INFORMATION SECURITY STUDY


WAVE 16 MARKET DYNAMICS INFORMATION SECURITY STUDY

Designed for IT professionals, this report captures highlights from the complete study and provides business intelligence in the form of technological roadmaps, budget trends, voice of the customer narratives, and vendor spending plans and performance ratings.

About TheInfoPro Information Security Study

TheInfoPro's Information Security Study takes an in-depth look at key industry trends and tracks the performance of individual vendors. Now in its 11th year, this study was finalized in December 2013 and is based on 207 interviews. TheInfoPro's methodology uses extensive interviews with a proprietary network of IT professionals and key decision-makers at large and midsize enterprises. Each interview explores several fundamental areas, including the implementation and spending plans for technologies, evaluations of vendors observed from business and product perspectives, macro IT influences transforming the sector, and factors affecting decision processes. Results are collated into comprehensive research reports providing business intelligence in the form of technological roadmaps, budget trends, and vendor spending plans and performance ratings.

EXAMPLES OF VENDORS COVERED IN THE STUDY

Aruba Networks, Blue Coat Systems, Check Point, Cisco, Dell, EMC (RSA), FireEye, Fortinet, Guidance Software, Hewlett-Packard, Imperva, Juniper Networks, McAfee, Microsoft, Palo Alto Networks, Qualys, Sophos, Sourcefire, Symantec, Websense

ABOUT THE AUTHOR

This report was written by Daniel Kennedy, Research Director for Networking and Information Security. Daniel Kennedy is an experienced information security professional. Prior to joining 451 Research, he was a partner in the information security consultancy Praetorian Security LLC, where he directed strategy on risk assessment and security certification. Before that, he was Global Head of Information Security for D.B. Zwirn & Co., as well as Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York.

Kennedy has written for both Forbes online and Ziff Davis, and has provided commentary to numerous news outlets, including The New York Times and The Wall Street Journal. His personal blog, Praetorian Prefect, was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference. Kennedy holds a master of science degree in information systems from Stevens Institute of Technology, a master of science in information assurance from Norwich University, and a bachelor of science in information management and technology from Syracuse University. He is certified as a CEH (Certified Ethical Hacker) from the EC-Council, is a CISSP, and has a NASD Series 7 license.

Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication, in whole or in part, in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such. 451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. TheInfoPro and logo are registered trademarks and property of 451 Research, LLC.

20 West 37th Street, 3rd Floor, New York, NY P F E SALES@451RESEARCH.COM

Table of Contents

ABOUT THEINFOPRO INFORMATION SECURITY STUDY
EXECUTIVE SUMMARY
MACRO TRENDS
  BUDGET
  THE PREDICTING POWER OF PAIN
  TOP INFORMATION SECURITY PROJECTS
  SECURITY ORGANIZATION
  ROLE OF COMPLIANCE
  THREAT RESPONSE
  SECURITY AWARENESS
  SECURITY POLICY
TECHNOLOGY ROADMAP
  INFRASTRUCTURE SECURITY ROADMAP
  APPLICATION SECURITY
  NETWORK SECURITY
VENDOR PERFORMANCE
  ENTERPRISE SPENDING
  CUSTOMER RETENTION
  PROMISE VS. FULFILLMENT
APPENDIX A: DEMOGRAPHICS
APPENDIX B: METHODOLOGY AND SCOPE
APPENDIX C: INTERPRET THE DATA
APPENDIX D: ADDITIONAL INFORMATION ABOUT CHART FOOTNOTES

Executive Summary

INFORMATION SECURITY STUDY, WAVE 16

PCI, SOX, HIPAA, GLBA and other regulations occupy a good chunk of enterprise security managers' time, as the requirements are translated into legal/compliance functions within the enterprise. Working out the appropriate level of interplay with compliance is a major concern of managers interviewed for the Wave 16 Security Study, and a continued indicator of the catch-up nature of enterprise security. Thirty-eight percent (38%) of enterprises saw budget increases specifically to deal with compliance projects, the same percentage that said the most common way for security projects to be funded was compliance deciding they needed to be done. Nearly half of security managers (4) have serious concerns about the technical abilities of those conducting internal audits that drive these requirements.

Not surprisingly, compliance-related concerns top this year's list of security managers' pain points, most notably data security, which is now at number two. Regulatory requirements have risen as a source of consternation from to 8% between studies. The technical offshoot of data security, authorization/access control or maintaining the principle of least privilege in the workplace, was cited by representatives of 10% of interviewed enterprises.

INFORMATION SECURITY 2013 BUDGETS CONTINUED A HEALTHY MULTI-YEAR RUN PROJECTS SIMILARLY POSITIVE, WITH 45% OF RESPONDENTS REPORTING THEIR ENTERPRISES WILL INCREASE SPENDING ON SECURITY AGAINST ONLY 1 DECREASING THE SAME.

THIRTY-EIGHT PERCENT (38%) OF ENTERPRISES SAW BUDGET INCREASES SPECIFICALLY TO DEAL WITH COMPLIANCE PROJECTS, THE SAME PERCENTAGE THAT REPORTED THE MOST COMMON WAY FOR SECURITY PROJECTS TO BE INITIATED WAS COMPLIANCE DECIDING THEY NEEDED TO BE DONE. YET, REGULATORY REQUIREMENTS HAVE RISEN FROM TO 8% BETWEEN STUDIES AS A SOURCE OF PAIN.

MOBILE DEVICE MANAGEMENT (MDM) IS THE TOP SOURCE OF PAIN AT 18% OF LARGE ENTERPRISES, BUT PRODUCTS ADDRESSING THIS FUNCTION ARE GROWING, AS THEIR USE ROSE FROM 4 LAST YEAR TO 59% IN THIS STUDY.

THE EFFECTS OF LAST YEAR'S ACQUISITIONS BECAME EVIDENT IN THIS STUDY, ESPECIALLY IN THE SIEM SPACE, WHERE IBM AND MCAFEE NOW APPEAR AS SERIOUS ENTERPRISE COMPETITION FOR HP WITH THE ACQUISITIONS OF Q1 LABS AND NITRO SECURITY RESPECTIVELY.

The disrupter technology in the security world continues to be mobile. Mobile device management (MDM) is the top source of pain at 18% of large enterprises. This refers to dealing with the proliferation of employee-owned mobile devices being connected to company resources, most commonly but increasingly file shares and applications. MDM offerings have stepped in to help solve this problem, and the technology has seen incredible growth, moving from 4 in use a year ago to 59% in use now. Expect a further 8% worth of new large enterprises implementing MDM in the next six months.

With concerns about keeping data out of the wrong hands, the top project in 2013 was identity management. This project took the slot from data-loss prevention (DLP), which led in 2012 but is now in fourth place. Other projects under the identity management umbrella that cracked the top projects list include authorization/access control and privileged identity management. Thirty-nine percent (39%) of security managers cited IT professionals with elevated privileges as the greatest insider threat they deal with.

The effects of last year's acquisitions became evident in this study, especially in the SIEM space, where IBM and McAfee now appear as serious enterprise competition for HP with the acquisitions of Q1 Labs and Nitro Security, respectively. This year's changes include security monitoring provider Vigilant becoming part of Deloitte; Solutionary is now a part of NTT Communications; application-aware firewall maker StoneSoft joined McAfee; and in two deals with eye-popping valuations, Cisco acquired Sourcefire and FireEye added incident response provider Mandiant.

Looking forward we see the effects of new technology. Cloud insecurity rose as a cited pain point interstudy from to 8% of enterprises. On the technology roadmaps, enterprise security managers reported plans that will double the use of cloud security solutions from 1 now to 28% in the next 18 months.

Macro Trends

BUDGET, HOT TECHNOLOGIES AND KEY TRENDS

BUDGET

Information security budgets continue a healthy multi-year run, with 4 of enterprises increasing their security budgets in 2013 against only 15% decreasing security budget allocations projects similarly positive, with 45% of respondents reporting their enterprises will increase spending on security against only 1 decreasing the same. Most of the budget increases are in the 5-10% range next year, while 5% of enterprises see their security budgets decreasing from 25% to 50% less. The highest reported median budgets were in the financial services and business/accounting/engineering verticals, each averaging $5.5m. Capex on security equipment dwarfs opex 6 to 3. Almost half of all enterprises surveyed (45%) believe spending on third-party services will increase in

[Figure: Information Security Budget Trends. 2012 vs. 2011, n=177; 2013 vs. 2012, n=169; 2014 vs. 2013, n=171. Categories: Decreasing, No Change, Increasing.]

[Figure: Information Security Budget Changes. Categories range from "> 50% Less" to "> 50% More".]

"We are on a November budget schedule and in a preliminary budget cycle for Our budget is an always-changing growth. We spend in security/compliance pretty close to $2m a year pretty low overall. As budget controls have been engaged, we're actually spending less this year budgets depend upon our third- and fourth-quarter performance." LE, Consumer Goods/Retail

"In 2013, we added 40% more security staff. Now that includes DR/BC, security infrastructure, infosec, risk, etc. There was a scope and organization change as well. These functions are now consolidated under the CISO. I represent the old IT security organization." LE, Financial Services

THE PREDICTING POWER OF PAIN

Mobile device management takes over as the security manager's greatest pain point at 18% of enterprises; this is managing the proliferation of employee-owned mobile devices connecting to company resources (most commonly ) rather than MDM tools themselves. Data security has also seen a serious uptick in concern, rising to number two on the list of pain points, up 8 percentage points from last year, which may coincide with the increase in enterprises citing regulatory requirements as their primary source of pain, up to 8% of enterprises from last year. Authorization/access control can be seen as a similar concern: how employees have access to data in a way that maintains the principle of least privilege, a chief pain point for 10% of enterprises. Rounding out the top four concerns of security managers are problems with administering and the effectiveness of security awareness training at 1 of enterprises, and dealing with organization politics, cited by 1 of enterprises. User behavior, cited by 9% of respondents as the key pain point, is somewhat related to the security awareness ineffectiveness. Cloud insecurity leaped from last year to 8% this year as a key source of pain.

"Change in attack vectors it's really phishing and the website drive-bys and the hijacking. And there isn't a lot of, no one's caught up with it yet. The government was supposed to do a lot of this, and they haven't, consolidate the lists of who's being bad so I can prophylactically shut them down." LE, Consumer Goods/Retail

"Not having security on the front burner not enough urgency at this time, but we have the thumbs up to spend on some technologies." LE, Financial Services

"And inward out is the over-reliance of appliances and physical assets to enable security controls. The lack of virtualization for security controls. So I don't have to deploy a piece of hardware within my environment to get my security controls. Because my environment is changing too quickly and actually becoming more SDN than physical, and security is behind." LE, Consumer Goods/Retail

[Figure: Information Security Pain Points. What are your top information security-related pain points? Select up to three. n=206.]

Pain points charted: Mobile Device Management, Data Security, Security Awareness Training, Organizational Politics, Authorization/Access Control, Hackers, Compliance/Auditing, User Behavior, Regulatory Requirements, Cloud, Malware, Monitoring, Resource Constraints, Application Security, Identity Management, Budget, Third Party Security, Vulnerability Management, Policy Management, Incident Response, Security Organization, Tool Management, Risk Assessment, Patch Management, Mobile Device Security, Keeping Up With New Technology, Firewall, Endpoint Security.

Other Pain Points Mentioned: Asset Management, Outsourcing, Attack Surface, Password Management, Business Continuity, Phishing, Change Management, Physical Security, Data Classification, Portable Storage, DDoS, Privileged Access Management, Directory Services, Remote Access, Documentation, Resiliency, Dual Factor Authentication, Security Architecture, Encryption, Security Operations, Intellectual Property Protection, SIEM, Intrusion Management, Social Media, Key Management, Spam, Log Management, Threat Intelligence, Mergers and Acquisitions, User/Business Requirements, Metrics, Virtualization Security, NAC, Web Content Filtering, Network Security, Wireless Security.

TOP INFORMATION SECURITY PROJECTS

Identity management took over as the top security project in 2013, deposing data-loss prevention (DLP), which slipped to fourth place. Add in related projects such as authentication, authorization/access control, and privileged identity management, and the gap is more pronounced. Many identity management projects are compliance-driven; the case is similar with SIEM and DLP, meaning three out of the top four security projects have roots in compliance spending. This coincides with how projects are approved: at 38% of enterprises compliance decides, dwarfing the next most common approval mechanism, some manner of ROI calculation, present at 10% of enterprises. Demonstrating an increased attention to monitoring over prevention, both SIEM and intrusion management have seen upticks in the number of enterprise project implementations.

"Outside vendor access and relations how to ensure the people we're doing business with are themselves a measure of secure. Are they subcontracting, and if so, are they [the subcontractors] secure? We're gonna hold you responsible for the security." LE, Consumer Goods/Retail

"Identity as a service. In those instances where we deal with people from other companies, what identities are we using. Or if we wanted to do something with alumni, people that used to work with us, how to identify with them." LE, Consumer Goods/Retail

[Figure: Information Security Projects. What are your organization's top information security-related projects in the next 12 months? Select up to three. n=204.]

Projects charted: Identity Management, SIEM, Firewall Management, DLP, Intrusion Management, Mobile Device Management, Authorization/Access Control, Policy Management, Log Management, Keeping Up With New Technology, Security Awareness, Vulnerability Assessment, Monitoring Improvements, Encryption, Application Security, Web Content Filtering, Data Classification, PCI Compliance, Data Security, Cloud Computing Control, VPN/Remote Access, GRC, Directory Services, Datacenter Expansion/Consolidation, Anti-DDoS.

Other Projects Mentioned: Alignment to Best Practices, Network Segmentation, AML Requirements, Operating System Security, Anti-fraud, Outsourcing, Anti-malware, Password Management, Anti-phishing, Patch Management, Anti-spam, PKI, Anti-virus, Privileged Identity Management, Application Blacklisting, Risk Assessment, Application Whitelisting, Secure File Transfer, Authentication, Security Architecture, Configuration Management, Security Operations, Disaster Recovery, Security Organization, Dual Factor Authentication, Segregation of Duties, E-discovery, Single Sign On, Endpoint Security, SSL, File Integrity Monitoring, Third Party Security, HIPAA Compliance, Threat Intelligence, Incident Response, Tokenization, Insider Security, Tool Management, Managed Security Services, UTM, Mergers and Acquisitions, Virtualization, Metrics, Virtualization Security, NAC, WAF, Network Security, Wireless Security.

SECURITY ORGANIZATION

The greatest percentage of enterprises in the Wave 16 Study, 5, employ 10 or fewer full-time information security professionals. Growth is in the cards, though; of the 5 of respondents who stated there were structural changes to their teams, the greatest numbers of those (2) were additions to staff. The information security team is a separate division in only 4 of enterprises. The majority of information security professionals are still embedded within information technology, creating an obvious conflict of interest when security and IT clash over project requirements or delivery. Physical security reporting into the same leadership structure as information security occurs in only 1 of enterprises.

Even in the 4 of organizations where security is a separate division, 65% of those divisions reported up to the head of information technology, typically a CIO. Twelve percent (1) reported to a risk management-based position. There is very little consistency in the way information security professionals are measured by enterprises: project management, compliance, issue or ticket resolution, vulnerability metrics, and the number of breaches or incidents all feed into the perception of security's effectiveness at different large enterprises.

"Infosec officer (me) reports to risk management for the organization. The operations and implementation folks are all part of IT and are not segregated per se." LE, Healthcare/Pharmaceuticals

"I report to the CIO and dotted line to the chief risk officer. It's through the CRO that I have visibility to the board of directors." LE, Financial Services

[Figure: Information Security Organizational Structure. Is information security a separate division or department at your enterprise? n=194. See Appendix for full set of questions and sample sizes. Panels: Is Security a Separate Division?; If So, Who Does It Report To?; If Not, Where Does It Lie?]

ROLE OF COMPLIANCE

PCI, SOX, HIPAA and GLBA are cited most often as having regulatory requirements for information security, and 38% of information security managers saw their budget increase specifically to deal with regulatory or legal compliance requirements, usually in the 1-20% range of increase. The majority of enterprises are conducting between one and 30 internal and external assessments annually. When considering these internal audits, security managers found the greatest strength of their company's auditors to be their process orientation (3 of enterprises). The greatest weakness, cited by 4 of security managers, was a lack of technology knowledge impeding the quality of audit results or findings.

"Strategy rather than participating in an arms race in which I must come in with the new controls. Rather get rid of the data that is in question. New point of sale required 4,000 servers being encrypted to protect data. Let's not store SS, year of birth with point of sales system. De-scope for PCI." LE, Financial Services

"It's just consistent increasing capabilities. I know it sounds stupid, but honestly, when you're out there in the world, people still can't patch their [expletive]. Everybody's looking for a silver bullet. There isn't one. You have to do work, dumbass. Everybody's working hard not to do the work. And non-technical CSOs are so involved in the process that they don't get s--- done." LE, Consumer Goods/Retail

"People have really brittle infrastructure and they're so wound up answering checklists that they're actually not providing security. And the new generation doesn't give a s--- about security, not one iota. You get this wild divergence. [They say] I just wanna be able to do anything I need to do my job, or if I just feel like it. It's almost like communism. [You see] Really rigid adherence to auditors rather than providing security. Auditors have a really hard time with me. They're not technical, don't understand what you're saying to them, they say show me the checklist." LE, Consumer Goods/Retail

[Figure: Approval Methodology. How are security projects approved within your organization? n=248. Categories: Compliance Decides (38%), ROI Calculation (10%), Risk Assessment, Committee Approval, CIO Decides, Senior Management Decides, Business Group Driven, Strategic Plan, Ad Hoc, Sacred Cow, Reaction to Security Problem, Operations Decides, Holding Company Driven, CISO Decides, Various Approval Methodologies, None.]

THREAT RESPONSE

Sixty-three percent (6) of information security managers are most concerned with external threats to their enterprises, while 3 believe their focus should be on internal threats such as employee malfeasance. Considering that internal threat, 5 of security managers said contractors and temporary staff were a population that posed the greatest risk of insider threat. Thirty-nine percent (39%) said information technology professionals with elevated privileges such as root or domain admin were a serious source of insider threat.

"Functionally, those who have a need to get to the member data, rather than client data, application tool set." LE, Financial Services

"It's about company culture. The programmer who believes that they are invincible." LE, Financial Services

[Figure: Threat Rankings, Personnel Type. Which of the personnel types below do you consider to be the greatest internal IT security risk to your organization? n=197. Categories: Contractors and Temporary Staff, Technical Staff Elevated Privilege (Including IT Systems Administrators), Business Unit Staff (Non-IT Technical), Management/Executive Team, Outsourced Service Provider Personnel, Remote Employees, Business Partners, Technical Staff Without Elevated Privilege, Students, Visitors, The Uninformed, Programmers, Overeager, Hosting Partners, High Ranked Officials, Field Workers, Engineers, Departing Employees, BYOD.]

SECURITY AWARENESS

Eleven percent (1) of enterprises cited security awareness training as the top pain point in their enterprises, with a further 9% citing user behavior as the chief issue. While 4 of enterprises invested more than 150 hours building and administering coursework to employees per year, a quarter spent only between one and 50 hours a year doing the same.

[Figure: End User Security Training. How many hours per year does your team spend on security awareness programs and training for end users? n=162. Axis: Hours per Year.]

"Continuing security awareness, especially as attack factors change. Client-side, via phishing, is changing. As users engage on the Internet more than they had, they need to be educated about how to recognize and handle attacks." LE, Healthcare/Pharmaceuticals

"It's not. The way that I am measured against my goals and performance management plan initiated two years ago with the newest HR director. The firm has goals which are aligned with the company's five strategic initiatives. GRC system, SOX compliance are examples of these goals/projects. The two metrics in the IT strategic plans are 1) audit deficiencies and 2) percentage of employees who take the security awareness training we rolled it out in the last year." LE, Healthcare/Pharmaceuticals

SECURITY POLICY

Sixty-two percent (6) of information security departments are tasked with setting policies for their organizations, whereas 38% of security managers see their primary role as the implementation of policies decided upon elsewhere. Thoughts on policy enforcement or effectiveness split nearly evenly: 4 of enterprise security managers believe their policies are little more than paper tigers, while 4 believe policy enforcements are effective. A much greater 65% of enterprises believe they have a strong business continuity plan in place ready for the next minor or major disaster.
[Figure: Thoughts on Policy Enforcement. What are your thoughts on the enforcement of your organization's formal written security policies? n=188. Categories: Effective, Neutral, Ineffective.]

"I think it's [expletive] stupid. We are totally around prophylactics. Don't let them hurt themselves. If it's written, it's automatic. It's disallowed. Only thing is porn hey, dumbass. Once people know we watch it, [porn usage] just literally went away. I'll call people, and say, seriously, how can you watch porn on your BlackBerry?" LE, Consumer Goods/Retail

"Can I lie? We have some very good policies that don't get enforced as well as they should be. I think we need to be more even-handed, and handle everybody the same way." LE, Consumer Goods/Retail

Technology Roadmap

According to TheInfoPro's proprietary Heat Index, a measure of the immediacy of user needs around a security technology, endpoint data-loss prevention (DLP) takes the pole position. Compliance concerns around both customer custodial information and intellectual property continue to drive DLP adoption, currently led by endpoint security titans Symantec and Intel's McAfee. The aforementioned phenomenon of employees connecting personal devices to the company network, bring your own device (BYOD), sees mobile device management (MDM) climb to third in the Heat Index and has also driven network access control (NAC) from a more stagnant technology to sixth place. Pre-integration of security technologies into a SIEM or other security dashboard would influence 50% of enterprise security managers' buying decisions, a marked advantage for larger vendors with portfolios of security technologies as long as those technologies form a part of a coherent whole.

[Table: Information Security Technologies: Heat Index vs. Adoption Index. n=207. Columns: Heat Rank, Technology, Heat Score, Adoption Score.]

Technology Heat Index: measures user demand for a technology based on several factors including: usage or planned usage, changes in planned spending, an organization's budget for the relevant IT sector, and future changes in the organization's budget. A high score means a technology is expected to see significant growth.

A ! vendor has at least twice the number of selections as the closest competitor.

Technology Adoption Index: measures aggregate investment in a technology based on several factors including: usage or planned usage, changes in planned spending, and an organization's budget for the relevant IT sector. A high score means the technology is already experiencing healthy adoption.

14 INFORMATION SECURITY STUDY TECHNOLOGY ROADMAP

Mobile device management had the strongest spending intentions in 2013; 4 of respondents stated their enterprises increased spending as a management response to employees bringing their own devices (BYOD) to work. Spending on MDM only improves in 2014, with 4 of respondents indicating an intent to increase spending.

Cloud-specific security solutions are implemented in less than 15% of enterprises now, but expect that to change, potentially doubling over the next 18 months. Forty-three percent (43%) of security managers say that securing the hybrid cloud is the priority.

Firewalls, both standard stateful ones and newer application-aware products, had healthy spending allocations in 2013, placing second and third respectively in the list of technologies the greatest percentage of security managers increased spending on.

Next year, security information and event management (SIEM) climbs to second place behind only MDM in spending change, as security managers continue their renewed focus on proactive monitoring and reaction to security incidents in addition to preventative controls.

INFRASTRUCTURE SECURITY ROADMAP

The infrastructure security category serves as a catchall for technologies from vulnerability assessment and penetration testing to data protection technologies like encryption and DLP.

[Chart: Infrastructure Security Technology Roadmap. "What is your status of implementation for this technology?" Technologies charted: Vulnerability/Risk Assessment/Scanning (of Infrastructure); Penetration Testing; Anti-spyware; Host Intrusion Detection and/or Prevention (HIDS/HIPS); Laptop Encryption; Two-factor (Strong) Authentication for Infrastructure; Hard Drive Encryption; Key Management and/or Public Key Infrastructure; Managed Security Service Provider (MSSP); Endpoint Data-loss Prevention Solutions; File Integrity Monitoring; Virtualization Security; Network Data-loss Prevention Solutions; Mobile Device Security (Not MDM); Tokenization; Information or Digital Rights Management; Cloud Security. Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

"[Virtualization security:] I don't know of any product, do you? We are 95% virtualized in our datacenter... we're still depending on the hypervisor layer for our security. If it can break through that, we're in trouble. Some things you just have to trust." - LE, Education

"We're supposed to be doing that [laptop encryption] but people are resistant. Never gets off the ground, crashes on the pad. The security office sets it up, but there's not enough people to carry it through, not enough resource. Even the pilot sorta fizzled. They talk about it, but nobody enforces it. Even us techies don't like to do it." - LE, Education

Both flavors of DLP, endpoint and network, continue an upward growth trajectory, poised to grow 16 and 14 percentage points respectively in the next 18 months.

Cloud security solutions are implemented at only 1 of enterprises but could grow another 1 in the next 18 months as enterprise security managers look for ways to properly secure hybrid cloud implementations.

Vulnerability testing/risk assessment solutions are now implemented at 88% of enterprises, with Qualys out to a large lead over contenders including Rapid7 and Tenable.

Laptop encryption is increasingly common, implemented at 80% of enterprises with Microsoft, McAfee and Symantec leading the choices of vendor solutions.

Information rights or digital rights management (DRM) products continue to be a niche solution; 18% of enterprises rely mainly on solutions from Microsoft.

Symantec has for the first time ranked ahead of Dell (SecureWorks) in the managed security service provider category; however, growth projections show Dell may reacquire the top slot next year.

Tripwire remains completely dominant in File Integrity Monitoring.

While endpoint security providers Symantec and Intel's McAfee lead the data-loss prevention (DLP) list of vendors, Websense has risen to take third place.

When it comes to a second factor for authentication, EMC/RSA tokens continue to be the dominant choice, capturing 40% of enterprises.

Endpoint Data-loss Prevention Solutions. 2H '11, n=176; 2H '12, n=200; 2H '13, n=205. Spending Change: 2013 vs. 2012, n=107; 2014 vs. 2013, n=108.
[Chart panels: Vendor Implementation (vendors: Symantec, McAfee, Websense, EMC, Check Point, Microsoft, Verdasys, Sophos, Fortinet, Wave Sys, Treadstone 71, Iron Mountain, Code Green Ntwks, Cisco, CA Tech, BeyondTrust, Trend Micro, Citrix, Voltage Sec); Implementation Roadmap (2H '11, 2H '12, 2H '13); Spending Change (2013 vs. 2012 and 2014 vs. 2013: Less Spending, About the Same, More Spending). Status categories: In Use Now; In Pilot/Evaluation (Budget Has Already Been Allocated); Near-term Plan (In Next 6 Months); Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

"Symantec [has exciting] offerings - the DLP. We have almost stopped business with them because we find McAfee superior in the antivirus space, but they seem to know the DLP space well with Vontu, and they've enhanced that technology quite a bit." - LE, Materials/Chemicals

"We've got a big PII initiative we're trying to take on, to really secure any information that could be related to personal identifiable, from policy point of view and encryption. It will probably bring in other things such as DLP." - MSE, Other

SECURITY MANAGEMENT

The security management category includes such long-term standbys as antivirus and patch management alongside increasingly ubiquitous log management and SIEM solutions.

[Chart: Security Management Technology Roadmap. "What is your status of implementation for this technology?" Technologies charted: Anti-virus; Patch Management; Event Log Management System; Security Information Event Management (SIEM); /Messaging Archiving/Compliance; Mobile Device Management; Computer Forensics; Identity Management; Single Sign-on; Policy and Configuration Management; IT Security Training/Education/Awareness; Secure Instant Messaging; IT GRC (Governance, Risk, Compliance); Threat Intelligence. Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

Mobile device management (MDM) is being driven quickly into use by the security conditions created when employees bring their own devices to work (BYOD). A fast rise from 4 in use last year to 59% in use this year will continue to grow a further 8 percentage points in the next six months.

About a third (3) of enterprises noted greater spending on their SIEM solutions in 2013, a figure that balloons to 4 in 2014 based on the predictions of interviewed security managers. SIEM, besides being a compliance-driven solution around log review, also continues to grow based on security managers' focus on reactionary controls as a supplement to preventative measures.

Another key compliance initiative, the catchall identity management, captures increased spending intentions among 40% of interviewed enterprises seeking to get their hands around proper implementation of the principle of least privilege.

No technology is more ubiquitous in this category than antivirus, implemented at 100% of the enterprises interviewed in the study, and led largely by security stalwarts Symantec and Intel's McAfee. Close behind are patch management solutions, implemented at 9 of interviewed enterprises. This is a bit of a false indicator, though, as the majority of enterprises cite Microsoft management tools as their primary patch management solution, indicating they do not have a dedicated third-party patch management solution such as that provided by IBM (BigFix); rather, they are using Microsoft tools to manage a Microsoft environment.

Threat intelligence is the least implemented technology under the security management umbrella. However, at 3 of enterprises and with an ever-changing definition of what constitutes a threat intelligence solution, expect future focus in this area.

Good Technology has taken the lead in MDM implementations but faces serious competition from both MobileIron and AirWatch, all continuing to take share from the leader of a few years ago, BlackBerry.

The SIEM space remains contested even as solutions become commonplace in the enterprise. HP with ArcSight retains the lead. However, IBM (acquired Q1Labs), EMC with Envision, and McAfee (acquired NitroSecurity) battle it out with the pure-play Splunk, a log management tool being used as a SIEM.

Oracle's identity management solutions continue to see potential for growth as the only major vendor outside of using Microsoft's standard tools (Active Directory) seeing significant enterprise penetration.

The IT GRC space continues to be dominated by EMC with the RSA Archer product.

Guidance Software (maker of EnCase) faces serious competition in the enterprise forensics space for the first time from AccessData.

Mobile Device Management. 2H '12, n=200; 2H '13, n=204. Spending Change: 2013 vs. 2012, n=157; 2014 vs. 2013, n=156.

[Chart panels: Vendor Implementation (vendors: Good Tech, MobileIron, AirWatch, BlackBerry, Fiberlink Comm, Citrix, Microsoft, Cisco, McAfee, SAP, Symantec, Watchdox, Open Source, JAMF Sw, IBM, Homegrown, Google, Dell, AppSense, Dropbox, Aruba Ntwks, Verizon, Sprint, Motorola, Fortinet, AT&T); Implementation Roadmap (2H '12, 2H '13); Spending Change (2013 vs. 2012 and 2014 vs. 2013: Less Spending, About the Same, More Spending). Status categories: In Use Now; In Pilot/Evaluation (Budget Has Already Been Allocated); Near-term Plan (In Next 6 Months); Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

"We tried AirWatch and weren't too happy. However, they've made some more advances, may look at it again. I wasn't impressed with it. Biggest issue, it depended on version as to whether it would work with an iPhone." - LE, Services: Business/Accounting/Engineering

"We have implemented Good Technologies, but to implement beyond , contact and tasks costs much more money. We don't have the money to address these additional features, since it is not business critical." - LE, Telecom/Technology

"Absence of good device-centric controls; also, the BYO aspect - in many cases the platform is no longer owned by us, so regulating and securing becomes that much harder. Android devices are harder than Apple to secure, it seems." - LE, Materials/Chemicals

"Both network and server log management done with Envision, and we change for all functions to something. We're considering McAfee as frontrunner, but IBM and HP are in the mix. We want to look at an ISSP as well." - LE, Industrial/Manufacturing

APPLICATION SECURITY

Application security solutions continue to get attention from enterprises as specific countermeasures to application-based attacks. However, with none above 50% implemented, it continues to be a category that is not receiving enough attention.

[Chart: Application Security Technology Roadmap. "What is your status of implementation for this technology?" Technologies charted: Web Application Firewall (WAF); Application Security Testing - Code or Binary Analysis-based Vulnerability Assessment; Database Security; Application Security Testing - External Interface Fuzzing or Testing Vulnerability Assessment; Multifactor Authentication for Web-based Applications. Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

Code or binary assessment, currently implemented at 38% of enterprises, is poised to grow 8 percentage points in the next 18 months, as enterprises seek to harden the applications written by their development teams from the inside out.

No technology under the application security umbrella is mainstream; none has cracked the 50% in-use mark in interviewed enterprises. The closest is Web application firewalls (WAFs) at 40% in use, driven largely by the technology's prominent mention in the PCI application security requirements.

Dual-factor authentication for Web-based applications is implemented in only 3 of enterprises. Driven largely in financial institutions by guidance released by the Federal Financial Institutions Examination Council, it has yet to see widespread adoption.

"Foundstone/McAfee, Qualys and Nexpose/Rapid7 for vulnerability and pen testing as well." - LE, Financial Services

"A lot of interest in pen-testing and Web application assessments today. We've spoken with WhiteHat Security, NetSPI about pen-testing assessments." - LE, Other

HP and IBM have long led the code/binary assessment category via prior acquisitions, but Veracode is poised to become a threat to their supremacy. Similarly, IBM remains in the lead in external application security testing, but HP has fallen to third place amid a serious challenge by WhiteHat Security.

F5 Networks continues to compete with Imperva in the WAF space, but is showing signs of potentially pulling away.

Application Security Testing - Code or Binary Analysis-based Vulnerability Assessment. 2H '12, n=200; 2H '13, n=205. Spending Change: 2013 vs. 2012, n=91; 2014 vs. 2013, n=91.

[Chart panels: Vendor Implementation (vendors: HP, IBM, Veracode, Qualys, WhiteHat Sec, Checkmarx, Homegrown, Open Source, Tenable, Security Compass, InfoSecurus, Coverity, Core Security, CA Tech, Acunetix, Cigital, Symantec, Verizon, Onapsis, Cenzic); Implementation Roadmap (2H '12, 2H '13); Spending Change (2013 vs. 2012 and 2014 vs. 2013: Less Spending, About the Same, More Spending). Status categories: In Use Now; In Pilot/Evaluation (Budget Has Already Been Allocated); Near-term Plan (In Next 6 Months); Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

"Checkmarx offers very good code coverage. They cover just about everything around here. Downside - when it works, it is great; however, we have had improper scanning of code take place. They expect us to do too much work. This is something they should do as part of their service." - LE, Consumer Goods/Retail

"[Veracode:] Static analysis, they do a good job on that. They need to make their results a little bit more easy to understand. It can be a little difficult trying to discern exactly, you get a report, what exactly, what does that mean, and what do I need to do? To be fair, they'll help you with that, but there's always room for improvement." - LE, Financial Services

"So deep in the layers that we may not bother with it - we're not increasing budget. Unless an examiner says it must be done." - LE, Services: Business/Accounting/Engineering

NETWORK SECURITY

Network security continues to be a mix of old standby perimeter security tools such as the firewall, newer versions of the same in the form of the application-aware firewall, and perimeter monitoring via intrusion management and newer network security options including network-based DLP and anti-botnet services.

[Chart: Network Security Technology Roadmap. "What is your status of implementation for this technology?" Technologies charted: Network Firewalls; Anti-spam/ Security; SSL VPNs; Network Intrusion Detection and/or Prevention (NIDS/NIPS); Web Content Filtering; Encryption; Secure File Transfer; Application-aware Firewall; Anti-botnet; Advanced Anti-malware Response; Network Access Control (NAC); Unified Threat Management (UTM). Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

Application-aware firewalls remain a top growth technology in terms of new installations, rising to 4 in use in 2013 with a further 9 percentage points of projected growth over the next six months. Palo Alto Networks continues to be the standard bearer in a technology 3 of security managers reported spending more on in 2013, and Check Point for the first time shows significant growth potential for its application-aware offering.

Network access control (NAC) seemed to have plateaued in recent years or was poised to be subsumed into other technologies, such as VPN. That was before the explosive growth of BYOD, which has put NAC back on enterprises' radar screens with 16 percentage points of projected growth possible in the next 18 months.

Nothing in network security is quite so mainstream as the network firewall, implemented at 100% of interviewed enterprises. That said, high penetration has never equaled dormancy; the technology remains a contested one, with 39% of enterprises increasing spending in Cisco leads the pack, with Check Point in second. Juniper Networks has posted modest gains with about 15% of responses, and newer entrant Palo Alto Networks has seen a rise to 1 of enterprises stating they provide the primary network firewall.

Unified threat management (UTM) continues to suffer from perceptions that it is an SMB solution, creates vendor lock-in, or that its components are not best-of-breed. That said, in-use growth potential of 14 percentage points in the next 18 months could change that.

Application-aware Firewall. 2H '09, n=255; 2H '10, n=208; 2H '11, n=174; 2H '12, n=200; 2H '13, n=205. Spending Change: 2013 vs. 2012, n=122; 2014 vs. 2013, n=120.

[Chart panels: Vendor Implementation (vendors: Palo Alto Ntwks, Imperva, F5 Ntwks, Check Point, Cisco, Citrix, Dell, Fortinet, Symantec, HP, Akamai, Juniper, WatchGuard, VMware, Trustwave, Microsoft, IBM, Websense, WhiteHat Sec); Implementation Roadmap (2H '09, 2H '10, 2H '11, 2H '12, 2H '13); Spending Change (2013 vs. 2012 and 2014 vs. 2013: Less Spending, About the Same, More Spending). Status categories: In Use Now; In Pilot/Evaluation (Budget Has Already Been Allocated); Near-term Plan (In Next 6 Months); Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.]

Cisco is not always a dominant player in information security the way it is in network technology, but network security is an area where the networking giant is prominent. Cisco leads network firewall implementations for another year, is the primary beneficiary of the resurgence of NAC, and has leaped to the front of a once hotly contested space in intrusion detection and prevention systems with the acquisition of Sourcefire.

FireEye continues to lead the category of advanced anti-malware, denoting approaches to dealing with malware that go beyond traditional antivirus solutions, but sees old standbys Symantec and Intel's McAfee on its tail in this newer technology category on which 29% of respondents note they will spend more in Web content filtering, another staid and ubiquitous network security technology, remains highly penetrated at 8 in use, but sees 1 of enterprises decreasing their 2014 spending levels against 2 increasing them. This notably affects the two leaders in the technology: Websense and Blue Coat.

"We moved into a new datacenter this year and spent a lot on infrastructure. In 2014, we expect to bring in new firewall from Cisco predominantly. We run into limitations with Palo Alto and slow response. Thus looking at Cisco going forward. Cisco has more of an end-to-end solution from the edge for BYOD and integrating other technologies." - LE, Consumer Goods/Retail

"We are good at understanding incoming traffic but need work on outgoing application traffic. Want to get the capability out of the firewall to get deeper dives for social media." - LE, Healthcare/Pharmaceuticals


More information

IBM Security Strategy

IBM Security Strategy IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration

More information

AL RAFEE ENTERPRISES Solutions & Expertise.

AL RAFEE ENTERPRISES Solutions & Expertise. AL RAFEE ENTERPRISES Solutions & Expertise. Virtualization Al Rafee has strategically made substantial investment in building up a large end to end portfolio of Virtualization across the entire IT infrastructure

More information

Current IBAT Endorsed Services

Current IBAT Endorsed Services Current IBAT Endorsed Services Managed Network Intrusion Prevention and Detection Service SecureWorks provides proactive management and real-time security event monitoring and analysis across your network

More information

McAfee Security Architectures for the Public Sector

McAfee Security Architectures for the Public Sector White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

BT Assure Rethink the Risk

BT Assure Rethink the Risk BT Assure Rethink the Risk Analyst and Consultant Update May 2012 BT Assure. Security that matters Today's agenda Introductions Neil Sutton Vice President, Global Portfolio 3 Minutes BT Assure Overview

More information

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 2 Executive Summary Promotion

More information

HP Security Solutions for Microsoft

HP Security Solutions for Microsoft HP Security Solutions for the Microsoft Environment Achieving a secure adaptive enterprise How secure is your Microsoft environment? Enterprise boundaries are expanding, creating the need for faster, easier

More information

Phone: +44 20 8123 2220 Fax: +44 207 900 3970 office@marketpublishers.com https://marketpublishers.com

Phone: +44 20 8123 2220 Fax: +44 207 900 3970 office@marketpublishers.com https://marketpublishers.com Cyber Security Market by Solution (IAM, Encryption, DLP, Risk and Compliance Management, IDS/IPS, UTM, Firewall, Antivirus/Antimalware, SIEM, Disaster Recovery, DDOS Mitigation, Web Filtering, and Security

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

Managed Security Services for Data

Managed Security Services for Data A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

AWARENESS T E C H N O L O G I E S. Complete internal threat solution on the endpoint delivered as a service. A Whitepaper By Ron Penna

AWARENESS T E C H N O L O G I E S. Complete internal threat solution on the endpoint delivered as a service. A Whitepaper By Ron Penna Complete internal threat solution on the endpoint delivered as a service About, Inc, Inc (ATI) is a Los Angeles, California company founded in 2002 who has over 200,000 total users and 10,000 corporate

More information

Mobile Security Challenge Emerges Smart IT Leaders Evaluating Pervasive Security Options

Mobile Security Challenge Emerges Smart IT Leaders Evaluating Pervasive Security Options Mobile Security Challenge Emerges Smart IT Leaders Evaluating Pervasive Security Options By Robin Gareiss Executive Vice President and Founder, Nemertes Research Executive Summary As more employees bring

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski May 2015 is a business-critical application security solution for SAP environments. It provides a context-aware, secure and cloud-ready platform

More information

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices The Payment Card Industry (PCI) Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process. The Payment Application Data Security Standard

More information

Data Security and Healthcare

Data Security and Healthcare Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population

More information

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security SIEM Optimization 101 ReliaQuest E-Book Fully Integrated and Optimized IT Security Introduction SIEM solutions are effective security measures that mitigate security breaches and increase the awareness

More information

Healthcare Security: Improving Network Defenses While Serving Patients

Healthcare Security: Improving Network Defenses While Serving Patients White Paper Healthcare Security: Improving Network Defenses While Serving Patients What You Will Learn Safeguarding the privacy of patient information is critical for healthcare providers. However, Cisco

More information

SOC & HIPAA Compliance

SOC & HIPAA Compliance 2014 All Rights Reserved ecfirst An ecfirst Case Study: SOC & HIPAA Compliance An ecfirst Case Study: Lunarline & HIPAA Compliance TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 SECURITY OPERATIONS CENTER (SOC)...

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose

Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose SPONSORED BY WhatWorks is a user-to-user program in which security managers who have implemented effective Internet security

More information

Securing the Journey to the Private Cloud. Dominique Dessy RSA, the Security Division of EMC

Securing the Journey to the Private Cloud. Dominique Dessy RSA, the Security Division of EMC Securing the Journey to the Private Cloud Dominique Dessy RSA, the Security Division of EMC June 2010 Securing the Journey to The Private Cloud The Journey IT Production Business Production IT-As-A-Service

More information

How To Protect A Smart Grid From Cyber Security Threats

How To Protect A Smart Grid From Cyber Security Threats Smart Grid Cyber Security System Reliability, Defense-in-Depth, Business Continuity, Change Management, Secure Telecommunications, Endpoint Protection, Identity Management, and Security Event Management

More information

Braindumps.700-295.50.QA

Braindumps.700-295.50.QA Braindumps.700-295.50.QA Number: 700-295 Passing Score: 800 Time Limit: 120 min File Version: 6.0 http://www.gratisexam.com/ Comprehensive, easy and to the point study material made it possible for me

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Securely Yours LLC Top Security Topics for 2013. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com

Securely Yours LLC Top Security Topics for 2013. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Securely Yours LLC Top Security Topics for 2013 Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps

More information

Response to Questions CML 15-018 Managed Information Security

Response to Questions CML 15-018 Managed Information Security Response to Questions CML 15-018 Managed Information Security 1. What are the most critical aspects that need to be provided for this RFP, in light of the comment that multiple awards might be provided?

More information

How To Protect Yourself From A Hacker Attack

How To Protect Yourself From A Hacker Attack Cybersecurity Demystified: Information Technology Security Trends Joe Oleksak, Plante Moran Agenda Data Security Trends Example Attacks Industry Examples An Answer 1 Who Are The Victims? Targets - victims

More information

Network Security. Intertech Associates, Inc.

Network Security. Intertech Associates, Inc. Network Security Intertech Associates, Inc. Agenda IT Security - Past to Future Security Vulnerabilities Protecting the Enterprise What do we need in each site? Requirements for a Security Architecture

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S.

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

Symantec Endpoint Security Management Solutions Presentation and Demo for:

Symantec Endpoint Security Management Solutions Presentation and Demo for: Symantec Endpoint Security Management Solutions Presentation and Demo for: University System of Georgia Board of Regents Information Technology Services Executive Summary Business Requirements To migrate

More information

overview Enterprise Security Solutions

overview Enterprise Security Solutions Enterprise Security Solutions overview For more than 25 years, Trend Micro has innovated constantly to keep our customers ahead of an ever-evolving IT threat landscape. It s how we got to be the world

More information

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

More information

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Protecting Content and Securing the Organization Through Smarter Endpoint Choices

Protecting Content and Securing the Organization Through Smarter Endpoint Choices Protecting Content and Securing the Organization Through Smarter Endpoint Choices Prepared by Dan O Farrell Dell Cloud Client-Computing Finally a practical approach to protecting content and securing desktops

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

Business Risk Assessment - A Primer

Business Risk Assessment - A Primer The Evolving Security Landscape: Technology Overview and Business Drivers Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com Agenda About Nemertes Technology Overview and

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

The State of Mobile Application Insecurity

The State of Mobile Application Insecurity The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State

More information

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Presented by: Kristen Zarcadoolas, Jim Soenksen, and Ed Sale PART 2: plan, act, repeat (from the look, plan,

More information

Security Metrics to Manage Change: Which Matter, Which Can Be Measured?

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:

More information

What to Look for When Evaluating Next-Generation Firewalls

What to Look for When Evaluating Next-Generation Firewalls What to Look for When Evaluating Next-Generation Firewalls Using independent tests to compare performance, cost and functionality Table of Contents Why Use Independent Tests in Evaluations?... 3 What to

More information