Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability




A Custom Technology Adoption Profile Commissioned By BitSight Technologies
January 2015

Introduction

As concerns around data guardianship, targeted attacks, and advanced security threats have risen, so too have the number and significance of third-party relationships, such as those with suppliers and partners. As a result, more potential vulnerabilities are being exposed at the same time that regulator, customer, and business scrutiny of those relationships is reaching a peak. In October 2014, BitSight Technologies commissioned Forrester Consulting to examine the current practices of IT decision-makers as they relate to monitoring and managing third-party risk, along with their perceptions of the potential impact of objective, reliable continuous monitoring, an impact that is not apparent from manual efforts such as qualitative questionnaires.

Enterprises are experiencing increased pressure from regulators, frameworks, and other sources to expand third-party oversight, while also incorporating more line-of-business objectives and input when sourcing vendors and evaluating their suitability. There is therefore significant appetite for monitoring various elements of third-party security, yet few firms have the resources to do so with adequate frequency or objectivity. To close this gap, the majority of survey respondents see benefit in a continuous third-party monitoring capability, including significant improvement in metrics ranging from the vendor sourcing process to incident identification and remediation.

This BitSight-commissioned profile of enterprise IT security decision-makers in the US, UK, France, and Germany evaluates attitudes and capabilities regarding third-party security compliance, based on Forrester's own market data and a custom study of the same audience.

Regulations And Frameworks Are Driving Increased Third-Party Security Scrutiny

Today's IT security professionals certainly have no shortage of concerns and priorities on their plates. Forrester's Business Technographics Global Security Survey, 2014, however, shows that among those in US and European enterprises, ensuring regulatory compliance is of particular importance, with 82% ranking it as a critical or high priority (see Figure 1). Seventy-nine percent reported that another top priority is ensuring that business partners and third parties (which are increasingly in the mix due to modern business objectives and resources, and whose policies and practices may be opaque) comply with their security requirements.

The importance of such concerns is underscored by dismally low levels of compliance, including on the part of the third parties with whom so many firms do business today. Forrester data shows that across 18 regulations, professional frameworks, and best-practice guidance documents, an average of only 29% of firms are fully compliant (see Figure 2). These firms will likely soon bear even more responsibility for protecting their data, as regulatory oversight is only increasing. As of September 2014, the US Congress is considering 112 pieces of legislation addressing privacy and data breaches, and the EU Commission is preparing to significantly tighten data regulations in an update to its 1995 Data Protection Directive.[1] Federal contractors, in particular, are currently in the unenviable position of navigating the intentionally vague guidelines set forth in the massively overhauled National Institute of Standards and Technology (NIST) framework.[2] They will need to conduct thorough reviews of their partners to ensure compliance.

Figure 1: Regulatory Compliance And Third-Party Security Concerns Are Top IT Priorities. Base: 375 IT decision-makers at enterprises in the US, UK, France, and Germany. Source: Business Technographics Global Security Survey, 2014, Forrester Research, Inc.

Figure 2: Full Regulatory Compliance Is Rare. Base: 1,039 IT decision-makers at enterprises in the US, UK, France, and Germany. Source: Business Technographics Global Security Survey, 2014, Forrester Research, Inc.

Third Parties Are Being Held Accountable For Increasingly Security-Minded Business Goals

Forrester estimates that in 2014, IT departments among enterprises in the US, UK, France, and Germany allocated 21% of their overall IT spending to third parties.[3] That equates to over $270 billion annually in the US alone.[4] With such a large portion of spend going to service providers, it follows logically that IT decision-makers are expecting a lot from these relationships. And indeed, they are taking steps to ensure they get maximum value. Fifty-six percent of our survey respondents said they are coordinating more closely with their business counterparts to define outcomes, 51% are directly involving them in defining metrics, and 50% are writing business outcomes and performance metrics directly into their contracts (see Figure 3). In other words, thanks to greater appreciation of the legal, IT, public relations, and insurance costs (among others) that follow breaches, which are often made possible by the new anytime, anywhere technologies customers demand, ensuring that these capabilities and services follow policies and best practices is now directly tied to the bottom line.[5]

Figure 3: IT Has Increased Coordination With Lines Of Business To Ensure Third-Party Relationships Are Valuable. Base: 106 IT security decision-makers at enterprises in the US, UK, France, and Germany. Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014.

Ironically, though hardly a surprise, the move toward outsourcing has not bypassed the security organization. In fact, as far back as 2012, an average of 62% of security decision-makers had implemented, were planning to implement, or were interested in implementing as-a-service approaches across 13 security categories, with the highest number (71%) for vulnerability assessments.[6] Two years later, that shift has only accelerated, with 70% of respondents to our custom survey indicating that leveraging cloud-based or managed security services is a high or critical priority at their organizations.

IT Seeks Third-Party Security Tracking And Management Capabilities But Relies On Sporadic Intelligence

IT decision-makers aren't just looking at the strategic value of their third-party relationships. In fact, they're very interested in getting down to brass tacks. According to Forrester's Forrsights Services Survey, Q3 2013, respondents from enterprises in the US, UK, France, and Germany show significant interest in tracking hard metrics from their suppliers around risk of critical data loss or exposure (63%), general security risks such as cyberattacks (62%), and risk of intellectual property theft (52%), among others (see Figure 4). In our custom survey, we asked respondents from the same population about more specific pieces of third-party security information they would see value in monitoring, and uncovered significant appetite for insight into those firms' own security practices. Roughly two-thirds of respondents, for example, indicated a desire to know third parties' threat and vulnerability management practices (68%), encryption policies and procedures (67%), security incident response processes (66%), and threat intelligence practices (64%).

Figure 4: IT Seeks The Ability To Track Supplier Risk Metrics. Base: 422 IT decision-makers at enterprises in the US, UK, France, and Germany. Source: Forrester Forrsights Services Survey, Q3 2013.

Despite their enthusiasm for third-party security insights, respondents to our custom survey reported only sporadic updates to their knowledge of such information. In fact, no more than 37% reported formally tracking any one of these metrics on at least a monthly basis, leaving them vulnerable in the event of a breach or a change in a third party's policy. On average, 59% of respondents said they would glean valuable insight from these metrics, but fewer than half of that number (22%) have the opportunity to do so monthly (see Figure 5). What's more, firms that rely on disconnected governance, risk, and compliance (GRC) efforts, including overly manual processes such as surveys (which introduce human error and time lag), get cloudy insights at best and simply do not keep up with the pace the business demands today.[7]

Continuous Third-Party Monitoring Improves IT And Business Performance

Given that most firms today fail to formally track third-party security information with prudent frequency, continuous monitoring may seem like a pie-in-the-sky notion. Yet, when asked to consider such a capability, respondents to our custom survey showed a clear awareness of the shortcomings of their current approaches. A clear majority anticipate a major or moderate benefit resulting from continuous third-party monitoring for any one of the seven metrics we asked about.

Figure 5: IT Sees Value In Third-Party Security Monitoring But Relies On Sporadic Intelligence. Base: 106 IT decision-makers at enterprises in the US, UK, France, and Germany. Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014.

The largest share of respondents agreed on the tactical benefits in the case of a security event, such as event identification time (76%), event remediation time (72%), and response time to high-profile events such as Heartbleed and POODLE (71%). Respondents also anticipate more strategic benefits from such a monitoring approach. For instance, 65% predicted major or moderate benefits to their ability to compare security postures among third parties, with 63% and 62% reporting the same for their ability to screen vendors based on risk and to evaluate the infrastructure configuration of third parties, respectively (see Figure 6).

Figure 6: Continuous Monitoring Is Seen As Beneficial To Critical Metrics. Base: 106 IT decision-makers at enterprises in the US, UK, France, and Germany. Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014.

Conclusion

In the midst of high-profile data breaches and increased awareness among the public and regulators of the importance of good data guardianship, firms today are allocating significant portions of their IT budgets, hundreds of billions of dollars per year in the US alone, to third parties. In addition, IT professionals are making efforts to better align their vendor contracts with business objectives. As a result, there is an appetite among the majority of these professionals to track and monitor important third-party metrics, such as the risk of losing critical company data and event identification and remediation times. Yet most firms fail to do so with adequate frequency. Across the nine types of third-party information we surveyed IT security decision-makers about, an average of 59% indicated a desire to track and monitor them. Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency.

Enterprises overwhelmingly anticipate major or moderate improvement to many metrics around third-party evaluation, such as the ability to compare security postures, screen vendors based on risk, and evaluate infrastructure configurations. Additionally, enterprises anticipate reductions in the time required for security event identification and remediation and for responses to high-profile events.

Real-time security monitoring can benefit many industries and departments beyond IT. Potential use cases include merger and acquisition due diligence for law and investment firms, federal agencies monitoring the ongoing security practices of the nation's critical infrastructure, and insurance actuaries determining appropriate rates for cyberinsurance coverage. What's more, agencies such as the Office for Civil Rights can use security monitoring tools to triage their HIPAA audit scheduling, and healthcare providers can use the technology to assess the risk posed by their in-network physicians and centers. It's fair to say that continuous security monitoring can find an appropriate role in nearly any organization.

Methodology

This Technology Adoption Profile was commissioned by BitSight Technologies. To create this profile, Forrester leveraged its Forrsights Services Survey, Q3 2013 and Business Technographics Global Security Survey, 2014. Forrester Consulting supplemented this data with custom survey questions asked of 106 IT security and risk management decision-makers at firms with over 1,000 employees in the US and over 500 employees in the UK, France, and Germany. Survey respondents included IT security professionals from various industries with manager or above seniority and responsibility for third-party IT service sourcing and management. The auxiliary custom survey was conducted in November 2014. For more information on Forrester's data panel and Tech Industry Consulting services, visit www.forrester.com.

Endnotes

[1] Source: "How Dirty Is Your Data?" Forrester Research, Inc., September 16, 2014.
[2] Source: "Brief: New NIST Cybersecurity Guidelines Target Firms With US Federal Agency Customers," Forrester Research, Inc., July 11, 2014.
[3] Source: Forrester's Business Technographics Global Business And Technology Services Survey, 2014.
[4] A recent Forrester study estimates total IT spend by businesses and government in the US at over $1.3 trillion. Source: "US Tech Market Outlook For 2014 And 2015: Solid, Steady Growth," Forrester Research, Inc., April 24, 2014.
[5] Source: "Build The Business Case For GRC," Forrester Research, Inc., December 10, 2014.
[6] Source: "Security's Cloud Revolution Is Upon Us," Forrester Research, Inc., August 2, 2013.

[7] Source: "Choose The Right Technologies To Support Your GRC Program," Forrester Research, Inc., April 28, 2014.

About Forrester Consulting

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester's Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. 1-S27AU1