
Doing More With Less: Security and Risk Management in Economically Challenging Times

John Pescatore

Notes accompany this presentation. Please select Notes Page view.


These materials can be reproduced only with written approval from Gartner.
Such approvals must be requested via e-mail: vendor.relations@gartner.com.
Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Welcome!
Here’s how to participate in today’s webinar
• You can listen to the presentation using your computer’s speaker system as the default (VoIP).
• Or dial the conference line by selecting Use Telephone in the webinar audio pane.
• Have a question for the presenter(s)? Type it into the Questions pane—we will answer as many as time permits.
• A recording of this presentation will be sent to you within 48 hours.
• If you would like a copy of today’s presentation, contact your Gartner Account Executive or e-mail us at: GartnerWebinars@gartner.com.
Our world-class, objective insight is drawn from thousands of daily client interactions
• 10,000 Clients
• 60,000 Client Enterprises
• 5,500 Benchmarks
• 100,000 IT End-User Inquiries
• 65% of Fortune 1000; 85% of Global 500
• 2 Million+ IT End-User Searches
• 60+ Conferences Across 80 Countries
• 650 Analysts
• 10,000 CIOs
• 3,700 Media Inquiries

© 2009 Gartner, Inc. and/or its affiliates. All rights reserved.
Aha Slide
[Bar chart, as of December 2008: percentage change by region, on a scale of -3 to 3 percent; one bar per region for Percentage Change Increase and one for Percentage Change Decrease]
North America: 2.0 / -2.7
Latin America and Caribbean: 1.6 / -0.4
EMEA: 0.7 / -0.5
Asia/Pacific: 2.1 / 0
• Really, not that much security budget-cutting is going on.
• Many, if not most, security budgets could use a good haircut.
• First, do the same for less; then, do more for the same.
There is No Threat Recession
• Latest "largest ever" — Heartland Payment Systems
• DoD Bans USB after trojan on thumb drive
• Security incidents rise 24.7% at educational institutes
• Conficker hits medical machinery
• Worms hit Twitter, Facebook, LinkedIn, MySpace
• "Chinese attackers" steal jet fighter data
• DNS attacks in Puerto Rico, Brazil, New Zealand, U.S.
• Google, others targeted
Security Is Still In the CIO Top Ten
Cybercrime as a Service
[Diagram: data ($$), customers, Rentahack, command/control, employees; source: www.news.com]
Targeted Threat Growth
[Chart] Source: Microsoft Malicious Software Removal Tool disinfections by category, 2H06–2H08
Management 101: Defend Your Budget
1. Fight the cuts. If not, then…
2. Move costs to someone else's budget. If not, then…
3. Protect vital organs and the "good" leg, then…
4. Tactical steps toward efficiency
5. Strategic steps toward effectiveness
Where's the Sweet Spot?
[Chart: vertical axis "Security cost to business", from Very Low (<.1% of rev) to Very High (>5% of rev); horizontal axis "Level of Protection", from Too Low to Too High]
Security Cost = Security Expenditures + Incident Costs + Bus. Restraint Costs
Regions labeled on the chart: "Good work, if you can get it"; "Go directly to jail"; "Flying blind, without a net"; "Best of Breed? Or Really, Really Lucky"
Spending More Doesn't Always Mean More Secure
• Even within the same industry, security spending varies widely
- Efficiency
- Effectiveness
• Avoiding an incident is generally less expensive than surviving one
• Steering nonsecurity spending in the right direction has high leverage
[Chart: percent scale 0 to 35, labeled value 5.96; as of December 2008]
How Much Should You Spend on Information Security?
IT Budget (Operations/Capital Expenses): 5.4% of Revenue (2008)
Information Security Budget: 0.16% to 0.38% of Revenue (3% to 7% of IT Budget)
Primary Casualty Risks: 0.138% to 0.232% of Revenue


Key Issues
1. How can organizations tactically change their security processes and technologies to quickly spend less and become more secure?
2. How can organizations strategically change their security processes and technologies to reduce spending and improve security over the long term?
Evolving for Efficiency and Effectiveness
[Diagram; labels recovered from the slide layout]
Users / Attacks
Network Access Control: Phased Deployment
Intrusion Prevention: Evolve to Platforms
ID/Access Management: Include in Business Process
Vulnerability Management: Avoid and Transfer
Data Security: Defend
IT Infrastructure
Stop Chasing Rainbows and Unicorns
• Unless you're an early adopter/Type A, kill projects that are chasing mirages.
• Require 18-month payback periods — incremental results are OK!
• If service costs are greater than 50% of product costs, think twice and maybe wait, or descope:
Someday …
- Single sign-on
- Digital rights management
- Security/risk dashboards
- "De-perimeterization"
Transferring Security Spending to Other Budgets

Security Function                 | IT Budget Opportunity
Web Application Firewall          | Application Delivery Controller
Application Vulnerability Testing | C&A/Application Development
Security Configuration Auditing   | Configuration Management
Data Center Firewall              | Data Center Virtualization
Network Access Control            | Guest Networking
Network Behavior Analysis         | Network Performance Monitoring
Network Forensics                 | eDiscovery, DMCA

• Best: To own it and control it
• Worst: To not have it at all
• Interim: To lose control but still have the security applied
Take a Platform Approach
• The biggest single element in a security control budget is usually desktop security — and it is often the least effective spending.
• Next-generation firewalls vs. firewalls and IPS
• E-mail security as a service
• Defend the Web security gateway budget
• Other platforms:
- Security configuration assessment
- Security info/event management
- Identity/access management

Endpoint:
- Host firewall
- AV, AS
- DLP, encryption, port control
- HIPS/application control
Network:
- Firewall
- Attack-facing IPS
- Vulnerability-facing IPS
E-Mail gateway:
- Antivirus/antispam
- DLP
- Security as a service
Web security gateway:
- URL filtering
- In-bound malware prevention
- Security as a service
Do It Yourself
• Cuts can apply to staff levels, too — trading labor for products can be a stop gap:
- Open source: firewalls, penetration testing, vulnerability assessment, IPS, proxy/URL blocking
- Built-ins: firewalls, disk encryption, file encryption, antimalware
- Services: DNS-based Web filtering, anti-DDoS, in the cloud
• Higher TCO brings risks, but hiring may come back before procurement funds.
Take Advantage of “The Cloud”
[Diagram of cloud service layers; size of the cloudlets and overlap shown is not to scale]
Columns: Dedicated hardware resources; Elastic managed resources, by other than you; Internet; Security as a Service
Off-Premises Cloud: Outsourcing, Web Hosting, Hosting, Web Platform, Native Cloud Applications, SecaaS, AIaaS, APaaS, IaaS, Infrastructure Utility
Legend:
- Shared application infrastructure (AI)
- APaaS: Application Platform as a Service
- IaaS: Integration as a Service
- Dedicated Web applications, Web content
- Commodity (industrialized) computing resources
- Programmable or dedicated applications
- Programmatically accessible resources
Leverage Big Infrastructure Migration Projects as a Catalyst for Change
Windows 7 migration:
• Run users as standard user
• Switch to IE8
• Switch AV vendors for better pricing
Data center virtualization:
• Virtual firewalls
• Baked-in secure images
ERP migration:
• Static and proactive separation of duties analysis
X as a Service:
• Security as a service
Windows Server 2008:
• Network access protection/control
• MIIS for simple provisioning
The No-Brainer: Avoid Vulnerabilities
[Diagram: SDLC phases Analysis, Design, Construction, Testing, Operations; Prevention early in the life cycle, Detection in the middle, Correction in Operations]
• In the long term, security must be integrated into all application development and procurement.
• In the short term, find the "gates" and move upstream:
- Final QA, certification/accreditation
- Build integration and test
- Design sign-off/RFPs
Point Sources for Cutting Spending Without Reducing Security
✓ Require ISPs to provide you "clean bits" and protect against denial of service.
✓ Leverage endpoint, network, e-mail and Web security platforms.
✓ Utilize outsourcing or alternative sources on a trial basis.
✓ Take advantage of overlap with operational efforts in configuration management and application testing.
✓ Reduce emergency patching. Network-based and host-based IPS solutions enable you to schedule fewer machine updates.
✓ Use open-source security software or what comes for free in the operating system with Windows, Mac and Linux.
✓ Leverage Active Directory for reduced sign-on. Consider IDM for low-cost user provisioning and self-service password reset.
✓ Use "big bang" infrastructure projects to improve security. Use the transition to incorporate reduced user admin rights, moving up to application control, deploying "gold" images, etc.
✓ Buy more-secure applications, services and software as a service (SaaS). Make security questions a standard part of evaluation and procurement processes.
✓ Don't be afraid to change vendors to reduce procurement costs — switching costs are highly over-hyped.
Thanks for participating!
Do you have any questions?
• If you haven’t done so already, please type your questions into the Questions pane.
• We will answer as many of your questions as time permits.
Get daily insight focused on your role
Security and Risk Management
• Gartner advice in the context of your role
• Dedicated portal focused on what you need to know from Gartner or the media
• Analysts as coaches
• Peer connection and input
• Toolkit content helps you be more efficient and effective
• Access to all eight roles

Let Gartner be your indispensable resource—follow up with your account executive today!
Two simple steps for increasing the value of today’s webinar experience
• Contact your Gartner account executive (or e-mail GartnerWebinars@gartner.com) with any additional questions, comments or requests—or to order a complimentary copy of today’s presentation
• Visit gartner.com/webinars for a schedule of upcoming Gartner webinars (plus replays of previous webinars) and share these resources with your colleagues