Research Strategic Technology Report

© 2020 Trace3, Inc. All Rights Reserved

This Trace3 Strategic Technology Report analyses trends in cyber security, with a specific focus on:

• Endpoint Security Risk Management
• Secure Access Service Edge (SASE)
• Internet of Things in the Era of 5G
• Enterprise IT Governance, Risk and Compliance

Disclaimer – This document has been prepared solely for Trace3's internal research purposes without any commitment or responsibility on our part. Trace3 accepts no liability for any direct or consequential loss arising from the transmission of this information to third parties. This report is current at the date of writing only and Trace3 will not be responsible for informing of any future changes in circumstances which may affect the accuracy of the information contained in this report. Trace3 does not offer or hold itself out as offering any advice relating to investment, future performance or market acceptance.

Strategic Technology Report
Managing Cyber Security Risk

April 3rd, 2020

John Filitz, Research Analyst, Trace3



Contents

Executive Summary
Report Scope
Research Methods
About Trace3 Research
Did you Know?
Global Risk Landscape
  Risk Escalation
  Cyber Threats
  Regulatory Complexity
  Managed Services and Emerging Technology
Endpoint Security Risk Management
Secure Access Service Edge (SASE)
IoT in the Era of 5G
Governance, Risk and Compliance
What’s Next?
Baseline Forecast (2020 – 2023)
  Summary Evidence for Baseline Forecast
  Assumptions
  Market Activity
Forces Impacting Cyber Security (2020-2023)
  Social Forces
  Technological Forces
  Economic Forces
  Political Forces
Mitigating Information System Risk
  1. Risk Based Vulnerability Management
  2. Attack Surface Risk
  3. Breach and Attack Simulation
  4. Email Protection and Security Awareness Training
Conclusions and Recommendations
Appendix
  Featured Use Cases
  Relevant Links
  Sources


Executive Summary

Who should read this?

This report is targeted at strategic technology leaders seeking to address the growing cyber security challenges in an increasingly complex operating environment.[1]

Key Takeaways

Trace3 Research identifies three key trends in enterprise cyber security over the next one to three years:

1. Endpoint security risks continue the trajectory of escalation in sophistication and scope, with phishing, business email compromise and ransomware the leading threats to the enterprise.
   o The endpoint security market is undergoing necessary consolidation due to poor return on investment.
   o Endpoint Protection Platforms (EPP) increasingly address the challenge of endpoint security vulnerability and agent sprawl.

2. The demand for cloud-native security solutions that address the dissolving network perimeter[1] sees security solutions move to the edge.
   o Secure Access Service Edge (SASE) is more than marketing hype and gains traction as the demand for zero trust networking grows.
   o 5G ramps up demand for Internet of Things (IoT) security solutions.

3. Enterprise IT Governance, Risk and Compliance (GRC) will increasingly move out of the IT security department, requiring dedicated GRC strategies and resources.
   o The key to resolving IT GRC challenges resides in managed services.
   o Incumbent GRC solutions will face disruption by next generation data governance and GRC solutions.

Report Scope

This Trace3 Strategic Technology Report outlines the future direction of enterprise cyber security in the age of increasing risks and regulatory complexity. It shines a spotlight on three key considerations to keep enterprise information safe and secure:

1. Endpoint security is central to securing an increasingly distributed workplace.
2. In the era of 5G, IoT devices will become business critical for the enterprise – so too will be securing these devices.
3. Escalating regulatory complexity will necessitate more significant resourcing to bolster in-house GRC capability.

[1] For a comprehensive analysis on addressing security risks in the cloud, please see our Cloud Computing Horizon report.


Research Methods

This report was compiled and written by the Trace3 Research team. The report’s research area of focus is informed by a variety of factors, including research requests from Trace3 customers and field teams, emerging technology investment trends, and social/media/news momentum. From these factors, relevant areas of the technical landscape were analyzed to determine drivers of change, baseline forecasts, and likely challenges and uncertainties to be experienced. Forecasts and recommendations were developed reflecting the conclusions generated by the analysis. Vendors mentioned in this report are meant to be used for representative purposes only and do not represent an exhaustive list for each use case.

About Trace3 Research

To solve the IT problems of tomorrow, our research analysts leverage Trace3's unique access across the technology landscape to derive impartial insights. By identifying and analyzing technology and market trends, we enable customers to prepare for and master tomorrow's challenges before they arrive. Trace3 Research leverages our partnerships with numerous established and emerging technology companies, our experienced engineers, a large client ecosystem, and deep relationships with dozens of the top Silicon Valley venture capital firms to spot trends ahead of most industry pundits, allowing you to gain an inside advantage on tomorrow's trends and reduce your technical and business risk.


Did you Know?

• Prior to the Coronavirus Disease 2019 (COVID-19) pandemic, the cyber security market was expected to grow by 8%[2] to 12%[3] Compound Annual Growth Rate (CAGR) in the 2020 to 2023 period.
• It is too early to determine the full extent of the pandemic’s impact on the broader economy, and the cyber security market.[4]
• In the wake of the COVID-19 crisis and the shift to a fully remote workforce, endpoint security vulnerability becomes a leading security priority for the enterprise.
• Cyber security threats continue the trend of escalation, with phishing, business email compromise (BEC) and ransomware the leading threats.[5]
• There were 461,361 reported cyber incidents in 2019, representing $3.5 billion in losses – up from $2.7 billion in 2018 and 351,937 reported incidents.[6]
• The average cost of a breach is $3.9 million.[7]
• The average cost of a ransomware incident is $8.1 million and an average of 280+ days of recovery time.[8]
• Internet of Things (IoT) security vulnerability is fast becoming a leading threat vector, with IoT attacks increasing by 215% in 2018.[9]
• To address the rapidly escalating regulatory complexity, enterprise IT Governance Risk and Compliance (GRC) will move out of the IT Security Department, requiring dedicated resourcing.
• Third party managed security services will become an increasing feature of the enterprise security landscape as enterprises grapple with increasing security risk and regulatory complexity.

Source: Statista (2019)


Global Risk Landscape

In a rapidly evolving global risk landscape, enterprises face an arduous challenge of effectively managing continuously evolving cyber security threats while attempting to meet ever-shifting compliance benchmarks.

Risk Escalation

Resilience to risk has added meaning in 2020: Risks are presenting in a multitude of arenas, from the geopolitical and the economic, to the biological risk and fall-out associated with the COVID-19 pandemic. Operating in an increasingly high-risk context underscores the importance of having a proactive stance on enterprise cyber security and risk management.

Cyber Threats

Cyber security threats are undergoing a significant transformation in scope and sophistication, with statistics of reported cyber-crimes and their financial impact increasing year-over-year: The FBI’s Internet Crime Report (2019) finds a more than four-fold increase in the cost of cyber-crime related damages, with business email compromise and ransomware the leading threats to businesses. In 2019, reported damages from cyber-crime stood at $3.5 billion – 4x the 2014 figures of $800 million. The number of reported cyber-crime incidents also increased significantly, at 461,361 reported incidents for 2019 compared to 351,937 in 2018.[10]

The Online Trust Alliance (2019) finds ransomware attacks rose by 60 percent in 2018, representing a financial impact of $8 billion in damages. Losses attributed to business email compromise doubled, and crypto-jacking incidents more than tripled year-on-year. In line with the key theme at this year’s RSA Conference 2020, The Human Element, over 95 percent of these attacks were avoidable, with poor decision-making by users the single greatest attributing cause of compromise.[11]

Regulatory Complexity

At the same time, sweeping changes dominate the global cyber regulatory landscape with reference to data privacy and data security regulations, bringing about increasingly stringent regulatory frameworks across the world. The European Union’s (EU) General Data Protection Regulation (GDPR) (2018) and the recently enforced California Consumer Privacy Act (CCPA) (2020), in addition to a raft of other US state legislation currently under review, progressively place more cyber security and data privacy regulatory burden on businesses.

Managed Services and Emerging Technology

Maintaining cyber security resilience while adhering to evolving compliance requirements can be challenging for even the most well-resourced enterprise security department. It is here that third-party managed services and emerging technology solutions have key roles to play. Not only can managed services augment enterprise security departments struggling to find the expertise in a tight labor market, but they can also assist in bringing tried-and-tested security strategies to bear.

Emerging technology solutions too have an important role to play. Many of today’s security challenges are poorly addressed by incumbent vendor solutions. It is why it is essential for enterprises to experiment and innovate on protracted security challenges with emerging technology solutions. Emerging tech solutions are often well placed to address the security challenges of today, as well as those of tomorrow.


Source: Statista (2019)

Endpoint Security Risk Management

As computing becomes increasingly distributed, there is widespread consensus endpoint vulnerability is the leading threat vector with phishing, BEC and ransomware responsible for at least two-thirds of cyber security incidents. In 2019 the costs associated with ransomware attacks in the US have been estimated at $7.5 billion, affecting 113 state and municipal government agencies, 764 healthcare providers, 89 universities and over 1,200 schools. The average cost of a ransomware incident according to Emsisoft is $8.1 million, averaging 287 days for recovery.[12]

Conventional endpoint security solutions have suffered from a lack of efficacy as well as negatively impacting the operating system performance due to endpoint “agent sprawl.” On average, there are 10 agents installed on endpoints in enterprise environments which often conflict with each other, resulting in security lapses.[13] An additional weakness concerns the fact conventional endpoint security solutions are not designed to address the growing prominence of the dissolving network perimeter and edge computing, resulting in significant amounts of business critical data existing beyond the network perimeter, and often outside the reach of security controls.

Next-generation, cloud-native Endpoint Protection Platforms (EPP) address these shortcomings by including traditional port monitoring, firewall and anti-malware capabilities, with advanced threat detection and response capabilities. EPPs increasingly play an essential role in keeping the enterprise secure.[14]


Some of the key players in the Endpoint Protection Platform space include:

Secure Access Service Edge (SASE)

Cloud security is a concern for 93 percent of organizations according to ISC2’s 2019 Cloud Security Report, with data loss and data privacy rounding up the key concerns for enterprises in the cloud.[15] Secure Access Service Edge (SASE) aims to ease cloud network security worries by enabling zero trust networking. In a Gartner report titled The Future of Network Security is in the Cloud, SASE is seen as a groundbreaking shift to addressing cloud security concerns by combining cloud-hosted network security and cloud network management technologies in an integrated solution offering.[16] The move to SASE is an attempt to address the dissolving network perimeter with respect to securing network traffic from the edge. The key technologies enabling SASE include:

• Cloud Access Security Brokers (CASB).
• Firewall as-a-Service (FWaaS).
• Zero Trust Network Access (ZTNA).
• Software Defined-WAN (SD-WAN).
• Cloud Secure Web Gateways (SWG).


Although the maturity level of SASE solutions is still early stage, the incumbent security platforms such as Palo Alto Networks, Check Point Software Technologies, and Forcepoint are moving towards consolidating cloud hosted network security and cloud security technologies into integrated platform offerings. Similarly, network service providers such as Juniper Networks, Barracuda and Cisco are ramping up security capabilities and cloud integrations of their Software Defined-WAN and Secure Web Gateways offerings. Network traffic received from the edge passes through a SASE “traffic processing engine,” which inspects and passes on all security policies to that traffic, before forwarding it on to the cloud or data center.[17]

Source: Palo Alto Networks (2020)

Expect cloud security and networking vendors to move in the direction of developing SASE platform offerings i.e. Palo Alto Networks Prisma Cloud. Some of the key emerging players in the SASE space include:


IoT in the Era of 5G

Less than half of security professionals (47%) are confident they have adequately secured their IoT environments.[18] In the absence of an IoT security strategy, expect IoT security challenges to become more protracted in the era of 5G. The substantially larger 5G network channels will enable faster speeds of data transmission, while significantly reducing network latency. Forecasts estimate a network connection density of 1 million IoT sensors and devices per square kilometer.[19] The volume of deployed IoT endpoints according to 451 Research is expected to double by 2024.

Source: 451 Research (2019)

IoT security attacks are expected to continue the trend of escalation: In 2019, one Kaspersky honeypot attracted 105 million attacks in the first six months of 2019, received from 276,000 unique IP addresses. This is compared to 12 million attacks received by the honeypot for the same period in 2018.[20] SonicWall recorded a 215 percent increase in IoT attacks in 2018, and a 50 percent increase on 2018 figures for the first half of 2019.[21]


Source: SonicWall (2019)

Given the lightweight nature of IoT sensors and devices, firmware is often years out-of-date, and in many cases the firmware cannot be updated or patched. In addition to the exponential growth of IoT sensors and devices currently underway, remote access of physical sites and geographic sprawl are just some of the further challenges that add to IoT security complexity. Securing IoT devices requires a defense-in-depth approach to improving the security posture for the information system and the extended IoT ecosystem. Key security controls necessary to secure the IoT environment include:

• Establishing network visibility.
• Implementing network security controls and policy enforcement.
• Maintaining a regular cadence of vulnerability management and patching (where possible).
• Authorized and unauthorized user and device inventorying, auditing and management.
• Encrypting data in transit and at rest.
• Ensuring effective API security is in place.

Additional controls include the ability to detect and respond in the likely event of an incident, as well as the capability to restore the information system and recover the data after an incident occurred.


Leveraging an IoT security platform, either with a lightweight agent or with agentless monitoring capabilities, can significantly improve the security posture for an IoT ecosystem. Below are some of the key players that secure the IoT ecosystem:

Governance, Risk and Compliance

More onerous Governance, Risk and Compliance (GRC) reporting requirements drive demand for GRC services and related offerings. It is expected that the rollout of the California Consumer Privacy Act (CCPA) in January 2020 and a slew of similar data privacy legislation to come will ramp up demand for GRC skills and services. Resource and skills constraints at the enterprise-level will require managed services to make up for the shortfall in the short-to-medium term (one to three years). GRC capacity within enterprises will slowly be augmented, becoming a standalone function in mature enterprises. The demand for business continuity and disaster risk strategies is expected to gain significant traction during this period.[22]

From a technology standpoint, the past 12 to 18 months have seen significant consolidation in GRC Software-as-a-Service (SaaS) offerings – indicative of a maturing market. Some of the notable mergers and acquisitions include the SAI Global acquisition of BWise and the ACL GRC and Rsam merger and rebranding under Galvanize. Although the incumbents have a strong grip on the market, the growing operational complexity of multi-jurisdictional hybrid and multi-cloud environments, combined with a fast moving regulatory landscape, presents opportunities for innovative solutions to disrupt the marketplace, particularly evidenced in the data governance space.


Below are some of the key incumbent and emerging players in the GRC space:

Below are some of the key incumbent and emerging players in the data governance space:


What’s Next?

Baseline Forecast (2020 – 2023)

Prior to the COVID-19 crisis, the cyber security market cap was expected to increase from $167.14 billion in 2019 to $248.26 billion by 2023 – representing a Compound Annual Growth Rate (CAGR) of 8.2 percent during this period.[23] Other forecasts had growth pegged at 12 percent CAGR for the 2020-2025 period.[24] Given the fluidity of the COVID-19 crisis and how unprecedented it is, it is premature to make inferences on projected growth for 2020 and beyond. However, due to the current high-risk environment and business-critical nature of cyber security especially during the COVID-19 crisis, the demand for cyber security professional services is expected to remain resilient.[25]

[Figure: Pre-COVID-19, cyber security market worldwide, $ billions. 2019: 167.14; 2020: 184.19; 2021: 202.97; 2022: 223.68; 2023: 248.26. CAGR: 8.2%. Source: Statista 2020]

In the context of the shift to a fully remote workforce, key sub-sectors of the cyber security market including endpoint security, IoT and cloud security are expected to see sustained demand.[26]

Summary Evidence for Baseline Forecast

The key assumptions driving the growth of the cyber security market are:

• Escalating cyber threats and high probability of a data breach.
• Increasing shift to distributed computing environments.
• Increased demand in IoT security.


• More onerous data security and data privacy security and reporting requirements.

Assumptions

1. The risk probability of a cyber security breach historically increases year-on-year.
2. Managed security services become an integral component to securing the enterprise in 2020 and beyond:
   o Crisis situations such as COVID-19 and the shift to fully remote operations present a rapid escalation of cyber security risk as the attack surface area expands.
   o Early analysis points to a dramatic escalation in cyber security incidents in the wake of COVID-19.[27]
3. The move to hybrid-cloud and edge computing environments will drive cloud-native cyber security solution development and adoption.
4. The rollout of 5G networking will see a dramatic increase in the number of IoT sensors and devices, increasing the demand for IoT security solutions.
5. The demand for managed GRC services is expected to grow as multi-jurisdictional GRC reporting requirements increase in scope and complexity.

[Figure: Top factors leading to IT budget increases 2020 (N = 1005). Source: Spiceworks (2020)]

Market Activity

Cyber security market deal activity is expected to continue the trend of increasing consolidation. Venture capital seed funding is expected to cool off significantly in 2020.


[Figure: US cyber security market deals, January 2009 to March 2020. Source: CB Insights (March 23rd, 2020)]


Forces Impacting Cyber Security (2020-2023)

The section below considers some of the most significant social, technological, economic and political forces that will impact cyber security solution development and adoption over the next one to three years.

Social Forces

This report sees unmitigated risk as a defining social force shaping the enterprise landscape over the next one to three years. Risk is being manifest in a multitude of ways. The first concerns the high probability of a cyber breach and the challenges associated with mitigating this risk. Several definitive sources point to an alarming escalation in both the volume of data compromised and the financial costs associated with data exposure.[28] It is here that enterprises willing to innovate with emerging technology security solutions are better placed to mitigate risk more effectively.[29]

The second area of risk concerns having the necessary security controls in place to comply with emerging, multi-jurisdictional data privacy regulatory frameworks. Several US states, including New York, Maine and Nevada, are following California’s Consumer Privacy Act in legislating data privacy regulations. The need for effective enforcement and control over data security and privacy is a driving force shaping cyber security solution development and adoption. In this regard, expect more comprehensive solution development and investment in granular-level Data Subject Rights privacy solutions.

In addition, as shockwaves from the Coronavirus Disease 2019 (COVID-19) are felt, expect the demand for Business Continuity and Disaster Risk services, an often-neglected area of enterprise risk management, to escalate.

[Figure: STEP Analysis. Social Forces: Mitigating Risk, Data Privacy. Technological Forces: Cloud-Native Platform, 5G. Economic Forces: Recession, COVID-19. Political Forces: Nationalism, Nation State APTs.]


Source: Statista (2020)

Technological Forces

The trend of increasing market consolidation towards a platform based, single pane of glass console will continue, with less and less appetite in the enterprise for multiple security solutions offering narrow use-case functionality. The bulk of new investment in cyber security development will be cloud-native, while also taking hybrid cloud environments into account. There will be an increasing divide between incumbent and cloud-native security solutions, particularly evidenced by the on-premise and hybrid infrastructure incumbents and the cloud-native disruptors. This “forking” among the solutions will take on an added impetus with the roll-out of cloud-enabled 5G edge data center infrastructure.

Economic Forces

Considering the immediate negative impact of COVID-19 on global trade, with the leading indices experiencing their most significant declines since the 2008 recession, an economic slowdown and possible global recession present a medium-to-strong likelihood within the next 6 to 12 months.[30] The full extent of the disruption to the global economy will only be evident once the spread of the virus is curtailed and the threat effectively managed. Supply chain shocks, particularly related to the semiconductor industry, are expected to disrupt the global IT product market, among other adjacent markets.[31] Economic trade tensions between China and the US are expected to remain high, adding to global market uncertainty. Having business continuity, disaster risk and pandemic plans in place, with an emphasis on supply chain security and services continuity, will become more business critical in the wake of COVID-19.


PoliticalForces Thepoliticalfall-outfromCOVID-19isyettobedetermined.However,COVID-19-inducedxenophobiaisalreadystartingtorearitsheadwithinandacrossaffectedcountries.PoliticaltensionbetweentheUnitedStatesandChinaisexpectedtoremainhighastradetalkscontinue.TheupcomingUSnationalelectioninNovember2020isanadditionalfactorexpectedtoweighontheUSdomesticmarket.TheUSalsofacesincreasedcompetitionfromChinainICTtechnologydevelopment,thebedrockoftheUSdominatedInterneteconomy.ThisgrowingdiscordisbestcapturedinthedebateoverHuawei’sdominancein5Gtechnologyadoptioninwesterncountries.TheUSbannedHuaweifromparticipatingin5Ginfrastructuredevelopment.TraditionalUStradealliesinEuropehaveamoreambivalentstancewithreferencetoHuawei,clearlyinabidtonotcreatefall-outwithChina,whichistheEU’ssecondlargesttradingpartner.Nation-stateadvancedpersistentthreat (APTs) attacks and campaigns are expected to continue playing a leading role in propagating cyber espionage(China), critical infrastructure attack campaigns (Iran), cybercrime (North Korea), as well as political misinformationcampaigns (Russia).32 Safeguarding proprietary data and intellectual property at the enterprise should be keyconsiderationsforsecurityinvestment.

Mitigating Information System Risk

This section considers additional threat vectors from an information system risk and vulnerability management perspective as well as the leading SaaS solutions that address these risks.

1. Risk Based Vulnerability Management

It is essential that the enterprise information system be equipped with an autonomous vulnerability and risk assessment solution that monitors the information system risk and threats in real-time. It is equally important that the solution can detect and remediate risks as they arise, for instance by isolating non-critical systems from critical systems upon risk escalation.[33] Below are solutions effective at risk-based vulnerability management:

2. Attack Surface Risk

Reducing the attack surface results in a significant decline in risk. The first step to reducing the attack surface risk requires visibility across the environment. Solutions that can automatically detect and classify known and unknown assets are a critical first step to attack surface risk reduction. Below are solutions that play a key role in identifying and classifying assets in the information system:

3. Breach and Attack Simulation

Penetration testing is one of the tried-and-tested methods for improving security controls and maintaining a resilient information system. The reality, however, is that enterprises can at best undertake manual penetration tests once to twice yearly given the resources and effort required to perform such tests. It is one of the reasons why breach and attack solutions have an essential role to play in hardening the information system. Augmenting manual penetration testing with an attack and breach platform can enable enterprise security departments to continuously fine-tune security controls as well as test the robustness of cyber defenses. Real-time information on the resilience of the information system against continuously evolving threats plays a significant role in information system risk reduction. These solutions are at the forefront of breach and attack simulation:

4. Email Protection and Security Awareness Training

Business email compromise (BEC) remains one of the leading threat vectors for attack. Mimecast reported 90 percent of healthcare organizations experienced an “email-borne attack” in 2019.[34] In most cases of an email-related breach, it is the human element that is responsible for activating a malicious payload by opening files and clicking on links embedded in emails. Key to addressing the challenge of email-borne attacks is an email protection solution that proactively filters out phishing attempts, malicious payloads and malware. These solutions create an additional layer of defense against email-borne attacks:

Setting a regular cadence with security awareness training is considered essential to improving the cyber security posture of organizations. Making use of third-party security awareness training resources can make a sometimes-dull topic more engaging for staff. These solutions play a key role in facilitating and improving security awareness training:

Conclusions and Recommendations

Many enterprises find the task of addressing cyber security challenges an overwhelming one. Addressing cyber security vulnerabilities can often seem insurmountable due to the ever-evolving threat landscape. The aim of this report was to provide some insight into four business critical areas that are central lynchpins to securing the enterprise information system, requiring dedicated resourcing and investment. Below are Trace3 Research’s top cyber security centric recommendations for the enterprise in 2020 and beyond:

1. Endpoint Security Risk Management

o Endpoint security vulnerability is one of the leading points of failure. Addressing this vulnerability offers one of the greatest security ROIs an enterprise can achieve in reducing risk. Investing in a best-in-class endpoint protection platform, which includes endpoint detection and response capabilities, can significantly improve the information system's security posture.

2. Secure Access Service Edge

o The development of Secure Access Service Edge (SASE) is representative of a maturing cloud-native security offering, combining cloud networking and cloud security in an integrated platform offering. It is also key to addressing the dissolving network perimeter due to the proliferation of distributed computing. Although at an early stage, this cloud-native network security offering will be key to improving cloud enabled edge security.

3. IoT Security Vulnerability

o IoT security will take on added impetus with the adoption of 5G network infrastructure. Key to addressing IoT security vulnerability is to establish visibility and governance within the IoT ecosystem. Having dedicated IoT security solutions in place is essential in this regard.

4. IT GRC

o The demand for GRC will increase significantly in the short-to-medium term (1-3 years), driven by the continuously evolving threat and risk landscape. Skill constraints in a tight cyber security labor market will underscore the need for third-party GRC managed service providers. From a technology standpoint, the incumbent GRC marketplace is ripe for disruption; expect emerging technology solutions specifically targeting data governance challenges to offer fresh approaches to solving protracted compliance reporting challenges.

Appendix

Featured Use Cases

1. Edge Computing – Edge computing is distributed computing at the user-level of Internet connected devices.

2. Endpoint Security Risk Management – Managing endpoint security risk by using a next generation endpoint protection platform that includes port monitoring, firewall, anti-malware, as well as threat detection and response capabilities.

3. Enterprise IT Governance, Risk and Compliance – Actively managing the enterprise data security and governance risk profile to ensure maintenance of acceptable risk posture as well as maintaining legal and regulatory compliance.

4. Internet-of-Things Security – Securing Internet-connected sensors, devices and data transmitted across the IoT network.

5. Secure Access Service Edge – Combining the utility of cloud networking with cloud-native network security in a single platform solution.

Relevant Links

Trace3 Evolve Conference – A two-day leadership and technology conference focusing on forward-thinking and cutting-edge IT solutions.

Highlights from Evolve 2019 – A two-day leadership and technology conference focusing on forward-thinking and cutting-edge IT solutions.

Trace3 Research – To solve the problems of tomorrow, our researchers leverage Trace3’s unique access across the technology landscape to derive impartial insights.

Trace3 Security – The Trace3 Security team designs and implements innovative security solutions to protect assets, improve operational efficiency, and enable faster growth.

Sources

[1] Fulp, E. W. (2014). Perimeter Network. ScienceDirect. https://www.sciencedirect.com/topics/computer-science/perimeter-network

[2] Statista (2020). Cybersecurity Market Worldwide. https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

[3] MarketWatch (2020). Research on Cyber Security as a Service Market: Global Forecast Analysis 2025. https://www.marketwatch.com/press-release/global-cybersecurity-services-market-global-countries-data-analysis-2020-2025-covering-recent-trend-and-market-size-growth-feasibility-regional-outlook-and-future-forecast-2020-01-27

[4] ETR+ (2020). Covid-19 Impact. https://etr.plus/marketplace/covid-19-impact-tsis

[5] ThreatPost (2020). https://threatpost.com/cynet-the-coronavirus-is-already-taking-effect-on-cyber-security-this-is-how-cisos-should-prepare/153758/

[6] Federal Bureau of Investigation (2020). 2019 Internet Crime Report. https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120

[7] IBM Ponemon Institute (2019). Cost of a Data Breach. https://ibm.co/38YL7pa

[8] Emsisoft (2019). The State of Ransomware in the US: Report and Statistics 2019. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/

[9] SonicWall (2019). SonicWall: Encrypted Attacks, IoT Malware Surge as Global Malware Volume Dips. https://blog.sonicwall.com/en-us/2019/10/sonicwall-encrypted-attacks-iot-malware-surge-as-global-malware-volume-dips/

[10] Federal Bureau of Investigation (2020). 2019 Internet Crime Report. https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120

[11] Online Trust Alliance (2019). https://www.internetsociety.org/ota/

[12] Emsisoft (2019). The State of Ransomware in the US: Report and Statistics 2019. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/

[13] Duo. More Security Endpoint Tech Isn’t Always Better. https://duo.com/decipher/more-security-endpoint-tech-isn-t-always-better

[14] Gartner. 2019 Magic Quadrant for Endpoint Protection Platforms. https://www.gartner.com/reviews/market/endpoint-protection-platforms/vendors

[15] ISC2 (2019). Cloud Security Report. https://www.isc2.org/resource-center/reports/cloud-security-report

[16] Gartner (2019). The Future of Network Security Is in the Cloud. Gartner. https://www.gartner.com/en/documents/3957375/invest-implications-the-future-of-network-security-is-in

[17] Cato Networks (2019). The Secure Access Service Edge (SASE): Here’s Where Your Digital Business Network Starts. https://www.catonetworks.com/blog/the-secure-access-service-edge-sase/

[18] Peterson, C. (2019). Survey Finds Merely 47% Cybersecurity Pros Are Prepared for Cyberattacks on IoT Devices. https://semiconductorsindustry.com/2019/11/10/survey-finds-merely-47-cybersecurity-pros-are-prepared-for-cyberattacks-on-iot-devices/454/

[19] Deloitte (2020). Private 5G networks: Enterprise untethered. https://www2.deloitte.com/us/en/insights/industry/technology/technology-media-and-telecom-predictions/2020/private-5g-networks.html

[20] Dark Reading (2019). IoT Attacks Up Significantly in First Half of 2019. https://www.darkreading.com/attacks-breaches/iot-attacks-up-significantly-in-first-half-of-2019/d/d-id/1336096

[21] SonicWall (2019). SonicWall: Encrypted Attacks, IoT Malware Surge as Global Malware Volume Dips. https://blog.sonicwall.com/en-us/2019/10/sonicwall-encrypted-attacks-iot-malware-surge-as-global-malware-volume-dips/

[22] RSA Whitepaper. 7 Steps to Build a GRC Framework. https://isacaboise.org/home/wp-content/uploads/2017/10/White-Paper-RSA-Archer-7-Steps-to-Build-a-GRC-Framework.pdf

[23] Statista (2020). Cybersecurity Market Worldwide. https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

[24] MarketWatch (2020). Research on Cyber Security as a Service Market: Global Forecast Analysis 2025. https://www.marketwatch.com/press-release/global-cybersecurity-services-market-global-countries-data-analysis-2020-2025-covering-recent-trend-and-market-size-growth-feasibility-regional-outlook-and-future-forecast-2020-01-27

[25] Kolochenko, I. (2020). Five reasons why COVID-19 will bolster the cyber-security industry. SC Media. https://www.scmagazine.com/home/security-news/news-archive/coronavirus/five-reasons-why-covid-19-will-bolster-the-cyber-security-industry/

[26] Kolochenko, I. (2020). Five reasons why COVID-19 will bolster the cyber-security industry. SC Media. https://www.scmagazine.com/home/security-news/news-archive/coronavirus/five-reasons-why-covid-19-will-bolster-the-cyber-security-industry/

[27] ThreatPost (2020). https://threatpost.com/cynet-the-coronavirus-is-already-taking-effect-on-cyber-security-this-is-how-cisos-should-prepare/153758/

[28] See the FBI’s (2019) Internet Complaint Crime Report and the Ponemon Institute’s (2019) Cost of a Data Breach report.

[29] Department of Homeland Security. Emerging Technology and Homeland Security. https://www.researchgate.net/publication/27296519_EMERGING_TECHNOLOGIES_FOR_HOMELAND_SECURITY

[30] World Economic Forum (2020). This is how likely a coronavirus-driven recession is, according to economists. https://www.weforum.org/agenda/2020/03/coronavirus-survey-of-economists-reveals-consensus-on-a-recession

[31] IDC (2020). COVID-19 To Have Significant Effect on Worldwide Semiconductor Market in 2020, According to IDC. https://www.idc.com/getdoc.jsp?containerId=prUS46144920

[32] Stavridis, J. (2020). RSA Keynote: Geopolitical Risks, Elections and Cybersecurity. https://www.rsaconference.com/usa/us-2020/agenda/geopolitical-risks-elections-and-cybersecurity

[33] SANS. Critical Security Controls. https://www.sans.org/critical-security-controls/guidelines

[34] Mimecast (2020). How U.S. Hospitals and Health Systems Approach Email Security HIMSS 2020. https://www.mimecast.com/resources/white-papers/dates/2020/3/how-us-hospitals-and-healthcare-organizations-approach-email-security/