What kept your CISO up last night? What market forces and threats are most impactful to your peers? How will these shape the future of enterprise security? Bill Burns, Informatica CISO and former Scale Venture Partners Executive-in-Residence, formed an InfoSec investment thesis by combining his 20+ years of domain expertise with over 100 CISO peer interviews and online survey responses. In this session Bill will share his results and perspectives on what's ahead for practical enterprise security.
2. Today’s Goals
• What trends affect your security program?
• What are other CISOs doing about them?
• What should you focus on going forward?
Public 2
3. Who and Why am I here?
• Goal: Invest in InfoSec, share back to security community
• Background in Security @ scale
– Co-developed Amazon CloudHSM for IaaS hardware roots of trust
– Deployed one of the largest distributed, hybrid cloud WAFs
– Corporate IT “all-cloud”, mobile-first security strategy
– Public Root CAs, PKIs
• Active advisor: RSA Conference Committee, ISSA CISO Forum, ISSA CISO Career Lifecycle, Startup Technical Advisory Boards
• Previously:
5. Research Methodology
1. Scale Venture Partners: 35-question survey
2. In-person interviews: 22 peer CISOs, across 15 industries
3. Expanded survey via Wisegate; total data set: n=102
4. Only small variations between both datasets
5. Not statistically rigorous; margin of error = +/-7% @ 90% confidence
6. Demographics – Reporting Structure
Who does the Security Lead / CISO report to? (pie chart)
• CIO: 63%
• CRO/Risk: 10%
• CFO: 7%
• CEO/President: 5%
• Legal/Privacy: 4%
• Other: 11% (COO, CTO, Managing Director, EVP, Strategy)
Impacts budget approval, project prioritization, implementation friction.
7. How is Security Organized within your company? (pie chart)
• Centralized: 55%
• By LoB: 5%
• Hybrid: 37%
• Other: 3%
Impact to project approval, implementation processes, ability to execute.
8. Who handles operational security tasks? (pie chart)
• Security Dept Exclusively: 46%
• Other Teams: 18%
• Shared: 36%
Examples:
• Firewall rules, maintenance
• System Patching
• Vulnerability Scanning
• Configuration Management
Impact to budget approval, implementation processes, operational ownership, mean time to resolution.
9. HOW DID WE GET HERE?
Top Trends: Where are we headed?
10. Security Forcing Functions – Mobility & BYOD
Smartphones: 58%
Tablets: 42%
By 2017, 50% of employers will require you to BYOD for work.[2]
By 2018, 25% of enterprise traffic will flow directly mobile-to-cloud.[3]
Sources: (1) Pew Research, Jan 2014 | (2) Gartner May 2013, (3) Nov 2013
11. Security Forcing Function – Cloud-IaaS
• Clouds are compelling for businesses, hard for old security controls to match pace
• AWS Example:
– ~Quadrupled # of services in past 4 years
– Reduced pricing 42 times in 8 years as they age equipment out
Source: AWS
[Chart: Total Amazon Elastic Map Reduce (EMR) Clusters Launched by Customers, 5/2010 to 10/2012: 3.7 M clusters launched since May 2010]
[Chart: Amazon S3: Total Objects, Q4 2006 to Q2 2012: 1.3 trillion total objects; 835,000 peak requests/sec]
12. Even Security Products Are Embracing Cloud Services
[Chart: Global Cloud-Based Security Forecast, 2010 to 2017 (y-axis 0 to 4000, units not labeled)]
[Chart: Cloud security services consumed over the next 12 months, % of respondents (each between 18% and 27%), for:]
• Email security services
• Web security services
• Website protection (fraud, DoS)
• Application security testing
• Identity and access management
• Security intelligence engines
• Vulnerability assessment services
• Web application firewall as a service
• SIEM as a service
• Tokenization/encryption as a service
14. What did we learn?
• Cloud usage at companies falls into three buckets. Which describes yours?
– Cloud Always: New companies. Born with the Cloud. No desire for on-prem infrastructure.
– Cloud First: Existing companies. Pick Cloud-based alternatives first.
– Cloud Cautious: Laggards or Heavily-regulated. See the benefits in limited use cases.
15. What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
16. CISOs: Externalities and Forcing Functions
Q: “What top trends most/least affect your security program?”
CISOs are most concerned about maintaining security and compliance while losing direct control of the underlying infrastructure.
[Chart: Sum - Affected vs. Sum - Unaffected responses (0 to 50), annotated Most Affects / Least Affects, for the trends polled:]
• Agile/DevOps
• BYOD
• Consumerization of IT / Shadow IT
• Increased regs or compliance
• Mobile/IoT
• IT Automation / API-level integrations
• Mobility (smartphones and tablets)
• Cloud-SaaS
• Ubiquitous Internet Access
• Cloud-IaaS
• Weaponization of the Internet / State-sponsored espionage
• Work / Life Integration
17. What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
• Their top concerns are growing…
18. CISOs: What kept you up last night?
(Q: “What are your top 3 risks right now?”)
19. CISOs: What kept you up last night?
(Q: “What are your top 3 risks right now?”)
Top 6 (%):
• Malware Outbreak: 16%
• Breach of sensitive information: 16%
• Malicious Outsider Threat: 8%
• Malicious Insider Threat: 6%
• Advanced Persistent Threats: 5%
• BYOD Management & Security: 5%
Top 20:
• Malware Outbreak
• Breach of sensitive information
• Malicious Outsider Threat
• Malicious Insider Threat
• Advanced Persistent Threats
• BYOD Management & Security
• Social Engineering
• Privacy & Regulatory Compliance
• Identity Management
• Threat & Vulnerability Management
• 3rd Party / Supply Chain Security
• End User Training
• Asset Management
• Cloud Security
• IT Continuity
• People Security
• Server security
• Cyber Threat Intelligence
• Governance
• Insider Unintentional threat
20. Programs based on risk, business alignment, maturity, cost
(% of respondents, Priority 1 / Priority 2 / Priority 3)
• I decide based on how much money we have in our budget: 10% / 14% / 26%
• I look at what parts of the program we need to mature: 18% / 20% / 45%
• I look at changes to our business strategy: 23% / 33% / 24%
• I use a risk-based approach: 50% / 34% / 5%
21. Top risks are growing for my company
[Chart: for Top Risk #1, #2 and #3, share of respondents answering GROWING for Your Company vs. SHRINKING for Your Company (0% to 100%)]
22. Top risks are growing for my industry, but even more!
[Chart: for Top Risk #1, #2 and #3, share of respondents answering GROWING for Your Industry vs. SHRINKING for Your Industry (0% to 100%)]
23. What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
• Their top concerns are growing, but
• They aren’t confident in their current controls …
24. Q: How confident are you that your current controls are working?
A: Slightly more than 50%
[Chart: confidence in current controls for Top Risk #1, Top Risk #2, Top Risk #3 (0% to 100%)]
25. What did we learn?
For CISOs:
• Cloud, Mobility and Compliance put pressure on their security programs
• Their top concerns are growing, but
• They lack confidence in their current controls, and
• They struggle to measure impact on the business
26. Lack of Metrics, Unable to Map to Business Impact
Q: Do you have metrics to track your top risks? A: Half do NOT have metrics (!)
[Chart: Yes vs. No for Top Risk #1, Top Risk #2, Top Risk #3 (0% to 60%)]
27. WHAT ARE THEY PLANNING TO DO ABOUT IT?
Survey Results
28. Protecting Corporate Data – At Every Enforcement Point
Data-centric controls to protect enterprise information are hot: the most desired control for any enforcement point.
As IT hands off infrastructure control, CISOs focus on the data. Shared risk models are a nod to the expanding universe of user devices and the dissolving enterprise perimeter.
31. Messaging, Collaboration, File Sync/Sharing Security Controls
[Chart: Priority 1 / 2 / 3 ranking, % of respondents (0% to 90%), for:]
• Information protection and control (DLP, tracking, masking, encryption)
• Antispam / Antiphishing / Brand Reputation
• Antivirus / Antimalware
• Encryption / Encryption Key Management
• Social Media / Social Networks
• Content filtering
32. Infrastructure Security Controls
(% of respondents, Priority 1 / Priority 2 / Priority 3)
• Encryption / Encryption Key Management: 21% / 29% / 21%
• Web application firewall: 26% / 15% / 29%
• Database Firewall / Activity Monitoring: 13% / 21% / 22%
• Sandboxing / Process isolation / lightweight containers: 7% / 15% / 12%
• Information protection and control (DLP, tracking, masking, encryption): 32% / 21% / 16%
33. 4. Automate All the Things
CISOs want automation, orchestration to manage point solution sprawl.
APIs: Three-quarters of CISOs are building or integrating solutions to address their top risks.
34. Q: Did you need to build something custom to address your top risks?
A: Yes, we had to build something to address our top risks.
[Chart: share of respondents who built something custom for Top Risk #1, Top Risk #2, Top Risk #3 (0% to 100%)]
35. 4. Automate All the Things
Anecdotes:
• “I’m always adding new controls, I can’t turn anything off!”
• “When tool X finds something wrong, why can’t system Y apply a fix or contain the risk?”
• “I can’t afford to keep adding staff to monitor GUIs and consoles. Why can’t tools automate this?”
40. Network Security Controls – don’t address top externalities
(% of respondents ranking each as Priority 1)
• Software-Defined Networking & Security Automation: 9%
• Network Admission Control: 6%
• Firewall: 22%
• Unified threat management (UTM): 26%
• Intrusion detection and prevention: 28%
• Cloud Service Brokers / Cloud Application Gateways: 9%
41. [Same chart as slide 40: Priority 1 share for network security controls, from Software-Defined Networking & Security Automation to Cloud Service Brokers / Cloud Application Gateways]
…But implementing Cloud gateways would
42. IAM – Still biased towards basic controls
(% of respondents, Priority 1 / Priority 2 / Priority 3)
• Converged physical / logical security: 9% / 12% / 9%
• PKI, Digital Certificates: 3% / 9% / 25%
• Social Media Identity Management: 6% / 9% / 12%
• User provisioning and identity management, especially Cloud, SaaS, social media: 25% / 26% / 12%
• Web SSO (includes federation): 22% / 13% / 13%
• Risk-, behavior-, context-based authentication, authorization: 10% / 18% / 18%
• Advanced authentication & identification schemes: 25% / 13% / 12%
43. Incident Response – Need actionable data, not more feeds
(% of respondents, Priority 1 / Priority 2)
• Threat Feeds, Intelligence, Sharing: 31% / 22%
• Forensics and incident investigation (includes "Mandiant In A Box"): 10% / 9%
• Incident Response Automation, Orchestration: 15% / 28%
• Proactive detection, automated / real-time response: 44% / 41%
44. INSIGHTS – CALL TO ACTION
Information Security Market
45. Insights & Calls to Action
1. IT handing off infrastructure control of endpoints and networks
– Shared risk requires *aaS vendors to have security and auditability core features
– Authentication and Data become the new perimeters; controls move closer to data
– User endpoints are typical attack vector; focus on intel, orchestration, encrypt/wipe
– Build “right to audit”, security best practices in your partner agreements; test them
2. Predictive, behavioral analytics become standard security features
– Broad, horizontal function applicable everywhere (logs, app execution, network)
– Potential to increase confidence, faster remediation, lower false positives
– Early market, room for maturity. Start building simple metrics to measure efficacy.
46. Insights & Calls to Action
3. Teams embrace automation, SecDevOps, cloud security services
– Integrating security into dev workflows improves visibility, consistency, efficacy
– Security products will offload compute, storage to cloud to keep up with attackers
– Buy/build products based on APIs not GUIs, data interoperability
– Worry less about threat feeds, focus on incident response and automation
4. Virtuous Cycle to focus on improving your security program maturity
– Mature security programs have more confidence in their controls
– Measurability leads to better insights, confidence, prioritization
5. CISOs, exec mgmt, Boards need broad security metrics, risk insights
– Aggregate your security point solutions to build holistic risk scores
– Identify, create metrics that show security program’s impact on business
47. Insights & Calls to Action
6. Future Look: Enterprise security controls respect user privacy
– End users are becoming their own Chief Privacy and Security Officers.
– Confluence of forces: Work/Life Integration, Mobility, BYOD, Privacy
– Mutually beneficial: Users trust security teams to protect their BYOD, still protect corporate data
– New class of vendors observing a personal/work separation in usage, flows
48. Bill Burns | CISO | Informatica | BBurns@Informatica.com | @x509v3
Thank you!
Security-Research@ScaleVP.com