Post on 05-Jun-2018
© 2017 FORRESTER. REPRODUCTION PROHIBITED.
We work with business and technology leaders to develop customer-obsessed strategies that drive growth.
Security Trends and Predictions: 2017 Demands a New Approach
Joseph Blankenship, Senior Analyst
February 10, 2017
Source: @malwareunicorn
Abandon all hope?
Security Trends: 2016 Was Another Turbulent Year For Cybersecurity
“Be careful what you wish for, you may receive it.” - W.W. Jacobs
We got what we wished for…
Cybersecurity is now a mainstream topic, and it’s not going away anytime soon.
Three industries accounted for 95% of all customer breached records in 2016:
› Technology 68%
› Government 16%
› Retail 11%
Source: see the “Lessons Learned From The World's Biggest Data Breaches And Privacy Abuses, 2016” Forrester report.
Hackers Compromised 1 Billion Records In Just 12 Months
Top Breached Records As A Percentage Of Worldwide Internet Users
Source: see the “Top Cybersecurity Threats In 2017” Forrester report.
53% of firms were breached in the past 12 months.
44% of Enterprise Firms Suffered 2+ Breaches in 2016
Authentication Credentials And Intellectual Property Are The Top Two Targets
In 2016, Our “Things” Turned Against Us
› Blogger Brian Krebs hit with a record DDoS attack starting on 9/20
› A botnet running on IoT devices – web cameras, printers, DVRs and routers – carried out the attack
› Average DDoS attack size predicted to grow to 1.2 Gbps by the end of 2017
Source: krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
www.forbes.com/sites/thomasbrewster/2016/09/25/brian-krebs-overwatch-ovh-smashed-by-largest-ddos-attacks-ever/#3f4504f46fb6
Arbor Networks Worldwide Infrastructure Security Report
Security leaders are concerned about IoT
54% are “concerned with the risk that IoT technologies could introduce” to their firm*
IoT Security Technologies Are Still Relatively Immature
Source: see the “TechRadar™: Internet Of Things Security, Q1 2017” Forrester report.
The Results of High-profile Cyberattacks on IT Security
Base: 3,588 Global Security Technology and Business Decision-makers from Enterprises with 1,000+ employees
Source: Forrester Business Technographics Global Security Survey, 2016
Identity and Authentication Management (IAM) Adoption Trends
Source: Understand The State Of Identity And Access Management: 2016 To 2017 Forrester report
Security's Share Of The IT Budget Continues Its Incredible Rise
Network Security Still Gets The Largest Budget Share
Source: Forrester’s Security Budgets 2017: Increases Help But Remain Reactionary report
The Cybersecurity Talent Gap Remains A Top Concern
› Security teams are understaffed
  • 62% of enterprises report not having enough security staff
› Finding the right skills is also a challenge
  • 65% of enterprises state finding employees with the right skills is a challenge
Source: Forrester Business Technographics Global Security 2016
Image: www.flickr.com/photos/dt10111/2901811351
Security Leaders Turning To Services
*Base: Global security decision-makers whose firms' IT department has a security budget (1,000+ employees)
**Base: 852 Global security decision-makers whose firms outsource infrastructure and security functions (1,000+ employees)
Source: Forrester’s Global Business Technographics Security Survey, 2014, 2015 & 2016
“Approximately what percent of your security budget is spent on security services?”*
2014 (N=1,172): 48%
2015 (N=1,354): 49%
2016 (N=1,358): 49%
The Enterprise Security Team Taking On More Customer Risk
Base: 1,543 to 1,550 Security decision-makers responsible for security activities (1,000+ employees)
Source: Forrester’s Global Business Technographics Security Survey, 2015 & 2016
“Which of the following activities are you and your team actively working on?”
Activity: 2015 / 2016 (YoY growth)
› Ensuring the security and privacy of customer data sold/exchanged to partners: 26% / 48% (+22%)
› Identifying new sources of data-driven revenue: 23% / 44% (+21%)
› Protecting data warehouses and other data repositories typically used in customer intelligence: 33% / 50% (+18%)
› Embedding security into your organization's end products or services: 31% / 47% (+16%)
› Enabling rapid adoption of new technologies and/or services to help acquire and maintain customers: 31% / 47% (+15%)
› Responding to breaches of customer PII in a responsible and timely way: 29% / 42% (+13%)
› Developing secure customer-facing mobile and web applications: 31% / 43% (+12%)
› API management and security: 34% / 45% (+10%)
› Managing the risks around social media engagement: 34% / 44% (+10%)
› Protecting our customers' personal information from privacy abuses: 45% / 54% (+10%)
› Authenticating customers across channels: 31% / 41% (+9%)
› Protecting our customers' personal information from cybercriminals and fraudsters: 45% / 52% (+7%)
Security Leaders Reporting Lines Shifting
Base: 2,121 security technology decision-makers (20+ employees) and 1,165 at enterprises (1,000+ employees)
Source: Forrester’s Global Business Technographics Security Survey 2016
“Into which department or office does the senior-most security decision-maker directly report?”
(columns in the legend's order: Enterprise / All)
› Cross-department steering committee: 3% / 3%
› Enterprise risk/CRO: 6% / 7%
› Board of directors: 11% / 10%
› CIO: 18% / 23%
› IT: 26% / 24%
› CEO/president: 33% / 32%
Last year, IT topped the list at 55% (57% for enterprises)!
Top 5 security priorities in 2016 compared with prioritization in 2015
Source: Understand The State Of Identity And Access Management: 2016 To 2017 Forrester report
2017 Predictions: Are things going to get better?
#1) External Threat Actors Diversify
› 2017 is different…
› Political climate is ripe for hacktivists and nation state actors
› 57% of .onion sites (a.k.a. the dark web) facilitate criminal activity*
› Because of the anonymity of cryptocurrency and accessibility of the dark web, anyone can learn how to become a cybercriminal
› Credentials, credit cards, PII, medical records, and IP are sold on the dark web
› Ransomware depends on cryptocurrency
Source: “Cryptopolitik and the Darknet,” Daniel Moore and Thomas Rid, Survival Vol. 58, Iss. 1, 2016
Action: Prepare for hacktivists, nation-states and ideologies looking to disrupt and degrade.
#2) Healthcare Breaches Will Become As Large And Common As Retail Breaches
Why?
• Healthcare/public sector only spends 23% of IT budget on security
• Lots of M&A in healthcare space
• Increasing value of patient data (PHI, biometrics, etc.)
• Ransomware trend in healthcare
“How much does your firm's Information/IT security spending for 2016 represent as a percentage of overall 2016 IT budget?”
› Media, entertainment, and leisure: 22%
› Public sector and healthcare: 23%
› Retail and wholesale: 24%
› Financial services and insurance: 24%
› Other: 26%
› Business services and construction: 27%
› Manufacturing: 27%
› Utilities and telecommunications: 35%
Base: 72-712 (depending on industry) security decision-makers (20+ employees)
Source: Forrester’s Global Business Technographics Security Survey, 2016
Action: Prioritize data protection for PHI and sensitive systems. Regularly back up systems to guard against ransomware.
#3) More than 500,000 IoT Devices Will Suffer A Compromise — Dwarfing Heartbleed
› 66% of security technology decision-makers at enterprise firms rate securing Internet of Things (IoT)/M2M within the enterprise as a high priority over the next year*
› Millions of consumer devices with no security, updates or patches have proved to be an effective channel of attack
Source: Forrester’s Global Business Technographics Security Survey, 2016
Action: Require quick remediation and fully automated, scripted security testing.
#4) The Talent Gap Will Force CISOs To Allocate 25% To External Expertise, Automation
› CISOs will turn to external services and automation tools for relief
› 25% spending includes security outsourcing, managed security services, security consultants and integrators, and security automation technologies
› Develop rules of engagement for automated response
Base: 1,632 security decision-makers (1,000+ employees)
Source: Forrester’s Global Business Technographics Security Survey, 2016
Action: Embrace automation and orchestration.
Unavailability of security employees with the right skills: Not a challenge 10%, Minor challenge 24%, Challenge 38%, Major challenge 27%
“What specific types of skills and experience are most needed in your organization today?”
› Risk management expertise: 33%
› Fraud management expertise: 37%
› Penetration testing: 39%
› Programming, scripting knowledge: 45%
› Application security: 46%
› Digital forensics and incident response: 46%
› Virtualization, cloud infrastructure expertise: 46%
› Malware analysis/reverse engineering: 48%
› Security operations: 48%
› Mobile security: 49%
Base: 1,064 security decision-makers who indicate unavailability of security employees with the right skills is a challenge for their firm (1,000+ employees)
Source: Forrester’s Global Business Technographics Security Survey, 2016
Base: 1,165 security technology decision-makers (1,000+ employees)
Source: Forrester’s Global Business Technographics Security Survey 2016
#5) The US President Entered Office In A Cybercrisis, And Will Face Many More
› Nation state involvement in US elections fosters a sense of distrust
› People could begin to lose faith in the integrity of global institutions
› We must lead the shift to a culture of security; protect customer and corporate data and reinstate inherent trust in our systems
Action: Identify the cybersecurity risks that have the biggest impact on your firm. Instill a culture of security in your staff and your users.
2017 Will Be A Heck Of A Ride
FORRESTER.COM
Thank you
Joseph Blankenship
www.forrester.com/Joseph-Blankenship
@infosec_jb