
Page 1: IREC165473PR RP 2017 Security Outlook

CEB Information Risk Leadership Council

2017 Security Outlook

10 Imperatives for the Information Security Function

© 2016 CEB. All rights reserved. IREC165473PR cebglobal.com

2017 SECURITY OUTLOOK

Contents

Letter from CEB 3

10 Imperatives for 2017 4

1. Pivot CISO–Board Conversations to Enabling Business Growth 5

2. Formalize IT Risk Management in Your Organization 6

3. Help the Business Reassess the Value of Its Data Relative to Risks 7

4. Reduce Time and Effort on Operational-Level Activities 8

5. Find New Ways for Information Security to Support Continuous Delivery 9

6. Prepare for an Expanded Definition of Critical Infrastructure 10

7. Advocate a Consumer-Centric Approach to Product Security 11

8. Establish a Formal Bug Bounty Program 12

9. Focus Fourth-Party Risk Management on Detection and Response 13

10. Anticipate Instability Among Large Cybersecurity Vendors 14

Letter from CEB

Each year, we publish Security Outlook as a compilation of the top 10 business, risk, and technology trends CISOs should anticipate in the coming year. In many ways, the trends that define 2017 will resemble those in past years: the scarcity of cyber talent will remain pervasive, gaps in controls hygiene and employee awareness will represent CISOs’ greatest risks, and advanced attacks aren’t going anywhere. But in other ways, 2017 represents an inflection point. Information Security’s current model, spanning strategy, governance, and security operations, will be strained by the demands of digitization. CISOs, in turn, will face a myriad of new challenges and responsibilities, such as facilitating secure development, managing high-risk vendors, and marketing Information Security as a growth enabler.

We have identified 10 imperatives Information Security should prepare to address in the coming year. These imperatives draw from hundreds of conversations with members over the last year as well as extensive qualitative and quantitative research. CISOs can use Security Outlook to inform conversations with their teams, provide business partners with insight on the evolving risk landscape, and prepare for the year ahead with confidence.

Our 2017 imperatives for Information Security fall into three broad categories:

1. Strategy Over Governance… In the digital age, an organization’s success or failure will depend on its ability to take smart risks with new technologies. As innovation and security become increasingly linked, Information Security is poised to become a key growth enabler. But first, CISOs must look beyond threats and risks and start addressing areas where fragmented risk ownership, cumbersome processes, and misaligned policies create roadblocks along the path to digitization.

2. …Management Over Operations. With digitization pushing more organizations to embrace continuous delivery, Information Security can expect the growth of business demand to outpace the resources to meet it. Because scaling Information Security’s capabilities is simply not an option, CISOs must deliver security beyond scale. This means automating and devolving operational-level activities to free delivery teams and business partners from cumbersome governance stage gates and manual processes operated by Information Security.

3. Greater Focus Outside the Enterprise. Organizations can no longer think of their security in isolation from that of their vendors, their employees, or even their customers. They must anticipate the Internet of Things’ potential to reshape society; the introduction of technologies such as self-driving cars, web-connected medical devices, and device-enabled surveillance are all likely to infuse Information Security with public health and safety implications. Similarly, CISOs must account for the emergent risks raised by the increasingly tangled web of third and fourth parties with access to their systems and their customers’ personal information.

10 Imperatives for 2017

Strategy Over Governance…

1. Pivot CISO–Board Conversations to Enabling Business Growth. CISOs need to shift their board’s focus from risks they should avoid to risks they should take in pursuit of digital innovation.

2. Formalize IT Risk Management in Your Organization. Reliance on technology-driven products and services underscores the need for more robust IT risk management, which is currently fragmented across multiple functions.

3. Help the Business Reassess the Value of Its Data Relative to Risks. With new data protection regulations on the horizon, organizations must ensure that the value of the consumer data they collect outweighs the risks of disclosure.

…Management Over Operations

4. Reduce Time and Effort on Operational-Level Activities. To preserve its strategic focus in the face of mounting business demand, Information Security must automate, devolve, or eliminate governance and operations activities.

5. Find New Ways for Information Security to Support Continuous Delivery. Digitization and speed-to-market demands are expanding the use of Agile and DevOps for IT solutions delivery, forcing CISOs to abandon the traditional stage-gate process.

Greater Focus Outside the Enterprise

6. Prepare for an Expanded Definition of Critical Infrastructure. In a world where information security increasingly has public health and safety implications, industries must prepare to self-regulate or be regulated.

7. Advocate a Consumer-Centric Approach to Product Security. As information security concerns begin to shape consumer preferences, organizations must factor consumers’ risk appetites into strategic decision making.

8. Establish a Formal Bug Bounty Program. Organizations should incentivize hackers to help them identify and remediate software vulnerabilities rather than monetizing them in harmful ways.

9. Focus Fourth-Party Risk Management on Detection and Response. Organizations should shift the focus of fourth-party risk management from preventing breaches to detecting and responding to them.

10. Anticipate Instability Among Large Cybersecurity Vendors. As the cybersecurity industry witnesses unprecedented restructuring, Information Security must reassess the relative benefits of mature and emerging technologies.


1. Pivot CISO–Board Conversations to Enabling Business Growth

With 94% of corporate directors more concerned with cybersecurity than they were in 2014, CISOs are presenting to the board with greater frequency and greater urgency than ever before.[1] Most CISOs currently focus these conversations on the industry threat landscape, information risks facing the organization, and a status assessment of the security program. However, as executives and boards increasingly rely on digitization for future growth (Figure 1), board members’ cybersecurity interests are shifting from just risk and assessment of the security program to opportunities for CISOs to consult on business strategy.

CISOs must offer their unique expertise to advise the board on digital opportunities, not just potential threats and risks. However, with data breaches dominating the conversation in newsrooms and boardrooms alike, digitization’s perils may appear more tangible, while its promise may seem abstract. Thus, CISOs must be prepared to proactively discuss how policies geared toward risk avoidance, rather than risk management, create business drag that can cost more than total spend on information security or the residual risk itself.

For example, business leaders may choose to forgo the benefits of adopting an innovative CRM platform because the cloud vendor is deemed too risky, or to delay introducing new product features due to cybersecurity concerns, resulting in lost market share to competitors.

In such scenarios, CISOs can play a key role in helping their boards understand what business strategies are possible, where real cybersecurity concerns may lie, and how changes in security processes and capabilities can help remove obstacles to business growth.

Three Ways CISOs Can Shift Boardroom Conversations to Growth Enablement

1. Demonstrate understanding of the organization’s digitization strategy inside and out. CISOs need to not only deeply understand their organization’s digitization strategy but also consciously demonstrate their knowledge to the board. When presenting risk information, contextualize it in the organization’s larger digital strategy. CISOs can further help executives and the board understand which aspects of their current strategies are possible from a security perspective.

2. Identify and address potential security roadblocks to digital growth. Identify areas where existing security policies or processes stifle innovation because of factors such as talent shortages, project interdependencies, or misalignment with the organization’s risk appetite.

3. Develop a roadmap to enable the business’s digital strategy. CISOs need to identify a set of digitization risks and pair them with solutions. Highlight examples of how digitization is forcing Information Security to reassess its approach to delivering core services. Then, outline how investments in people, processes, and technology are helping eliminate choke points and enable growth while providing a set of key milestones and metrics for success.

Figure 1: Executive Priorities Dependent on Technology

77% Technology Dependent; 23% Not Technology Dependent

n = 2,976. Source: CEB 2016 Agenda Setting Polls.

Have You Done the Following Things?

☐ Standardize recurring board reporting activities, such as risk updates and program assessment, to maximize efficiency and create time for discussing business strategy issues.

☐ Meet with other senior executives before board presentations to ensure alignment on strategy and explore what role Security may play.

☐ Benchmark presentation agendas against those of CISOs at peer organizations to assure directors of industry alignment.

What Your Peers Are Saying

“While minimizing risk is an important part of the equation, boards also want to think about technology in the context of the business to consider appropriate trade-offs between risk and innovation and growth.”

Timothy Campos, CIO, Facebook

“Previously, the board could delegate or avoid IT-related decisions, but technology is now at the core of how we operate and grow in the future, so digitization issues are increasingly being felt at the board level.”

CISO, Professional Services Company

[1] CEB 2015 Peer Perspectives Polling.

Recommended CEB Resources

■ Research: Five Principles of Effective Cybersecurity Board Presentations

■ Tool: Board Presentation Template: Making a Strong First Impression

■ Tool: Board Presentation Template: Providing Recurring Assurance

■ Topic Center: Governance


2. Formalize IT Risk Management in Your Organization

In the past 10 years, not one Fortune 1000 company has gone out of business as a result of a data breach. Meanwhile, countless dozens have fallen by the wayside for failing to adapt to today’s technology-driven environment. According to our analysis, 77% of all business priorities are now technology dependent, a figure that will only rise as organizations progress along the path to digitization.[1] In this context, effective management of IT risk (i.e., the potential for unexpected outcomes associated with the use, ownership, and adoption of IT) isn’t just important—it’s essential to survival. For example:

■ The bankruptcy of a startup SaaS vendor leaves an organization without an alternative provider of key CRM services,

■ Unforeseen difficulties integrating software-defined infrastructure produce delays, cost overruns, and downtime, and

■ The inability to acquire and retain data science talent negates the business value of acquiring an expensive big data analytics tool.

Twenty-nine percent of CISOs report that they formally own IT risk management, while 46% say roles and responsibilities remain fragmented among multiple functions. This lack of clear ownership creates blind spots in the full scope of risks the organization faces. Without robust IT risk governance processes, Information Security may continue to take on these responsibilities piecemeal without the resources needed to meet the challenge.

The CISO’s Role in Formalizing Effective IT Risk Management

■ Start focusing on the right risks. CISOs should first collaborate with leaders from IT, Audit, ERM, and other risk functions to create a common understanding of IT risk and its components. Building an IT risk taxonomy (Figure 2) can help stakeholders begin developing IT risk management processes and assigning roles and responsibilities.

■ Clarify IT risk management roles and responsibilities. Once organizations create a common definition of IT risk, they can start to formalize governance of risk management processes. CISOs can lead this conversation and propose existing information risk management processes that the organization could easily adapt for IT risk. Whether Information Security is best positioned to take on responsibility for IT risk management will vary depending on the organization. Well-resourced organizations may shift ownership to a separate IT risk function under the CIO, while others may elect to assemble a governance committee.

■ Help IT staff manage risk more effectively. The IT department’s typical aversion to risk can inhibit taking the bold steps necessary to keep pace with the evolving business landscape and pushes business leaders to seek technology solutions outside IT. Information Security can serve as an unofficial ERM function for IT, providing useful guidance on how to align IT with the business’s risk appetite while ensuring risk information flows from those informed to those empowered to make risk decisions.

Figure 2: IT Risk Is Broader Than Information Risk (Partial IT Risk Taxonomy)

Source: CEB analysis.

IT Talent: Insufficient staff; Ineffective staff

IT Capacity: Network/bandwidth limitations; Insufficient storage

Reliability/Quality: Loss of integrity; Unacceptable latency

Legal/Compliance: Audit findings and remediation costs; Civil lawsuits

Security/Privacy: Breach of confidentiality; Breach of privacy

Delivery: Late delivery; Over budget; User under-adoption

Business Enablement: Insufficient business responsiveness; Decreased employee productivity

Vendor Support: End of vendor support; Technology obsolescence

Have You Done the Following Things?

☐ Improve communication and build support from the board of directors for IT risk management.

☐ Provide guidance for redesigning risk governance to make the true owners of risk accountable for risk decisions.

☐ Incorporate an assessment of productivity drag into risk decisions.

☐ Work with leaders from IT, Audit, and ERM to prioritize risks in your IT risk taxonomy.

What Your Peers Are Saying

“The ‘not my job’ mind-set that’s historically surrounded IT risk means we don’t have the people, governance structures, or processes we need to manage it effectively.”

CISO, Pharmaceuticals Manufacturer

[1] CEB 2016 Agenda Setting Polls.

Recommended CEB Resources

■ Case Study: Managing Shared Risks

■ Case Study: Set the Stage for Business Ownership and Engagement

■ Topic Center: Governance

■ Study: Getting Serious About IT Risk Management

3. Help the Business Reassess the Value of Its Data Relative to Risks

CISOs and their counterparts in ERM and Legal have been aware of the risks posed by unchecked accumulation of customer data for several years now but have been unable to make much progress in mitigating them. However, in 2017 the convergence of several business environment and regulatory changes will force organizations to reevaluate the risks and rewards of the data they collect and retain. These changes include the following:

■ Increased reliance on third parties for data storage and analysis reduces organizations’ control over how their data is handled.

■ New regulations, such as the General Data Protection Regulation (GDPR) in Europe, dramatically increase the financial penalties for mishandling customer data—up to 4% of annual gross revenue.

■ Highly networked workplaces relying on cloud-based productivity tools and “bring your own device” policies increase the chances that employees might accidentally (or purposefully) disclose data.

These factors substantially raise the likelihood and potential costs of data breaches (Figure 3) and should prompt CISOs to renew discussions with business leaders and other risk functions to ensure that clear guidelines are set and followed.

Seven Questions to Help the Business Reconsider Its Big Data Risks

While authority and accountability for risk decisions will ultimately lie with business leaders, CISOs must arm them with a more holistic understanding of the risks associated with the data they collect. Asking the following questions can help business leaders recalibrate their risk tolerances accordingly:

1. What is the business value of the information we collect? Business leaders should have a quantifiable understanding of how the data affects growth or reduces costs rather than employ a “collect now; analyze later” mind-set.

2. Do we currently have the tools and talent we need to use the data? Without the right set of tools and talent, organizations are taking on all the risks of retaining customer data without realizing any of the benefits.

3. How would the public react to the information we collect and how we use it? Even if it is legal, organizations should avoid data collection that may violate cultural norms and present significant reputational risks if disclosed.

4. What information needs to be protected (and at what level and cost)? The rise in data volume and variety available to organizations makes it increasingly challenging—and vital—to ensure each type of data receives the appropriate level of security.

5. How long should sensitive data be retained? The value of most customer data declines over time. The business should identify its data’s “shelf life” and delete it beyond a certain age.

6. Who should have access to our customers’ information? Business leaders must strike a delicate balance between making data available to those who can derive value from it and preventing unauthorized access.

7. Who outside the organization touches our customers’ information? As organizations increasingly rely on third parties for data storage and analysis, business leaders must have visibility into how the data is handled and how the third party will respond in the event of a crisis.

For more details on this topic, please read Executive Guidance for 2016: Managing the Hidden Causes of Data Breaches.

Figure 3: Compared to Two Years Ago, How Would You Rate the Difficulty in Preventing a Data Breach Today? (Percentage of Respondents)

24% Significantly Harder; 52% Harder; 14% Easier; 10% The Same

n = 31. Source: CEB May 2015 Information Risk Peer Perspectives Poll.

Have You Done the Following Things?

☐ Revisit your organization’s data classification scheme.

☐ Assess the effect of new regulations such as the GDPR.

☐ Explore the option of a chief data protection officer.

☐ Integrate third- and fourth-party data breach scenarios into your crisis response planning.

What Your Peers Are Saying

“The challenge is that in a lot of places now, customers have a ‘right to be forgotten’ and can sue us for not deleting their data. We can do that. But I can never be 100% sure that data isn’t still out there on a server belonging to a vendor we did business with three years ago, waiting to get breached.”

Global Data Security Manager, Consumer Retail Company

Recommended CEB Resources

■ Case Study: Business-Oriented Information Use Decisions (Air Products)

■ Tool: CEB Ignition™ Guide to Data Classification

■ Topic Center: Audit, Compliance, Legal, and Privacy

[1] Bernard Marr, “Why Data Minimization Is an Important Concept in the Age of Big Data,” Forbes, 16 March 2016, http://www.forbes.com/sites/bernardmarr/2016/03/16/why-data-minimization-is-an-important-concept-in-the-age-of-big-data/#ca7b625327fd.


4. Reduce Time and Effort on Operational-Level Activities

Five years ago, we predicted Information Security’s shift from back-office security operations to a more strategic role specializing in true risk management, governance, and understanding of business partners’ security needs. Information Security was among the first governance functions to embrace the transition to a more strategic role. Yet at the same time, in most companies, Information Security retained ownership over the same kinds of operational-level activities that were once its primary responsibility.

But with the rise of Agile development and DevOps, the increased demands of continuous delivery, and a rising number of third parties to manage, the status quo is unsustainable. Information Security functions that try to balance their old responsibilities with the new will inevitably create drag on the business. To preserve Information Security’s capacity to think and act strategically, in 2017 CISOs must automate, delegate, devolve, or outsource governance and operations from their workflows (Figure 4).

Three Imperatives for Building a More Strategic Function

1. Automate routine tasks to boost productivity and bridge the cyber talent gap. With the cybersecurity talent shortage expected to reach 1.5 million by 2019,[1] help is not on the way. CISOs increasingly recognize that automating operations and governance activities offers the best chance to meet the demands of continuous delivery. Security operations—everything from firewall monitoring and spam filtering to malware analysis—are a prime target for automation. Further, by using tools such as APIs to provide developers with the building blocks of secure development, CISOs can empower Agile teams and free them from the conventional stage-gate process. Doing so can dramatically reduce the time it takes to accomplish routine tasks and allow a limited pool of security staff to graduate to more strategic activities.

2. Delegate and devolve operations to IT and the business. Although CISOs were early adopters of the shift to a risk management role, difficulties in educating and engaging business leaders impede Information Security’s ability to devolve risk ownership. To address the current education gap, Information Security should embrace a variety of roles in engaging business leaders in ways that correspond to the organization’s digital ambitions. CISOs need to be effective evangelists, consultants, and brokers in their organizations, able to educate business partners on how Information Security can help them deliver value, to provide project guidance, and to forge internal connections. CISOs also need to coach security staff to help them build the skills and experience they need to provide guidance for business leaders at the scale required by continuous delivery.

3. Outsource new kinds of security activities. While automating and devolving activities will help Information Security be more strategic, in the long term CISOs must be prepared to broaden the portfolio of activities they outsource. Today, CISOs spend roughly 8%–9% of their budgets on outsourcing; however, the majority goes toward staff augmentation.[2] Instead, CISOs can leverage a rapidly maturing market for managed security services for a wider range of activities, including advanced security information and event management (SIEM), vulnerability management, and real-time compliance monitoring. In tandem, security functions must develop more robust program evaluation and vendor management capabilities to ensure the providers are held accountable for delivering high-quality services.

Figure 4: Shifting Operations to Management (Partial List)

Source: CEB analysis.

From Operations: Information Security performs a risk assessment and provides control recommendations.
To Management: Process is designed into a GRC tool to enable project owner self-service and automated controls recommendations. (Automation)

From Operations: Information Security performs periodic assessments of all third-party vendors.
To Management: Ownership of third-party risk is shifted to the business; Information Security assesses only the highest-risk vendors. (Delegation)

From Operations: Information Security routinely monitors firewalls and perimeter defenses.
To Management: Perimeter defenses have decreasing value in the current threat environment; activity is reduced and shifted to a third-party provider. (Elimination/Outsourcing)

Have You Done the Following Things?

☐ Invest in robust program evaluation capabilities to assess security activities according to their business value and identify opportunities to automate, devolve, and eliminate.

☐ Identify business partners’ progress toward digitization, and assess their need for education and engagement from Information Security.

☐ Develop an initial list of high-value MSSPs to be considered for more comprehensive evaluation.

What Your Peers Are Saying

“Automation can help address the talent gap by reducing the pressure to hire and retain ‘unicorns’ who have multiple high-demand skills, like a security engineer who also does data science. Right now it’s like trying to find a lawyer who’s also a brain surgeon.”

Global Security Director, Food and Beverage Retailer

[1] Cybersecurity Ventures, Cybersecurity Market Report, Q3 2016, http://cybersecurityventures.com/cybersecurity-market-report/.

[2] CEB 2017 Information Security Budget and Staffing Outlook, https://www.cebglobal.com/member/information-risk/events/replays/16/outlook-for-2017-information-security-budget-and-staffing.html/.

Recommended CEB Resources

■ Study: A Blueprint for a New Information Security Function

■ White Paper: Adaptive Business Engagement

■ Topic Center: Security Function Management

5. Find New Ways for Information Security to Support Continuous Delivery

Speed-to-market demands are reshaping expectations for Corporate IT. Two-thirds of business leaders believe their companies must significantly speed up digitization to remain competitive, while 63% are dissatisfied with the time it takes IT to respond to new technology opportunities.[1] In response, many IT organizations are expanding the use of Agile and DevOps methods (Figure 5) to support continuous solutions delivery.

Figure 5: Agile and DevOps Adoption

Agile: 14% No Projects; 29% Less Than 10% of Projects; 28% 10%–30% of Projects; 16% 31%–50% of Projects; 14% Greater Than 50% of Projects

DevOps: 10% Don’t Plan to Use DevOps; 45% Evaluating DevOps; 13% Piloting DevOps; 22% Scaling DevOps Enterprise-Wide; 10% DevOps Is Primary Method

n = 132 organizations (Agile); 31 (DevOps). Source: CEB 2016 Agenda Setting Poll (Agile); CEB 2015 DevOps Survey (DevOps).

Note: Totals may not equal 100% due to rounding.

Infrequent, Waterfall Releases vs. Continuous, Automated Delivery

Scope
Waterfall: Complete applications; large batches of enhancements
Continuous: Minimum releasable units (MRUs)—smallest amount of functionality that will independently provide business value

Timelines
Waterfall: Occur roughly quarterly; planned and locked down months in advance
Continuous: Occur as soon as new functionality is ready; usually every two weeks

Quality
Waterfall: Rigorous testing for weeks after development to eliminate defects
Continuous: Testing as you go using automation so software is always production-ready

Release Process
Waterfall: Take systems offline; “all hands on deck” to ensure release goes smoothly
Continuous: Release automation; low effort with zero downtime

Have You Done the Following Things?

☐ Evaluate the extent to which your organization is using Agile and DevOps.

☐ Provide development teams tools and training to self-identify security-significant decisions.

☐ Provide just-in-time security guidance to development teams.

☐ Identify and communicate a handful of triggers for Agile and DevOps teams to require deeper security team involvement.

What Your Peers Are Saying

“The best way to drive more secure coding and product development is to make the right way the easy way. Information Security is writing commonly used pieces of code (e.g., authentication, logging), and developers can easily locate and access these through a self-service code shopping cart.”

Roland Cloutier, VP and CSO, ADP

Recommended CEB Resources

■ Webinar: Adaptive Delivery and Operations

■ Research Report: Implementing DevOps

■ Key Findings: Information Security’s New Opportunities to Support Digitization

■ Case Study: Self-Service Project Risk Assessments (BP)

As organizations move toward iterative development methods (see table above), it becomes unsustainable and unacceptably slow for governance functions such as Information Security to be hands on in development efforts. Information Security’s traditional stage-gate reviews won’t work well with these new workflows, and CISOs can’t simply scale up resources to support the growing number of distributed development teams.

Adapting Information Security to Support Continuous Delivery

Information Security must make the following key changes to support continuous delivery:

■ Federate responsibility for good security. As use of Agile and DevOps expands, Security doesn’t have the capacity to be engaged in all projects. Security must enable Agile and DevOps teams to make sound security decisions more autonomously and significantly scale back their own role in direct reviews.

■ Start automating governance. Federating responsibility is a good place for Security to start. However, the most progressive CISOs are working to eliminate the need for developers to think about good security altogether. They’re making good security the fastest, easiest, default option for project teams by automating as many standards as possible using patterns loaded directly into environment builds.

■ Prepare security staff for supporting secure development. To support continuous delivery, Information Security must embed governance (not people) in IT automation. This approach requires changes at two levels. First, as one CISO put it, security staff need to be comfortable that they can’t touch every project, and the team can still achieve good security. Second, Information Security will need to hire or train more staff with applications development and design skills to build APIs, containers, and microservices to automate security governance.

■ Come to a common, explicit understanding of risk appetite. Many information security processes and policies seek to reduce risk but often address risks that pale in comparison to the risk of slower speed to market, or of failing to meet the organization’s digital transformation imperative itself.

[1] CEB 2020 Digital Enterprise 2020 Survey (n = 578).


6. Prepare for an Expanded Definition of Critical Infrastructure

Critical infrastructure organizations in industries ranging from energy to financial services must navigate additional government regulations, closer industry coordination, and heightened risk profiles—all of which create more cost and complexity.

However, the definition of “critical infrastructure” 1 is often ambiguous and at best evolving. For example, US presidents have redefined critical infrastructure every two-and-a-half years between 1998 and 2013, and the United Kingdom is creating a new National Cyber Security Centre designed, in part, to protect critical infrastructure. 2

Clearly, governments’ understanding of critical infrastructure is likely to further expand as more industries embrace digitization in the form of Internet-connected products, autonomous machines, automated business processes, etc., and as the implications on public security, health, and safety become clearer.

For example, consider the following scenarios:

■ An attacker inserts malicious code into self-driving cars via an over-the-air update to launch coordinated car crashes, resulting in significant loss of life and injury.

■ An attacker modifies metadata in a major foodstuff company’s automated manufacturing process such that customers receive tainted food nationwide.

■ An attacker gains remote access to a national network of Internet-enabled thermostats to disable air-conditioning during a heatwave, resulting in loss of life on a national scale.

These examples aren’t just limited to the auto, foodstuff, and household appliance industries. Broader use of technology transcends most industries, paving the way for additional threats to national security, economic security, and personal safety—all grounds for reclassifying industries as critical infrastructure.

Three Implications to Prepare For

Being reclassified as critical infrastructure will force new-in-kind activities on information security functions and their organizations. Here are three implications to prepare for today.

Figure 6: Frequency of Change in Critical Infrastructure Definition (Illustrative)

Have You Done the Following Things?

■ Work with industry peers to define product security standards at the industry level.

■ Identify and mitigate potential ecosystem risks that affect products and services.

1 The US Department of Homeland Security currently defines 16 sectors that compose the “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

2 Government Communications Headquarters, Prospectus: Introducing the National Cyber Security Centre, 25 May 2016, https://www.gov.uk/government/publications/national-cyber-security-centre-prospectus.

Implication: New-in-Kind Regulations
How to Prepare: Expect new government regulations and standards as critical infrastructure is reclassified and threats evolve. Consider lobbying to move government action and regulations in a productive direction.

Implication: Industry-Wide Ecosystem Risks
How to Prepare: Begin identifying industry-wide risks that affect products and services in shared ecosystems, and prepare for mandatory, industry-wide security testing. Work with industry groups to set and communicate shared product security standards now to avoid leaving a gap that government regulators may try to fill.

Implication: Expansion of Fiduciary Duties
How to Prepare: Anticipate an expansion of the board’s fiduciary duties, and think through how this might affect the CISO’s role and the information security function’s mandate. Network with CISOs at organizations already classified as critical infrastructure to better understand and prepare for challenges on the horizon.

Source: CEB analysis.

United States presidents redefined critical infrastructure every 2.5 years between 1998 and 2013.

Recommended CEB Resources

■ Research: Preparing Your Organization for Cyber Crises

■ Tool: CEB Ignition™ Guide to Building a Cyber Crisis Testing Program

■ Infographic: Understanding the Digital Landscape

What Your Peers Are Saying

“If we fail to get ahead of the Internet of Things as an industry, then the government is going to lay down prescriptive regulations for us. We need to come together as an industry to take the lead in figuring out how to manage the cyber risks that will soon affect automobile technologies.”

John Bingham, CISO, Delphi Automotive PLC

“I firmly believe that Information Security’s focus will soon increase from enterprise systems to physical systems. With this, we’ll see an expansion of risk from traditional data loss and denial of service to harm to physical infrastructures that could impact personal safety. We have to prepare now for this future.”

Mike Papay, CISO, Northrop Grumman Corporation


7. Advocate a Consumer-Centric Approach to Product Security

Until recently, consumers have valued the information security of products they use less than other product characteristics. 1 But this is about to change as the outcomes of cybersecurity attacks start to shift from low-cost annoyances to life-changing events. For example, it’s already been shown that perpetrators can remotely take control of a car, manipulate a patient’s pacemaker, or take over a home security system—scenarios made possible by the network connectivity of everyday objects. Next year could be the year of a large-scale trigger event, such as a remote hijacking of a plane, which could put product security into the spotlight. As a result, organizations will see products’ security factor more strongly into consumers’ purchasing decisions. 2

Consumers’ shifting expectations regarding product security require organizations to factor in consumers’ appetite for risk as an input into their strategic decision making more directly. Information Security is uniquely positioned to help business partners see this shift and prepare for it based on its experience conducting risk assessments, technical expertise, and knowledge of products’ security controls. Information security functions can work with marketing and product development teams, drawing on their knowledge of consumer behaviors, to clarify potential implications of consumers’ changing security preferences and enable business partners to potentially recalibrate their overall risk appetite.

Assist Business Partners in Recalibrating Their Risk Appetite

■ Inform business partners of the potential implications of shifting consumer attitudes toward product security. Information Security needs to impress upon its business partners that consumers’ growing emphasis on product security can have strategic implications for the enterprise. Whereas before a change in consumers’ risk appetite translated into changes to existing controls, today it can affect business strategy. For example, patients becoming more concerned with an attack that holds their medical information for ransom could necessitate a medical device company to significantly alter a product’s design, like changing the way it transmits or stores data.

■ Help clarify consumers’ security trade-off decisions. To assess consumers’ risk appetite, organizations need to understand product security trade-offs consumers are willing to make. By contributing its technical expertise, Information Security can aid marketing and product development teams (functions that conduct consumer behavior research) in analyzing when consumers choose to sacrifice product security for features like connectivity to other products or ease of access. This analysis will allow business partners to better understand consumers’ risk appetite.

■ Set consumers’ risk appetite as the upper bound of the enterprise risk appetite. When recalibrating the business risk appetite, Information Security can ensure that consumers’ risk appetite remains the upper bound. In most cases, the business may want to more closely align with the risk appetite of its consumers but remain more risk averse due to regulation and the high impact of potential loss events.

■ Evaluate implications of a potential change in the enterprise risk appetite. To make educated decisions on changing the risk appetite for the organization, business leaders require information on potential implications. Information Security’s experience conducting risk assessments will enable the function to lead an effort to more robustly evaluate risk introduced by business decisions with input from business leaders.

Figure 7: Top Three Emerging Enterprise Risks (Ratings by Overall Risk Score and Frequency)

Have You Done the Following Things?

■ Work with ERM to establish and communicate an organization-level risk appetite, which will be compared to consumers’ appetite for risk.

■ Identify key business leaders who make risk appetite decisions for the organization.

■ Coordinate reporting risk taxonomies and measurement scales to more effectively measure risk implications of potentially changing the organization’s risk appetite.

What Your Peers Are Saying

“We work hard to balance the friction between security needs and consumer preferences. Security brings this friction to light by closely collaborating with business teams to help ensure risk-informed and balanced business decisions are made.”

Jim Gottsacker, Information Security Officer, State Farm

1 Underwriters Laboratories, "The 2012 Product Mindset," Quality Insider, 7 December 2012, http://www.qualitydigest.com/inside/quality-insider-article/2012-product-mindset.html.

2 Deloitte, “Executives Underestimate Importance of Security, Privacy to Consumers,” Wall Street Journal, 22 April 2015, http://deloitte.wsj.com/riskandcompliance/2015/04/22/executives-underestimate-importance-of-security-privacy-to-consumers/.

Recommended CEB Resources

■ Research: Executive Guidance: Reducing Risk Management’s Organizational Drag

■ Tool: Risk Appetite Learning Tool

■ Topic Center: Risk Management and Assessment

[Figure 7 chart: Rank (1–3) by Business Quarter (Q1 2016, Q2 2016, Q3 2016). Risks plotted: Evolving Customer Expectations; Unpredictable Political Landscape; Technical Disruption; Vendor Relationship Management; Strategic Change Management.]

Source: CEB analysis.


8. Establish a Formal Bug Bounty Program

Hackers are always finding new ways to exploit vulnerabilities for financial gain. Today, more than 80% of data breaches have a financial motive (Figure 8). 1 As more and more companies introduce digital products and services—all prone to software vulnerabilities—the number of potential targets will rise exponentially. In fact, the past 12–18 months have already witnessed a proliferation of sophisticated monetization strategies targeting consumer products and services that go beyond traditional data theft or even ransomware. Take for example the following:

■ “Hacktivist investing”: In August 2016, the security firm MedSec demonstrated that it was possible to make a profit by short selling a target company’s stock and then publicizing discovery of vulnerabilities in its products or services in such a way as to maximize market unease. 2

■ “Bug poaching”: In May 2016, IBM reported a series of incidents in which hackers exploited unknown vulnerabilities to steal data from organizations and then used the stolen data to blackmail those organizations into purchasing information on the vulnerabilities. 3

No amount of investment in product security or penetration testing can eliminate software vulnerabilities entirely. Therefore, CISOs need to build new capabilities to detect latent vulnerabilities once their products reach the market and to remediate them before they pose a real threat. Bug bounty programs can help CISOs do just that.

The Logic of Establishing a Bug Bounty Program

Bug bounty programs (i.e., rewarding hackers or researchers for reporting vulnerabilities) have been standard practice at large tech firms for at least a decade. In the future, bug bounty programs will likely become a more attractive tool for a broader range of companies exploring new digital offerings. The goal is to transform the same hackers and researchers who might otherwise pose a threat to your organization into an effective vulnerability detection mechanism. 4

Bug bounties can help CISOs accomplish two key objectives:

■ Maximize the chances of identifying vulnerabilities. Bug bounty programs allow organizations to effectively crowdsource their penetration testing. More eyes searching for critical vulnerabilities translates to greater likelihood that they’re identified and remediated before being exploited.

■ Neutralize the economic incentives to commit cyber crime. CISOs need to recognize that their attackers are rational actors and that most cyber crime is driven by financial incentives. By offering hackers and researchers a low-risk, legitimate way to monetize their skills, organizations can provide mutually beneficial, financial alternatives to those who might otherwise sell vulnerabilities on the Dark Web or engage in illicit activities themselves.

Hackers will never stop looking for vulnerabilities. But with a small investment in a bug bounty program, CISOs can refocus a portion of malicious activity into an early vulnerability detection mechanism.

Figure 8: Rise of Financially Motivated Cyber Crime

Source: CEB analysis; Verizon, 2016 Data Breach Investigation Report, 2016, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.

Have You Done the Following Things?

■ Evaluate your organization’s ability to remediate reported vulnerabilities in customer-facing products and services.

■ Network with peers who already manage bug bounty programs to identify implementation tips and tricks.

■ Communicate your bug bounty program to appropriate researchers and hacking communities.

What Your Peers Are Saying

“We have 40 engineers on staff whose sole job is to break software. But opening up your code to the research community provides you with a very different, very rigorous kind of test. In that sense, bug bounties are something organizations should consider.”

Roland Cloutier, VP and CSO, ADP

“We did it because our overriding concern in everything we do is to ensure our customers’ information is well secured and that their private data is in good hands with us.”

Arlan McMillan, CISO, United Airlines 5

1 Verizon, 2016 Data Breach Investigation Report, 2016, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.

2 Jim Finkle and Dan Burns, “St. Jude Stock Shorted on Heart Device Hacking Fears; Shares Drop,” Reuters, 25 August 2016, http://www.reuters.com/article/us-stjude-cyber-idUSKCN1101YV.

3 John Kuhn, “Bug Poaching: A New Extortion Tactic Targeting Enterprises,” SecurityIntelligence, 27 May 2016, https://securityintelligence.com/bug-poaching-a-new-extortion-tactic-targeting-enterprises/.

4 Aidan Knowles, “How Black Hats and White Hats Collaborate to be Successful,” SecurityIntelligence, 4 May 2016, https://securityintelligence.com/how-black-hats-and-white-hats-collaborate-to-be-successful/.

5 Steven Melendez, “As Airlines Digitize, They Are Confronted With Increased Cybersecurity Risks,” Fast Company, 11 October 2016, https://www.fastcompany.com/3063252/mind-and-machine/as-airlines-digitize-they-are-confronted-with-increased-cybersecurity-risks.

Recommended CEB Resources

■ Research: Preparing Your Organization for Cyber Crises

■ Topic Center: BCP/DR and Incident Response

[Figure 8 chart data, share of data breaches by motive (0–100% scale), as labelled in the chart:]

Year             | Financially Motivated | State-Sponsored Espionage
2013             | 75%                   | 24%
2014             | 77%                   | 22%
2015             | 80%                   | 19%
2016 (Projected) | 83%                   | 16%


9. Focus Fourth-Party Risk Management on Detection and Response

With organizations operating in increasingly complex vendor ecosystems, most CISOs recognize that fourth parties pose significant risks. However, given limited resources and the need to prioritize effective third-party risk management, fourth parties often receive little more than due diligence or go unaddressed altogether. The sheer number of fourth parties each organization would have to keep track of makes effective risk management a daunting proposition. Rather than investing in fourth-party breach prevention efforts that are likely to fail, organizations should focus on fourth-party breach detection and response so they can mitigate damages from and address the unique challenges of a fourth-party breach once one inevitably occurs.

When mobilizing the organization against fourth-party breaches, there are three unique challenges that CISOs must overcome to ensure effective detection and response:

■ Fourth-party breaches are hard to detect. Since organizations do not directly work with fourth parties, they often don’t receive timely notification of fourth-party breaches affecting their data.

■ Fourth parties have no legal obligation to work with enterprises during breach situations. Fourth parties are not legally bound to work with companies with whom they do not have contracts (Figure 9).

■ Fourth parties tend to prioritize supporting only their key clients during breaches. When breaches occur, fourth parties will tend to support clients with the largest contracts or long-standing relationships.

To address these challenges, CISOs can take the following key steps to prepare for fourth-party breaches:

■ Identify the organization’s highest-risk fourth parties. Work with the organization’s third parties to identify the fourth parties to whom they subcontract. Focus on fourth parties that present the highest risk to the organization (Figure 10).

■ Implement lightweight approaches to monitor select fourth parties. To lower the burden of fourth-party risk management on the organization, monitor high-risk fourth parties with low-effort strategies to enable the quick detection of breaches. For example, third-party monitoring services, such as BitSight, provide solutions for monitoring fourth parties and detecting fourth-party breaches on the organization’s behalf.

■ Create and implement fourth-party risk scenarios into the cyber crisis testing portfolio. Integrate fourth-party breach scenarios into your organization’s crisis management planning, and conduct crisis exercises with key members of your information security, legal, and privacy teams. Where possible, conduct joint crisis exercises with one or more third parties to improve your ability to coordinate response efforts and minimize the potential damage from a fourth-party breach.

■ Highlight fourth-party risks to senior executives. Since most of the participants in the fourth-party risk scenarios are business and functional leaders as well as senior executives, who are just starting to learn about third-party risk, Information Security will need to educate them on fourth-party risk to get their support.

Figure 9: Organizations’ Lack of Confidence in Fourth-Party Breach Disclosure

Figure 10: High-Risk Fourth Parties

Have You Done the Following Things?

■ Include clauses in third-party contracts to hold fourth parties liable for handling the organization’s data.

■ Assess the information security function’s capability to monitor fourth parties.

What Your Peers Are Saying

“We can put the contractual measures in place to be legally protected against a fourth-party breach. However, to be prepared and mitigate potential reputation damage, we need to create a fourth-party risk scenario that involves all parties to be able to quickly respond in a breach situation.”

Patrick McGuinness, SVP, Technology Governance, Risk, and Compliance, Starwood Hotels

73% of organizations do not believe a fourth party would notify them during a breach.

Source: Ponemon Institute, Data Risk in the Third-Party Ecosystem, 2016, http://www.buckleysandler.com/uploads/1082/doc/Data_Risk_in_the_Third_Party_Ecosystem_BuckleySandler_LLP_and_Treliant_R....pdf.

Source: CEB analysis.

Recommended CEB Resources

■ Research: Third-Party Risk Management in the Modern Enterprise

■ Topic Center: Third-Party Risk Assessments

■ Tool: CEB Ignition™ Guide to Building a Cyber Crisis Testing Program

■ Tool: CEB Ignition™ Guide to Developing a Security Incident Response Plan

High-Risk Fourth Parties (Figure 10):

■ Fourth parties that have access to the organization’s sensitive or critical data

■ Fourth parties that are commonly used by third parties and present centralized risk

■ Fourth parties that help operate important activities in the supply chain


10. Anticipate Instability Among Large Cybersecurity Vendors

In the past, products from large cybersecurity vendors with revenue over $500 million (e.g., FireEye, McAfee, Symantec) seemed like safe bets relative to volatile startup vendors. Large vendors often offer proven technologies with large client bases, robust customer support, implementation-friendly configurations, and the promise of incremental updates over time.

Unfortunately, this stability may deteriorate. In fact, evidence suggests it already has (Figure 11).

The Driver of Vendor Instability: A Changing Threat Landscape

Large vendor offerings’ effectiveness can quickly diminish with fast changes in the threat landscape. Although the threat landscape has always evolved, attackers have used remarkably more-creative monetization strategies in the past year that bypass mature technologies. These shifts can render existing tools less useful and leave Information Security scrambling to find replacement tools or other mitigating controls.

Evidence of More Instability on the Horizon

Recent news from large vendors signals deeper changes in the business and threat environment that will cause even more instability in the near future.

Figure 11: Signs of Instability Among Large Cybersecurity Vendors (Recent News Headlines)

Have You Done the Following Things?

■ Monitor disruptive events among your cybersecurity vendors, including M&A activity and leadership transitions.

■ Rethink assumptions about the effectiveness of mature cybersecurity vendor technologies.

■ Consider startup cybersecurity vendors when identifying new technology purchases.

What Your Peers Are Saying

“I could see companies bringing in more stand-alone, emerging tools and loosely integrating them into their environments, especially if mature security technologies decline in effectiveness.”

Jim Gottsacker, VP and CISO, State Farm Insurance

Source: https://www.fireeye.com/company/leadership.html; https://www.symantec.com/about/newsroom/press-releases/2016/symantec_0801_01; http://www.forbes.com/sites/antoinegara/2016/09/08/tpg-makes-a-big-cyber-security-bet-on-mcafee-as-intel-refocuses-under-ceo-krzanich/#69c512d41d06; http://www.businessinsider.com/intel-spins-off-mcafee-2016-9; http://www.reuters.com/article/us-fireeye-results-idUSKCN10F2HD.

In the News: CEO Turnover
What It Means: Faster Innovation, New Strategies. Large vendors (e.g., McAfee, FireEye, Symantec) have new CEOs who are likely to push faster innovation, new products, and strategic shifts that affect existing customers. CEOs may be faster to cut losses, leaving customers to replace unsupported technologies.

In the News: M&A Activity
What It Means: Compressed Product Lifecycles. Large vendors, including Symantec and IBM, are acquiring emerging technologies to advance growth—a strategy that renders existing products obsolete more quickly. Technology retirement schedules may compress, and information security roadmaps will likely face greater uncertainty.

Two Ways to Brace for More Instability Among Large Vendors

Information security functions can prepare today for increasing volatility among large cybersecurity vendors:

■ Resign yourself to continuous integration of tools. Security can no longer expect effective tools to come packaged in tightly integrated suites. In fact, full tool integration itself is no longer a realistic goal; technologies will change at a rate such that there are never periods of technology stability. Integration will become a continuous process of improvement with no start date, completion date, or defined end state.

■ Rethink your vendor cost–benefit calculus. Mature cybersecurity vendors’ declining effectiveness may shift vendor cost–benefit analyses in favor of relying on smaller, less mature vendors for innovative products and services. If instability among mature vendors persists—while their offerings remain just as expensive—it may make more sense to explore the benefits of startup technologies before their own success inevitably renders them less effective as they mature.

Note: Last year, we outlined the benefits of being a laggard in new technology adoption (2016 Security Outlook, p. 10). This is an important reminder that technology adoption decisions are nuanced. Essential considerations include the following:

■ Adopting bleeding-edge technologies typically requires a large, highly skilled team. Security functions without these resources may not fully realize the benefits of some emerging technologies.

■ Bleeding-edge technologies are not a substitute for diligent security controls hygiene. Security functions may rightfully elect to be a technology laggard and focus more resources on improving controls hygiene.

Recommended CEB Resources

■ Blog Post: Lessons from FireEye’s Fall from Grace

■ Infographic: Emerging Technology Roadmap 2015–2018

■ White Paper: Prioritize Financial Viability and M&A Likelihood in Security Vendor Selection (p. 9)

News

FireEye Welcomes New CEO June 2016

Symantec Purchases Blue Coat, Inherits New CEO Aug. 2016

Intel Spins off McAfee, Announces New CEO May 2016

FireEye Plans 10% Workforce Reduction Aug. 2016


Contact Us to Learn More

Phone: +1-866-913-8101

E-Mail: [email protected]

Web: cebglobal.com/information-risk

About CEB

CEB is a best practice insight and technology company. In partnership with leading organizations around the globe, we develop innovative solutions to drive corporate performance. CEB equips leaders at more than 10,000 companies with the intelligence to effectively manage talent, customers, and operations. CEB is a trusted partner to nearly 90% of the Fortune 500 and FTSE 100, and more than 70% of the Dow Jones Asian Titans. More at cebglobal.com.