Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘information security’

NASDAQ Hack Just Another Example of Cyber Security Vulnerabilities

Monday, February 7th, 2011

In a weekend highlighted by banal football chatter, a critical news story received minimal attention. Beyond Packers, Steelers, and new Bud Light commercials, the Wall Street Journal reported a security breach of NASDAQ last Friday. Apparently, hackers penetrated the NASDAQ OMX Group which runs a service providing “secure” communications between public companies and their boards. The target application known as “Directors Desk” is a privately-run collaboration system for corporate mucky-mucks.

This breach is yet another example of what cyber security is all about. These guys knew what they wanted (i.e., insider information) and found a way to get it. I read through a number of stories about this breach and none of them indicated when this breach took place. The bad guys could have been intercepting confidential communications for months or years. Imagine how much money you could have made if you had access to board of director-level banter for the past 6 months? That’s likely what took place here.

In the recently-published ESG Research report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure” (available for free download at www.enterprisestrategygroup.com), 68% of the critical infrastructure organizations surveyed had experienced at least one security breach over the past 12 months. As of Friday, we can officially add NASDAQ to this list. I hope that this breach scares the heck out of CEOs, corporate boards, Wall Street, and Congress. Many public and private organizations are sitting ducks in an increasingly insidious cyber security landscape.

Does anyone else hear a ticking time-bomb?

Public Cloud Concerns

Monday, January 31st, 2011

Whenever IT professionals are asked about cloud computing, they say that their organization is interested but cautious. Yes, they are doing a lot of research and planning and some are using public cloud services for software development and test or publicly-facing web applications. What about mission-critical applications or private data? No way, too risky!

ESG Research recently surveyed 611 North American and European IT professionals working at mid-market (i.e., 100-1000 employees) and enterprise (i.e., more than 1000 employees) organizations and asked them questions about their IT plans for 2011 and beyond. Of those surveyed, 42% said that public cloud computing would have little to no impact on their organizations’ IT strategies over the next 5 years. When asked why, security and privacy were their primary concern, but there were others as well. Here are the top 5 reasons stated:

  • Data security/privacy concerns: 43%
  • Feel like we are giving up too much control: 32%
  • Too much invested in current IT infrastructure and staff: 32%
  • Cloud computing offerings need to mature: 29%
  • Satisfied with existing infrastructure and processes: 28%

Times and attitudes will change and IT professionals may indeed feel threatened by cloud computing. Nevertheless, the ESG data indicates that cloud computing hesitation goes beyond security, privacy, and compliance issues alone. These attitudes will only change with time, experience, and real metrics demonstrating cloud ROI and business benefits.

Attention RSA Conference: Let’s Not Dwell on Cloud Security!

Monday, January 24th, 2011

The 2011 RSA Conference is only three weeks away, so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I’ve been getting lots of e-mail about what vendors will discuss at the event and I’ve also spent a bit of time perusing the conference website.

This activity leaves me a bit concerned. Why? There seems to be a tremendous focus on cloud security at this year’s event: all kinds of “voyage to the cloud” rhetoric, how security is the biggest hurdle, and a plethora of tools, technologies, and services aimed at addressing cloud security.

Now don’t get me wrong; cloud security is an important topic. There is a tremendous amount of brainpower and investment going into cloud computing. Yes, we will get to a cloud computing model over time and security is truly a stumbling block. This issue is being addressed by organizations like the Cloud Security Alliance (CSA) and NIST’s Federal Risk and Authorization Management Program (FedRAMP). My issue isn’t with the topic per se; it is with the prioritization of the topic. When ESG asked 611 European and North American IT professionals to define their top IT initiatives for 2011, 16% responded with “increase the use of cloud computing services.” This was the 12th most popular answer, well below such things as “increase use of server virtualization” (30%), “manage data growth” (24%), and “major application or deployment” (23%).

We certainly need to be proactive with cloud security, but let’s not get carried away with addressing future risks when we are swimming in so many currently. In the recently published ESG Research Report, Assessing Cyber Supply Chain Security Risks Within the US Critical Infrastructure, 68% of cyber security professionals working at critical infrastructure organizations believed that the threat landscape is worse today than it was two years ago. When the entire security community gets together at RSA, shouldn’t we be focused on why security professionals feel this way and what we can do to address this increasing threat landscape?

If I were running the show, here are some of the things I’d focus on:

  1. Sophisticated and evolving threats. We all need a better understanding of our adversaries–who they are, what they do, and how they think. A new piece of malware is created every 1.5 seconds. Shouldn’t we dedicate security brainpower to this real problem?
  2. Creating, monitoring, and enforcing security controls. The security industry is too hung up on products. We need more discussion on sound policies, processes, and controls–not just the latest threat management widget du jour.
  3. Security management. Closely related to number two, we need better ways of collecting, analyzing, and reacting to an avalanche of IT data.
  4. Identity. This issue gets more dicey each year. We need to talk more about the people and devices that interact in cyberspace and how to better control these relationships.

I understand that security vendors want to make money and that PR and hype are a big part of the technology market. That said, we as a security industry must recognize that we aren’t selling PCs, gaming software, or disk drives. If we can’t secure our existing networks and databases, will any responsible organization ever move to cloud computing?

Top IT Priorities for 2011

Thursday, January 13th, 2011

According to ESG’s 2011 IT Spending Intentions survey, here are the top five IT priorities for enterprise (i.e., more than 1,000 employees) and midmarket (100 to 999 employees) organizations over the next 12-18 months:

  • 30% Increase use of server virtualization
  • 24% Manage data growth
  • 24% Information security initiatives
  • 23% Major application deployments or upgrades
  • 22% Improve data backup and recovery

Note that the hyperbolic topic of cloud computing is conspicuously absent from the list. It does make an eventual appearance: 16% of the 611 global IT professionals surveyed responded that “increase use of cloud computing services” was a 2011 priority, making this the 12th most popular response. There may be lots of interest in cloud computing, but the top five list is composed of more immediate priorities.

Will There Be A Shortage of Cyber Security Professionals in 2011?

Monday, January 3rd, 2011

Happy New Year everyone!

In my last blog of 2010, I wrote about the multitude of opportunities for skilled security professionals. According to ESG Research, cyber security jobs should continue to grow at a healthy pace in 2011. For example:

  1. 58% of large mid-market (i.e., 500-1000 employees) and enterprise (i.e., 1000 employees or more) organizations will increase spending on cyber security in 2011. This is up from 2010 (55% said they would increase cyber security spending) and 2009 (36% said they would increase cyber security spending).
  2. 27% of the organizations surveyed as part of ESG’s 2011 IT Spending Intentions research indicated that “information security initiatives” are a top IT priority for the next 12-18 months.
  3. 35% of organizations plan on hiring IT security professionals in 2011.

Certainly good news for cyber security professionals seeking jobs, but this could also be bad news for the overall state of cyber security. Why? Ironically (given the fact that unemployment still hovers around 10%), we will likely face a shortage of skilled cyber security professionals in 2011. This may already be happening. Leading cyber security institutions like Carnegie Mellon University, Purdue University, and Norwich University already report full placement for cyber security graduates and there is a plethora of unfilled federal cyber security jobs. Organizations located in small markets and rural areas also report difficulty in recruiting.

We will need a focus on training, federal funding, and security services in 2011 or face a growing cyber security skills deficit. If this happens, everyone will suffer.

Need A Job? Try Information Security

Monday, December 20th, 2010

If you are an out-of-work IT person looking for your next challenge, I have a suggestion: Go study information security and pursue some sort of certification like a CISSP.

According to ESG Research, 22% of mid-market (i.e., 500-1000 employees) and enterprise (i.e., 1000 employees or more) organizations believe that they have a problematic shortage of information security skills within their IT organizations. Furthermore, of those organizations planning on hiring new IT staff positions in 2011, 35% plan to hire for information security positions.

This data doesn’t surprise me one bit. Security professionals are always in demand, even during the depths of the recent global recession. Combine today’s malicious threat landscape, multiple security vulnerabilities, and IT complexity, and we need all the security help we can get.

Security Spending Segmentation

Thursday, February 25th, 2010

According to ESG’s 2010 IT Spending Intentions data, 55% of midsized (i.e., less than 1,000 employees) and enterprise (i.e., more than 1,000 employees) organizations will increase spending on information security products and services in 2010.

Great news for the industry, but further analysis provides a more nuanced picture: while 61% of enterprises will increase spending, less than half (48%) of midsized companies will do so. Marketing VPs should take note and filter budget dollars toward enterprise sales and marketing programs.

Furthermore, information security spending intentions vary widely by industry. The industries most likely to increase spending include financial services (69% of organizations), health care (57% of organizations), and federal government agencies (56% of organizations). State/local government (47% of organizations), education (42% of organizations), and manufacturing (41% of organizations) are less apt to increase information security spending.

As for sales of individual security products, financial services, health care, and the federal government are looking at big enterprise security projects like identity management and information assurance, while state/local government, education, and manufacturing are more focused on tactical areas like network or endpoint security.

ESG’s data backs a theory I’ve had for a while: there are no more horizontal markets. Rather, different companies and industries use technology very differently.

Smart security vendors understand this and apply these lessons to their go-to-market execution. Others continuously struggle.

© 2011 Enterprise Strategy Group, Milford, MA 01757