understanding the security buyer 2014 how to ... - cso...

How to Survive and Thrive in Turbulent Times

UNDERSTANDING THE SECURITY BUYER 2014

As security incidents become more prominent, CSOs need direction on how and where to focus efforts and resources through the height of the storm


Post on 24-May-2020


Page 1: UNDERSTANDING THE SECURITY BUYER 2014 How to ... - CSO Onlinemkting.csoonline.com/pdf/CSO_WP_FINAL.pdf · UNDERSTANDING THE SECURITY BUYER 2014, CSO PAGE 3 The growing number of security



Combine the explosive growth of inherently risky technologies such as mobile, security strategies strapped by regulatory and technical constraints, and a fragmented vendor market, and you end up with a security market that offers technology solutions that cannot keep up with the threats of tomorrow.

“The bottom line is that organizations are not doing security well,” says Bob Bragdon, publisher of CSO. “We are doing a good job at what we’re trying to do, but we’re trying to do the wrong things, and for the most part, it’s not the fault of security leaders.”

Existing security technologies and policies are simply not keeping pace with fast-evolving threats, and many experts mandate a wholesale change in companies’ fundamental security posture, from breach prevention to accurate incident response.

To do so, companies must do a better job of aligning security investments with business risk, says Bragdon. “Information security needs to continue to evolve into enterprise-level risk management to link security more closely to business impact.”

When it comes to information security, even Usain Bolt wouldn’t be able to stay ahead of the ever-changing security threat landscape.


The growing number of security breaches provides ample evidence of the need for change. According to the Global State of Information Security Survey 2014, a worldwide survey by CIO, CSO and PwC, security incidents last year increased 33%, even as new security practices were implemented. Average losses are up 23% over last year, and big liabilities are increasing faster than smaller losses. The number of respondents reporting losses of $10 million-plus is up 75% from 2011.

Not surprisingly, change will not be easy, particularly given the complex dynamics governing buyer actions, technology growth, and vendor market changes. The following issues will significantly impact how security vendors should focus their efforts in the coming 12 months.

Security Buyer Challenges

Security investments at many companies are affected by a host of issues that range from poor assessment to budget limitations despite increasing budgets.

• Companies look at their information security practices through rose-colored glasses. “People think they are in better shape than they really are,” says Tim Ryan, managing director of the cyber practice for Kroll Advisory Solutions, a security and risk management company based in New York City. In fact, half of the respondents to the Global State of Information Security Survey consider themselves “front-runners” in terms of strategy and security practices. However, when respondents appraised themselves against four key criteria in use by security leaders, such as having an overall information security strategy, or employing a CISO or equivalent who reports to an executive-level position, the number of real leaders drops to about 17%.

• Information security has been evolving into enterprise risk management at many companies. This strategy manages security in terms of overall business impact by prioritizing protection according to the business value of corporate information. But many lack the ability to re-work cyber security principles from a risk management point of view. For example, the 2013 US State of Cybercrime Survey by CSO magazine, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte found that many respondents do not have the policies and tools to assess security risks of third parties, even as corporate infrastructures grow increasingly connected.

Additionally, half of the respondents collaborate with others to improve security, but many resist sharing information with outsiders, which can impede security in today’s interconnected world.

• Budgets are on the rise, but companies can’t leapfrog their adversaries’ advances. The Global State of Information Security Survey found that security budgets would average $4.3 million this year, a gain of 51% over 2012. This is a clear indication that organizations are reacting to the elevated risk of factors such as advanced persistent threats, says Bragdon, but the reality is that enterprise security will never out-sprint the dizzying evolutionary pace of malicious coders. “We are always putting out fires and finding ourselves one or more steps behind the bad guys,” he says. “For example, the 2013 US State of Cybercrime Survey found that the majority of US organizations lack the capabilities to deal with advanced persistent threats, such as continuous network activity monitoring tools.”

• Regulatory compliance hampers resource allocation. Businesses are forced to spend money on security to ensure compliance with many regulations and laws designed to protect information. The problem is, these solutions don’t necessarily increase security. “A lot of security is focused on compliance checklists to make sure you are complying with a certain rule,” says Ryan. “I’m certainly not saying that all regulation is bad, but a lot of reports and audits don’t provide any security—all they do is check a box.”

Additionally, such expenditures hinder many companies’ ability to allocate resources where they are really needed. “I’ve spoken to many CSOs who said they would spend differently if not for regulations,” says Bragdon. “Compliance forces them to spend too many dollars in areas that don’t necessarily mitigate risks.”

Consumerization of IT Changes the Game

Workforce demands for enterprise technologies that are simple and easy to use—such as social media and mobile devices—are driving the consumerization of IT (CoIT), causing IT departments and vendors to relinquish tight IT control as users increasingly drive the next big technology adoption in the enterprise.

IDC believes the third platform for IT will support the next major era of corporate computing. The third platform is comprised of mobile devices, cloud computing, big data, and social networking. Together, these heavily consumerized technologies will account for as much as 20% of total IT spending.

But according to a 2013 IDG Enterprise Consumerization of IT in the Enterprise study, many companies lack confidence in the security solutions geared toward CoIT. For example, just 17% of respondents feel very confident they have all the security tools in place to manage the security of consumer devices at their organization.

Mobile devices. According to the Global State of Information Security Survey, “Smart phones, tablets, and the ‘bring your own device’ trend have elevated security risks. Yet efforts to implement mobile security programs do not show significant gains over last year, and continue to trail the proliferating use of mobile devices.” According to the survey, less than half of respondents have implemented a mobile security strategy, and only 39% use mobile device-management software. Seventy-five percent of enterprises report greater need to invest in security products and services to support mobile technology use.

Cloud computing. This technology is a little more mature as far as security goes, but it, too, remains vulnerable. Forty-seven percent of respondents to the Global State of Information Security Survey 2014 use cloud computing—and among those who do, 59% say security has improved. Despite that, only 18% include provisions for cloud in their security policy.

Big Data. Big data projects impact security in two ways: both as an analytical tool and an area in need of securing. IDC expects the big data technology and services market to grow from $3.2 billion in 2010 to $16.9 billion in 2015. This represents a compound annual growth rate (CAGR) of 39.4%, or about seven times that of the overall information and communication technology (ICT) market.

And big data initiatives are high priority. According to the CSO 2012 Big Data Survey, 63% of respondents with plans for big data say these projects are a critical or high priority—and many think they need to update security in response to deployment. Fifty-eight percent of the big data survey respondents are either not confident or unsure that existing security technologies will adequately protect big data.

Social Networking. Another edge technology that requires security, especially as it continues to grow into processes throughout the business, is social networking. The Global State of Information Security Survey 2014 reports that 42% of US companies do not have a social media security strategy or are not sure if they do, which poses the risk of confidential documents being shared.

[Figure: IDC’s 3rd Platform for IT. Panels, numbered 1 to 4: Mobile Devices, Cloud Computing, Big Data, Social Networking. IDC predicts that together, these heavily consumerized technologies will account for as much as 20% of total IT spending.]


Market in Turmoil

All of this is playing out in a crowded information security technology sector, marked by vendor confusion, a proliferation of smaller companies trying to break in, and larger companies competing to maintain market share.

Not surprisingly, there is a fair amount of M&A activity as a result, and that doesn’t always work to the customer’s benefit. “There are a lot of great products from small companies, and they often get bought by larger firms—and then, the larger companies have trouble integrating it into their product line, which doesn’t help the customer,” says Bragdon. “You can’t pick up a little company and run it as a separate entity. The products have to work together, and at the other end, produce actionable intelligence.”

For example, there is rapid integration on the network side from what used to be stand-alone products into high-performance unified threat management (UTM) platforms, says Jeff Wilson, principal analyst, security, at Infonetics Research; but even there, vendors need to step up their speed and efficiency. “It’s a constant transition from stand-alone to integrated,” he says. “But there’s still real frustration amongst the security practitioners about whether the stuff really works together.”

Security vendors are also rapidly expanding their service offerings, either in house or through partnerships with third-party providers, says Ryan. “The level at which this is happening is something new,” he says. “For larger providers, providing services on top of offerings is almost a requirement.”

Cloud adds another wrinkle—users not only want the technology that does the best job, but they want it in any deployment model that works, says Wilson.

“This means that vendors must not only address integration, but they need to figure out their position in offering services and hosted solutions versus purely products.”

Key Action Items

So where does this leave security vendors as they plan their product development strategies for 2014? Here are a few crucial takeaways.

1. Integrate the business perspective. As security and risk management becomes an issue for the CEO and other business leaders, security vendors and service providers must be able to explicitly link their products to business value and enterprise risk management, a process that should start at the earliest conceptual stages. For example, 81% of respondents identified as leaders in the Global State of Information Security Survey have aligned their security strategy with business need, and many are setting standards with external partners, and streamlining communications.

2. Assume the bad guys are already in the house. Realizing that knowledge is power, many organizations are switching their focus from periphery defense to rapid response, prioritizing technologies that can help gain a better understanding of threats as well as improve security for mobile devices. For example, respondents to the Global State of Information Security Survey cited technologies such as threat-intelligence subscription services, information and event management technologies, incident/event monitoring, and encryption and mobile device management technologies as top priorities over the next 12 months. Analytical tools are also generating interest, says Kroll’s Ryan. “The customers I talk to want something that can accurately correlate events and the triage work needed, while filtering out the white noise on the network,” he says. Vendors who effectively read and respond to this market shift could pick up significant market share.


5 KEY ACTION ITEMS

1. Integrate the business perspective.

2. Assume the bad guys are already in the house.

3. Partner up and build a platform.

4. Find out where your cutting-edge customers are headed next.

5. Expand customer engagement channels.


3. Partner up and build a platform. “Security technologies don’t always play nicely together, and that’s got to stop,” says Bragdon.

More and more, companies are looking for security safeguards that protect at an enterprise level or extend past the firewall to work with security technology for external partners, customers, suppliers, and vendors. That means that vendors need to move past a focus on individual products, and concentrate on building an integrated platform that also works with other platforms.

Doing so means paying attention to integration issues early on in the product cycle, and building strong partner relationships to improve both market position and product integration of solutions within your own product set and with other vendor solutions.

Finally, make sure the product platform works both on premise and in the cloud. “One aspect of the integration story I’ve been hearing involves radically improving the efficacy of products by connecting to some sort of threat cloud, so you need to know how to take security into the cloud, too,” says Wilson.

4. Find out where your cutting-edge customers are headed next. In order to develop products that align with business goals, vendors need to discover where those businesses plan to go, both strategically and technically. The smart move is to find the security leaders amongst your client base and ask them about future plans. Otherwise, companies risk their product-development cycle being out of sync with customer needs, says Bragdon, who recalls a round table meeting with technology venture capitalists when mobile technology was heating up. “I asked them where they were putting their venture dollars, and it was all cloud, cloud, cloud. I asked about mobile and they weren’t there yet,” he says. “This is why we are where we are now with regard to weak mobile security.” Bragdon says the same scenario is unfolding again with big data. “Security decision-makers are dying for big data security tools to either leverage the data or secure the output, but nobody has got it,” he says. “Companies need to do a better job listening to customers—they will tell you what they need.”

5. Expand customer engagement channels. Customers today are heavy consumers of video content and social media, and vendors need to find them where they live. For example, in the IDG Enterprise Role & influence of the Technology Decision-Maker Study, 2014, tech-related videos have influenced IT decision-makers in a variety of ways. Sixty-three percent of respondents who watch tech-related videos research a product after, and more than half have visited a vendor website or contacted a vendor for more information after watching.

Social media such as LinkedIn offers an even better opportunity to learn from customers: 79% of 2013 IDG Enterprise Customer Engagement Research respondents use social and/or business networking sites and services to engage with technology vendors on a variety of topics, such as product research, submitting product reviews, customer referrals and invoice management.

Moreover, vendors need to make sure their content and apps work just as easily on mobile devices as they do on traditional devices, as a large number of IDG Research’s Navigating the Marketing Maze respondents view content on mobile devices (tablets and smartphones). In fact, a third of the time that buyers spend accessing tech-related information online each week is via mobile device.

Given the ingenuity and constantly changing tactics of cyber criminals, the information security technology market is never going to be calm. The next 12 months, however, should be super-charged with change, as vendors negotiate the security impact wrought by heavily consumerized technologies while simultaneously reinventing fundamental security strategies and principles. Those who engage with their thought-leader customers and build integrated platforms via strong partnerships and information sharing stand the best chance of accurately developing the innovative solutions necessary to help enterprises effectively manage risk.

For more information about security decision-makers and how to reach them, please contact Bob Bragdon at [email protected].

72% of respondents who watch tech-related videos do so for research.