Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst

878 views

What kept your CISO up last night? What market forces and threats are most impactful to your peers? How will these shape the future of enterprise security? Bill Burns, Informatica CISO and former Scale Venture Partners Executive-in-Residence, formed an InfoSec investment thesis by combining his 20+ years of domain expertise with over 100 CISO peer interviews and online survey responses. In this session Bill will share his results and perspectives on what's ahead for practical enterprise security.

Published in: Technology

  1. ScaleVP CISO Research: Investing in Information Security
     Bill Burns, CISO
  2. Today’s Goals
     • What trends affect your security program?
     • What are other CISOs doing about them?
     • What should you focus on going forward?
     Public 2
  3. Who and Why am I here?
     • Goal: Invest in InfoSec, share back to security community
     • Background in Security @ scale
       – Co-developed Amazon CloudHSM for IaaS hardware roots of trust
       – Deployed one of the largest distributed, hybrid cloud WAFs
       – Corporate IT “all-cloud”, mobile-first security strategy
       – Public Root CAs, PKIs
     • Active advisor: RSA Conference Committee, ISSA CISO Forum, ISSA CISO Career Lifecycle, Startup Technical Advisory Boards
     • Previously:
  4. ABOUT THE SURVEY (Survey Results: InfoSec Organizational Structure)
  5. Research Methodology
     1. Scale Venture Partners: 35-question survey
     2. In-person interviews: 22 peer CISOs, across 15 industries
     3. Expanded survey via Wisegate: total data set n=102
     4. Only small variations between both datasets
     5. Not statistically rigorous; margin of error = +/-7% @ 90% confidence
  6. Demographics – Reporting Structure
     Who does the Security Lead / CISO report to? CRO/Risk 10%; CIO 63%; CFO 7%; CEO/President 5%; Legal/Privacy 4%; Other 11%
     Other: COO, CTO, Managing Director, EVP, Strategy
     Impacts budget approval, project prioritization, implementation friction
  7. How is Security Organized within your company?
     Centralized 55%; By LoB 5%; Hybrid 37%; Other 3%
     Impact to project approval, implementation processes, ability to execute
  8. Who handles operational security tasks?
     Security Dept 46%; Exclusively Other Teams 18%; Shared 36%
     Examples: firewall rules and maintenance; system patching; vulnerability scanning; configuration management
     Impact to budget approval, implementation processes, operational ownership, mean time to resolution
  9. HOW DID WE GET HERE? Top Trends: Where are we headed?
  10. Security Forcing Functions – Mobility & BYOD
      Smartphones: 58%; Tablets: 42% [1]
      By 2017, 50% of employers will require you to BYOD for work. [2]
      By 2018, 25% of enterprise traffic will flow directly mobile-to-cloud. [3]
      Sources: (1) Pew Research, Jan 2014; (2) Gartner, May 2013; (3) Nov 2013
  11. Security Forcing Function – Cloud-IaaS
      • Clouds are compelling for businesses, hard for old security controls to match pace
      • AWS example:
        – ~Quadrupled # of services in past 4 years
        – Reduced pricing 42 times in 8 years as they age equipment out
      [Chart, source AWS: Total Amazon Elastic Map Reduce (EMR) clusters launched by customers, 5/2010 to 10/2012; 3.7M clusters launched since May 2010]
      [Chart, source AWS: Amazon S3 total objects, Q4 2006 to Q2 2012; 1.3 trillion total objects, 835,000 peak requests/sec]
  12. Even Security Products Are Embracing Cloud Services
      [Chart: Global Cloud-Based Security Forecast, 2010 to 2017]
      [Chart: Cloud security services consumed over the next 12 months (% of respondents, 18% to 27% per service): Email security services; Web security services; Website protection (fraud, DoS); Application security testing; Identity and access management; Security intelligence engines; Vulnerability assessment services; Web application firewall as a service; SIEM as a service; Tokenization/encryption as a service]
  13. WHAT DID WE LEARN? Survey Results
  14. What did we learn?
      • Cloud usage at companies falls into three buckets. Which describes yours?
        – Cloud Always: New companies. Born with the Cloud. No desire for on-prem infrastructure.
        – Cloud First: Existing companies. Pick Cloud-based alternatives first.
        – Cloud Cautious: Laggards or heavily-regulated. See the benefits in limited use cases.
  15. What did we learn? For CISOs:
      • Cloud, Mobility and Compliance put pressure on their security programs
  16. CISOs: Externalities and Forcing Functions
      Q: “What top trends most/least affect your security program?”
      CISOs are most concerned about maintaining security and compliance while losing direct control of the underlying infrastructure.
      [Chart: sum of “most affects” vs. “least affects” responses per trend: Agile/DevOps; BYOD; Consumerization of IT / Shadow IT; Increased regs or compliance; Mobile/IoT; IT Automation / API-level integrations; Mobility (smartphones and tablets); Cloud-SaaS; Ubiquitous Internet Access; Cloud-IaaS; Weaponization of the Internet / State-sponsored espionage; Work / Life Integration]
  17. What did we learn? For CISOs:
      • Cloud, Mobility and Compliance put pressure on their security programs
      • Their top concerns are growing…
  18. CISOs: What kept you up last night? (Q: “What are your top 3 risks right now?”)
  19. CISOs: What kept you up last night? (Q: “What are your top 3 risks right now?”)
      Leading responses: Malware Outbreak 16%; Breach of sensitive information 16%; Malicious Outsider Threat 8%; Malicious Insider Threat 6%; Advanced Persistent Threats 5%; BYOD Management & Security 5%
      Top 20: Malware Outbreak; Breach of sensitive information; Malicious Outsider Threat; Malicious Insider Threat; Advanced Persistent Threats; BYOD Management & Security; Social Engineering; Privacy & Regulatory Compliance; Identity Management; Threat & Vulnerability Management; 3rd Party / Supply Chain Security; End User Training; Asset Management; Cloud Security; IT Continuity; People Security; Server security; Cyber Threat Intelligence; Governance; Insider Unintentional threat
  20. Priority Programs based on risk, business alignment, maturity, cost
      [Chart, priorities 1/2/3 per approach: I decide based on how much money we have in our budget; I look at what parts of the program we need to mature; I look at changes to our business strategy; I use a risk-based approach]
  21. Top risks are growing for my company
      [Chart: Top Risk #1, #2, #3; GROWING vs. SHRINKING for your company]
  22. Top risks are growing for my industry, but even more!
      [Chart: Top Risk #1, #2, #3; GROWING vs. SHRINKING for your industry]
  23. What did we learn? For CISOs:
      • Cloud, Mobility and Compliance put pressure on their security programs
      • Their top concerns are growing, but
      • They aren’t confident in their current controls …
  24. Q: How confident are you that your current controls are working? A: Slightly more than 50% (sad face)
      [Chart: confidence, 0% to 100%, for Top Risk #1, #2, #3]
  25. What did we learn? For CISOs:
      • Cloud, Mobility and Compliance put pressure on their security programs
      • Their top concerns are growing, but
      • They lack confidence in their current controls, and
      • They struggle to measure impact on the business
  26. Lack of Metrics, Unable to Map to Business Impact
      Q: Do you have metrics to track your top risks? A: Half do NOT have metrics (!)
      [Chart: Yes vs. No, 0% to 60%, for Top Risk #1, #2, #3]
  27. WHAT ARE THEY PLANNING TO DO ABOUT IT? Survey Results
  28. Protecting Corporate Data – At Every Enforcement Point
      Data-centric controls to protect enterprise information are hot: the most desired control for any enforcement point. As IT hands off infrastructure control, CISOs focus on the data. Shared risk models are a nod to the expanding universe of user devices and the dissolving enterprise perimeter.
  29. Endpoint Security Controls
      [Chart, priorities 1/2/3 per control: (Consumer) Patching, field upgrades; Sandboxing / Containerization (Enterprise/Consumer); Incident Response Automation, Orchestration; Information protection and control; Enterprise endpoint management (proactive, reactive); Server Security; Anti-malware]
  30. Mobile/IoT Security Controls
      [Chart, priorities 1/2/3 per control: Enterprise endpoint / App / Security Posture management; Vulnerability Management; Threat management; Information protection and control (DLP, tracking, masking, encryption)]
  31. Messaging, Collaboration, File Sync/Sharing Security Controls
      [Chart, priorities 1/2/3 per control: Information protection and control (DLP, tracking, masking, encryption); Antispam / Antiphishing / Brand Reputation; Antivirus / Antimalware; Encryption / Encryption Key Management; Social Media / Social Networks; Content filtering]
  32. Infrastructure Security Controls
      [Chart, priorities 1/2/3 per control: Encryption / Encryption Key Management; Web application firewall; Database Firewall / Activity Monitoring; Sandboxing / Process isolation lightweight containers; Information protection and control (DLP, tracking, masking, encryption)]
  33. 4. Automate All the Things
      CISOs want automation and orchestration to manage point-solution sprawl.
      APIs: Three-quarters of CISOs are building or integrating solutions to address their top risks.
  34. Q: Did you need to build something custom to address it? A: Yes, we had to build something to address our top risks.
      [Chart: 0% to 100% for Top Risk #1, #2, #3]
  35. 4. Automate All the Things
      Anecdotes:
      • “I’m always adding new controls, I can’t turn anything off!”
      • “When tool X finds something wrong, why can’t system Y apply a fix or contain the risk?”
      • “I can’t afford to keep adding staff to monitor GUIs and consoles. Why can’t tools automate this?”
  36. SURPRISES AND OPEN QUESTIONS: What did we learn?
  37. Agile/DevOps: Equally impactful and not impactful (Top Forcing Functions)
  38. Are APT and State-Sponsored Espionage a top concern? As a top forcing function: No. Versus, as a top risk: Yes (Advanced Persistent Threats 5%)
  39. Long-tail of individual “top concerns” (Top Risks, Categorized)
  40. Network Security Controls – don’t address top externalities
      [Chart, priority 1 per control (0% to 30%): Software-Defined Networking & Security Automation; Network Admission Control; Firewall; Unified threat management (UTM); Intrusion detection and prevention; Cloud Service Brokers / Cloud Application Gateways]
  41. …But implementing Cloud gateways would
      [Chart, priority 1 per control (0% to 30%): Software-Defined Networking & Security Automation; Network Admission Control; Firewall; Unified threat management (UTM); Intrusion detection and prevention; Cloud Service Brokers / Cloud Application Gateways]
  42. IAM – Still biased towards basic controls
      [Chart, priorities 1/2/3 per control: Converged physical / logical security; PKI, Digital Certificates; Social Media Identity Management; User provisioning and identity management, especially Cloud, SaaS, social media; Web SSO (includes federation); Risk-, behavior-, context-based authentication, authorization; Advanced authentication & identification schemes]
  43. Incident Response – Need actionable data, not more feeds
      [Chart, priorities 1/2 per control: Threat Feeds, Intelligence, Sharing; Forensics and incident investigation (includes "Mandiant In A Box"); Incident Response Automation, Orchestration; Proactive detection, automated / real-time response]
  44. INSIGHTS – CALL TO ACTION: Information Security Market
  45. Insights & Calls to Action
      1. IT handing off infrastructure control of endpoints and networks
         – Shared risk requires *aaS vendors to have security and auditability as core features
         – Authentication and Data become the new perimeters; controls move closer to data
         – User endpoints are the typical attack vector; focus on intel, orchestration, encrypt/wipe
         – Build “right to audit” and security best practices into your partner agreements; test them
      2. Predictive, behavioral analytics become standard security features
         – Broad, horizontal function applicable everywhere (logs, app execution, network)
         – Potential to increase confidence, faster remediation, lower false positives
         – Early market, room for maturity. Start building simple metrics to measure efficacy.
  46. Insights & Calls to Action
      3. Teams embrace automation, SecDevOps, cloud security services
         – Integrating security into dev workflows improves visibility, consistency, efficacy
         – Security products will offload compute, storage to cloud to keep up with attackers
         – Buy/build products based on APIs not GUIs, data interoperability
         – Worry less about threat feeds, focus on incident response and automation
      4. Virtuous cycle: focus on improving your security program maturity
         – Mature security programs have more confidence in their controls
         – Measurability leads to better insights, confidence, prioritization
      5. CISOs, exec mgmt, Boards need broad security metrics, risk insights
         – Aggregate your security point solutions to build holistic risk scores
         – Identify, create metrics that show security program’s impact on business
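Items 4 and 5 above, together with the metrics gap on slide 26 (half of CISOs have no metrics for their top risks), amount to a concrete engineering task: pull findings out of each point solution, normalize them onto the program's ranked top risks, and derive both per-risk metrics and one aggregate score. The Python below is an added illustration of that aggregation; it is not code from the deck, from ScaleVP or from Wisegate. The three tool exports, the asset criticality table, the SLA thresholds and the risk weights are all constructed, hypothetical inputs; the top-risk names are taken from the survey's top-20 list.

```python
"""Aggregate findings from several point solutions into per-risk metrics and a
holistic risk score. Added illustration only; tool exports, schemas, weights
and SLAs below are constructed and hypothetical."""
from dataclasses import dataclass

# Constructed sample exports from three hypothetical point solutions, each
# in its own native schema (this is the "point solution sprawl" to tame).
VULN_SCANNER = [  # host, CVSS base score, days the finding has been open
    {"host": "web-01", "cvss": 9.8, "days_open": 45},
    {"host": "web-01", "cvss": 5.3, "days_open": 3},
    {"host": "db-01", "cvss": 7.5, "days_open": 20},
]
ENDPOINT_AV = [  # host, console verdict, days since detection
    {"host": "laptop-17", "verdict": "quarantined", "days_open": 1},
    {"host": "laptop-22", "verdict": "active", "days_open": 6},
]
DLP_EVENTS = [  # host, data classification of the event, days open
    {"host": "laptop-22", "classification": "confidential", "days_open": 12},
]

# Hypothetical asset criticality (1.0 = crown jewel); normally from a CMDB.
ASSET_CRITICALITY = {"web-01": 0.8, "db-01": 1.0, "laptop-17": 0.3, "laptop-22": 0.3}

# Hypothetical weights for the program's Top Risk #1..#3 and the remediation
# SLA (days) the program has set for each; names come from the survey list.
TOP_RISK_WEIGHTS = {"Malware Outbreak": 0.4,
                    "Breach of sensitive information": 0.4,
                    "Threat & Vulnerability Management": 0.2}
SLA_DAYS = {"Malware Outbreak": 2,
            "Breach of sensitive information": 7,
            "Threat & Vulnerability Management": 30}


@dataclass
class Finding:
    tool: str
    asset: str
    risk: str        # one of the TOP_RISK_WEIGHTS keys
    severity: float  # normalized to 0..1 regardless of source tool
    days_open: int


def normalize() -> list:
    """Map each tool's native schema onto one common Finding record."""
    out = []
    for v in VULN_SCANNER:  # CVSS 0..10 -> 0..1
        out.append(Finding("scanner", v["host"], "Threat & Vulnerability Management",
                           v["cvss"] / 10.0, v["days_open"]))
    for a in ENDPOINT_AV:   # an active infection outranks a quarantined one
        sev = 1.0 if a["verdict"] == "active" else 0.2
        out.append(Finding("av", a["host"], "Malware Outbreak", sev, a["days_open"]))
    for d in DLP_EVENTS:    # classification drives severity
        sev = 0.9 if d["classification"] == "confidential" else 0.4
        out.append(Finding("dlp", d["host"], "Breach of sensitive information",
                           sev, d["days_open"]))
    return out


def risk_metrics(findings: list) -> dict:
    """Per top-risk metrics a board can follow over time: open findings,
    share past SLA, and exposure = sum(severity x asset criticality)."""
    m = {r: {"open": 0, "past_sla": 0, "exposure": 0.0} for r in TOP_RISK_WEIGHTS}
    for f in findings:
        row = m[f.risk]
        row["open"] += 1
        if f.days_open > SLA_DAYS[f.risk]:
            row["past_sla"] += 1
        row["exposure"] += f.severity * ASSET_CRITICALITY.get(f.asset, 0.5)
    for row in m.values():
        row["pct_past_sla"] = round(100 * row["past_sla"] / row["open"]) if row["open"] else 0
        row["exposure"] = round(row["exposure"], 2)
    return m


def holistic_score(metrics: dict) -> int:
    """0..100 aggregate: weighted per-risk exposure, with each category
    saturated at exposure 3.0 so one noisy feed cannot dominate the score."""
    score = 0.0
    for risk, weight in TOP_RISK_WEIGHTS.items():
        score += weight * min(1.0, metrics[risk]["exposure"] / 3.0)
    return round(100 * score)


if __name__ == "__main__":
    metrics = risk_metrics(normalize())
    for risk, row in metrics.items():
        print(f"{risk}: {row}")
    print("holistic score:", holistic_score(metrics))
```

The useful properties here are the ones the deck asks for: each metric is reproducible from tool data rather than from a GUI, the per-risk rows give the "are my top risks growing or shrinking" trend when run on a schedule, and the saturation cap keeps a chatty scanner from drowning out a single active endpoint infection. Replace the constructed exports with real API pulls and the hypothetical weights with the program's own risk ranking.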
  47. Insights & Calls to Action
      6. Future Look: Enterprise security controls respect user privacy
         – End users are becoming their own Chief Privacy and Security Officers.
         – Confluence of forces: Work/Life Integration, Mobility, BYOD, Privacy
         – Mutually beneficial: Users trust security teams to protect their BYOD, still protect corporate data
         – New class of vendors observing a personal/work separation in usage, flows
  48. Bill Burns | CISO | Informatica | BBurns@Informatica.com | @x509v3
      Thank you! Security-Research@ScaleVP.com
