High-risk Staff? Executives and IT Are Equally Risky
It has long been a subject of discussion in security departments, and entire vendor business offerings are built around it: How do you control and monitor the activities of high-risk users in your system’s environment? But who are the highest risk users? We asked that very question in our Wave 14 Information Security Study, and while most of the results are as expected, at least one might be a surprise.
When it comes to the personnel types security managers are most concerned about, contractors and temporary staff easily top the list, doubling the percentage of responses over the next-highest answer, remote employees.
An equal percentage of respondents, 11%, believe the highest threat to be IT staff with elevated privileges or executive management personnel’s use of computing resources. It may seem surprising that technology employees holding the “keys to the kingdom” in terms of passwords and production access are rated only as risky as senior executives, but both are staff types that typically have the authority to bypass security controls if they elect to. The first can simply abuse the privileges they have been issued to do their jobs; the second has the organizational authority to potentially force a bypass of security controls.
When asked if they were more concerned about internal or external security events, security managers recorded a nearly even split. Twenty-two percent (22%) were most concerned about internal, another 22% were concerned about external threats, and the majority, 55%, said they were equally concerned about internal and external security threats.
Reflecting that split, 39% reported that the majority of their security incidents were internal, and 33% said the majority of incidents originated externally. Eleven percent (11%) reported they had not had a security incident, that they were aware of, in the past 12 months.
Webinar: 2012 Information Security Forecasts
2012 Information Security Forecasts – Who Will be the Winners & Losers?
Wednesday, December 14, 2011 2:00 PM – 2:45 PM EST
Replay Link: 2012 Information Security Forecasts
Some of the key trends we will be discussing from our Information Security study are:
Information Security spend is strong with many diverse drivers:
- Directionally for 2012, Information Security Professionals are not planning a slowdown. Thirty-seven percent are planning an increase in spend, with 16% planning a decrease.
- Thirty-nine percent are spending more in 2011 vs. 2010, and only 15% are spending less – showing the resiliency of the market in challenging economic times.
- In the one-on-one interviews, decision-makers detailed compliance, mobile devices and preventing data loss as the drivers for spending increases.
Data Leakage Prevention (DLP) and Application-Aware Firewalls are products on the move:
- Data Leakage Prevention (DLP) resides in the top spot of TheInfoPro’s proprietary Information Security Technology Heat Index™, which gauges immediacy of planned implementation for 40 technologies, as the G2000 look to protect custodial and intellectual property data from leaking out of their environment.
- The traditional antivirus vendors, Symantec (SYMC) and Intel’s (INTC) McAfee, look to benefit with rollouts of both endpoint and network DLP on tap.
- Application-Aware Firewalls make a nice jump in the Heat Index, with Palo Alto and Check Point (CHKP) benefiting from the 28% of in-plan implementations.
- Palo Alto will be a vendor to watch as it is beginning to replace some of the major incumbent providers with its application-visibility-based approach.
Who Does Infosec Report To?
At an information security leadership conference years ago, the debate topic was raised: “Who should the information security head report to?” A number of different reporting structures were represented at the table, and each security lead made his or her impassioned argument as to why it was best that security be situated in IT, legal, compliance, finance, audit, or other arrangement.
To hear that debate, as well as sources in the information security trade press, you would assume there is little alignment from organization to organization as to where the information security department sits. Here, as with many similar questions, TheInfoPro has an advantage: we can simply ask a critical mass of security managers where information security sits in the organization, to see where the org chart’s evolution is taking us. The response: it is still information technology.
Originally published as a ThursdayTIP to the respondent network of TheInfoPro. Would you like to receive all of the ThursdayTIP reports when they are first released? Sign up here for TheInfoPro’s respondent network.
Perhaps concerning, only 70% of enterprises identify information security as its own department within the organization, from which one can extrapolate that in 30% of firms there is no single dedicated security resource in place. Ninety-two percent (92%) situate information security somewhere within IT, whether reporting directly to the chief information officer (CIO), 36%, or to the head of IT, 20%, or buried further down the IT management food chain. Of the 8% outside of IT, popular responses for whom security officers report to included the head of compliance, the COO, internal audit, or a head of risk management.
Respondents provided the following comments illustrating where the security role fits within their organizations:
- “This is difficult for me to answer. If you count heads, the answer is yes, but of all the people doing security work, do they all fall under security? No. It’s tough to answer this without potentially skewing the data.”
- “Yes – within IS, there are five departments: network services, clinical systems, business operations, and executive info systems, IT governance.”
- “We are part of infrastructure management org, which is part of the business process organization. This will change when we name a CISO, who will report directly to the CIO. We will be a separate function from IT and infrastructure management.”
- “CIO, he is also the CISO.”
Included in this narrative is the final bullet above, which illustrates the somewhat common, but nonetheless dubious, arrangement where the same person is responsible for both IT management and information security. I say dubious because clear separation-of-duties issues emerge in such an arrangement: the yin of wanting to deliver on IT projects is not balanced properly against the yang of considering those implementations in a security risk management context, which frequently adds requirements and may even close off certain implementation paths because they incur too great a risk to the enterprise.
Tracking Exciting Vendors, Security Wave 14
Far and away, the choice of both large and midsize enterprises for the most exciting vendor this wave in terms of products and services was next generation firewall maker Palo Alto Networks. The application-aware firewall or next generation firewall, a fusion of the capabilities of stateful and application firewalls, is generating a good buzz amongst respondents: “Palo Alto’s probably the most innovative I’ve dealt with, specifically their application discovery or app[lication] identity.”
The second most exciting vendor in aggregate (full sample) is FireEye with its advanced malware detection solutions, buoyed strongly by responses amongst midsize enterprises. Rounding out the list of exciting vendors are industry stalwarts EMC (RSA), Symantec, and Intel (McAfee).
Originally published as a ThursdayTIP to the respondent network of TheInfoPro. Would you like to receive all of the ThursdayTIP reports when they are first released? Sign up here for TheInfoPro’s respondent network.
Application-aware firewalls also lead the network security pack with a heat score of 62 and a 28% in-use figure that could jump 33% if pilots and near-term plans come to fruition. Of the respondents with application-aware firewalls on their roadmaps, 39% see their organizations spending more in 2012, with Palo Alto Networks seeing the lion’s share of the benefit. If the company can convert on respondents’ long-term implementation plans, it could carve out a healthy niche of a firewall market currently dominated by Cisco and Check Point in our studies.
Anti-botnet solutions have had a warmer reception amongst midsize enterprises, where 14% have a solution in place and another 14% have an implementation in their plans down the road, with FireEye looking to benefit. Still, the technology appears not ready for prime time, with 73% of midsize enterprises reporting no plans for integrating these products.
What do respondents have to say on the top two exciting vendors?
- “Palo Alto – I like their mobile solutions.”
- “We’ve looked at FireEye and haven’t formed any opinion about whether to move forward.”
- “Palo Alto – next generation, not tied to traditional monitoring, but threat ID allows you to make rules more granular.”
- “We are very impressed with FireEye’s approach. In that space, other vendors will catch up.”
- “[Palo Alto does] a single pass instead of Fortinet’s multiple proxy, which hammers the resources and doesn’t give enough granularity in reporting. It’s a more cohesive design.”
- “FireEye’s virtual machine-based detection system for malware. It anticipates malware and tells you what may likely be malware before you can get signatures out.”
Realities of IT Consumerization Will Be a Boon for Mobile Device Management
IT consumerization is spreading into the enterprise environment, causing enterprise network managers some pain. As one respondent notes: “It’s common right now, adoption rate and the non-official adoption rate of high technology that can potentially be integrated into our enterprise is just out of control, just like a wildfire. Seems like we’re chasing after it with policy and tools; the end user is leading the pack. We even have some of that denial going on in our organization. Lots of people, technically savvy people, know how to read how to do [technical] things [to mobile devices] on the internet. A huge underground thing going on with mobile devices, everything. BlackBerries [these days], everybody chuckles, you still have a BlackBerry?”
The most common manifestation of this trend, as our respondent aptly noted, is the smartphone. In the table below, you can see that there is both an existing mass of non-enterprise-issued devices today, to the point where they far outnumber enterprise-issued devices, and that in the next 24 months the presence of non-enterprise devices will increase at twice the rate of enterprise-issued devices. Forever gone are the days of managing an environment that consists of a BES server and a handful of executive BlackBerries.
Originally published as a ThursdayTIP to the respondent network of TheInfoPro. Would you like to receive all of the ThursdayTIP reports when they are first released? Sign up here for TheInfoPro’s respondent network.
As is often the case, pain is a precursor to possibilities, in this case for mobile device management solutions. Mobile device management, or MDM, software is responsible for securing, monitoring, and assisting in the management of mobile devices in an environment across multiple providers, operating systems, and hardware. The primary goals of implementing such a solution are to reduce the provisioning and support costs of dealing with a multitude of devices accessing enterprise data, and to ensure that security controls are in place around having that data accessed by a variety of mobile devices.
When we asked respondents what types of non-enterprise devices were being connected to the network, the top answer at 50% came back as, perhaps not surprisingly, Apple. Forty-three percent (43%) of respondents noted a significant impact of non-enterprise mobile devices to the enterprise network.
In terms of vendors, RIM still leads the space for MDM technology in the enterprise, but according to respondents Good Technology is on its heels, with a number of implementations planned over the next six months.
Below is a sampling of user sentiment about MDM gathered thus far:
- “[We’re] using leading-edge mobile device management, Good Technology.”
- “McAfee has a new mobile management tool that is pretty cool. It allows you to segregate the device. Good Technology also offers mobile device management for the corporate network.”
- “Support is the greatest pain point. Our management doesn’t understand the impact of mobile to date or the future impacts.”
Of course we’ll have a fuller picture of the MDM space at the close of our ninth Networking Study.