© 2014 IBM Corporation
IBM Security
1© 2014 IBM Corporation
Varför traditionella tillvägagångsätt till IT säkerhet inte håller, och vilka riskkonsekvenser det innebär
Stockholm 2015-02-19
Ola WittenbyLinkedIn: se.linkedin.com/pub/ola-wittenby/0/678/10a/en
Twitter: OlaWittenby
© 2014 IBM Corporation
IBM Security
2
© 2014 IBM Corporation
IBM Security
3
© 2014 IBM Corporation
IBM Security
4
A new security reality is here
61%
data theft and cybercrimeare their greatest threats2012 IBM Global Reputational Risk & IT Study
of organizations say
Average cost of adata breach
2014 Cost of Data Breach, Ponemon Institute
$3.5M
70%of security
executives have cloud and mobile security concerns2013 IBM CISO Survey
Mobile malware growthin just one year
2012 - 2013 Juniper Mobile Threat Report
614% security tools from
vendors
8545
IBM client example
83%of enterprises
have difficulty finding the security skills they need2012 ESG Research
© 2014 IBM Corporation
IBM Security
5
© 2014 IBM Corporation
IBM Security
6
Trend: Advanced and sophisticated threats show no signs of slowing down
� More than 95% of CISOs say it’s likely they will be subject to an advanced attack in the next 12 months1
� Nearly 90% of CISOs believe today’s advanced security threats cause substantially more damage than traditional threats2
� Organizations are turning to analytics to help detect advanced threats and drive intelligent security measures3
Point of view: Use analytics and insights to stop advanced threats and create a unified defense
� Detect sophisticated threats in real time with next-generation defenses, reduce operating costs and complexity with integrated controls and managed services
1. CEB Information Risk Leadership Council, 2015 Security Outlook - Ten Imperatives for the Information Security Function, November 2014. 2. Corporate Executive Board, Responding to Advanced Threats, February 2014. 3. IDC, Worldwide Specialized Threat Analysis and Protection 2013-2017 Forecast and 2012 Vendor Shares, August 2013.
© 2014 IBM Corporation
IBM Security
7
Trend: Security awareness is heightened at every level of the organization; it’s now a C-Level executive priority
� 76% of CISOs say they are asked to present to the board at least once a year; this figure continues to grow as senior executives’ concern over data breaches and hacks increases4
� When broken out by technology, spending on security is the highest priority for CIOs5
Point of view: Optimize security programs across the enterprise; integrate security silos, reduce complexity, and lower costs
� Benchmark your security maturity, treat security as a path to reduce risk and grow your business, and engage professionals across the enterprise
4. CEB Information Risk Leadership Council, 2015 Security Outlook - Ten Imperatives for the Information Security Function, November 2014. 5. UBS Equities, IT Hardware CIO Survey, July 2013.
© 2014 IBM Corporation
IBM Security
8
Trend: Intelligent detection of security threats and protecting data is becoming more important than just prevention
� By 2020, 75% of enterprises’ information security budgets will be allocated to rapid detection and response approaches, up from 10% in 20126
� Clients’ vendor-selection criteria is increasingly focused on security vendors that understand threat intelligence/predictive security, complexity, and regulatory issues7
� Threat intelligence security services spending will reach $905.5 million in 2014 and is expected to grow to $1.4 billion by 20188
Point of view: Protect critical assets; use context-aware and role-based controls to prevent unauthorized access
� Discover and classify critical data assets and applications; validate “who is who” to defend against unauthorized access and identify and remediate vulnerabilities
6. Gartner, Top Security Trends and Takeaways for 2014,(webinar), November 2014. 7. IDC Analyst Briefing with Christina Richmond, 2014. 8. IDC, Worldwide Threat Intelligence Security Services 2014–2018 Forecast: "Iterative Intelligence" — Threat Intelligence Comes of Age, March 2014.
© 2014 IBM Corporation
IBM Security
9
Trend: The increasing number of infrastructure entry points created by cloud, mobility, and social networks is straining traditional security models
� Privacy and security of data in a cloud environment is the No. 1 concern of CISOs9
� 76% of CISOs see theft/loss of device or loss of sensitive data on a device as a major concern10
� Organizations indicate that the lack of internal security skills is preventing them from responding to data breaches efficiently; many are willing to pay a 20% premium to hire qualified security candidates11
Point of view: Safeguard cloud and mobile; employ cloud and mobile initiatives to build a new, stronger security posture
� Address security at the beginning of cloud and mobile initiatives; maintain cloud visibility and control by monitoring attack activity and implementing compliance in the cloud; protect devices, applications, and data in the mobile enterprise
9. IBM MDI, Chief Information Security Officer Survey, 2013. 10. IBM MDI, Chief Information Security Officer Survey, 2013. 11. Ponemon Institute, Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness, September 2014.
© 2014 IBM Corporation
IBM Security
10
To address security, leaders must avoid common myths
Your company’s not infected (it is).
There’s a silver bullet to protect you (there’s not).
You need to put your company on lock-down (you don’t).
Your company is not infected. (It is.)
Whatever you’ve done is enough. (It is not.)
You need to put your company in lock-down. (You don’t.)
There’s a silver bullet to protect you (there’s not).There’s a silver bullet to protect you. (There isn’t.)
© 2014 IBM Corporation
IBM Security
11
Use five fundamental security principles to help guide you
(incidents will happen)
Prepare to respond, faster
(train, test, trick)
Increase the security IQ of every employee
(analytics = threat insights)
Leverage security intelligence
Protect your crown jewels
(define, protect, monitor) (the vanishing perimeter)
SafeguardMobile & Cloud
© 2014 IBM Corporation
IBM Security
12
Make security education a continuous process – for everyone
Increase the security IQ of every employee
Make training a priority from the start, then provide annual education
– keep it fun and engaging
Require testing for all employees, and spell out the consequences
for non-compliance
Provide real-life scenarios that catch your employees off-guard
with learning traps – “phish” them
Nearly 60% of security incidents are caused internally1
1,2014 Cost of a Data Breach, Ponemon Institute
Train Test Trick
Your help needed for IBM Cloud opportunityChristina Martin to: Daniel Allen Please respond to chris.martyn.ibm.executive
Hi Daniel Allen,Your manager recommended you to contribute to a proposal for an important new client opportunity that I am working on. This is a great opportunity for IBM with large commissions likely when we win this account. Please review the material posted on CloudFile and provide your feedback by EOD. We’re counting on you!
http://fileinthesky.com/IBMClientOpportunity
Thanks,
© 2014 IBM Corporation
IBM Security
13
Prepare to respond more quickly and effectively to attacks
Prepare to respond, faster
12013 IBM CISO Assessment, 2Verizon 2013 Data Breach Investigations Report3 Surviving the Technical Security Skills Crisis: a commissioned study conducted by Forrester Consulting on behalf of IBM, May 2013
Constantly monitor to see if someone has breached your defenses
of data breaches took months or more to discover266%
Have an emergency response and forensics partner
of security decision-makers say that staffing issues contribute to a heightened level of risk3
92%
Keep your incident response plan updated
of incident response plans are outdated150%
© 2014 IBM Corporation
IBM Security
14
Get ahead of with a formal program
Safeguard Mobile & Cloud
Mobile workers use at least one business-focused app in a year2
200M
of employed adults use at least one personally-owned device for business1
81%
of users surveyed had corporate security on their personal devices1
<1%
1) Harris Interactive, 2012; 2) Global Mobile Enterprise 2011-2017 Forecast, Strategy Analytics
Protect the data
Protect the apps
Manage the device
Protect the transaction
Corporate container
© 2014 IBM Corporation
IBM Security
15
Identify your most critical data and protect these vital assets
Protect your crown jewels
12013 Commission on the Theft of American Intellectual Property
of publicly traded corporations’ value1
is represented by intellectual propertyand other enterprise-critical data
1
Define Protect Monitor
your organization’s “crown jewels”
these valuable assets at all stages
the access and usage of the data
© 2014 IBM Corporation
IBM Security
16
Use analytics and insights for smarter prevention and defense
Leverage security intelligence
Prioritized incidents
Endpoints
Mobile devices
Cloud infrastructure
Data center devices
Threat intelligence
Network activity
Automated offense
identification
Real-time correlation and analytics
Anomaly detection
Industry and geo trending
© 2014 IBM Corporation
IBM Security
17
Make security an enabler, not an inhibitor.
Take an active role in policy – even if it’s unpopular.
Cybersecurity is a business risk that you need to manage actively
Everyone is part of the solution in a risk aware culture,and effective security starts at the top
Get involved. Set the tone and develop a governance model.
Security Principles for CEOs
Engage the senior leadership.
© 2014 IBM Corporation
IBM Security
18
Learn more about IBM Security
Visit our websiteIBM Security Website
Watch our videosIBM Security YouTube Channel
Read new blog postsSecurityIntelligence.com
Follow us on Twitter@ibmsecurity
IBM SecurityIntelligence. Integration. Expertise.
© 2014 IBM Corporation
IBM Security
19
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.