Planning for Failure
Making Leaders Successful Every Day
November 9, 2011
Planning For Failure, by John Kindervag and Rick Holland, for Security & Risk Professionals
http://www.forrester.com/
7/31/2019 Planning for Failure
2/16
© 2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email [email protected]. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
For Security & Risk Professionals
EXECUTIVE SUMMARY
It's not a question of if but when your organization will experience a serious security breach. Cybercriminals are using more sophisticated and targeted attacks to steal everything from valuable intellectual property to the sensitive personal and financial information of your customers, partners, and employees. Their motivations run the gamut from financial to political to retaliatory. With enough time and money, they can breach the security defenses of even the largest enterprises. You can't stop every cyberattack. However, your key stakeholders, clients, and other observers do expect you to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. A poorly contained breach and botched response have the potential to cost you millions in lost business and opportunity, ruin your reputation, and perhaps even drive you out of business.
TABLE OF CONTENTS
You Will Suffer A Security Breach; You May Even Have A Breach Right Now
You Must Establish An Ongoing Incident Management Program
Testing And Training Are Critical To Success
You Must Decide If You Want To Prosecute Before You Remediate
WHAT IT MEANS: Make Incident Management A Top Security Priority
Supplemental Material
NOTES & RESOURCES
In developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users and vendors across industry sectors.
Related Research Documents
Updated Q4 2011: The New Threat Landscape: Proceed With Caution
November 1, 2011
Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility
January 24, 2011
SOC 2.0: Virtualizing Security Operations
April 20, 2010
November 9, 2011
Planning For Failure: An Effective Incident Management Program Is Essential To Help You Stay In Business
by John Kindervag and Rick Holland with Stephanie Balaouras and Kelley Mak
© 2011, Forrester Research, Inc. Reproduction Prohibited. November 9, 2011
YOU WILL SUFFER A SECURITY BREACH; YOU MAY EVEN HAVE A BREACH RIGHT NOW
Breaches are expensive. Sony announced that it will cost the company more than $170 million to clean up the PlayStation Network breach alone.1 One financial analyst estimates that the breach will ultimately cost the company $1.25 billion in lost business, compensation, and new investments.2 During the past 12 months, 25% of IT security decision-makers and influencers reported at least one breach of their sensitive information (see Figure 1-1). It's interesting to note that 21% of respondents didn't feel comfortable answering that question although their responses were anonymous, a testament to just how sensitive enterprises have become to the potential economic impact and damage to corporate reputation of a publicized security breach.
Even more interesting is that 7% reported "Don't know." Forrester believes that even among those respondents that reported no breaches in the past 12 months, many of them have suffered a breach; they just don't know it. In today's changed threat landscape, cybercriminals are skilled, well-funded, and patient. They target their attacks and do everything in their power to conceal their activity so that they can accomplish their goal, whether it's to steal intellectual property or conduct man-in-the-middle attacks.
Inadequate Incident Response Leads To Financial, Operational, And Reputational Losses
Consider the example of DigiNotar, the primary certificate authority for the Dutch government. On September 19, 2011, the company filed for bankruptcy as a result of a massive breach by suspected Iranian actors.3 The breach resulted in the issuance of more than 500 fraudulent digital certificates. In its investigation, IT security firm Fox-IT stated: "We found that the hackers were active for a longer period of time. They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced."4
This example illustrates the sophistication of today's cyberattacks and the difficulty, even for a security company, to detect them. It also illustrates the importance of having an incident management program. Government and industry experts criticized DigiNotar for failing to notify the public of the breach sooner and for downplaying the scope and seriousness of the breach.
Incident Response Is One Of The Most Overlooked Areas In Information Security
In Forrester's experience, incident response is one of the most overlooked areas of information security. Surprisingly, even among those enterprises that have already suffered a breach during the past 12 months, only 18% increased spending on their incident response program as a result (see Figure 1-2). Sadly, and perhaps even more surprisingly, many enterprises did nothing at all as a result of their breach. Others increased spending on breach prevention technologies.
Figure 1 Frequency And Results Of Data Breaches
Source: Forrester Research, Inc.

1-1 Frequency of breaches during the past 12 months
"How many times do you estimate that your firm's sensitive data was potentially compromised or breached in the past 12 months?"
Base: 341 North American and European enterprise security decision-makers responsible for network or data security at companies that have had a breach in the past 12 months
(percentages may not total 100 because of rounding)
  Cannot disclose: 21%
  Don't know: 7%
  No breaches in the past 12 months: 45%
  More than 25 times in the past 12 months: 1%
  11 to 25 times: 1%
  Six to 10 times: 3%
  Three to five times: 8%
  Twice: 6%
  Once: 6%
25% of companies have experienced a breach during the past 12 months that they know of.

1-2 Changes resulting from a breach
"If you have had a breach, what has changed at your firm in the past 12 months as a result of the breach?"
Base: 625 North American and European enterprise security decision-makers responsible for network or data security
(multiple responses accepted)
  Additional security and audit requirements: 43%
  Nothing has changed in the past 12 months as a result of security breaches: 30%
  Increased spending on breach prevention technologies: 25%
  Increased spending on incident response programs: 18%
  Don't know: 11%
  Bad publicity: 9%
  Switched security vendors or service providers: 6%
  Other action: 4%
  Switched IT auditors: 2%
  Lost customers: 2%
  Lost business partners: 1%
  Greater difficulty attracting new customers: 0%
Source: Forrsights Security Survey, Q2 2011
Unfortunately, even enterprises with the most mature security organizations and advanced security controls can't prevent every single breach, especially if your opponent has the time and financial backing to target you. Every enterprise needs an incident response plan, but enterprises often fail to map out their incident response plan prior to a breach or other security incident. Without a proper plan in place ahead of time, it's extremely difficult to contain or stop the incident once detected and preserve appropriate forensic evidence while you help restore IT services. You must also understand the extent of the incident and what information the attackers compromised so that you can determine if you need to contact law enforcement and send breach notifications to affected parties, such as your customers, partners, and employees.
A Patchwork Of Industry And Government Regulations Mandate Incident Response
If you have yet to invest significant time and resources in incident management and response and you fail to respond appropriately to a breach, your enterprise could find itself facing noncompliance and significant fines. The US Congress strongly criticized Sony for waiting more than a week to notify customers that an external attacker may have compromised their personal information.5 Consider that:
Almost every US state requires breach notification. In the US, 46 states plus the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.6 In fact, California recently updated breach notification requirements to include notifying the state attorney general when a breach affects more than 500 residents, as well as adding new content requirements for breach notification letters.7
Some US federal law requires breach notification. The US HITECH Act requires healthcare providers and other Health Insurance Portability and Accountability Act (HIPAA) entities to notify when a breach affects more than 500 individuals. Failure to notify individuals of a data breach could result in a HIPAA violation and a fine of up to $50,000 per violation.8
EU law requires telecoms and Internet service providers to report breaches. In 2010, the EU introduced a new data breach notification requirement for electronic communication as part of a comprehensive review of the ePrivacy Directive.9 There is also discussion of extending breach notification requirements to more industries.10
Canadian legislators are reviewing breach notification. House Government Bill C-29 seeks to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendment is making its way through the regulatory process and includes breach notification obligations.11
The PCI Data Security Standard provides very specific guidance on incident response. Requirement 12.9 states: "Implement an incident response plan. Be prepared to respond immediately to a system breach." Requirement 10.2 requires automated audit trails for all system components to reconstruct seven categories of events. Appendix 1.4 requires an organization to enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.12
YOU MUST ESTABLISH AN ONGOING INCIDENT MANAGEMENT PROGRAM
An incident response plan, like a business continuity (BC) or an IT disaster recovery (DR) plan, is your organization's immediate response to a specific threat. IT security professionals should talk with their counterparts in BC/DR; the fundamentals of strategy development and response planning are very similar, as are the lessons learned. Your organization wouldn't want to learn how to cut over from a failed primary site to a backup hot site after the outage occurred. You have created a DR plan to handle this scenario. By the same token, you don't want to develop your incident response plan in real time while cybercriminals are pilfering your intellectual property. A well-defined incident management program provides organizations a script to follow when incidents occur.
Define The Incident Management Life Cycle
To be effective, you need to establish an ongoing incident management program, one that lets you identify the potential risks and threats to your enterprise so that you can create appropriate response plans, test those plans, and keep those plans current (see Figure 2). Forrester defines the six main areas of the incident management life cycle as:
Risk analysis. Just as with BC/DR planning, before you can plan, you have to understand your business and identify the most probable, high-impact risks that you must mitigate or for which you will develop response plans. Who or what are you trying to protect your assets from?
Threat analysis. Before you deploy a technology or service to improve business and IT resiliency, it helps to understand your IT architecture and infrastructure so that you can identify your single points of failure and other weaknesses. In a security context, you want to understand where and how your enterprise stores its most sensitive information and where your systems and networks are the most vulnerable to attack. You can conduct a data discovery project to determine where your most sensitive data resides. You can also use a vulnerability management program, including vulnerability scanning and penetration testing, to determine weaknesses in your environment.
Security policy mapping. Over the years, the goal of BC/DR has been to mitigate the most common cause of disruption by building high availability and resiliency into the IT architecture itself. The same is true with security; you want to embed security throughout the environment to mitigate known threats and vulnerabilities as much as possible. Evaluate the results of your risk and threat analyses and compare them against your existing security controls. Implement measures that apply the appropriate level of rigor to your security controls based on the likelihood of a threat occurring and its impact. For example, you may need to purchase a new web application and database firewall to protect a newly launched web application that is core to your business success.
Incident response policies and procedures. You can't mitigate every risk; at some point you will need to respond quickly to a sudden IT failure or natural disaster such as an earthquake. Likewise, there's no set of security controls that will guarantee you won't suffer a breach. A security breach is inevitable. When it happens, you will need to categorize the incident according to certain criteria, mobilize the response team, contain or stop the incident, gather forensic evidence, if applicable, restore the disrupted service, notify individuals if necessary, and continue the forensic investigation to determine what happened and what course of action the organization needs to take.
Testing. There's a saying in DR: if you're not finding problems when you test, you're not testing thoroughly enough. It's critical to test your incident response plans before the incident. Testing validates your response capabilities, trains the response team in its roles and responsibilities, and uncovers weaknesses or invalid assumptions in the plan. If you're not testing, you're simply not prepared.
Review and update. After each test or incident, you should hold a debriefing, after which you update your plans. You should also update your plans after every major change to the business or the IT environment; ideally, change to your response plans is a part of ongoing change and configuration management.
Figure 2 Incident Management Life Cycle
Source: Forrester Research, Inc.
The figure shows the six areas as a cycle: Risk analysis, Threat analysis, Security policy mapping, Incident response policies and procedures, Testing, Review and update.
Set Up A Cross-Functional Incident Response Team
The makeup of the incident response team will vary depending on your industry, the size and geographic reach of your enterprise, and the types of incidents to which it will respond. However, your incident response team will likely include a cross-functional group of both internal and external experts, including (see Figure 3):
Information security staff. These individuals are responsible for handling the detailed investigation of the incident. Depending on the size of your organization, you might have dedicated incident response staff with advanced forensics capabilities. Many organizations hire external consultants to assist with incident response and forensics. Despite this, at a minimum, you still want someone on your staff who can perform basic incident response.
IT staff. You may need these system and network administrators to help with investigations because of their advanced knowledge of the applications and systems they support.
Legal representative. A member of your legal staff should participate in the incident management planning and response to provide guidance as to the legality of potential searches and the requirements of evidence collection. He or she can also help you determine if you need to contact law enforcement and other government officials.
Business representative. The information security team is a custodian of data and will need to partner with the business unit data owners to understand the data and its implications. Ideally, this should be done prior to an incident occurring and not after you've activated the incident response plan.
Corporate communications representative. This team member's involvement is critical. The organization must know who is going to speak for the company and what message the company will deliver to customers, investors, and business partners. Poor communication can increase customer frustration and anger and irreparably damage your corporate reputation.
External forensic investigator. Hire an external investigator when your own team is overwhelmed or lacks the necessary skills to properly respond to the incident. There are a variety of firms that offer forensics services. The major consulting firms have forensics practices around the globe, and a number of smaller firms have offerings as well.13 Mandiant, Guidance Software, and many value-added resellers can also assist with incident response. All third-party firms aren't created equal. You should consider the organization's experience, methodology, and scalability.
External breach notification providers. In the US, almost every state now has its own breach notification requirements, and although they're generally similar, they're not identical. In the event of a breach for your organization, these laws require a timely response. Service providers such as Co3 Systems and ID Experts can lend their expertise with the notification process if your organization isn't yet prepared to handle a breach. Identity theft protection organizations such as Debix or Equifax often work in concert with the notification providers, and you can hire them to monitor your victims' financial accounts as remuneration.
Figure 3 Incident Response Team
Source: Forrester Research, Inc.
Incident response team: Requires communicator, systems expert, and network expert at a minimum. Larger teams often include: physical security, forensics, risk management, and legal.
All employees: Do they know how and when to report an incident? Make IT part of security awareness.
External investigators: Who will you hire in each potential situation? How quickly will they respond? How much will it cost?
IT: Find out who owns and manages each system. Who has forensics skills? Who has database administrator access?
Peer incident response teams: Share best practices and knowledge about current IT viruses and attacks.
Law enforcement: Who do you contact when the investigations show signs of criminal activities?
Lines of business: Help identify important business assets and drive process improvements.
Corporate communications: Who is responsible for conveying relevant messages to employees, partners, or customers? Who will craft and approve that message to ensure that it is correct?
External business service providers: How will they alert you to an incident? Who has authority to request and receive sensitive information?
Use A Recognized Industry Framework For Your Incident Handling And Response
When you define your incident response policies and procedures, you should make sure that they also follow a life cycle. There are numerous frameworks for this life cycle from industry groups such as the SANS Institute and government groups such as the National Institute of Standards and Technology (NIST). We use the NIST Computer Security Incident Handling Guide (800-61) as our sample reference framework because of its popularity with clients and its simplicity.14 It consists of the following phases (see Figure 4):
Preparation. This phase includes all the initial planning that we've already described in this report, such as the definition of an ongoing incident management program life cycle and the creation of a cross-functional team. As you can see, most of the work is in preparation and ongoing management. NIST provides a "Tools and Resources for Incident Handlers" checklist with very specific guidance on preparing for incidents.
Detection and analysis. Many enterprises are not even aware that they've already suffered a breach. Too many enterprises underinvest in network analysis and visibility (NAV) tools that can detect abnormal patterns and user behavior in their networks and IT environment.15 NIST lists common sources of attack precursors and indications of attacks.
Once you detect an incident, analysis is also important. In BC/DR, enterprises avoid invoking a response plan if possible. The event or incident must meet certain activation criteria before a designated individual makes the decision to invoke a plan. Similarly, you must provide a clear identification and escalation process for incidents, and you must tightly integrate it with your existing incident management processes in your network operations center (NOC) and security operations center (SOC).16 NIST provides criticality ratings and also includes a sample incident response service-level agreement (SLA) matrix.
Containment, eradication, and recovery. The business has less and less tolerance for downtime, whatever the cause: the weather or a security breach. You will be under tremendous pressure to stop the attack and resume normal operations as soon as possible. You need to be careful, because you want to make sure that: 1) you have truly contained the attack, and 2) you don't destroy any forensic evidence in the process of quickly restoring the IT service. It's important that you train employees in forensics and prevent other employees or tools from inadvertently destroying evidence that you might need later in any kind of internal or government investigation. NIST provides helpful criteria for determining the appropriate containment strategy.
It's critical to ensure that the incident is truly contained or remediated. In the DigiNotar breach, the firm failed to revoke all the malicious certificates. According to Wired.com, "The company insisted that all of the certificates had been revoked, which would have undermined any attempt by someone to use the certificate to impersonate a legitimate site, but somehow missed the Google certificate. DigiNotar finally revoked the Google certificate after the search giant disclosed its existence in the wild."17
Post-incident activity. This phase of incident response is critical, and you must not shortchange it. You must incorporate the lessons learned from the incident into future incident response plans. NIST provides a list of seven questions that you should include in post-incident meetings.
Figure 4 NIST Incident Handling
Source: Forrester Research, Inc.; Karen Scarfone, Tim Grance, and Kelly Masone, Computer Security Incident Handling Guide, National Institute of Standards and Technology Special Publication 800-61 Revision 1, March 2008
The figure shows the incident response life cycle as four phases: Preparation; Detection and analysis; Containment, eradication, and recovery; Post-incident activity.
TESTING AND TRAINING ARE CRITICAL TO SUCCESS
We've already discussed testing and training as a key phase in the incident management life cycle, but it's important to call them out separately because they really determine the long-term success of your program and individual response plans.
If You Don't Test, You're Not Prepared
Confucius said, "What I hear, I forget. What I see, I remember. What I do, I understand." To truly understand your incident management capabilities you must periodically test your individual incident response plans. You test a BC plan; you should do the same here. Testing helps validate your response capabilities and questions assumptions in the plan. In addition, testing helps everyone understand the contents of the plan as well as their roles and responsibilities. Here are some keys to successful testing:
Testing needs to include all members of the team. At least once a year you need to conduct an incident response test that goes beyond the confines of IT or the information security staff. Validate your call tree and ensure that you have correct after-hours contact information for all the team members.
Just as in BC, take advantage of multiple test types. There are multiple types of tests, including plan walk-throughs, tabletop exercises, and simulations. Plan walk-throughs and tabletop exercises help the response team understand the contents of a plan and their roles and responsibilities. For simulations, you should consider hiring a third-party penetration testing company to perform an assessment of your security controls and detection capabilities. Some organizations may elect to inform their staff of the testing, while others choose a blind penetration test.
Incorporate test results into incident management planning. It's absolutely critical that you incorporate the results of your tests into your plans. Your incident management strategy and your individual plans should adapt and change based on the successes and failures of your testing scenarios.
You Must Train IT And Non-IT Staff In Incident Response
Companies need to train their staff to understand what an incident is, how to respond appropriately, how to contact responders or services, and how to put incident response into the greater context of information security. This is a necessary next step in order to provide effective response and forensic services. Here are some suggestions to maximize your training:
Budget for incident response training. Build incident response training into your annual budget. The threat landscape is constantly changing, and cybercriminals are using new, advanced techniques to breach organizations. Specific training is critical to staying abreast of the latest attack and mitigation techniques. Your staff will also network with other incident handlers, which will result in future collaboration and information-sharing. The SANS Institute and CERT offer widely recognized incident handling courses.
Include all employees in incident response training. Training needs to extend beyond IT staff. End users are on the frontline and need to be aware of the threats and how to respond to them. Conduct end user training that specifically addresses social engineering, spear phishing, and how to respond to suspicious emails, files, and instant messages.
YOU MUST DECIDE IF YOU WANT TO PROSECUTE BEFORE YOU REMEDIATE
Things work differently in real life than they do on your favorite crime investigation show. Too often, companies clean up a breach and then decide later that they want to find and prosecute the perpetrator. Unfortunately, they've also cleaned up most of the evidence, and true justice becomes illusory. Electronic crimes and physical crimes are different, so you must:
Make an investigation and prosecution decision immediately. Bringing the bad guy to justice could be problematic. You may need to keep a breached system running in order to preserve evidence. In addition, it could take a significant amount of time before a trained forensic investigator or law enforcement official can respond to your breach.
Consider the preservation of evidence and chain of custody. Remember that to prosecute a cybercrime, you must present breach evidence in court. This means that not only will the details of the crime become part of the public record, but the proper preservation of the evidence may be called into question. There are rules of evidence that must be followed if you want to see justice.
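The ordering rules this report argues for in the NIST life cycle and the prosecution sections (rate and activate before responding, record the prosecution and evidence decision before remediating, and confirm every malicious artifact is dealt with before restoring service, the step DigiNotar missed) can be enforced by an incident record rather than left to memory under pressure. The following is an added example, not Forrester's or NIST's code; the criticality matrix, SLA hours, five-phase split and the certificate serials are assumptions constructed for illustration.

```python
"""Incident record enforcing the ordering rules in this report: rate the incident
before invoking the plan, decide on prosecution and evidence preservation before
remediating, and never declare recovery while a tracked artifact is outstanding.
Added example, not Forrester's or NIST's code; matrix, SLA hours and phases are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    DETECTION = 1
    CONTAINMENT = 2
    ERADICATION = 3
    RECOVERY = 4
    POST_INCIDENT = 5


# Assumed criticality matrix: (data sensitivity, business impact) -> (rating, SLA hours).
SLA_MATRIX = {
    ("regulated", "high"): ("critical", 1),
    ("regulated", "low"): ("high", 4),
    ("internal", "high"): ("high", 4),
    ("internal", "low"): ("medium", 24),
    ("public", "low"): ("low", 72),
}
ACTIVATION_RATINGS = {"critical", "high", "medium"}  # assumed: "low" stays routine ops


def rate_incident(sensitivity: str, impact: str) -> tuple[str, int]:
    return SLA_MATRIX[(sensitivity, impact)]


@dataclass
class Incident:
    sensitivity: str
    impact: str
    phase: Phase = Phase.DETECTION
    prosecution_decided: bool = False
    preserve_evidence: bool = False
    evidence_captured: bool = False
    artifacts: dict[str, bool] = field(default_factory=dict)  # artifact -> neutralised?
    log: list[str] = field(default_factory=list)

    def track_artifact(self, name: str) -> None:
        self.artifacts.setdefault(name, False)  # something left behind that must be revoked/removed

    def neutralise(self, name: str) -> None:
        self.artifacts[name] = True  # KeyError on purpose if the artifact was never tracked

    def decide_prosecution(self, prosecute: bool) -> None:
        self.prosecution_decided, self.preserve_evidence = True, prosecute
        self.log.append(f"prosecution decision: {'yes' if prosecute else 'no'}")

    def blockers(self) -> list[str]:
        """Reasons the incident may not enter the next phase (empty list = may advance)."""
        if self.phase is Phase.POST_INCIDENT:
            return ["already in final phase"]
        nxt, problems = Phase(self.phase.value + 1), []
        rating = rate_incident(self.sensitivity, self.impact)[0]
        if nxt is Phase.CONTAINMENT and rating not in ACTIVATION_RATINGS:
            problems.append(f"rating {rating!r} does not meet plan activation criteria")
        if nxt is Phase.ERADICATION:
            # Remediation alters systems, so the prosecution call and evidence capture come first.
            if not self.prosecution_decided:
                problems.append("prosecution decision not recorded")
            elif self.preserve_evidence and not self.evidence_captured:
                problems.append("evidence preservation chosen but nothing captured")
        if nxt is Phase.RECOVERY:
            left = sorted(n for n, done in self.artifacts.items() if not done)
            if left:
                problems.append("artifacts still outstanding: " + ", ".join(left))
        return problems

    def advance(self) -> bool:
        """Enter the next phase if nothing blocks it; log the outcome either way."""
        problems = self.blockers()
        if problems:
            self.log.append(f"blocked leaving {self.phase.name}: " + "; ".join(problems))
            return False
        self.phase = Phase(self.phase.value + 1)
        self.log.append(f"entered {self.phase.name}")
        return True


def run_scenario() -> Incident:
    """Constructed walk-through modelled on the rogue-certificate case in the report."""
    inc = Incident("regulated", "high")
    for serial in ("cert-serial-A", "cert-serial-B"):  # constructed serials, not DigiNotar's
        inc.track_artifact(serial)
    inc.advance()                  # detection -> containment ("critical" meets activation criteria)
    inc.advance()                  # blocked: no prosecution decision yet
    inc.decide_prosecution(True)
    inc.advance()                  # blocked: evidence must be captured before remediation
    inc.evidence_captured = True   # forensic image and chain-of-custody record taken
    inc.advance()                  # containment -> eradication
    inc.neutralise("cert-serial-A")
    inc.advance()                  # blocked: cert-serial-B still outstanding (the DigiNotar miss)
    inc.neutralise("cert-serial-B")
    inc.advance()                  # eradication -> recovery
    inc.advance()                  # recovery -> post-incident
    return inc
```

Each refused transition is written to the incident log, which doubles as the timeline a post-incident review or a court will ask for.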
WHAT IT MEANS
MAKE INCIDENT MANAGEMENT A TOP SECURITY PRIORITY
With an avalanche of state, federal, and industry-specific breach notification laws on the horizon, the time has come to implement an incident management program. If you don't have an incident management program and specific incident response procedures in place, it's imperative that you do so immediately. However, don't see incident management as just another regulatory obligation, something that you do half-heartedly to appease internal and external auditors. An effective incident response to a serious security breach can be the difference between your organization's recovery and future success and irreparable damage. Take it seriously, and make it a top priority for your organization. Implement an ongoing program, define your response procedures, test them, and train as many people inside and outside IT as you can. Put someone in charge of it, shore up your breach prevention, and begin developing relationships with peers and other industry experts to share best practices.
SUPPLEMENTAL MATERIAL
Methodology
Forrester's Forrsights Security Survey, Q2 2011, was fielded to 2,353 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from small and medium-size business (SMB) and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded during June 2011. LinkedIn Research Network fielded this survey online on behalf of Forrester. Survey respondent incentives included a choice of gift certificates and charitable donations. We have provided exact sample sizes in this report on a question-by-question basis.
Forrester's Forrsights for Business Technology fields 10 business-to-business technology studies in 12 countries each calendar year. For quality control, we carefully screen respondents according to job title and function. Forrester's Forrsights for Business Technology ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of IT products and services. Additionally, we set quotas for company size (number of employees) and industry as a means of controlling the data distribution and establishing alignment with IT spend calculated by Forrester analysts.
We have illustrated only a portion of survey results in this document. For access to the full data results, please contact [email protected].
ENDNOTES
1 Sony has disclosed that the immediate breach costs will be about ¥14 billion, which was approximately $171 million at the time of the announcement. Source: Matthew J. Schwartz, "Sony Data Breach Cleanup To Cost $171 Million," InformationWeek, May 23, 2011 (http://www.informationweek.com/news/security/attacks/229625379).
2 Source: Juro Osawa, "As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill," The Wall Street Journal, May 9, 2011 (http://online.wsj.com/article/SB10001424052748703859304576307664174466924.html).
3 Source: "VASCO Announces Bankruptcy Filing by DigiNotar B.V.," Vasco press release, September 20, 2011 (http://www.vasco.com/company/press_room/news_archive/2011/news_vasco_announces_bankruptcy_filing_by_diginotar_bv.aspx).
4 Source: "DigiNotar Certificate Authority breach 'Operation Black Tulip'," Fox-IT, September 5, 2011 (http://cryptome.org/0005/diginotar-insec.pdf).
5 Source: Grant Gross, "Lawmakers Question Sony, Epsilon on Data Breaches," PC World, June 2, 2011 (http://www.pcworld.com/businesscenter/article/229258/lawmakers_question_sony_epsilon_on_data_breaches.html).
6 Source: "Security Breach Legislation 2011," National Conference of State Legislatures, September 12, 2011 (http://www.ncsl.org/default.aspx?tabid=22295).
7 The state of California recently updated breach notification requirements to include notifying the state attorney general when a breach affects more than 500 residents, as well as adding new content requirements for notification letters. Source: Judy Greenwald, "California law updates notification requirements for data breaches," Business Insurance, September 2, 2011 (http://www.businessinsurance.com/article/20110902/NEWS07/110909966?tags=|338|299|305|340|303|87).
8 The US HITECH Act requires healthcare providers and other HIPAA entities to notify when a breach affects more than 500 individuals. Failure to notify individuals of a data breach could result in a HIPAA violation resulting in a fine of up to $50,000 per violation. Source: "HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," US Department of Health & Human Services press release, August 19, 2009 (http://www.hhs.gov/news/press/2009pres/08/20090819.html) and Federal Register, Vol. 74, No. 209, US Department of Health & Human Services, October 30, 2009 (http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enr.pdf).
9 Source: "Data breach notifications," European Network and Information Security Agency (http://www.enisa.europa.eu/act/it/dbn).
10 Jennifer Baker, "EU considers stricter data breach notification rules," Computerworld, July 14, 2011 (http://www.computerworld.com/s/article/9218417/EU_considers_stricter_data_breach_notification_rules?taxonomyId=17).
11 In Canada, House Government Bill C-29 seeks to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) and is making its way through the regulatory process and includes breach notification obligations. Source: Bill C-29, Parliament of Canada (http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&DocId=4547739) and "An Act to Amend The Personal Information Protection And Electronic Documents Act," Parliament of Canada, March 3, 2010 (http://www.parl.gc.ca/LegisInfo/BillDetails.aspx?Language=E&Mode=1&billId=4543568).
12 Requirement 12.9 states: "Implement an incident response plan. Be prepared to respond immediately to a system breach." Requirement 10.2 requires automated audit trails for all system components to reconstruct seven categories of events. Appendix 1.4 requires an organization to enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. Source: "Payment Application Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0," Payment Card Industry, October 2010 (https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf).
13 In Forrester's 75-criteria evaluation of information security and risk consulting service providers, we found that Deloitte led the pack because of its maniacal customer focus and deep technical expertise. PricewaterhouseCoopers (PwC), Ernst & Young, and Accenture are market leaders due to their security expertise, breadth of services, and global reach. KPMG provides excellent strategic work and boasts great client feedback. See the August 2, 2010, "The Forrester Wave: Information Security And Risk Consulting Services, Q3 2010" report.
14 Karen Scarfone, Tim Grance, and Kelly Masone, "Computer Security Incident Handling Guide," National Institute of Standards and Technology Special Publication 800-61 Revision 1, March 2008 (http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf).
15 To provide this type of deep insight into internal and external networks, Forrester has defined a new functional space called network analysis and visibility (NAV). NAV is comprised of a diverse tool set designed to provide situational awareness for networking and information security professionals. See the January 24, 2011, "Pull Your Head Out Of The Sand And Put It On A Swivel: Introducing Network Analysis And Visibility" report.
16 Staffing the traditional security operations center (SOC) is expensive. Forrester anticipates that the SOC will become virtualized in the future, in a next-generation transformation that we call SOC 2.0. SOC 2.0 will not be a physical place or a projection screen but an enterprisewide, distributed, virtualized information resource that allows security and risk professionals access to the data they need wherever and whenever they need it. See the April 20, 2010, "SOC 2.0: Virtualizing Security Operations" report.
17 Source: Kim Zetter, "DigiNotar Files for Bankruptcy in Wake of Devastating Hack," Wired, September 20, 2011 (http://www.wired.com/threatlevel/2011/09/diginotar-bankruptcy/).
Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 28 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

Headquarters
Forrester Research, Inc.
60 Acorn Park Drive
Cambridge, MA 02140 USA
Tel: +1 617.613.6000
Fax: +1 617.613.5000
Email: [email protected]
Nasdaq symbol: FORR
www.forrester.com

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Research and Sales Offices
Forrester has research centers and sales offices in more than 27 cities internationally, including Amsterdam, Netherlands; Beijing, China; Cambridge, Mass.; Dallas, Texas; Dubai, United Arab Emirates; Frankfurt, Germany; London, UK; New Delhi, India; San Francisco, Calif.; Sydney, Australia; Tel Aviv, Israel; and Toronto, Canada.
For the location of the Forrester office nearest you, please visit: www.forrester.com/locations.