
How Much Security Do You Really Need? A Practical Approach for Midsize Businesses

May 2011

An Executive Brief Sponsored by IBM

2 © 2011 Stratecast. All Rights Reserved. May 2011


INTRODUCTION

There’s a lot of information to protect in your business. Proprietary customer data, billing information, client orders, supplier schedules, all need to be kept from competitors’ hands. Customer and employee data needs to be secured from identity thieves and hackers. Business operations need to be protected from disruption. And your reputation as a smart, customer-focused business needs to be safeguarded.

Protecting your business means enabling your business to survive and grow. It means ensuring business processes and technologies are fortified so that operations can withstand deliberate and accidental disruptions. It means recovering seamlessly from unanticipated mishaps. It means proving you are worthy of the trust your customers and vendors have placed in your business.

The challenge of protecting your business becomes more complex with the adoption of new business models. Over half of midsize businesses plan to try cloud computing in the next year, according to a Frost & Sullivan survey, yet they cite security as a top concern. Similarly, although the number of businesses deploying “mobile office” capabilities (smartphones plus access to office applications) is growing at over 20 percent a year, security concerns remain a key restraint for many. Each business has to weigh the expected benefits of the new technologies—including increased productivity and reduced costs—against the risk that business operations may be compromised.

For most midsize businesses, the security challenge isn’t in deciding what to protect. It’s figuring out how to invest in the right solutions. Too often, disparate security solutions (e.g., firewalls, spam filters, password-protected access) seem to add more in costs and administrative complexity than they deliver in terms of protection.

So how much protection is enough, and how much is too much? With the complex and dynamic nature of security—in which crippling threats can crop up overnight, and new data-handling regulations are introduced regularly—it’s difficult for a midsize business to find the right balance. Too great an investment in security solutions can waste resources; not enough can jeopardize the business.

In this white paper, we will take a critical look at the top security concerns for midsize businesses. We outline an approach that addresses “risk assessment” as a business process. And we look at ways IBM can help midsize businesses build and implement a security profile that meets their needs.


TOP SECURITY CONCERNS FOR MIDSIZE BUSINESSES

The “security” umbrella covers a lot of territory. Threats come from malicious hackers and innocent employees—even hardware itself (for example, a crashed hard drive can destroy data every bit as much as a planned attack). The list of threats includes:

1. Data loss or leakage: Damage can be caused by hackers who find increasingly creative ways to infiltrate systems to steal proprietary data or disrupt operations. But many (in fact, most) security breaches arise from sources that are closer to home. An employee loses a laptop computer. Discarded PCs are sent to a recycling firm without wiping the hard drive. A disgruntled employee siphons off data to offer to a competitor. Midsize businesses must protect their data from malicious outsiders as well as from well-meaning insiders.

2. Cyber attacks: This broad category of malware and data theft is large, dangerous, and eating into our economy. The latest IBM X-Force Trend and Risk Report notes that hacking has long since moved from the realm of bored teenagers to sophisticated criminal rings who are making lots of money. Most recently, concerns have centered on “Advanced Persistent Threats” perpetrated by well-organized, often state-sponsored, groups that focus on industrial or national espionage. The new hackers are creative, sophisticated, and well-funded. Midsize businesses can be impacted by a broad-based attack that may take the form of malicious code hidden in common file formats (e.g., PDF or JavaScript). They can also be affected when their partners—for example, their email providers—are attacked.

3. Unauthorized access to proprietary data: Nearly half of all data breaches are tied to misuse of access privileges, according to security experts; and the number is increasing by double digits. The fault lies with a combination of lax security technology and poor policy implementation or enforcement. Too often companies rely on simple authentication schemes that are easy for unauthorized users to guess or find (for example, employees tape their passwords under their keyboards or choose passwords like “12345”). Or, a disconnect between HR and IT means that former employees, contractors, or partners retain access to company networks long after they have left the company, through IDs that aren’t invalidated. Midsize businesses must look for identity authentication solutions that are strong enough to prevent unauthorized access, but simple enough for employees to use without frustration.
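The HR/IT disconnect described above is something a midsize business can check for with a periodic reconciliation of the HR roster against the account directory. The script below is an added illustration, not part of the brief or any IBM product: the two CSV layouts, the sample rows and the 90-day dormancy threshold are all constructed assumptions, chosen to show the two cases that matter (an enabled account whose owner has left, and an account nobody has used for months).

```python
"""Reconcile an HR roster against an identity-store export and flag accounts
that should have been disabled or reviewed.  Added example; CSV layouts,
sample data and the dormancy threshold are assumptions, not from the brief."""
import csv
import io
from datetime import date, timedelta

# Constructed sample HR export: who is employed and who has left.
HR_ROSTER_CSV = """employee_id,name,status,end_date
1001,Ana Ruiz,active,
1002,Ben Cole,terminated,2011-02-15
1003,Chen Wei,active,
"""

# Constructed sample directory export: accounts, their HR owner, last use.
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
aruiz,1001,true,2011-04-28
bcole,1002,true,2011-03-01
cwei,1003,true,2011-01-05
vendor01,,true,2010-11-20
svc_backup,,true,2011-04-30
"""

DORMANT_AFTER = timedelta(days=90)  # assumed policy: unused 90 days => review


def load_csv(text):
    """Parse an in-memory CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_risky_accounts(roster_csv, accounts_csv, today):
    """Return (username, reason) pairs for every enabled account that the
    HR/IT reconciliation flags.  An account can be flagged more than once
    (for example: no HR owner *and* dormant)."""
    roster = {row["employee_id"]: row for row in load_csv(roster_csv)}
    findings = []
    for acct in load_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to reconcile
        user = acct["username"]
        emp_id = acct["employee_id"].strip()
        if not emp_id:
            # Contractor or service account with no named sponsor in HR.
            findings.append((user, "no HR owner on record"))
        else:
            emp = roster.get(emp_id)
            if emp is None:
                findings.append((user, "owner missing from HR roster"))
            elif emp["status"] == "terminated":
                # The case the brief describes: the ID outlived the employee.
                findings.append((user, f"owner terminated {emp['end_date']}"))
        last = acct["last_login"].strip()
        if last and today - date.fromisoformat(last) > DORMANT_AFTER:
            findings.append((user, f"dormant since {last}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_risky_accounts(HR_ROSTER_CSV, ACCOUNTS_CSV,
                                            date(2011, 5, 1)):
        print(f"{user:12s} {reason}")
```

Run against the constructed data on 2011-05-01, the report flags bcole (owner terminated), cwei (dormant), vendor01 (no HR owner and dormant) and svc_backup (no HR owner); aruiz is clean. The "no HR owner" finding is deliberately a review item rather than an automatic disable, since service accounts usually need a named sponsor rather than removal.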

4. Inaccessible or unusable data: Data protection isn’t just about thwarting crime. It’s also about making sure the data is available and usable as needed. Midsize businesses need to protect themselves from critical hardware or software failures by building a resilient infrastructure with appropriate backup processes. They also need to identify acceptable durations of downtime and develop appropriate recovery processes.

5. Compliance: Industry standards, such as those issued by the Payment Card Industry (PCI), and laws designed to protect consumers, corporations, and employees specify how certain data must be handled—both in active state and in stored or archived state. Regulations may be issued by any number of governing bodies (for example, federal, state, and even local governments), and they often change. For midsize businesses, the challenge is to continually keep up with regulations that may apply, as well as to prepare and file reports that certify compliance.

APPROACHING THE SECURITY DISCUSSION

Given the variety, number and dynamic nature of threats, it’s not surprising that the majority of midsize businesses feel their current security profile is inadequate. In a recent Frost & Sullivan study, 57 percent of IT leaders from midsize businesses indicated they are concerned about data loss or leakage from their private data centers; 40 percent believe they have weak access controls in place; and 39 percent feel they are at risk for cyber attacks.

Despite their concerns, many of these companies have shied away from a full-scale security initiative, fearing that the effort would be too expensive, too labor-intensive, and of uncertain value. And yet, without an assessment, they are leaving their companies at risk.

To frame up a discussion about security, it helps to keep a few points in mind:

1. Think in terms of “risk assessment”, not “security”. Your goal isn’t to implement security solutions; it’s to implement adequate security solutions. Solutions that protect your businesses from the most likely and/or most potentially devastating threats, without breaking the bank. Solutions that safeguard your intellectual property and critical workloads, while reducing administrative burden. When you talk about “risk assessment”, you correctly acknowledge the business decisions and trade-offs that will help you determine the appropriate solutions.

2. There’s no one-size-fits-all security solution. The right solution (or combination of solutions) for your business depends on several factors, including:

Your industry – Are you in an industry that is entrusted with personal data (e.g., healthcare or financial services)? Are you subject to regulations on how to handle the data? You may need to take special care protecting certain types of data.

The type of workloads/data you are protecting – Which workloads are truly essential for continued operation of your company? Which databases or files contain information that could cripple your company if lost or made public? Those should be the focus of your primary security efforts.

Your brand image – If your e-commerce site is disabled by an attack, will the media splash the news all over the Internet? If customer data is leaked, will your competitors exploit your misfortune? In performing your risk assessment, consider how much embarrassment or ill will your company may suffer from a data breach.


Your corporate culture or “risk averseness” – Is your company a cautious operation that requires a Plan B and Plan C for each Plan A? Or do you, culturally speaking, drink milk past the expiration date? Depending on how conservative or risk-averse your company is, you may choose to invest more in security than another company.

3. You can’t go it alone. As cybercriminals become more clever, creative and automated with their attacks, the security challenge becomes exponentially complex. It would take a team of full-time up-to-date security experts to keep up—an impossibility for most businesses of any size. That’s why businesses turn to outside experts to assist them in assessing their security risks, and developing and implementing an adequate, cost-effective solution.

BUILDING THE BUSINESS CASE FOR SECURITY INVESTMENTS

A successful security strategy meets three criteria:

It protects the business, especially from the most likely and most devastating scenarios.

It minimizes complexity, both for end users and for IT administrators.

It reduces or avoids costs to the business.

The challenge is to calculate meaningful results and associate dollar values with each criterion, to help you determine an appropriate investment. This is made difficult because security justification is based on “what ifs”. What if a hacker shuts down our network? What if an HR employee loses a laptop with employee social security numbers on it? What if a disgruntled employee corrupts our customer database?

To build a business case, you need to quantify hard and soft costs associated with the following:

Regulatory compliance – Availability and secure handling of data, as required by federal, state, and local regulations, is a requisite for businesses. In some industries, compliance with industry standards is important; for example, PCI requires certain protections be in place before credit or debit card transactions can be processed electronically. In your business case, calculate not only the fines that are levied for non-compliance, but also the labor impact of inadequate administrative tools (that is, the hours associated with scrambling to produce compliance reports from multiple systems and/or data sources).

Financial impact of lost sales/revenue – In industries that are particularly dependent on technology (e.g., financial trading and retail), stories about the horrifying financial impact of service outages are a staple of trade press. By assigning a dollar value to “uptime”—and thus calculating the loss associated with “downtime”—you can quantify the value of security options that keep operations running.


Administrative costs – In the absence of a coordinated security solution, security measures are likely distributed among software, hardware and network elements, each managed via a separate system and by a separate IT technician and/or outsourcer. To investigate potential breaches or even to run a vulnerability assessment takes significant employee-hours. In contrast, an integrated security solution that provides visibility across a number of areas (people; data and applications; infrastructure) will significantly reduce administrative time and effort while yielding improved results. By calculating and contrasting administrative costs, you can bolster your business case for an integrated end-to-end security solution.

Financial payouts to customers – In addition to lost sales and revenue, businesses may also incur out-of-pocket costs associated with missing commitments to their own customers when security breaches shut down operations. For example, an Internet service provider with a service disruption will likely pay claims for missing a service availability commitment. A manufacturer whose operations are stalled may be hit with penalties for missing just-in-time timelines. The degree of importance you place on this business plan element varies by business and industry, and relates to how severe the penalties may be.

Competitive market positioning – More difficult to quantify, market positioning and brand reputation can factor into a company’s willingness to invest in security solutions. A solid security plan may not only increase your ability to deliver services, but also serve as a strong market differentiator. Businesses with e-commerce and customer self-servicing portals will be able to use their security measures in their market messaging, as evidence that they respect and care for their customers’ data. Furthermore, if you have built your brand reputation on quality of service, you will need to understand how security breaches can negatively impact you. You don’t want a breach to be reported in the trade publications for your industry.
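To make the "what ifs" above comparable with the price of a control, each scenario has to be turned into an expected annual figure. The model below is an added worked example, not a method from the brief or from IBM: it applies the conventional annualized-loss calculation (single-loss expectancy multiplied by expected occurrences per year) to the five cost categories just listed, then asks whether a candidate control lowers the expected loss by more than it costs. The revenue-per-hour and staff-hour rates, the three scenarios, and the two controls are all constructed figures; a real assessment substitutes the business's own numbers.

```python
"""Business case for a security investment: expected annual loss per threat
scenario, before and after a control.  Added example; the ALE = SLE x ARO
model and every number below are assumptions, not figures from the brief."""
from dataclasses import dataclass

REVENUE_PER_HOUR = 2_000.0   # assumed dollar value of one hour of "uptime"
ADMIN_HOURLY_RATE = 75.0     # assumed loaded cost of one IT staff hour


@dataclass(frozen=True)
class Scenario:
    """One 'what if', priced with the brief's cost categories."""
    name: str
    likelihood_per_year: float   # expected occurrences per year (ARO)
    downtime_hours: float        # lost sales/revenue
    fines: float                 # regulatory non-compliance
    admin_hours: float           # investigation, reporting, clean-up
    customer_penalties: float    # missed commitments to customers
    reputation_loss: float       # market positioning, estimated


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: frozenset            # names of the scenarios the control affects
    likelihood_reduction: float  # fraction removed from ARO (prevention)
    loss_reduction: float        # fraction removed from SLE (containment)


def single_loss(s: Scenario) -> float:
    """Single-loss expectancy: the cost of one occurrence of the scenario."""
    return (s.fines
            + s.downtime_hours * REVENUE_PER_HOUR
            + s.admin_hours * ADMIN_HOURLY_RATE
            + s.customer_penalties
            + s.reputation_loss)


def annual_loss(s: Scenario) -> float:
    """Annualized loss expectancy with no additional controls."""
    return s.likelihood_per_year * single_loss(s)


def residual_annual_loss(s: Scenario, c: Control) -> float:
    """Annualized loss expectancy once the control is in place."""
    if s.name not in c.covers:
        return annual_loss(s)
    return (s.likelihood_per_year * (1 - c.likelihood_reduction)
            * single_loss(s) * (1 - c.loss_reduction))


def prioritize(scenarios):
    """Order scenarios by expected annual loss: most likely and most
    devastating first, which is where the brief says to focus."""
    return sorted(scenarios, key=annual_loss, reverse=True)


def evaluate(scenarios, control):
    """Compare the loss the control removes with what the control costs."""
    before = sum(annual_loss(s) for s in scenarios)
    after = sum(residual_annual_loss(s, control) for s in scenarios)
    net = before - after - control.annual_cost
    return {"ale_before": round(before, 2), "ale_after": round(after, 2),
            "net_benefit": round(net, 2), "worth_it": net > 0}


# Constructed scenarios (all figures assumed for illustration).
SCENARIOS = [
    Scenario("lost laptop with employee PII", 0.5, 0, 20_000, 200, 0, 30_000),
    Scenario("e-commerce outage from web attack", 0.25, 24, 0, 80, 5_000, 10_000),
    Scenario("database corruption by insider", 0.1, 48, 0, 160, 10_000, 20_000),
]

# Constructed candidate controls (costs and effectiveness assumed).
CONTROLS = [
    Control("laptop disk encryption and remote wipe", 12_000,
            frozenset({"lost laptop with employee PII"}), 0.0, 0.9),
    Control("premium 24x7 managed detection tier", 60_000,
            frozenset({"e-commerce outage from web attack",
                       "database corruption by insider"}), 0.6, 0.25),
]

if __name__ == "__main__":
    for s in prioritize(SCENARIOS):
        print(f"{annual_loss(s):>10,.0f}/yr  {s.name}")
    for c in CONTROLS:
        print(c.name, evaluate(SCENARIOS, c))
```

With these constructed inputs the laptop scenario tops the list at an expected $32,500 a year, and the $12,000 encryption control pays for itself (net benefit $17,250), whereas the $60,000 detection tier removes less expected loss than it costs for a business this size (net benefit of about minus $38,000). That second result is the "too much security" case the brief warns about: the control is not useless, it is simply priced for a larger loss profile than this business has.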

SECURITY IN THE CLOUD

Midsize businesses are starting to incorporate cloud computing into their data environments, subscribing to Infrastructure as a Service, Storage as a Service, or Software as a Service from third-party providers. By doing so, they benefit from on-demand scalability, pay-per-use pricing, and relief from capital expenses for hardware purchases. And yet, many companies remain concerned about trusting their proprietary data and critical workloads to a shared environment.

In truth, a cloud delivery model can be more secure than a traditional data center. Many midsize businesses find that large cloud centers managed by leading cloud providers offer a step up in terms of security and resiliency. Cloud service providers generally provide up-to-date protections for their web servers and other infrastructure elements. Many providers also offer their clients application protections that are regularly updated and managed. From a physical security perspective, a top-tier cloud center, for example, may require thumbprint verification to ensure that only authorized personnel gain entry to the facility; and may offer access to redundant power grids and fiber routes, thus ensuring high resiliency. Such attributes would be cost-prohibitive for most businesses to implement in their in-house data centers or server rooms.

However, the shared cloud model may introduce some security challenges that the business needs to discuss with the provider. For example, as part of due diligence, the business should understand:

Where is the cloud data stored, geographically? It’s common in Europe for countries to specify that consumer data must be stored in-country—a challenge for a company that serves customers worldwide.

What are the provider’s abilities to conduct an audit, if required by law?

What security elements are used to partition data in shared servers and on shared networks, so that customers’ data is not intermingled?

What policies does the provider have in place to assure that your workloads will not be impacted if another tenant is the subject of a cyber attack?

How will the provider assure your data is removed from servers after the contract is terminated?

Keep in mind that in all cases, even when using a third-party for hosting or cloud computing, the ultimate responsibility for security falls with your company—legally and in the eyes of the market. Determine which workloads you’re comfortable placing in the cloud, and be sure you select a cloud provider that has a strong history of providing secure hosting services.

GETTING STARTED: CHOOSING A SECURITY PARTNER

As noted, security risks encompass nearly every element of the IT ecosystem, from users to data and applications, to network, to IT infrastructure. Furthermore, the dizzying number of solutions available in the market, each targeting a different piece of the security problem, adds to the complexity and confusion. So where to start?

For midsize businesses, the place to start developing a security strategy is by choosing a partner—a trusted security expert that can help you develop and implement sustainable, affordable integrated security solutions. The right security partner will have the knowledge to help you assess security risks to your business, not just at time of implementation but into the future. The partner will offer technology solutions that meet your end-to-end security needs and are able to be centrally managed (thus easing the administrative burden). And the partner will enable you to implement the solution with a total cost of ownership that is appropriate for your business size and model.

Why IBM?

Recognized as a leader in security solutions, IBM has assembled an impressive array of expertise, technology, and services that are unmatched in the industry. The company’s security roadmap shapes all product development, service delivery, and consulting efforts—thus ensuring that security is built into the fabric of every solution that customers choose. Furthermore, IBM is uniquely positioned to provide the integrated, end-to-end security solutions that midsize businesses need, complete with simple, single-console administrative capabilities.

Expertise: Fueling IBM’s security expertise is a research team that rivals any in the world—the formidably named IBM X-Force. This team is devoted to compiling, analyzing, and mitigating the growing number of Internet threats, and has developed one of the world’s most comprehensive databases of threats. Staying one (or more) steps ahead of increasingly creative and well-funded hackers, the X-Force tracks software vulnerabilities (up 36 percent in the past year), identifies sources of threats, and builds countermeasures. While X-Force knowledge is used to develop the pre-emptive security capabilities in IBM products and technologies, the team’s work is considered too important to be kept in-house. Instead, part of the X-Force mission is to educate the market about the nature of threats. To that end, the X-Force publishes its Trend and Risk report twice yearly, and its Threat Insight Report quarterly.

Scope: In a fragmented industry, IBM offers the scope and breadth to build a business-wide security plan for customers. The company’s comprehensive security portfolio—comprising services, software, and hardware—covers a range of security solutions addressing user identity authentication, data and applications, and infrastructure protection. The breadth of portfolio and expertise enables IBM to build integrated end-to-end security solutions for every size business, based on their needs.

Service Level Agreements: IBM stands behind its claims with robust service level agreements—including the industry’s first results-based money-back assurances for many solutions.

Partner Network: Most midsize businesses work with one or more local partners who act as an extension of their IT team. IBM’s extensive network of certified IBM Business Partners makes it easy to find a partner in your area to help you implement and maintain your solution.

IBM Security Solutions for Midsize Businesses

IBM developed its “Security Roadmap for Midsize Businesses” to remove the complexity of security decisions for midsize businesses. As shown in Figure 1 below, the Security Roadmap identifies three categories where businesses need protection. IBM solutions in each category span security, compliance, and resiliency. These solutions are often available for on-site or cloud/hosted deployments.


Figure 1 – IBM Security Roadmap for Midsize Businesses (Source: IBM)

People and Identity

This is about WHO—which users have access to what data and which users do not. People and Identity solutions ensure that authorized users have easy access to data, and unauthorized users are blocked.

IBM People and Identity Management Solutions include IBM Tivoli Access Manager for Enterprise Single Sign-On. The solution allows midsize businesses to easily and safely establish and manage password access to all corporate applications. User satisfaction and productivity increase, as users can log into their work environment with a single password and no longer have to juggle multiple log-in IDs. Costs are reduced, as help desk calls and administrative tasks related to password resets diminish. Corporate security and compliance are increased, as authentication assurance is strengthened and audit tracking is done centrally.

Data and Applications

This is about WHAT—what workloads and data need to be protected. Understanding the relative risks associated with data breaches or outages will help shape the appropriate solution for each type of data and application.

Midsize businesses that choose IBM Managed Security Services will receive peace of mind from round-the-clock proactive monitoring for web-based security threats, backed by the industry’s most aggressive service level agreements. To protect on-premises data centers and server rooms, IBM Managed Security Services include managed intrusion prevention and detection, firewall, and unified threat management. In addition, Managed Security Services for Cloud Computing offers hosted vulnerability management services. These services reduce administrative complexity and costs by providing consolidated reporting through a single console. Managed security services are also budget-friendly for midsize businesses, because they offer adequate protection at predictable monthly operating costs. To ensure security of web-based applications, IBM Rational AppScan Express automatically tests for vulnerabilities. AppScan is comprehensive scanning software which is continually updated, enabling detection of the latest web threats. AppScan is also available as an OnDemand cloud-based service, in which IBM security experts remotely run the application scans for you, report the vulnerabilities, and suggest actions you can take to close them.

Infrastructure

This is about WHERE—the physical servers and storage, appliances, network facilities, and endpoints (including PCs and smartphones) that house, shape, access, and transport the data. Infrastructure should be assessed for vulnerability to attack as well as breakage.

IBM offers a range of Infrastructure Security Solutions for midsize businesses. Tivoli Endpoint Manager offers visibility and protection for endpoints including servers, desktops, laptops, and specialized equipment, with simplified administration and consistent policy enforcement. IBM System Storage DS3500 Express and LTO-5 tape drives secure the data with their sophisticated encryption capability. IBM Tivoli Key Lifecycle Manager helps IT organizations better manage the encryption key lifecycle by allowing them to simplify, centralize, automate and strengthen key management processes for their storage protected data. IBM Managed Protection Services for Server offers 24x7 protection for servers, protecting them from attack. IBM Threat Mitigation Services for Network is a multi-function security bundle that includes security appliance, maintenance, and managed services at a price affordable for midsize businesses. The all-in-one solution simplifies and reduces costs related to staffing, training, maintenance, and infrastructure support.

By integrating IBM security services into a complete end-to-end solution, midsize businesses can enhance protection while simplifying administration—thus reducing costs and improving the return on investment.

Case Study:

DeCare Systems Ireland

Software development company DeCare Systems Ireland (DSI) has built its reputation on integrating secure, high-performance applications for some of the world’s largest enterprises. When it came time to revamp its processes, the company sought a solution that would allow it to build the latest security technologies into the software—from development onwards. DSI turned to IBM Rational AppScan. Rational AppScan provides continuous web monitoring, and offers recommendations for simple fixes, allowing developers to quickly pinpoint problems and remediate the affected code. Rational AppScan also simplified black-box testing, saving development time and costs. As a result, DSI was able to reduce costs associated with identifying security vulnerabilities. The company also saved time and increased productivity by providing automated compliance reports to customers.


Stratecast: The Last Word

Can you afford to implement a robust security solution? Can you afford not to?

With the number and severity of web-borne automated threats exploding, it’s essential to protect your business with a security solution that is comprehensive and broad-based; proactive and pre-emptive; and backed by service assurances. The right solution should also be affordable and easy to implement and administer.

Because security solutions are complex and require continual updating to combat the latest threats, few midsize businesses can reasonably expect to go it alone. Instead, many turn to a technology partner with security expertise; a broad portfolio of security hardware, software, and services; and the ability to build seamless, end-to-end solutions. With the advent of secure cloud-based solutions, midsize businesses are able to rely on expert service providers to keep their security continually up to date.

With its teams of security experts led by the renowned X-Force, IBM has the security DNA that midsize businesses need to protect their businesses today and in the future. IBM offers an unparalleled portfolio of security products and services for on-premises data centers and hosted (cloud) workloads—comprehensive, end-to-end solutions comprising:

People and Identity management

Data and application management

Infrastructure management.

Furthermore, IBM understands the unique challenges faced by midsize businesses, and has developed a security roadmap to help them build simple, affordable, and easily administered solutions.

At the end of the day, it’s not about security—it’s about protecting your business. That’s something every midsize business can take to the bank.

Lynda Stadtmueller

Program Manager – Business Communication Services Stratecast (a Division of Frost & Sullivan) [email protected]

For more information, visit www.ibm.com/businesscenter

Silicon Valley 331 E. Evelyn Ave., Suite 100

Mountain View, CA 94041 Tel 650.475.4500 Fax 650.475.1570

San Antonio

7550 West Interstate 10, Suite 400 San Antonio, Texas 78229-5616

Tel 210.348.1000 Fax 210.348.1003

London

4 Grosvenor Gardens, London SW1W 0DH, UK

Tel 44(0)20 7730 3438 Fax 44(0)20 7730 3343

877.GoFrost [email protected]

http://www.frost.com

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, enables clients to accelerate growth and achieve best-in-class positions in growth, innovation and leadership. The company's Growth Partnership Service provides the CEO and the CEO's Growth Team with disciplined research and best-practice models to drive the generation, evaluation, and implementation of powerful growth strategies. Frost & Sullivan leverages 50 years of experience in partnering with Global 1000 companies, emerging businesses and the investment community from more than 40 offices on six continents. To join our Growth Partnership, please visit http://www.frost.com.

ABOUT STRATECAST

Stratecast assists clients in achieving their strategic and growth objectives by providing critical, objective and accurate strategic insight on the global communications industry. As a division of Frost & Sullivan, Stratecast’s strategic consulting and analysis services complement Frost & Sullivan's Market Engineering and Growth Partnership services. Stratecast's product line includes subscription-based recurring analysis programs focused on Business Communication Services (BCS), Cloud Computing (CC), Connected Home (CH), Consumer Communication Services (CCS), Communications Infrastructure and Convergence (CIC), OSS and BSS Global Competitive Strategies (OSSCS); and our weekly opinion editorial, Stratecast Perspectives and Insight for Executives (SPIE). Stratecast also produces research modules focused on a single research theme or technology area such as IMS and Service Delivery Platforms (IMS&SDP), Managed and Professional Services (M&PS), Mobility and Wireless (M&W) and Secure Networking (SN). Custom consulting engagements are available. Contact your Stratecast Account Executive for advice on the best collection of services for your growth needs.

Beijing

Bengaluru

Bogotá

Buenos Aires

Cape Town

Chennai

Delhi

Dubai

Frankfurt

Kolkata

Kuala Lumpur

London

Manhattan

Melbourne

Mexico City

Milan

Mumbai

Oxford

Palo Alto

Paris

Rockville Centre

San Antonio

São Paulo

Seoul

Shanghai

Singapore

Sydney

Tel Aviv

Tokyo

Toronto

Warsaw

CONTACT US

SMW03037USEN-00