GRC Bullseye? RSA Updates Archer Platform
Nov04

EMC’s RSA Security division has announced a new release (6.0) of its Archer Governance, Risk and Compliance (GRC) Platform at this week’s RSA Conference Abu Dhabi, intended to inspire ‘everyone to own risk within the enterprise’. This market is hot, and depending upon the source, is only going to get hotter, but it is not without some major challenges.

“Risk is no longer just the responsibility of executives,” said Grant Geyer, Senior Vice President of Products, RSA, in a prepared statement. “To keep up with the uncertainty and complexity triggered by rapid changes in business today, organizations are decentralizing risk management to put it as close as possible to the risk itself. As front line employees are being asked to contribute more towards risk management, we have focused heavily on usability in the new RSA Archer 6.0 platform.”

New Archer features, which will be available only for new, on-premises installations on November 10, include:
-an enhanced user experience with a simpler but more powerful user interface and advanced workflow capabilities; and,
-enhancements to Archer Operational Risk Management to help streamline how organizations identify, assess, respond to, and monitor existing and emerging risks.

GRC is about the practice, not the technology, said Marshall Toburen, GRC Strategist, Enterprise Risk Management, RSA. Asked to comment on the quote ‘Organizations do not buy GRC, they do GRC’ (GRC 20/20 Research), he told IT Trends & Analysis, “I couldn’t agree with that more.” “What this release does is acknowledge that fact.”

Whatever organizations are doing about GRC, they’re also buying GRC. The GRC market is expected to reach $2.592 billion this year, driven by the need for a federated architecture approach to handle the GRC ‘data tsunami’. “The idea of a single GRC platform to meet all of an institution’s needs is a myth,” said Shagun Bali, TABB technology analyst and author of The Data Tsunami: Combating the Overwhelming Supply of GRC Data. “But no single IT tool has all the answers, which is why firms need to create cohesive business processes to manage various functions and technologies in sync.”

Another report values this year’s GRC market more than four times higher, at $11.89 billion – and that’s excluding the professional services component. The enterprise segment represents about 10% of this figure. A third report estimates the market is even bigger: the global enterprise governance, risk, and compliance market will grow from $15.98 billion in 2015 to $31.77 billion by 2020, at a CAGR of 14.7%. North America is expected to be the largest market in terms of market size, while Europe and Asia-Pacific (APAC) are expected to experience increased market traction during the forecast...

NIST Framework To Help But Cyber Insurance Still Lagging
Feb11

On Thursday the US National Institute of Standards and Technology (NIST) will publish the Cybersecurity Framework (Version 1.0), based on existing standards, guidelines, and practices, for reducing cybersecurity risk to critical infrastructure. The framework is the result of the Executive Order, Improving Critical Infrastructure Cybersecurity, issued by President Obama a year ago, and the hope was that it would lead to a more robust cyber insurance market with lower premiums, said NSS Labs’ Research Director Andrew Braunberg. “It will take a while for that to play out.”

With interest in enterprise security at an all-time high and the security industry’s equivalent of the Olympics, RSA Conference 2014, just two weeks away, cyber security insurance has been generating increasing interest. According to Braunberg, more transparency regarding cyber risk and cyber attacks is expected to drive greater adoption of cyber insurance as a means of demonstrating better corporate risk management. NSS is traditionally a security testing house that has been around for two decades and which a year ago decided to expand its focus with mobility and GRC (governance, risk management and compliance), which is where the insurance comes in, he said. “Cyber insurance is a topic people have been talking about for 10 years.”

Security insurance may be generating a lot of talk, but the current situation is “discouraging”, said Braunberg. As an example, none of the companies in the Fortune 1000 are coming close to the SEC guidelines regarding disclosures, he said, and growing threats, and risks to companies’ assets and reputations, make this an area of increasing concern.

The challenge is that cyber security is facing increasing pressure, according to NSS, which in December took a closer look at a growing privileged class of cyber criminals, governments and brokers that are amassing information on newly-discovered vulnerabilities – for as many as 151 days, on average – before affected software vendors are notified of these weaknesses. According to NSS Research VP Dr. Stefan Frei in his The Known Unknowns report, third-party services offering subscriptions to zero-day (previously unknown) vulnerability information are breaking nation-states’ traditional monopoly on advanced cyber weapons. The findings include:
-on any given day over the past 3 years, two vulnerability purchase programs alone gave their privileged subscribers early access to at least 58 vulnerabilities, on average, in Microsoft, Apple, Oracle or Adobe products;
-these vulnerabilities remained private for an average of 151 days before disclosure to vendors or the public;
-specialized vulnerability brokers’ fees are within more determined attackers’ budgets: for example, NSS found subscriptions delivering 25 zero-day vulnerabilities per year can be had for $2.5 million;
-attackers are outsourcing weaponry: jointly, a half dozen “boutique” exploit providers have the capacity to craft...

Security 2014: Expect A Bad Situation To Get Worse
Dec16

With the IT Trends & Analysis holiday break starting next week (December 23-January 3), I’m clearing out my mailbox and trying to incorporate the various vendor 2014 predictions into this week’s stories, including today’s focus on security. One would expect doom and gloom forecasts from security vendors – and IT industry analysts – and you won’t be disappointed. Looks like CISOs can expect the Grinch for the holidays… and the foreseeable future.

Recent publicity about cyberattacks and data security breaches has increased IT risk awareness among CIOs, chief information security officers (CISOs) and senior business executives. However, Gartner’s 2013 Global Risk Management Survey found that fear of attack is causing security professionals to shift focus away from disciplines such as enterprise risk management and risk-based information security to technical security. This shift in focus is driven by what Gartner analysts refer to as fear, uncertainty and doubt (FUD), which often leads to reactionary and highly emotional decision making.

“While the shift to strengthening technical security controls is not surprising given the hype around cyberattacks and data security breaches, strong risk-based disciplines such as enterprise risk management or risk-based information security are rooted in proactive, data-driven decision making,” said John A. Wheeler, research director at Gartner. “These disciplines focus squarely on the uncertainty (as in, risk) as well as the methods or controls to reduce it. By doing so, the associated fear and doubt are subsequently eliminated.”

The IT security market will grow at a CAGR of 9.29% over the 2012-2016 period, more than double the 4% increase overall IT budgets will see in 2014. In addition to Cisco, the key vendors include EMC, Fortinet, Hewlett-Packard, Juniper Networks, McAfee, Palo Alto Networks, Symantec, and Trend Micro.

Despite being busy spying itself, the US government’s security budget is expected to be $6.1 billion next year. That’s up from last year’s $5.9 billion, and a lot less than the $7.3 billion projected for 2017. Contrast that with the U.S. intelligence budget for FY13, which was set at $52.3 billion, with an additional $400 million in spending across other government agencies that require some level of interaction or data sharing with the intelligence community.

However, earlier this month IDC’s 2014 predictions included two items highlighting why security’s future looks so dismal, including the forecast that 70% of CIOs will increase enterprise exposure to risk to accelerate business agility through increased cloud adoption. Unfortunately for that increased risk exposure, by 2015, 60% of CIO security budgets for increasingly vulnerable legacy systems will be 30-40% too small to fund enterprise threat assessments. Next year will see plenty of opportunities for big data security analytics to enter the enterprise...
