Top 10 Security Projects for 2019...5 © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. 2018

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form

without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this

publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research

may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are

governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or

influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."

Brian Reed

Top 10 Security Projects

for 2019

Gartner Security & Risk Management Summit17 – 20 June 2019 / National Harbor, MD

https://www.gartner.com/technology/about/policies/usage_policy.jsp#_blank

https://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp

1 © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.

Do You Have Atelophobia?

Atelophobia is defined as the fear of not

doing something right or the fear of not

being good enough.

In other words, it’s a fear

of imperfection.


How Were These Top 10 Security

Projects Selected?


We Looked at Where Gartner Clients Are Spending

46.2

23.7

20.6

17.0

14.2

14.2

13.4

13.1

12.4

10.5

10.2

9.4

9.3

0 20 40 60

Cloud Access Security Broker Software

Encryption Software

Threat Intelligence Software

Privileged Access Management Software

Tokenization Software

SIEM Software

Vulnerability Assessment Software

Enterprise Data Loss Prevention Software

IT Outsourcing

Web Application Firewall Software

Application Security Testing Software

Consulting

Other Information Security Software

8.5

8.3

8.1

7.8

7.4

7.4

5.8

5.4

4.1

3.7

1.8

-5.8

-10 10 30 50

Integrated Risk Management Solution Software

Firewall Equipment

Secure Web Gateway Software

Identity Governance and Administration Software

Implementation

User Authentication Software

Endpoint Protection Platform (Enterprise) Software

Hardware Support

Consumer Security Software

Access Management Software

Secure Email Gateway Software

Intrusion Detection and Prevention Systems

ID: 386713

© 2019 Gartner, Inc.

Information Security Spending, CAGR by Segment, 2017-2022


We Looked at Where Gartner Clients Are Spending

North America

Eastern Europe

Western Europe

Eurasia

Middle East and North Africa

Sub-Saharan Africa

Greater China

Mature Asia/Pacific

Emerging Asia/Pacific

Japan

Latin America

6

11

16

5 10 15

Information Security Spending Growth Outlook by Region

2017-2022 CAGR (%)

2018 G

row

th (

%)

ID: 386713



2018 Top 10 Security Projects

Privileged Access

Management

Detection

and Response

Cloud Security

Posture

Management

(CSPM)

Cloud Access

Security Broker

(CASB)

CARTA-Inspired

Vulnerability

Management

Active Anti-

Phishing Project

Software-

Defined Perimeter

Micro-

Segmentation

and Flow Visibility

Automated

Security Scanning

Application

Control on

Server Workloads


2019 Top 10 Security Projects

Privileged Access

Management

Detection

and Response

Cloud Security

Posture

Management

(CSPM)

Cloud Access

Security Broker

(CASB)

CARTA-Inspired

Vulnerability

Management

Business

Email Compromise

Security

Ratings Services

Container

Security

Security

Incident Response

Dark

Data Discovery


Some New, Some Changes, Some Same … Why?

• It’s tough to start and complete three to four new projects in a year.

• For 2019, five repeat projects, five new or modified projects.

• The new projects focus heavily on risk reduction and understanding

process breakdowns.

• Don’t just buy a security tool, understand what that tool can help you

do to reduce risk.

• Projects were not decided based upon 10 biggest spend areas!

– Or the 10 loudest Gartner analysts.


Still Need to Do “the Basics” Before the “Top 10”

Information Handling

Email Security Controls

Security Awareness Training

SystemProtection

Latest Endpoint Protection Platform and Unified Endpoint Management

Server Protection

SecurityInfrastructure

Log Monitoring

Backup/Restore

Patch/Vulnerability Management

Perimeter Security Controls

UserControls

Remove Administrative Rights From Windows Users

IAM program With Automated Provisioning/Deprovisioning


How Should You Define Project Success?

• We can’t do everything, so what should we be doing?

• What are the top new projects we recommend CISOs and their teams look at in 2019?

– Projects, not programs (for example, IAM is a program).

– Real with supporting technologies, not science projects. Budgetable and staffable in 2019.

– Enterprise adoption less than 50%.

– Supported by available technologies, many times new but not required.

• Prioritized:

– Where can security better enable our business?

– Where can I reduce the most risk for amount of resources required?

– Support a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach.


Prioritize Business Enablement

and Risk Reduction

High

High

Business

Impact

Risk Reduced

Low

2019 Targets


Business Enablement for Project Success

Remember your organization decides whether to take on the risk;

our job in security is to provide all known data points to support a

business decision.

Make this directly relatable to your organization:

Communicate with business leads to validate risk reduction.

Do you have a lot of third-party

relationships and share a lot of data?

If so, security risk ratings and dark

data discovery might be of interest.

Do you have employees who look at email

as the single source of truth and trust?

If so, look into business

email compromise.


What Are the Top 10 Security

Projects for 2019?


Privileged Access Management (PAM) Project

Privileged Account

and Session

Management

(PASM)

Privilege Elevation

and Delegation

Management

(PEDM)


Privileged Access Management Project

All organizations deal with root,

administrative and highly empowered

accounts and these will be primary targets

for attackers to gain access.

Criteria and Prerequisites for Success

Support cloud, hybrid and on-prem.

PASM/PEDM use cases desired with recording.

API automation capabilities.

Human and machine access management.

Advise

MFA for all admins, PAM for third-party

access. Apply risk-based approach.

“Magic Quadrant for Privileged

Access Management”

Project Difficulty:

Medium.

Requires both tools and process adjustments.

Sample Vendors

ARCON Hitachi ID

BeyondTrust Lieberman2

Broadcom-CA One Identity

Centrify Osirium

CyberArk senhasegura

Fox Technologies1 Thycotic

Fudo Security WALLIX

1 Acquired by HelpSystems; 2 Acquired by BeyondTrust

https://www.gartner.com/document/3894154?ref=solrAll&refval=222344580&qid=9d890884ad96c791c7341594


CARTA-Inspired Vulnerability Management Project

All patches are not equal. This project

takes a risk-based approach to patch

management by focusing on systems and

vulnerabilities with higher risk.


Acknowledge we will never be 100% patched.

Joint initiative with IT operations = win/win

Leverage existing scanning data and process.

Advise

Focus on vulnerabilities with exploits.

Factor in compensating controls. “Market

Guide for Vulnerability Assessment”

Project Difficulty:

Easy. Apply context and threat intel to

vulnerability data.

Sample Vendors

Core Security1 Skybox Security

Kenna SecurityTenable.io

NopSec

Qualys

RedSeal

RiskSense

Risk Based Security

1 Acquired by HelpSystems; 2 Acquired by BeyondTrust

https://www.gartner.com/document/3879572?ref=TypeAheadSearch&qid=60e8ef7e0a89e46d92bc48f4


Detection and Protection Techniques

IOC/Policy/Configuration Behavior

Internet Outlook Word Macro GitHub.com Unknown.exe LSASS* New Logon Network


Detection and Response Project

Mean time to detect and respond is the

new standard for effective security against

attackers. Only 20% of endpoints have

deployed EDR.


Commitment to reviewing and resolving alerts.

Skilled operators that can interpret low

confidence alerts. Operations and security hand-

offs for remediation.

Advise

Type A, invest in EDR and incident

response processes.

Type B, C consider premium support

and outsourcing.

Sample Vendors

BlackBerry Cylance McAfee

Carbon Black Microsoft

Cisco Sophos

CrowdStrike Symantec

Cybereason Tanium

Endgame Trend Micro

FireEye

Project Difficulty:

Easy. Solutions offer cloud-based deployments.

Operator skill level is key.


Applicability of CSPM and CASB


ID: 361411

Illustration of Potential Deployment Patterns for CASB, CSPM and CWPP Into IaaS

Enterprise Users External Users

CS

PM

CA

SB

Compliance

Assessment

Adaptive

Access Control

Data Loss

Prevention

UEBA

Policy

Enforcement

Threat

Protection

Compliance

Assessment

Operational

Monitoring

DevSecOps

Integration

Risk

Identification

Policy

Enforcement

Threat

Protection

Load Balancing

Web Servers

Application Servers

Database &

Storage

IaaS Subscription

Web APINSG

API Integration

to Cloud APIs

1

3

API Integration

to Cloud APIs

2

NSG

NSG

Network Proxying

CWPP

Work

loa

d

Con

firgu

ratio

n

Syste

m

Mo

nito

ring

Netw

ork

Se

gm

en

tatio

n

Syste

m

Inte

grity

Ap

plic

atio

n

White

listin

g

Exp

loit

Pro

tectio

n

4

Agents deployed

to workloads


Control Coverage of CSPM and CASB

CASB = Cloud Access

Security Broker

CSPM = Cloud Security

Posture Management

CWPP = Cloud Workload

Protection Platforms


ID: 361515

Control Coverage of CSPM vs. CASBs and CWPPs

SaaS

IaaSPaaS

CASB

CWPP

CSPM


Cloud Security Posture Management Project

Organizations looking for an automated

assessment and remediation across

multicloud IaaS/PaaS environments on

control plane.


Support for multiple cloud providers.

Sensitive data discovery and risky exposure.

Support for all IaaS and PaaS services.

Remediation and not just assessment.

Advise

For single cloud provider look for native

capabilities or CASB

For multi cloud, prioritize remediation,

sign 1-2 year contracts, reassess often.

Sample Vendors

Alert Logic Microsoft Azure

Amazon Qualys

Bitglass Symantec

CloudAware Tenable.io

CloudCheckr

Google Cloud

McAfee

Project Difficulty:

Medium

Process and culture changes are also needed.


Cloud Access Security Broker Project

Enterprises aspiring a central location for policy

and governance concurrently across multiple

cloud services; for users and devices and

visibility of user activities and sensitive data.


Visibility via forward/reverse proxy? APIs?

Vendor provides risk ratings database?

Sensitive data monitoring and

UEBA capabilities.

Advise

Start with cloud application discovery.

Favor multimode CASB (proxy + APIs).

Data discovery and cloud + on-prem.

Protection; sign 1 to 2 year contracts.

Sample Vendors

Bitglass Microsoft

CensorNet Palo Alto Networks

CipherCloud Proofpoint

Cisco Symantec

Forcepoint

Fortinet

McAfee

Project Difficulty:

Medium. Discovery project and prioritization of

use cases.


A BEC attack steals funds or sensitive data by exploiting normalbusiness processes using pure social engineering tactics(not malicious URLs or attachments).

Business Email Compromise (BEC) Project

Why it works:

• Bypasses traditional security products that are only looking for a malicious payload.

• A combination of social engineering tactics cons users and overrides their better judgment.

How to stop it:

• Fix loopholes in business processes.

• Employ technology that can inspect message context by looking at the trustability and authenticity ofthe sender.

• Actively monitor your email systems and provide end users an easy path to report suspicious email communications.


Business Email Compromise Project

Phishing and BEC are not the same.

Addressing process breakdowns where

organizations trust the text of an email as

the “single source of truth.”


Technical controls using ML that can integrate

with your current email security systems.

Customize based on your specific workflow and

business operations.

Advise

Combine technical controls for BEC,

security awareness training and web

browser isolation.

“Fighting Phishing — 2020 Foresight”

Sample Vendors

Abnormal Security Mimecast

Agari PhishLabs

Area 1 Security Proofpoint

GreatHorn Terranova

Graphus Trend Micro

INKY Valimail

IRONSCALES

Project Difficulty:

Medium.

Communication between security and users.

https://www.gartner.com/document/3883275?ref=TypeAheadSearch&qid=4b6937aa8f894e49efe2$q=Fighting Phishing %E2%80%94 2020 Foresight


Dark Data

Discovery Project

Do you know where all of your

sensitive data resides?

Do you have data that is taking

up space with zero value?


Dark Data Discovery Project

All organizations deal with data that was

once operationally valuable, however over

time has become “dark,” meaning it has

unknown risks and no value.


Address data that resides across multiple data

silos — such as file shares, databases, and big

data and cloud repositories.

Integrate with data classification.

Advise

Implement defensible deletion or other

effective data management strategies.

“Market Guide for File Analysis Software”

Sample Vendors

Active Navigation Micro Focus

Adlib SailPoint

Druva Spirion

Formpipe STEALTHbits

Ground Labs TITUS

IBM Varonis

Index Engines

Project Difficulty:

Medium to Difficult.

Tools complexity and changes to behavior.

https://www.gartner.com/document/3869701?ref=TypeAheadSearch&qid=ef9eaace99297c72afbcae87c


Level of Preparedness for Security Incidents

Base: Risk and Security Management, Excluding “Have no plans” and “Don't Know,” n = 290Q: Which of the following statements best characterizes your organization's preparedness for a security incident?Note: Percentage may not add up to 100% due to rounding.

Percentage of Respondents

We have a plan. Security and/or IT will manage the entire incident. We test it regularly, at least annually.

46%

We have a comprehensive security incident response plan covering all possible business impacts.

37%

We have a plan. Security and/or IT will manage the entire incident. We test it occasionally at best.

15%

We have a plan documented somewhere. We will consult it if we ever have an incident.

3%


Security Incident Response Project

Security incidents are a matter of “when”

not “if.” An IR retainer is not a replacement

for good security processes and

preparedness.


Planning and preparation before an incident.

Detection and triage processes critical.

Capabilities for containment, eradication.

Feedback lessons learned into preparedness.

Advise

Look for IRR provider who understands

your operations and processes

“Market Guide for Digital Forensics and

Incident Response Services”

Project Difficulty:

Medium. Not just a vendor selection exercise,

also process changes and communication.

Sample Vendors

AT&T Kroll

Blackberry Cylance Kudelski Security

Booz Allen Hamilton McAfee

Cisco Rapid7

Crowdstrike Secureworks

FireEye (Mandiant) Stroz Friedberg1

IBM Verizon

1 An Aon company

https://www.gartner.com/document/3894769?ref=solrAll&refval=222356549&qid=f69c9e8d469b99d6a58268bb4


Container Security Project

In 2019, more than 50% of enterprises will

have a container-based application in

development or production. Make sure

these are secured from inception.


Start container security in development.

Make security seamless to the developer.

Balance the need for security with speed.

Advise

Integrate/Automate natively into

development, scan for known vulns. “Container Security — From Image Analysis to

Network Segmentation, Options Are Maturing”

Sample Vendors

Aqua Security Trend Micro

McAfee Twistlock

NeuVector

Qualys-Layered Insight

StackRox

Symantec

Project Difficulty:

Medium.

Integration into DevSecOps required.

https://www.gartner.com/document/3888664?ref=solrAll&refval=222356634&qid=6b20a0aed52f9adc4594b1


Security Ratings Services Project

Focus on risks associated with digital

ecosystems. Look beyond internal

security posture, to supply chain,

regulators, customers and partners.


Not a one stop shop. Need a traditional third-

party risk program in place first.

Do not collect unnecessary amounts of

information on non-strategic partners.

Advise

Evaluate multiple SRS offerings; make

SRS part of a comprehensive program.

“Innovation Insight for Security

Rating Services”

Project Difficulty:

Easy to Medium. Use cases: Third-party risk,

M&A, internal reporting, cyber insurance.

Sample Vendors

BitSight NormShield

CORAX PANORAYS

Cyence RiskRecon

CORAX Security Scorecard

Cyence UpGuard

CyRating

FICO

https://www.gartner.com/document/3884271?ref=solrAll&refval=222356865&qid=d1d0857c98dbc9580ef87e


Here’s a List of Projects We Also Reviewed

• Threat intelligence services enhancements

• Threat attribution services

• Cyber insurance technology support systems

• Ai-driven MSS/MDR/threat hunting

• Biometric credential protection

• Quantum encryption

• Chaos security engineering – deliberate flaws to test devsecops

• SIEM-as-a-service

• Hire a digital risk manager

• Data-centric deception

• Drone detection and mitigation


Recommendations

If you can do only two things in 2019, implement an intelligent,

CARTA-inspired approach to vulnerability management project and

MFA for admins.

Don’t make the mistake of only focusing on risk reduction when

choosing projects for 2019 – think about enablement.

If you have privacy concerns or migrating large amounts of data to

cloud/third-party, consider dark data discovery and security

ratings services.

Implement a default deny posture on servers, network and

application access.


For information, please contact your Gartner representative.

Recommended Gartner Research

Top 10 Security Projects for 2019

Brian Reed, Neil MacDonald, Peter Firstbrook, Sam Olyaei and

Prateek Bhajanka (G00378651)

Top Security and Risk Management Trends

Peter Firstbrook, Brian Reed, Sam Olyaei, Gorka Sadowski, David

Mahdi, Prateek Bhajanka and Earl Perkins (G00378361)

Zero Trust Is an Initial Step on the Roadmap to CARTA

Neil MacDonald (G00377791)

https://www.gartner.com/document/3900996?ref=TypeAheadSearch&qid=ad6c91e7ef2a6edaef1a299d6$q=Top 10 Security Projects for 2019

https://www.gartner.com/document/3899683?ref=TypeAheadSearch&qid=e6a1ac89df91e3a1e2b2810$q=Top Security and Risk Management Trends

https://www.gartner.com/document/3895267?ref=TypeAheadSearch&qid=b2abe9eee8a2c80d693adafc$q=Zero Trust Is an Initial Step on the Roadmap to CARTA

Documents

Top 10 Security Projects for 2019...5 © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. 2018