principles of
Effective Cybersecurity Board
Presentations
ƒƒ Tool: Board Presentation Template:
Making a Strong First Impression
ƒƒ Tool: Board Presentation Template:
Providing Recurring Assurance
ƒƒ Topic Center: Governance

2. Formalize IT Risk Management in Your
Organization
In the past 10 years, not one Fortune 1000 company has gone out of business as a result of a data
breach. Meanwhile, countless dozens have fallen by the wayside for failing to adapt to today’s
technology-driven environment. According to our analysis, 77% of all business priorities are now
technology dependent, a figure that will only rise as organizations progress along the path to
digitization. 1
In this context, effective management of IT risk (i.e., the potential for unexpected
outcomes associated with the use, ownership, and adoption of IT) isn’t just important—it’s essential to
survival. For example:
■■ The bankruptcy of a startup SaaS vendor leaves an organization without an alternative provider of
key CRM services,
■■ Unforeseen difficulties integrating software-defined infrastructure produce delays, cost overruns,
and downtime, and
■■ The inability to acquire and retain data science talent negates the business value of acquiring an
expensive big data analytics tool.
Twenty-nine percent of CISOs report that they formally own IT risk management, while 46% say
roles and responsibilities remain fragmented among multiple functions. This lack of clear ownership
creates blind spots in the full scope of risks the organization faces. Without robust IT risk governance
processes, Information Security may continue to take on these responsibilities piecemeal without the
resources needed to meet the challenge.
The CISO’s Role in Formalizing Effective IT Risk Management
■■ Start focusing on the right risks. CISOs should first collaborate with leaders from IT, Audit,
ERM, and other risk functions to create a common understanding of IT risk and its components.
Building an IT risk taxonomy (Figure 2) can help stakeholders begin developing IT risk
management processes and assigning roles and responsibilities.
■■ Clarify IT risk management roles and responsibilities. Once organizations create a common
definition of IT risk, they can start to formalize governance of risk management processes. CISOs
can lead this conversation and propose existing information risk management processes that the
organization could easily adapt for IT risk. Whether Information Security is best positioned to
take on responsibility for IT risk management will vary depending on the organization. Well-
resourced organizations may shift ownership to a separate IT risk function under the CIO, while
others may elect to assemble a governance committee.
■■ Help IT staff manage risk more effectively. The IT department’s typical aversion to risk
can inhibit taking the bold steps necessary to keep pace with the evolving business landscape
and pushes business leaders to seek technology solutions outside IT. Information Security can
serve as an unofficial ERM function for IT, providing useful guidance on how to align IT with
the business’s risk appetite while ensuring risk information flows from those informed to those
empowered to make risk decisions.
Figure 2: IT Risk Is Broader Than
Information Risk
Partial IT Risk Taxonomy
Source: CEB analysis.
Improve communication and build support from the board of directors for IT risk
management.
Provide guidance for redesigning risk governance to make the true owners of risk
accountable for risk decisions.
Incorporate an assessment of productivity drag into risk decisions.
Work with leaders from IT, Audit, and ERM to prioritize risks in your IT risk taxonomy.
“The ‘not my job’ mind-set that’s
historically surrounded IT risk
means we don’t have the people,
governance structures, or processes
we need to manage it effectively.”
CISO
Pharmaceuticals Manufacturer
1
CEB 2016 Agenda Setting Polls.
IT Talent
ƒƒ Insufficient staff
ƒƒ Ineffective staff
IT Capacity
ƒƒ Network/bandwidth limitations
ƒƒ Insufficient storage
Reliability/Quality
ƒƒ Loss of integrity
ƒƒ Unacceptable latency
Legal/Compliance
ƒƒ Audit findings and remediation
costs
ƒƒ Civil lawsuits
Security/Privacy
ƒƒ Breach of confidentiality
ƒƒ Breach of privacy
Delivery
ƒƒ Late delivery
ƒƒ Over budget
ƒƒ User under-adoption
Business Enablement
ƒƒ Insufficient business
responsiveness
ƒƒ Decreased employee productivity
Vendor Support
ƒƒ End of vendor support
ƒƒ Technology obsolescence
ƒƒ Case Study: Managing Shared
Risks
ƒƒ Case Study: Set the Stage
for Business Ownership and
Engagement
ƒƒ Topic Center: Governance
ƒƒ Study: Getting Serious About IT
Risk Management

14%
Easier
10%
The Same
3. Help the Business Reassess the Value of
Its Data Relative to Risks
CISOs and their counterparts in ERM and Legal have been aware of the risks posed by unchecked
accumulation of customer data for several years now but have been unable to make much progress in
mitigating them. However, in 2017 the convergence of several business environment and regulatory
changes will force organizations to reevaluate the risks and rewards of the data they collect and retain.
These changes include the following:
■■ Increased reliance on third parties for data storage and analysis reduces organizations’ control
over how their data is handled.
■■ New regulations, such as the General Data Protection Regulation (GDPR) in Europe, dramatically
increase the financial penalties for mishandling customer data—up to 4% of annual gross revenue.
■■ Highly networked workplaces relying on cloud-based productivity tools and “bring your own
device” policies increase the chances that employees might accidentally (or purposefully)
disclose data.
These factors substantially raise the likelihood and potential costs of data breaches (Figure 3) and
should prompt CISOs to renew discussions with business leaders and other risk functions to ensure
that clear guidelines are set and followed.
Seven Questions to Help the Business Reconsider Its Big Data Risks
While authority and accountability for risk decisions will ultimately lie with business leaders, CISOs
must arm them with a more holistic understanding of the risks associated with the data they collect.
Asking the following questions can help business leaders recalibrate their risk tolerances accordingly:
1. What is the business value of the information we collect? Business leaders should have a
quantifiable understanding of how the data affects growth or reduces costs rather than employ a
“collect now; analyze later” mind-set.
2. Do we currently have the tools and talent we need to use the data? Without the right set
of tools and talent, organizations are taking on all the risks of retaining customer data without
realizing any of the benefits.
3. How would the public react to the information we collect and how we use it? Even if it is
legal, organizations should avoid data collection that may violate cultural norms and present
significant reputational risks if disclosed.
4. What information needs to be protected (and at what level and cost)? The rise in data
volume and variety available to organizations makes it increasingly challenging—and vital—to
ensure each type of data receives the appropriate level of security.
5. How long should sensitive data be retained? The value of most customer data declines over
time. The business should identify its data’s “shelf life” and delete it beyond a certain age.
6. Who should have access to our customers’ information? Business leaders must strike a
delicate balance between making data available to those who can derive value from it and
preventing unauthorized access.
7. Who outside the organization touches our customers’ information? As organizations
increasingly rely on third parties for data storage analysis, business leaders must have visibility
into how the data is handled and how the third party will respond in the event of a crisis.
For more details on this topic, please read Executive Guidance for 2016: Managing the Hidden Causes
of Data Breaches.
Revisit your organization’s data classification scheme.
Assess the effect of new regulations such as the GDPR.
Explore the option of a chief data protection officer.
Integrate third- and fourth-party data breach scenarios into your crisis response
planning.
“The challenge is that in a lot of
places now, customers have a ‘right
to be forgotten’ and can sue us for
not deleting their data. We can do
that. But I can never be 100% sure
that data isn’t still out there on a
server belonging to a vendor we
did business with three years ago,
waiting to get breached.”
Global Data Security Manager
Consumer Retail Company
ƒƒ Case Study: Business-Oriented
Information Use Decisions (Air
Products)
ƒƒ Tool: CEB Ignition™ Guide to Data
Classification
ƒƒ Topic Center: Audit, Compliance,
Legal, and Privacy
Figure 3: Compared to Two Years Ago,
How Would You Rate the Difficulty in
Preventing a Data Breach Today?
Percentage of Respondents
n = 31.
Source: CEB May 2015 Information Risk Peer
Perspectives Poll.
24%
Significantly
Harder
52%
Harder
1
Bernard Marr, “Why Data Minimization Is an Important Concept in the Age of Big Data,” Forbes, 16 March 2016, http://
www.forbes.com/sites/bernardmarr/2016/03/16/why-data-minimization-is-an-important-concept-in-the-age-of-big-
data/#ca7b625327fd.

4. Reduce Time and Effort on Operational-
Level Activities
Five years ago, we predicted Information Security’s shift from back-office security operations to a
more strategic role specializing in true risk management, governance, and understanding of business
partners’ security needs. Information Security was among the first governance functions to embrace
the transition to a more strategic role. Yet at the same time, in most companies, Information Security
retained ownership over the same kinds of operational-level activities that were once its primary
responsibility.
But with the rise of Agile development and DevOps, the increased demands of continuous delivery,
and a rising number of third parties to manage, the status quo is unsustainable. Information Security
functions that try to balance their old responsibilities with the new will inevitably create drag on the
business. To preserve Information Security’s capacity to think and act strategically, in 2017 CISOs must
automate, delegate, devolve, or outsource governance and operations from their workflows (Figure 4).
Three Imperatives to Building a More Strategic Function
1. Automate routine tasks to boost productivity and bridge the cyber talent gap. With the
cybersecurity talent shortage expected to reach 1.5 million by 2019, 1
help is not on the way. CISOs
increasingly recognize that automating operations and governance activities offers the best
chance to meet the demands of continuous delivery. Security operations—everything from firewall
monitoring and spam filtering to malware analysis—are a prime target for automation. Further, by
using tools such as APIs to provide developers with the building blocks of secure development,
CISOs can empower Agile teams and free them from the conventional stage-gate process. Doing
so can dramatically reduce the time it takes to accomplish routine tasks and allow a limited pool
of security staff to graduate to more strategic activities.
2. Delegate and devolve operations to IT and the business. Although CISOs were early adopters
of the shift to a risk management role, difficulties in educating and engaging business leaders
impede Information Security’s ability to devolve risk ownership. To address the current education
gap, Information Security should embrace a variety of roles in engaging business leaders in ways
that correspond to the organization’s digital ambitions. CISOs need to be effective evangelists,
consultants, and brokers in their organizations, able to educate business partners on how
Information Security can help them deliver value, to provide project guidance and forge internal
connections. CISOs also need to coach security staff to help them build the skills and experience
they need to provide guidance for business leaders at the scale required by continuous delivery.
3. Outsource new kinds of security activities. While automating and devolving activities will
help Information Security be more strategic, in the long term CISOs must be prepared to broaden
the portfolio of activities they outsource. Today, CISOs spend roughly 8%–9% of their budgets on
outsourcing; however, the majority goes toward staff augmentation. 2
Instead, CISOs can leverage
a rapidly maturing market for managed security services for a wider range of activities, including
advanced security incident and event management (SIEM), vulnerability management, and real-
time compliance monitoring. In tandem, security functions must develop more robust program
evaluation and vendor management capabilities to ensure the providers are held accountable for
delivering high-quality services.
Figure 4: Shifting Operations to
Management
Partial List
Invest in robust program evaluation capabilities to assess security activities
according to their business value and identify opportunities to automate, devolve,
and eliminate.
Identify business partners’ progress toward digitization, and assess their need for
education and engagement from Information Security.
Develop an initial list of high-value MSSPs to be considered for more comprehensive
evaluation.
“Automation can help address the
talent gap by reducing the pressure
to hire and retain ‘unicorns’ who have
multiple high-demand skills, like a
security engineer who also does data
science. Right now it’s like trying
to find a lawyer who’s also a brain
surgeon.”
Global Security Director
Food and Beverage Retailer
1
Cybersecurity Ventures, Cybersecurity Market Report, Q3 2016, http://cybersecurityventures.com/
cybersecurity-market-report/.
2
CEB 2017 Information Security Budget and Staffing Outlook, https://www.cebglobal.com/member/
information-risk/events/replays/16/outlook-for-2017-information-security-budget-and-staffing.html/.
ƒƒ Study: A Blueprint for a New
Information Security Function
ƒƒ White Paper: Adaptive Business
Engagement
ƒƒ Topic Center: Security Function
Management
From Operations To Management
Information
Security
performs a risk
assessment and
provides control
recommendations.
Process is designed
into a GRC tool to
enable project owner
self-service and
automated controls
recommendations.
(Automation)
Information
Security
performs periodic
assessments of
all third-party
vendors.
Ownership of third-
party risk is shifted
to the business;
Information Security
assesses only the
highest-risk vendors.
(Delegation)
Information
Security routinely
monitors firewalls
and perimeter
defenses.
Perimeter defenses
have decreasing
value in the current
threat environment;
activity is reduced
and shifted to a third-
party provider.
(Elimination/
Outsourcing)

ƒƒ Webinar: Adaptive Delivery and
Operations
ƒƒ Research Report: Implementing
DevOps
ƒƒ Key Findings: Information
Security’s New Opportunities to
Support Digitization
ƒƒ Case Study: Self-Service Project
Risk Assessments (BP)
5. Find New Ways for Information Security
to Support Continuous Delivery
Speed-to-market demands are reshaping expectations for Corporate IT. Two-thirds of business leaders
believe their companies must significantly speed up digitization to remain competitive, while 63% are
dissatisfied with the time it takes IT to respond to new technology opportunities. 1
In response, many
IT organizations are expanding the use of Agile and DevOps methods (Figure 5) to support continuous
solutions delivery.
Figure 5: Agile and DevOps Adoption
Agile
DevOps
n = 132 organizations (Agile); 31 (DevOps).
Source: CEB 2016 Agenda Setting Poll (Agile); CEB 2015
DevOps Survey (DevOps).
Note: Totals may not equal 100% due to rounding.
Evaluate the extent to which your organization is using Agile and DevOps.
Provide development teams tools and training to self-identify security-significant
decisions.
Provide just-in-time security guidance to give timely guidance to development teams.
Identify and communicate a handful of triggers for Agile and DevOps teams to
require deeper security team involvement.
14%
No Projects
29%
Less Than
10% of
Projects
10%
Don’t Plan
to Use
DevOps
10%
DevOps
Is Primary
Method
45%
Evaluating
DevOps
13%
Piloting DevOps
28%
10%–30%
of Projects
16%
31%–50%
of Projects
22%
Scaling
DevOps
Enterprise-
Wide
14%
Greater
Than 50% of
Projects
“The best way to drive more secure
coding and product development
is to make the right way the easy
way. Information Security is writing
commonly used pieces of code
(e.g., authentication, logging), and
developers can easily locate and
access these through a self-service
code shopping cart.”
Roland Cloutier
VP and CSO
ADP
Infrequent, Waterfall Releases Continuous, Automated Delivery
Scope Complete applications; large batches of
enhancements
Minimum releasable units (MRUs)—
smallest amount of functionality that will
independently provide business value
Timelines Occur roughly quarterly; planned and
locked down months in advance
Occur as soon as new functionality is
ready; usually every two weeks
Quality Rigorous testing for weeks after
development to eliminate defects
Testing as you go using automation so
software is always production-ready
Release
Process
Take systems offline; “all hands on deck”
to ensure release goes smoothly
Release automation; low effort with zero
downtime
As organizations move toward iterative development methods (see table above), it becomes
unsustainable and unacceptably slow for governance functions such as Information Security to be
hands on in development efforts. Information Security’s traditional stage-gate reviews won’t work well
with these new workflows, and CISOs can’t simply scale up resources to support the growing number
of distributed development teams.
Adapting Information Security to Support Continuous Delivery
Information Security must make the following key changes to support continuous delivery:
■■ Federate responsibility for good security. As use of Agile and DevOps expands, Security
doesn’t have the capacity to be engaged in all projects. Security must enable Agile and DevOps
teams to make sound security decisions more autonomously and significantly scale back their own
role in direct reviews.
■■ Start automating governance. Federating responsibility is a good place for Security to start.
However, the most progressive CISOs are working to eliminate the need for developers to think
about good security altogether. They’re making good security the fastest, easiest, default option
for project teams by automating as many standards as possible using patterns loaded directly into
environment builds.
■■ Prepare security staff for supporting secure development. To support continuous delivery,
Information Security must embed governance (not people) in IT automation. This approach
requires changes at two levels. First, as one CISO put it, security staff need to be comfortable that
they can’t touch every project, and the team can still achieve good security. Second, Information
Security will need to hire or train more staff with applications development and design skills to
build APIs, containers, and microservices to automate security governance.
■■ Come to a common, explicit understanding of risk appetite. Many information security
processes and policies seek to reduce risk but often are addressing risks that pale in comparison
to slower speed to market or failing to meet the imperative of digital transformation itself for
the organization.
1
CEB 2020 Digital Enterprise 2020 Survey (n = 578).

6. Prepare for an Expanded Definition of
Critical Infrastructure
Critical infrastructure organizations in industries ranging from energy to financial services must
navigate additional government regulations, closer industry coordination, and heightened risk
profiles—all of which create more cost and complexity.
However, the definition of “critical infrastructure” 1
is often ambiguous and at best evolving. For
example, US presidents have redefined critical infrastructure every two-and-a-half years between 1998
and 2013, and the United Kingdom is creating a new National Cyber Security Centre designed, in part,
to protect critical infrastructure. 2
Clearly, governments’ understanding of critical infrastructure is likely to further expand as more
industries embrace digitization in the form of Internet-connected products, autonomous machines,
automated business processes, etc., and as the implications on public security, health, and safety
become clearer.
For example, consider the following scenarios:
■■ An attacker inserts malicious code into self-driving cars via an over-the-air update to launch
coordinated car crashes, resulting in significant loss of life and injury.
■■ An attacker modifies metadata in a major foodstuff company’s automated manufacturing process
such that customers receive tainted food nationwide.
■■ An attacker gains remote access to a national network of Internet-enabled thermostats to disable
air-conditioning during a heatwave, resulting in loss of life on a national scale.
These examples aren’t just limited to the auto, foodstuff, and household appliance industries. Broader
use of technology transcends most industries, paving the way for additional threats to national
security, economic security, and personal safety—all grounds for reclassifying industries as critical
infrastructure.
Three Implications to Prepare For
Being reclassified as critical infrastructure will force new-in-kind activities on information security
functions and their organizations. Here are three implications to prepare for today.
Figure 6: Frequency of Change in
Critical Infrastructure Definition
Illustrative
Work with industry peers to define product security standards at the industry level.
Identify and mitigate potential ecosystem risks that affect products and services.
1
The US Department of Homeland Security currently defines 16 sectors that compose the “assets, systems, and
networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would
have a debilitating effect on security, national economic security, national public health or safety, or any combination
thereof.”
2
Government Communications Headquarters, Prospectus: Introducing the National Cyber Security Centre, 25 May 2016,
https://www.gov.uk/government/publications/national-cyber-security-centre-prospectus.
Implication How to Prepare
New-in-Kind
Regulations
Expect new government regulations and standards as critical infrastructure is
reclassified and threats evolve. Consider lobbying to move government action and
regulations in a productive direction.
Industry-Wide
Ecosystem
Risks
Begin identifying industry-wide risks that affect products and services in shared
ecosystems, and prepare for mandatory, industry-wide security testing. Work with
industry groups to set and communicate shared product security standards now to
avoid leaving a gap that government regulators may try to fill.
Expansion
of Fiduciary
Duties
Anticipate an expansion of the board’s fiduciary duties, and think through how
this might affect the CISO’s role and the information security function’s mandate.
Network with CISOs at organizations already classified as critical infrastructure
to better understand and prepare for challenges on the horizon.
United States presidents
redefined critical
infrastructure every 2.5 years
between 1998 and 2013.
ƒƒ Research: Preparing Your
Organization for Cyber Crises
ƒƒ Tool: CEB Ignition™ Guide to
Building a Cyber Crisis Testing
Program
ƒƒ Infographic: Understanding the
Digital Landscape
“If we fail to get ahead of the Internet
of Things as an industry, then the
government is going to lay down
prescriptive regulations for us. We
need to come together as an industry
to take the lead in figuring out how
to manage the cyber risks that will
soon affect automobile technologies.”
John Bingham
CISO
Delphi Automotive PLC
“I firmly believe that Information
Security’s focus will soon increase
from enterprise systems to physical
systems. With this, we’ll see an
expansion of risk from traditional
data loss and denial of service to
harm to physical infrastructures that
could impact personal safety. We
have to prepare now for this future.”
Mike Papay
CISO
Northrop Grumman Corporation

7. Advocate a Consumer-Centric Approach
to Product Security
Until recently, consumers have valued the information security of products they use less than other
product characteristics. 1
But this is about to change as the outcomes of cybersecurity attacks start
to shift from low-cost annoyances to life-changing events. For example, it’s already been shown that
perpetrators can remotely take control of a car, manipulate a patient’s pacemaker, or take over a home
security system—scenarios made possible by network connectivity of everyday objects. Next year could
be the year of a large-scale trigger event, such as a remote hijacking of a plane, which could put product
security into the spotlight. This will result in organizations seeing products’ security factor in more
strongly into consumers’ purchasing decisions. 2
Consumers’ shifting expectations regarding product security require organizations to factor in
consumers’ appetite for risk as an input into their strategic decision making more directly. Information
Security is uniquely positioned to help business partners see this shift and prepare for it based on its
experience conducting risk assessments, technical expertise, and knowledge of products’ security
controls. Information security functions can work with marketing and product development teams,
drawing on their knowledge of consumer behaviors, to clarify potential implications of consumers’
changing security preferences and enable business partners to potentially recalibrate their overall
risk appetite.
Assist Business Partners in Recalibrating Their Risk Appetite
■■ Inform business partners of the potential implications of shifting consumer attitudes
toward product security. Information Security needs to impress upon its business partners
that consumers’ growing emphasis on product security can have strategic implications for the
enterprise. Whereas before a change in consumers’ risk appetite translated into changes to
existing controls, today it can affect business strategy. For example, patients becoming more
concerned with an attack that holds their medical information for ransom could necessitate
a medical device company to significantly alter a product’s design, like changing the way it
transmits or stores data.
■■ Help clarify consumers’ security trade-off decisions. To assess consumers’ risk appetite,
organizations need to understand product security trade-offs consumers are willing to make.
By contributing its technical expertise, Information Security can aid marketing and product
development teams (functions that conduct consumer behavior research) in analyzing when
consumers choose to sacrifice product security for features like connectivity to other products
or ease of access. This analysis will allow business partners to better understand consumers’
risk appetite.
■■ Set consumers’ risk appetite as the upper bound of the enterprise risk appetite. When
recalibrating the business risk appetite, Information Security can ensure that consumers’ risk
appetite remains the upper bound. In most cases, the business may want to more closely align
with the risk appetite of its consumers but remain more risk averse due to regulation and the high
impact of potential loss events.
■■ Evaluate implications of a potential change in the enterprise risk appetite. To make
educated decisions on changing the risk appetite for the organization, business leaders require
information on potential implications. Information Security’s experience conducting risk
assessments will enable the function to lead an effort to more robustly evaluate risk introduced by
business decisions with input from business leaders.
Figure 7: Top Three Emerging
Enterprise Risks
Ratings by Overall Risk Score and
Frequency
Work with ERM to establish and communicate an organization-level risk appetite,
which will be compared to consumers’ appetite for risk.
Identify key business leaders who make risk appetite decisions for the organization.
Coordinate reporting risk taxonomies and measurement scales to more effectively
measure risk implications of potentially changing the organization’s risk appetite.
“We work hard to balance the
friction between security needs
and consumer preferences. Security
brings this friction to light by closely
collaborating with business teams
to help ensure risk-informed and
balanced business decisions are
made.”
Jim Gottsacker
Information Security Officer
State Farm
1
Underwriters Laboratories, The 2012 Product Mindset, Quality Insider, 7 December 2012, http://www.qualitydigest.
com/inside/quality-insider-article/2012-product-mindset.html.
2
Deloitte, Executives Underestimate Importance of Security, Privacy to Consumers, Wall Street Journal, 22 April 2015,
http://deloitte.wsj.com/riskandcompliance/2015/04/22/executives-underestimate-importance-of-security-privacy-to-
consumers/.
ƒƒ Research: Executive Guidance:
Reducing Risk Management’s
Organizational Drag
ƒƒ Tool: Risk Appetite Learning Tool
ƒƒ Topic Center: Risk Management
and Assessment
Rank
1
2
3
Q1 2016 Q2 2016 Q3 2016
Business Quarter
Evolving Customer
Expectations
Unpredictable
Political Landscape
Technical
Disruption
Vendor
Relationship
Management
Strategic Change
Management

8. Establish a Formal Bug Bounty Program
Hackers are always finding new ways to exploit vulnerabilities for financial gain. Today, more than 80%
of data breaches have a financial motive (Figure 8). 1
As more and more companies introduce digital
products and services—all prone to software vulnerabilities—the number of potential targets will rise
exponentially. In fact, the past 12–18 months have already witnessed a proliferation of sophisticated
monetization strategies targeting consumer products and services that go beyond traditional data theft
or even ransomware. Take for example the following:
■■ “Hacktivist investing”: In August 2016, the security firm MedSec demonstrated that it was
possible to make a profit by short selling a target company’s stock and then publicizing discovery
of vulnerabilities in its products or services in such a way as to maximize market unease. 2
■■ “Bug poaching”: In May 2016, IBM reported a series of incidents in which hackers exploited
unknown vulnerabilities to steal data from organizations and then used the stolen data to
blackmail those organizations into purchasing information on the vulnerabilities. 3
No amount of investment in product security or penetration testing can eliminate software
vulnerabilities entirely. Therefore, CISOs need to build new capabilities to detect latent vulnerabilities
once their products reach the market and to remediate them before they pose a real threat. Bug bounty
programs can help CISOs do just that.
The Logic of Establishing a Bug Bounty Program
Bug bounty programs, (i.e., rewarding hackers or researchers for reporting vulnerabilities) have been
standard practice at large tech firms for at least a decade. In the future, bug bounty programs will
likely become a more attractive tool for a broader range of companies exploring new digital offerings.
The goal is to transform the same hackers and researchers who might otherwise pose a threat to your
organization into an effective vulnerability detection mechanism. 4
Bug bounties can help CISOs accomplish two key objectives:
■■ Maximize the chances of identifying vulnerabilities. Bug bounty programs allow organizations
to effectively crowdsource their penetration testing. More eyes searching for critical
vulnerabilities translates to greater likelihood that they’re identified and remediated before
being exploited.
■■ Neutralize the economic incentives to commit cyber crime. CISOs need to recognize that
their attackers are rational actors and that most cyber crime is driven by financial incentives. By
offering hackers and researchers a low-risk, legitimate way to monetize their skills, organizations
can provide mutually beneficial, financial alternatives to those who might otherwise sell
vulnerabilities on the Dark Web or engage in illicit activities themselves.
Hackers will never stop looking for vulnerabilities. But with a small investment in a bug bounty
program, CISOs can refocus a portion of malicious activity into an early vulnerability detection
mechanism.
Figure 8: Rise of Financially Motivated
Cyber Crime
Source: CEB analysis; Verizon, 2016 Data Breach
Investigation Report, 2016, http://www.
verizonenterprise.com/verizon-insights-lab/
dbir/2016/.
Evaluate your organization’s ability to remediate reported vulnerabilities in customer-
facing products and services.
Network with peers who already manage bug bounty programs to identify
implementation tips and tricks.
Communicate your bug bounty program to appropriate researchers and hacking
communities.
“We have 40 engineers on staff
whose sole job is to break software.
But opening up your code to the
research community provides
you with a very different, very
rigorous kind of test. In that sense,
bug bounties are something
organizations should consider.”
Roland Cloutier
VP and CSO
ADP
“We did it because our overriding
concern in everything we do is to
ensure our customers’ information
is well secured and that their private
data is in good hands with us.”
Arlan McMillan
CISO
United Airlines 5
1
Verizon, 2016 Data Breach Investigation Report, 2016, http://www.verizonenterprise.com/verizon-insights-lab/
dbir/2016/.
2
Jim Finkle and Dan Burns, “St. Jude Stock Shorted on Heart Device Hacking Fears; Shares Drop,” Reuters, 25 August
2016, http://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV.
3
John Kuhn, “Bug Poaching: A New Extortion Tactic Targeting Enterprises,” SecurityIntelligence, 27 May 2016, https://
securityintelligence.com/bug-poaching-a-new-extortion-tactic-targeting-enterprises/.
4
Aidan Knowles, “How Black Hats and White Hats Collaborate to be Successful,” SecurityIntellignece, 4 May 2016,
https://securityintelligence.com/how-black-hats-and-white-hats-collaborate-to-be-successful/.
5
Steven Melendez, “As Airlines Digitize, They Are Confronted With Increased Cybersecurity Risks,” Fast Company, 11
October 2016, https://www.fastcompany.com/3063252/mind-and-machine/as-airlines-digitize-they-are-confronted-
with-increased-cybersecurity-risks.
ƒƒ Research: Preparing Your
Organization for Cyber Crises
ƒƒ Topic Center: BCP/DR and Incident
Response
0%
50%
100%
2013 2014 2015 2016
(Projected)
75%
24%
77%
22%
80%
19%
83%
16%
Financially Motivated
State-Sponsored Espionage

9. Focus Fourth-Party Risk Management on
Detection and Response
With organizations operating in increasingly complex vendor ecosystems, most CISOs recognize
that fourth parties pose significant risks. However, given limited resources and the need to prioritize
effective third-party risk management, fourth parties often receive little more than due diligence or
go unaddressed altogether. The sheer number of fourth parties each organization would have to keep
track of makes effective risk management a daunting proposition. Rather than investing in fourth-party
breach prevention efforts that are likely to fail, organizations should focus on fourth-party breach
detection and response so they can mitigate damages from and address the unique challenges of a
fourth-party breach once one inevitably occurs.
When mobilizing the organization against fourth-party breaches, there are three unique challenges
that CISOs must overcome to ensure effective detection and response:
■■ Fourth-party breaches are hard to detect. Since organizations do not directly work with fourth
parties, they often don’t receive timely notification of fourth-party breaches affecting their data.
■■ Fourth parties have no legal obligation to work with enterprises during breach situations.
Fourth parties are not legally bound to work with companies with whom they do not have
contracts (Figure 9).
■■ Fourth parties tend to prioritize supporting only their key clients during breaches. When
breaches occur, fourth parties will tend to support clients with the largest contracts or long-
standing relationships.
To address these challenges, CISOs can take the following key steps to prepare for fourth-party
breaches:
■■ Identify the organization’s highest-risk fourth parties. Work with the organization’s third
parties to identify the fourth parties to whom they subcontract. Focus on fourth parties that
present the highest risk to the organization (Figure 10).
■■ Implement lightweight approaches to monitor select fourth parties. To lower the burden of
fourth-party risk management on the organization, monitor high-risk fourth parties with low-
effort strategies to enable the quick detection of breaches. For example, third-party monitoring
services, such as BitSight, provide solutions for monitoring fourth parties and detecting fourth-
party breaches on the organization’s behalf.
■■ Create and implement fourth-party risk scenarios into the cyber crisis testing portfolio.
Integrate fourth-party breach scenarios into your organization’s crisis management planning,
and conduct crisis exercises with key members of your information security, legal, and privacy
teams. Where possible, conduct joint crisis exercises with one or more third parties to improve
your ability to coordinate response efforts and minimize the potential damage from a fourth-party
breach.
■■ Highlight fourth-party risks to senior executives. Since most of the participants in the fourth-
party risk scenarios are business and functional leaders as well as senior executives, who are just
starting to learn about third-party risk, Information Security will need to educate them on fourth-
party risk to get their support.
Figure 9: Organizations’ Lack of
Confidence in Fourth-Party Breach
Disclosure
Figure 10: High-Risk Fourth Parties
Include clauses in third-party contracts to hold fourth parties liable for handling the
organization’s data.
Assess the information security function’s capability to monitor fourth parties.
“We can put the contractual
measures in place to be legally
protected against a fourth-party
breach. However, to be prepared
and mitigate potential reputation
damage, we need to create a fourth-
party risk scenario that involves all
parties to be able to quickly respond
in a breach situation.”
Patrick McGuinness
SVP, Technology Governance, Risk,
and Compliance
Starwood Hotels
73% of organizations do not
believe a fourth party would
notify them during a breach.
Source: Ponemon Institute, Data Risk in the Third-Party
Ecosystem, 2016, http://www.buckleysandler.
com/uploads/1082/doc/Data_Risk_in_the_
Third_Party_Ecosystem_BuckleySandler_LLP_
and_Treliant_R....pdf.
ƒƒ Research: Third-Party Risk
Management in the Modern
Enterprise
ƒƒ Topic Center: Third-Party Risk
Assessments
Building a Cyber Crisis Testing
Program
Developing a Security Incident
Response Plan
ƒƒ Fourth parties that have access
to the organization’s sensitive or
critical data
ƒƒ Fourth parties that are commonly
used by third parties and present
centralized risk
ƒƒ Fourth parties that help operate
important activities in the supply
chain

10. Anticipate Instability Among Large
Cybersecurity Vendors
In the past, products from large cybersecurity vendors with revenue over $500 million, (e.g., FireEye,
McAfee, Symantec) seemed like safe bets relative to volatile startup vendors. Large vendors often
offer proven technologies with large client bases, robust customer support, implementation-friendly
configurations, and the promise of incremental updates over time.
Unfortunately, this stability may deteriorate. In fact, evidence suggests it already has (Figure 11).
The Driver of Vendor Instability: A Changing Threat Landscape
Large vendor offerings’ effectiveness can quickly diminish with fast changes in the threat landscape.
Although the threat landscape has always evolved, attackers have used remarkably more-creative
monetization strategies in the past year that bypass mature technologies. These shifts can render
existing tools less useful and leave Information Security scrambling to find replacement tools or other
mitigating controls.
Evidence of More Instability on the Horizon
Recent news from large vendors signals deeper changes in the business and threat environment that
will cause even more instability in the near future.
Figure 11: Signs of Instability Among
Large Cybersecurity Vendors
Recent News Headlines
Monitor disruptive events among your cybersecurity vendors, including MA activity
and leadership transitions.
Rethink assumptions about the effectiveness of mature cybersecurity vendor
technologies.
Consider startup cybersecurity vendors when identifying new technology purchases.
“I could see companies bringing in
more stand-alone, emerging tools
and loosely integrating them into
their environments, especially if
mature security technologies decline
in effectiveness.”
Jim Gottsacker
VP and CISO
State Farm Insurance
Source: https://www.fireeye.com/company/
leadership.html; https://www.symantec.
com/about/newsroom/press-releases/2016/
symantec_0801_01; http://www.forbes.com/
sites/antoinegara/2016/09/08/tpg-makes-a-
big-cyber-security-bet-on-mcafee-as-intel-
refocuses-under-ceo-krzanich/#69c512d41d06;
http://www.businessinsider.com/intel-spins-off-
mcafee-2016-9; http://www.reuters.com/article/
us-fireeye-results-idUSKCN10F2HD.
In the News What It Means
CEO Turnover Faster Innovation, New Strategies: Large vendors (e.g., McAfee, FireEye,
Symantec) have new CEOs who are likely to push faster innovation, new products,
and strategic shifts that affect existing customers. CEOs may be faster to cut
losses, leaving customers to replace unsupported technologies.
MA Activity Compressed Product Lifecycles: Large vendors, including Symantec and IBM,
are acquiring emerging technologies to advance growth—a strategy that renders
existing products obsolete more quickly. Technology retirement schedules may
compress, and information security roadmaps will likely face greater uncertainty.
Two Ways to Brace for More Instability Among Large Vendors
Information security functions can prepare today for increasing volatility among large cybersecurity
vendors:
■■ Resign yourself to continuous integration of tools. Security can no longer expect effective
tools to come packaged in tightly integrated suites. In fact, full tool integration itself is no longer
a realistic goal; technologies will change at a rate such that there are never periods of technology
stability. Integration will become a continuous process of improvement with no start date,
completion date, or defined end state.
■■ Rethink your vendor cost–benefit calculus. Mature cybersecurity vendors’ declining
effectiveness may shift vendor cost–benefit analyses in favor of relying on smaller, less mature
vendors for innovative products and services. If instability among mature vendors persists—while
their offerings remain just as expensive—it may make more sense to explore the benefits of startup
technologies before their own success inevitably renders them less effective as they mature.
Note: Last year, we outlined the benefits of being a laggard in new technology adoption (2016 Security
Outlook, p. 10). This is an important reminder that technology adoption decisions are nuanced.
Essential considerations include the following:
■■ Adopting bleeding-edge technologies typically requires a large, highly skilled team. Security
functions without these resources may not fully realize the benefits of some emerging technologies.
■■ Bleeding-edge technologies are not a substitute for diligent security controls hygiene. Security
functions may rightfully elect to be a technology laggard and focus more resources on improving
controls hygiene.Recommended CEB Resources
ƒƒ Blog Post: Lessons from FireEye’s
Fall from Grace
ƒƒ Infographic: Emerging Technology
Roadmap 2015–2018
ƒƒ White Paper: Prioritize Financial
Viability and MA Likelihood in
Security Vendor Selection (p. 9)
News
FireEye Welcomes New CEO
June 2016
Symantec Purchases Blue
Coat, Inherits New CEO
Aug. 2016
Intel Spins off McAfee,
Announces New CEO
May 2016
FireEye Plans 10%
Workforce Reduction
Aug. 2016

© 2016 CEB. All rights reserved. IREC165473PR cebglobal.com
Contact Us to Learn More
Phone: +1-866-913-8101
E-Mail: InformationRisk.Support@cebglobal.com
Web: cebglobal.com/information-risk
About CEB
CEB is a best practice insight and technology company. In partnership with
leading organizations around the globe, we develop innovative solutions to drive
corporate performance. CEB equips leaders at more than 10,000 companies with
the intelligence to effectively manage talent, customers, and operations. CEB is a
trusted partner to nearly 90% of the Fortune 500 and FTSE 100, and more than
70% of the Dow Jones Asian Titans. More at cebglobal.com.

IREC165473PR RP 2017 Security Outlook

More Related Content

What's hot

Viewers also liked

Similar to IREC165473PR RP 2017 Security Outlook

IREC165473PR RP 2017 Security Outlook