Planning For Failure

Post on 04-Apr-2018


7/31/2019 Planning for Failure 1/16

Making Leaders Successful Every Day

November 9, 2011

Planning For Failure
by John Kindervag and Rick Holland
for Security & Risk Professionals

http://www.forrester.com/

2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email clientsupport@forrester.com. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.


EXECUTIVE SUMMARY

It's not a question of if but when your organization will experience a serious security breach. Cybercriminals are using more sophisticated and targeted attacks to steal everything from valuable intellectual property to the sensitive personal and financial information of your customers, partners, and employees. Their motivations run the gamut from financial to political to retaliatory. With enough time and money, they can breach the security defenses of even the largest enterprises. You can't stop every cyberattack. However, your key stakeholders, clients, and other observers do expect you to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. A poorly contained breach and botched response have the potential to cost you millions in lost business and opportunity, ruin your reputation, and perhaps even drive you out of business.

TABLE OF CONTENTS

You Will Suffer A Security Breach; You May Even Have A Breach Right Now ... 2

You Must Establish An Ongoing Incident Management Program ... 5

Testing And Training Are Critical To Success ... 10

You Must Decide If You Want To Prosecute Before You Remediate ... 11

WHAT IT MEANS
Make Incident Management A Top Security Priority ... 12

Supplemental Material ... 13

NOTES & RESOURCES

In developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users and vendors across industry sectors.

Related Research Documents

"Updated Q4 2011: The New Threat Landscape: Proceed With Caution"
November 1, 2011

"Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility"
January 24, 2011

"SOC 2.0: Virtualizing Security Operations"
April 20, 2010

November 9, 2011

Planning For Failure
An Effective Incident Management Program Is Essential To Help You Stay In Business

by John Kindervag and Rick Holland
with Stephanie Balaouras and Kelley Mak


2011, Forrester Research, Inc. Reproduction Prohibited    November 9, 2011

Planning For Failure
For Security & Risk Professionals

2

YOU WILL SUFFER A SECURITY BREACH; YOU MAY EVEN HAVE A BREACH RIGHT NOW

Breaches are expensive. Sony announced that it will cost the company more than $170 million to clean up the PlayStation Network breach alone.[1] One financial analyst estimates that the breach will ultimately cost the company $1.25 billion in lost business, compensation, and new investments.[2] During the past 12 months, 25% of IT security decision-makers and influencers reported at least one breach of their sensitive information (see Figure 1-1). It's interesting to note that 21% of respondents didn't feel comfortable answering that question although their responses were anonymous, a testament to just how sensitive enterprises have become to the potential economic impact and damage to corporate reputation of a publicized security breach.

Even more interesting is that 7% reported "Don't know." Forrester believes that even among those respondents that reported no breaches in the past 12 months, many of them have suffered a breach; they just don't know it. In today's changed threat landscape, cybercriminals are skilled, well-funded, and patient. They target their attacks and do everything in their power to conceal their activity so that they can accomplish their goal, whether it's to steal intellectual property or conduct man-in-the-middle attacks.

Inadequate Incident Response Leads To Financial, Operational, And Reputational Losses

Consider the example of DigiNotar, the primary certificate authority for the Dutch government. On September 19, 2011, the company filed for bankruptcy as a result of a massive breach by suspected Iranian actors.[3] The breach resulted in the issuance of more than 500 fraudulent digital certificates. In its investigation, IT security firm Fox-IT stated: "We found that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced."[4]

This example illustrates the sophistication of today's cyberattacks and the difficulty, even for a security company, to detect them. It also illustrates the importance of having an incident management program. Government and industry experts criticized DigiNotar for failing to notify the public of the breach sooner and for downplaying the scope and seriousness of the breach.

Incident Response Is One Of The Most Overlooked Areas In Information Security

In Forrester's experience, incident response is one of the most overlooked areas of information security. Surprisingly, even among those enterprises that have already suffered a breach during the past 12 months, only 18% increased spending on their incident response program as a result (see Figure 1-2). Sadly, and perhaps even more surprisingly, many enterprises did nothing at all as the result of their breach. Others increased spending on breach prevention technologies.


Figure 1 Frequency And Results Of Data Breaches

Source: Forrester Research, Inc. (60564)

1-1 Frequency of breaches during the past 12 months

"How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?"

Base: 341 North American and European enterprise security decision-makers responsible for network or data security at companies that have had a breach in the past 12 months
(percentages may not total 100 because of rounding)
Source: Forrsights Security Survey, Q2 2011

25% of companies have experienced a breach during the past 12 months that they know of.

    Cannot disclose                            21%
    Don't know                                  7%
    No breaches in the past 12 months          45%
    More than 25 times in the past 12 months    1%
    11 to 25 times                              1%
    Six to 10 times                             3%
    Three to five times                         8%
    Twice                                       6%
    Once                                        6%

1-2 Changes resulting from a breach

"If you have had a breach, what has changed at your firm in the past 12 months as a result of the breach?"

Base: 625 North American and European enterprise security decision-makers responsible for network or data security
(multiple responses accepted)

    Greater difficulty attracting new customers                                  0%
    Lost business partners                                                       1%
    Lost customers                                                               2%
    Switched IT auditors                                                         2%
    Other action                                                                 4%
    Switched security vendors or service providers                               6%
    Bad publicity                                                                9%
    Don't know                                                                  11%
    Increased spending on incident response programs                            18%
    Increased spending on breach prevention technologies                        25%
    Nothing has changed in the past 12 months as a result of security breaches  30%
    Additional security and audit requirements                                  43%


Unfortunately, even enterprises with the most mature security organizations and advanced security controls can't prevent every single breach, especially if your opponent has the time and financial backing to target you. Every enterprise needs an incident response plan, but enterprises often fail to map out their incident response plan prior to a breach or other security incident. Without a proper plan in place ahead of time, it's extremely difficult to contain or stop the incident once detected and preserve appropriate forensic evidence while you help restore IT services. You must also understand the extent of the incident and what information the attackers compromised so that you can determine if you need to contact law enforcement and send breach notifications to affected parties, such as your customers, partners, and employees.

A Patchwork Of Industry And Government Regulations Mandate Incident Response

If you have yet to invest significant time and resources in incident management and response and you fail to respond appropriately to a breach, your enterprise could find itself facing noncompliance and significant fines. The US Congress strongly criticized Sony for waiting more than a week to notify customers that an external attacker may have compromised their personal information.[5] Consider that:

Almost every US state requires breach notification. In the US, 46 states plus the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.[6] In fact, California recently updated breach notification requirements to include notifying the state attorney general when a breach affects more than 500 residents, as well as adding new content requirements for breach notification letters.[7]

Some US federal law requires breach notification. The US HITECH Act requires healthcare providers and other Health Insurance Portability and Accountability Act (HIPAA) entities to notify when a breach affects more than 500 individuals. Failure to notify individuals of a data breach could result in a HIPAA violation and a fine of up to $50,000 per violation.[8]

EU law requires telecoms and Internet service providers to report breaches. In 2010, the EU introduced a new data breach notification requirement for electronic communication as part of a comprehensive review of the ePrivacy Directive.[9] There is also discussion of extending breach notification requirements to more industries.[10]

Canadian legislators are reviewing breach notification. House Government Bill C-29 seeks to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendment is making its way through the regulatory process and includes breach notification obligations.[11]

The PCI Data Security Standard provides very specific guidance on incident response. Requirement 12.9 states: "Implement an incident response plan. Be prepared to respond immediately to a system breach." Requirement 10.2 requires automated audit trails for all system components to reconstruct seven categories of events. Appendix 1.4 requires an organization to enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.[12]

YOU MUST ESTABLISH AN ONGOING INCIDENT MANAGEMENT PROGRAM

An incident response plan, like a business continuity (BC) or an IT disaster recovery (DR) plan, is your organization's immediate response to a specific threat. IT security professionals should talk with their counterparts in BC/DR; the fundamentals of strategy development and response planning are very similar, as are the lessons learned. Your organization wouldn't want to learn how to cut over from a failed primary site to a backup hot site after the outage occurred. You have created a DR plan to handle this scenario. By the same token, you don't want to develop your incident response plan in real time while cybercriminals are pilfering your intellectual property. A well-defined incident management program provides organizations a script to follow when incidents occur.

Define The Incident Management Life Cycle

To be effective, you need to establish an ongoing incident management program, one that lets you identify the potential risks and threats to your enterprise so that you can create appropriate response plans, test those plans, and keep those plans current (see Figure 2). Forrester defines the six main areas of the incident management life cycle as:

Risk analysis. Just as with BC/DR planning, before you can plan, you have to understand your business and identify the most probable, high-impact risks that you must mitigate or for which you will develop response plans. Who or what are you trying to protect your assets from?

Threat analysis. Before you deploy a technology or service to improve business and IT resiliency, it helps to understand your IT architecture and infrastructure so that you can identify your single points of failure and other weaknesses. In a security context, you want to understand where and how your enterprise stores its most sensitive information and where your systems and networks are the most vulnerable to attack. You can conduct a data discovery project to determine where your most sensitive data resides. You can also use a vulnerability management program, including vulnerability scanning and penetration testing, to determine weaknesses in your environment.

Security policy mapping. Over the years, the goal of BC/DR has been to mitigate the most common cause of disruption by building high availability and resiliency into the IT architecture itself. The same is true with security; you want to embed security throughout the environment to mitigate known threats and vulnerabilities as much as possible. Evaluate the results of your risk and threat analyses and compare them against your existing security controls. Implement measures that apply the appropriate level of rigor to your security controls based on the likelihood of a threat occurring and its impact. For example, you may need to purchase a new web application and database firewall to protect a newly launched web application that is core to your business success.


Incident response policies and procedures. You can't mitigate every risk; at some point you will need to respond quickly to a sudden IT failure or natural disaster such as an earthquake. Likewise, there's no set of security controls that will guarantee you won't suffer a breach. A security breach is inevitable. When it happens, you will need to categorize the incident according to certain criteria, mobilize the response team, contain or stop the incident, gather forensic evidence, if applicable, restore the disrupted service, notify individuals if necessary, and continue the forensic investigation to determine what happened and what course of action the organization needs to take.

Testing. There's a saying in DR: if you're not finding problems when you test, you're not testing thoroughly enough. It's critical to test your incident response plans before the incident. Testing validates your response capabilities, trains the response team in its roles and responsibilities, and uncovers weaknesses or invalid assumptions in the plan. If you're not testing, you're simply not prepared.

Review and update. After each test or incident, you should hold a debriefing, after which you update your plans. You should also update your plans after every major change to the business or the IT environment; ideally, change to your response plans is a part of ongoing change and configuration management.

Figure 2 Incident Management Life Cycle

Source: Forrester Research, Inc. (60564)

[Cycle diagram] Risk analysis → Threat analysis → Security policy mapping → Incident response policies and procedures → Testing → Review and update


Set Up A Cross-Functional Incident Response Team

The makeup of the incident response team will vary depending on your industry, the size and geographic reach of your enterprise, and the types of incidents to which it will respond. However, your incident response team will likely include a cross-functional group of both internal and external experts, including (see Figure 3):

Information security staff. These individuals are responsible for handling the detailed investigation of the incident. Depending on the size of your organization, you might have dedicated incident response staff with advanced forensics capabilities. Many organizations hire external consultants to assist with incident response and forensics. Despite this, at a minimum, you still want someone on your staff who can perform basic incident response.

IT staff. You may need these system and network administrators to help with investigations because of their advanced knowledge of the applications and systems they support.

Legal representative. A member of your legal staff should participate in the incident management planning and response to provide guidance as to the legality of potential searches and the requirements of evidence collection. He or she can also help you determine if you need to contact law enforcement and other government officials.

Business representative. The information security team is a custodian of data and will need to partner with the business unit data owners to understand the data and its implications. Ideally, this should be done prior to an incident occurring and not after you've activated the incident response plan.

Corporate communications representative. This team member's involvement is critical. The organization must know who is going to speak for the company and what message the company will deliver to customers, investors, and business partners. Poor communication can increase customer frustration and anger and irreparably damage your corporate reputation.

External forensic investigator. Hire an external investigator when your own team is overwhelmed or lacks the necessary skills to properly respond to the incident. There are a variety of firms that offer forensics services. The major consulting firms have forensics practices around the globe, and a number of smaller firms have offerings as well.[13] Mandiant, Guidance Software, and many value-added resellers can also assist with incident response. All third-party firms aren't created equal. You should consider the organization's experience, methodology, and scalability.

External breach notification providers. In the US, almost every state now has its own breach notification requirements, and although they're generally similar, they're not identical. In the event of a breach for your organization, these laws require a timely response. Service providers such as Co3 Systems and ID Experts can lend their expertise with the notification process if your organization isn't yet prepared to handle a breach. Identity protection organizations such as Debix or Equifax often work in concert with the notification providers, and you can hire them to monitor your victims' financial accounts as remuneration.

Figure 3 Incident Response Team

Source: Forrester Research, Inc. (60564)

Incident response team: Requires communicator, systems expert, and network expert at a minimum. Larger teams often include: physical security, forensics, risk management, and legal.

All employees: Do they know how and when to report an incident? Make it part of security awareness.

External investigators: Who will you hire in each potential situation? How quickly will they respond? How much will it cost?

IT: Find out who owns and manages each system. Who has forensics skills? Who has database administrator access?

Peer incident response teams: Share best practices and knowledge about current IT viruses and attacks.

Law enforcement: Who do you contact when the investigations show signs of criminal activities?

Lines of business: Help identify important business assets and drive process improvements.

Corporate communications: Who is responsible for conveying relevant messages to employees, partners, or customers? Who will craft and approve that message to ensure that it is correct?

External business service providers: How will they alert you to an incident? Who has authority to request and receive sensitive information?


Use A Recognized Industry Framework For Your Incident Handling And Response

When you define your incident response policies and procedures, you should make sure that they also follow a life cycle. There are numerous frameworks for this life cycle from industry groups such as the SANS Institute and government groups such as the National Institute of Standards and Technology (NIST). We use the NIST Computer Security Incident Handling Guide (800-61) as our sample reference framework because of its popularity with clients and its simplicity.[14] It consists of the following phases (see Figure 4):

Preparation. This phase includes all the initial planning that we've already described in this report, such as the definition of an ongoing incident management program life cycle and the creation of a cross-functional team. As you can see, most of the work is in preparation and ongoing management. NIST provides a "Tools and Resources for Incident Handlers" checklist with very specific guidance on preparing for incidents.

Detection and analysis. Many enterprises are not even aware that they've already suffered a breach. Too many enterprises underinvest in network analysis and visibility (NAV) tools that can detect abnormal patterns and user behavior in their networks and IT environment.[15] NIST lists common sources of attack precursors and indications of attacks.

Once you detect an incident, analysis is also important. In BC/DR, enterprises avoid invoking a response plan if possible. The event or incident must meet certain activation criteria before a designated individual makes the decision to invoke a plan. Similarly, you must provide a clear identification and escalation process for incidents, and you must tightly integrate it with your existing incident management processes in your network operations center (NOC) and security operations center (SOC).[16] NIST provides criticality ratings and also includes a sample incident response service-level agreement (SLA) matrix.

Containment, eradication, and recovery. The business has less and less tolerance for downtime, whatever the cause: the weather or a security breach. You will be under tremendous pressure to stop the attack and resume normal operations as soon as possible. You need to be careful, because you want to make sure that: 1) you have truly contained the attack, and 2) you don't destroy any forensic evidence in the process of quickly restoring the IT service. It's important that you train employees in forensics and prevent other employees or tools from inadvertently destroying evidence that you might need later in any kind of internal or government investigation. NIST provides helpful criteria for determining the appropriate containment strategy.

It's critical to ensure that the incident is truly contained or remediated. In the DigiNotar breach, the firm failed to revoke all the malicious certificates. According to Wired.com, "The company insisted that all of the certificates had been revoked, which would have undermined any attempt by someone to use the certificate to impersonate a legitimate site, but somehow missed the Google certificate. DigiNotar finally revoked the Google certificate after the search giant disclosed its existence in the wild."[17]


Post-incident activity. This phase of incident response is critical, and you must not shortchange it. You must incorporate the lessons learned from the incident into future incident response plans. NIST provides a list of seven questions that you should include in post-incident meetings.
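To make the detection-and-analysis phase concrete, here is an added example (not Forrester's or NIST's code) of a triage routine that applies activation criteria, assigns a criticality rating, looks up the response SLA, and records whether the incident escalates to the full team and whether the legal representative must review notification duties. The data classes, the 1-4 rating scale, the SLA values and the 500-individual threshold are constructed assumptions; NIST SP 800-61 supplies its own ratings and sample SLA matrix for an organization to adapt.

```python
"""Incident triage for the detection-and-analysis phase: activation
criteria, criticality rating, SLA lookup, escalation and legal-review flags.

Added example, not Forrester's or NIST's code. The data classes, the 1-4
criticality scale, SLA_MATRIX and NOTIFICATION_REVIEW_THRESHOLD are
constructed assumptions to be replaced by an organization's own values."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SLA matrix: criticality -> (acknowledge within, contain within)
SLA_MATRIX = {
    4: (timedelta(minutes=15), timedelta(hours=4)),
    3: (timedelta(hours=1), timedelta(hours=24)),
    2: (timedelta(hours=4), timedelta(days=3)),
    1: (timedelta(hours=24), timedelta(days=7)),
}

# Constructed data classification scale used to weight impact
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Constructed threshold (the report cites 500 individuals/residents in the
# HITECH and California rules): at or above it, legal reviews notification duties
NOTIFICATION_REVIEW_THRESHOLD = 500


@dataclass
class Event:
    source: str               # "ids", "nav", "user_report", "partner", ...
    description: str
    data_class: str           # key of DATA_SENSITIVITY
    systems_affected: int
    individuals_affected: int
    confirmed: bool           # analyst ruled out a false positive
    detected_at: datetime


def meets_activation_criteria(e: Event) -> bool:
    """Invoke the plan only for confirmed events touching non-public data
    or more than one system; an unconfirmed alert stays in the SOC queue."""
    if not e.confirmed:
        return False
    return DATA_SENSITIVITY[e.data_class] > 0 or e.systems_affected > 1


def criticality(e: Event) -> int:
    """Rate 1-4 from data sensitivity, spread, and number of people affected."""
    score = DATA_SENSITIVITY[e.data_class]
    if e.systems_affected >= 10:
        score += 2
    elif e.systems_affected > 1:
        score += 1
    if e.individuals_affected >= NOTIFICATION_REVIEW_THRESHOLD:
        score += 1
    return max(1, min(4, score))


def triage(e: Event) -> dict:
    """Return the decisions the identification and escalation process records."""
    if not meets_activation_criteria(e):
        return {"invoke_plan": False, "criticality": None, "acknowledge_by": None,
                "contain_by": None, "escalate_to_management": False,
                "legal_review": False}
    rating = criticality(e)
    ack, contain = SLA_MATRIX[rating]
    return {
        "invoke_plan": True,
        "criticality": rating,
        "acknowledge_by": e.detected_at + ack,
        "contain_by": e.detected_at + contain,
        # ratings 3-4 leave the NOC/SOC queue and mobilize the full team
        "escalate_to_management": rating >= 3,
        # regulated data on many individuals: legal must assess notification
        "legal_review": (e.data_class == "regulated"
                         and e.individuals_affected >= NOTIFICATION_REVIEW_THRESHOLD),
    }


# Constructed sample events
ALERT_NOISE = Event("ids", "port scan from the Internet", "public", 1, 0,
                    False, datetime(2011, 11, 9, 8, 0))
DB_EXFIL = Event("nav", "unusual outbound transfer from customer database",
                 "regulated", 3, 12000, True, datetime(2011, 11, 9, 9, 30))
LAPTOP = Event("user_report", "lost laptop, disk encrypted", "internal", 1, 0,
               True, datetime(2011, 11, 9, 10, 0))

if __name__ == "__main__":
    for ev in (ALERT_NOISE, DB_EXFIL, LAPTOP):
        print(ev.description, "->", triage(ev))
```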

Figure 4 NIST Incident Handling

TESTING AND TRAINING ARE CRITICAL TO SUCCESS

We've already discussed testing and training as a key phase in the incident management life cycle, but it's important to call them out separately because they really determine the long-term success of your program and individual response plans.

If You Don't Test, You're Not Prepared

Confucius said, "What I hear, I forget. What I see, I remember. What I do, I understand." To truly understand your incident management capabilities you must periodically test your individual incident response plans. You test a BC plan; you should do the same here. Testing helps validate your response capabilities and questions assumptions in the plan. In addition, testing helps everyone understand the contents of the plan as well as their roles and responsibilities. Here are some keys to successful testing:

Testing needs to include all members of the team. At least once a year you need to conduct an incident response test that goes beyond the confines of IT or the information security staff. Validate your call tree and ensure that you have correct after-hours contact information for all the team members.

Just as in BC, take advantage of multiple test types. There are multiple types of tests, including plan walk-throughs, tabletop exercises, and simulations. Plan walk-throughs and tabletop exercises help the response team understand the contents of a plan and their roles and responsibilities. For simulations, you should consider hiring a third-party penetration testing company to perform an assessment of your security controls and detection capabilities.

Figure 4 (figure panel) Incident response life cycle: Preparation → Detection and analysis → Containment, eradication, and recovery → Post-incident activity

Source: Forrester Research, Inc. (60564)
Source: Karen Scarfone, Tim Grance, and Kelly Masone, "Computer Security Incident Handling Guide," National Institute of Standards and Technology Special Publication 800-61 Revision 1, March 2008


Some organizations may elect to inform their staff of the testing, while others choose a blind penetration test.

Incorporate test results into incident management planning. It's absolutely critical that you incorporate the results of your tests into your plans. Your incident management strategy and your individual plans should adapt and change based on the successes and failures of your testing scenarios.

You Must Train IT And Non-IT Staff In Incident Response

Companies need to train their staff to understand what an incident is, how to respond appropriately, how to contact responders or services, and how to put incident response into the greater context of information security. This is a necessary next step in order to provide effective response and forensic services. Here are some suggestions to maximize your training:

Budget for incident response training. Build incident response training into your annual budget. The threat landscape is constantly changing, and cybercriminals are using new, advanced techniques to breach organizations. Specific training is critical to staying abreast of the latest attack and mitigation techniques. Your staff will also network with other incident handlers, which will result in future collaboration and information-sharing. The SANS Institute and CERT offer widely recognized incident handling courses.

Include all employees in incident response training. Training needs to extend beyond IT staff. End users are on the frontline and need to be aware of the threats and how to respond to them. Conduct end user training that specifically addresses social engineering, spear phishing, and how to respond to suspicious emails, files, and instant messages.

YOU MUST DECIDE IF YOU WANT TO PROSECUTE BEFORE YOU REMEDIATE

Things work differently in real life than they do on your favorite crime investigation show. Too often, companies clean up a breach and then decide later that they want to find and prosecute the perpetrator. Unfortunately, they've also cleaned up most of the evidence, and true justice becomes illusory. Electronic crimes and physical crimes are different, so you must:

Make an investigation and prosecution decision immediately. Bringing the bad guy to justice could be problematic. You may need to keep a breached system running in order to preserve evidence. In addition, it could take a significant amount of time before a trained forensic investigator or law enforcement official can respond to your breach.

Consider the preservation of evidence and chain of custody. Remember that to prosecute a cybercrime, you must present breach evidence in court. This means that not only will the details of the crime become part of the public record, but the proper preservation of the evidence may be called into question. There are rules of evidence that must be followed if you want to see justice.
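As an added example of the evidence-preservation point (not code from the original report), the Python below fingerprints an acquired evidence file with SHA-256, keeps an append-only custody log of every hand-off, and re-verifies the hash before the evidence is relied on, so that a later cleanup that alters the file is detected rather than silently undermining the case. The file contents, file name and the roles named in the log are constructed.

```python
"""Evidence preservation with a hash-verified chain-of-custody log.

Added example, not Forrester's code. The evidence content, file name,
and the people named in the log are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

ACQUIRED = "acquired"
TRANSFERRED = "transferred"
VERIFIED = "verified"
INTEGRITY_FAILURE = "integrity_failure"


def sha256_file(path: str) -> str:
    """Fingerprint a file in chunks so large disk images are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who held the evidence, when, and its hash."""

    def __init__(self, evidence_path: str, acquired_by: str):
        self.path = evidence_path
        self.expected = sha256_file(evidence_path)   # hash taken at acquisition
        self.entries = []
        self._record(ACQUIRED, acquired_by, self.expected)

    def _record(self, action: str, person: str, digest: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "person": person,
            "sha256": digest,
        })

    def verify(self, person: str) -> bool:
        """Re-hash the file; a mismatch is logged as an integrity failure."""
        digest = sha256_file(self.path)
        ok = digest == self.expected
        self._record(VERIFIED if ok else INTEGRITY_FAILURE, person, digest)
        return ok

    def transfer(self, from_person: str, to_person: str) -> bool:
        """A hand-off is recorded only after the outgoing holder re-verifies."""
        if not self.verify(from_person):
            return False
        self._record(TRANSFERRED, f"{from_person} -> {to_person}", self.expected)
        return True

    def export(self) -> str:
        return json.dumps(self.entries, indent=2)


def run_scenario(tamper: bool) -> tuple:
    """Acquire, hand off, optionally modify, then verify.
    Returns (final_verify_ok, list_of_actions_in_log)."""
    workdir = tempfile.mkdtemp()
    try:
        evidence = os.path.join(workdir, "webserver_access.log")
        with open(evidence, "wb") as f:
            # constructed sample: the web log an investigator would acquire
            f.write(b'10.0.0.5 - - [09/Nov/2011:03:12:44 +0000] "GET /admin HTTP/1.1" 200 512\n')
        log = CustodyLog(evidence, "first responder")
        log.transfer("first responder", "forensic investigator")
        if tamper:
            # a well-meant cleanup rewrites the file after acquisition
            with open(evidence, "ab") as f:
                f.write(b"rotated by ops during restore\n")
        ok = log.verify("forensic investigator")
        return ok, [entry["action"] for entry in log.entries]
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(run_scenario(tamper=False))
    print(run_scenario(tamper=True))
```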


WHAT IT MEANS

MAKE INCIDENT MANAGEMENT A TOP SECURITY PRIORITY

With an avalanche of state, federal, and industry-specific breach notification laws on the horizon, you have no choice but to implement an incident management program. If you don't have an incident management program and specific incident response procedures in place, it's imperative that you do so immediately. However, don't see incident management as just another regulatory obligation, something that you do half-heartedly to appease internal and external auditors. An effective incident response to a serious security breach can be the difference between your organization's recovery and future success and irreparable damage. Take it seriously, and make it a top priority for your organization. Implement an ongoing program, define your response procedures, test them, and train as many people inside and outside IT as you can. Begin developing relationships with peers and other industry experts to share best practices.

SUPPLEMENTAL MATERIAL

Methodology

Forrester's Forrsights Security Survey, Q2 2011, was fielded to 2,353 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from small and medium-size business (SMB) and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded during June 2011. LinkedIn Research Network fielded this survey online on behalf of Forrester. Survey respondent incentives included a choice of gift certificates and charitable donations. We have provided exact sample sizes in this report on a question-by-question basis.

Forrester's Forrsights for Business Technology fields 10 business-to-business technology studies in 12 countries each calendar year. For quality control, we carefully screen respondents according to job title and function. Forrester's Forrsights for Business Technology ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of IT products and services. Additionally, we set quotas for company size (number of employees) and industry as a means of controlling the data distribution and establishing alignment with IT spend calculated by Forrester analysts.

We have illustrated only a portion of survey results in this document. For access to the full data results, please contact forrsights@forrester.com.


ENDNOTES

1 Sony has disclosed that the immediate breach costs will be about ¥14 billion, which was approximately $171 million at the time of the announcement. Source: Matthew J. Schwartz, "Sony Data Breach Cleanup To Cost $171 Million," InformationWeek, May 23, 2011 (http://www.informationweek.com/news/security/attacks/229625379).

2 Source: Juro Osawa, "As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill," The Wall Street Journal, May 9, 2011 (http://online.wsj.com/article/SB10001424052748703859304576307664174667924.html).

3 Source: "VASCO Announces Bankruptcy Filing by DigiNotar B.V.," Vasco press release, September 20, 2011 (http://www.vasco.com/company/press_room/news_archive/2011/news_vasco_announces_bankruptcy_filing_by_diginotar_bv.aspx).

4 Source: "DigiNotar Certificate Authority breach 'Operation Black Tulip'," Fox-IT, September 5, 2011 (http://cryptome.org/0005/diginotar-insec.pdf).

5 Source: Grant Gross, "Lawmakers Question Sony, Epsilon on Data Breaches," PC World, June 2, 2011 (http://www.pcworld.com/businesscenter/article/229258/lawmakers_question_sony_epsilon_on_data_breaches.html).

6 Source: "Security Breach Legislation 2011," National Conference of State Legislatures, September 12, 2011 (http://www.ncsl.org/default.aspx?tabid=22295).

7 The state of California recently updated breach notification requirements to include notifying the state attorney general when a breach affects more than 500 residents, as well as adding new content requirements for notification letters. Source: Judy Greenwald, "California law updates notification requirements for data breaches," Business Insurance, September 2, 2011 (http://www.businessinsurance.com/article/20110902/NEWS07/110909966?tags=|338|299|305|340|303|87).

8 The US HITECH Act requires healthcare providers and other HIPAA entities to notify when a breach affects more than 500 individuals. Failure to notify individuals of a data breach could result in a HIPAA violation resulting in a fine of up to $50,000 per violation. Source: "HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," US Department of Health & Human Services press release, August 19, 2009 (http://www.hhs.gov/news/press/2009pres/08/20090819.html) and Federal Register, Vol. 74, No. 209, US Department of Health & Human Services, October 30, 2009 (http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfr.pdf).

9 Source: "Data breach notifications," European Network and Information Security Agency (http://www.enisa.europa.eu/act/it/dbn).

10 Jennifer Baker, "EU considers stricter data breach notification rules," Computerworld, July 14, 2011 (http://www.computerworld.com/s/article/9218417/EU_considers_stricter_data_breach_notification_rules?taxonomyId=17).

11 In Canada, House Government Bill C-29 seeks to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) and is making its way through the regulatory process and


includes breach notification obligations. Source: "Bill C-29," Parliament of Canada (http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&DocId=4547739) and "An Act to Amend The Personal Information Protection And Electronic Documents Act," Parliament of Canada, March 3, 2010 (http://www.parl.gc.ca/LegisInfo/BillDetails.aspx?Language=E&Mode=1&billId=4543568).

12 Requirement 12.9 states: "Implement an incident response plan. Be prepared to respond immediately to a system breach." Requirement 10.2 requires automated audit trails for all system components to reconstruct seven categories of events. Appendix 1.4 requires an organization to enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. Source: "Payment Application Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0," Payment Card Industry, October 2010 (https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf).

13 In Forrester's 75-criteria evaluation of information security and risk consulting service providers, we found that Deloitte led the pack because of its maniacal customer focus and deep technical expertise. PricewaterhouseCoopers (PwC), Ernst & Young, and Accenture are market leaders due to their security expertise, breadth of services, and global reach. KPMG provides excellent strategic work and boasts great client feedback. See the August 2, 2010, "The Forrester Wave: Information Security And Risk Consulting Services, Q3 2010" report.

14 Karen Scarfone, Tim Grance, and Kelly Masone, Computer Security Incident Handling Guide, National Institute of Standards and Technology Special Publication 800-61 Revision 1, March 2008 (http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf).

15 To provide this type of deep insight into internal and external networks, Forrester has defined a new functional space called network analysis and visibility (NAV). NAV is comprised of a diverse tool set designed to provide situational awareness for networking and information security professionals. See the January 24, 2011, "Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility" report.

16 Staffing the traditional security operations center (SOC) is expensive. Forrester anticipates that the SOC will become virtualized in the future, in a next-generation transformation that we call SOC 2.0. SOC 2.0 will not be a physical place or a projection screen but an enterprisewide, distributed, virtualized information resource that allows security and risk professionals access to the data they need wherever and whenever they need it. See the April 20, 2010, "SOC 2.0: Virtualizing Security Operations" report.

17 Source: Kim Zetter, "DigiNotar Files for Bankruptcy in Wake of Devastating Hack," Wired, September 20, 2011 (http://www.wired.com/threatlevel/2011/09/diginotar-bankruptcy/).


Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 28 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

Headquarters

Forrester Research, Inc.
60 Acorn Park Drive
Cambridge, MA 02140 USA
Tel: +1 617.613.6000
Fax: +1 617.613.5000
Email: forrester@forrester.com
Nasdaq symbol: FORR
www.forrester.com

Making Leaders Successful Every Day

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Research and Sales Offices

Forrester has research centers and sales offices in more than 27 cities internationally, including Amsterdam, Netherlands; Beijing, China; Cambridge, Mass.; Dallas, Texas; Dubai, United Arab Emirates; Frankfurt, Germany; London, UK; New Delhi, India; San Francisco, Calif.; Sydney, Australia; Tel Aviv, Israel; and Toronto, Canada.

For the location of the Forrester office nearest you, please visit: www.forrester.com/locations.
