Security breaches are reaching epidemic proportions. BMC and Forbes Insights conducted a security survey among more than 300 C-level executives around the globe and found that known vulnerabilities are the leading cause of exposure to data breaches. The report also unmasks a significant gap between the activities of security and IT operations teams, termed the “SecOps gap,” which can lead to unnecessary data loss, production downtime, and reputation damage.
The Game Plan for Closing the SecOps Gap
Learn more about the SecOps Gap and solutions for overcoming it
Read the full report, “A Game Plan for Closing the SecOps Gap”
Editor's notes
The Game Plan for Closing the SecOps Gap
• Security and operations collaboration drives faster response, stronger security and improved compliance
Sound Familiar? If Your Organization Is Bracing Against More Cyber Attacks, You’re Not Alone
• The expected rise in cyber-risks reflects the opinions of hundreds of senior security, IT and operations managers in North America and Europe who participated in the Forbes Insights/BMC survey
• In-depth interviews with executives on both continents captured further insights about the current threat landscape
Keeping Large Enterprises Secure Against Cyber Criminals Has Never Been Tougher
• A resounding 97% of executives in North America and Europe expect a rise in data breach attempts in the next 12 months, according to Forbes Insights/BMC research.
• As a result, 99% plan to invest more in security in the next 12 months than they did in 2015.
The Biggest Takeaway: Many Breaches Are Avoidable
Security and operations executives acknowledge that their organizations face unnecessary risks
• 44% of executives on both continents say security breaches occur even when vulnerabilities and their remediation have already been identified
What’s the Answer?
• To ensure they’re getting the full value from security investments, large enterprises must guard against breakdowns between security and operations departments that cause the SecOps Gap
• SecOps Gap:
1. Poor coordination between security and operations departments
2. Conflicting responsibilities and metrics for evaluating and rewarding successful performance for each group
3. Increasing number of attacks coupled with rapid pace of change
Underlying Causes of the SecOps Gap
• 60% of executives say operations teams have only a general or little understanding of security-staff requirements
Cause: Security teams are judged by how well they block and remediate threats, not how installing a new security patch impacts uptime
• 60% also believe that security personnel have only a passing understanding of operations requirements
Cause: Operations professionals are judged by how well they keep vital business systems up and running, not on speeding the implementation of an update
Source: Forbes Insights and BMC survey of senior security and IT managers at large enterprises in North America and Europe, October 2015
Ripple Effects
SecOps Gaps resulting from misalignment of security and operations result in significant business consequences
• 50% of enterprises experience outages and poor performance in IT systems due to poorly applied security patches
• 44% say it takes organizations weeks to fix high-impact vulnerabilities once a patch is available.
Additional Stat
42% of executives report that poor coordination between security and operations staffs leads to excessive labor costs in both departments
Lots of stats out there saying years to implement fix for Heartbleed – and that’s the RLM fix. Find out BOM, who is affected, fix it.
53% think it’s important/critical to address the increase in the number and the complexity of regulatory compliance requirements in the coming year.
Risks for Regulatory Compliance
Heightened security risks may be the most obvious consequence of the SecOps gap, but regulatory compliance efforts may also suffer
“When teams aren’t aligned around a program for compliance efficiency, it can be a huge productivity hit.”
—Bill Brown, CIO at Veracode
Governance, Compliance, Audit (there might be a bigger story about governance – is everyone just doing their own thing?, then there is the compliance, then the audit gives the trail that’s left by the tool – look for Kurt, Amy). Story could be bigger than compliance. Because of consistency and automation.
Close Alignment Creates New Opportunities
We’ve discussed how the SecOps Gap:
1. Increases security vulnerabilities
2. Threatens downtime in IT systems
3. Leads to unnecessary labor costs in security and operations departments
4. Makes compliance processes less productive
• The question is, how can you close this dangerous gap?
A Three-Pronged Game Plan
To stay on top of today’s complexities, threats and opportunities, large enterprises are developing SecOps strategies that focus on three core areas:
1. People—Security and operations professionals share common goals for making business systems more secure and reliable
2. Processes—Guide and integrate the activities of key stakeholders in security and IT operations
3. Technology—Heighten security by replacing error-prone manual processes with automated tools
It’s not reporting its goals. Need to remember fighting on the same side. Just using different terms – common goals around security issues and performance issues.
People: The Heart of Effective Change
• Rethink internal reporting structures—Reporting to a shared leader creates one consistent vision for the security and operations teams
• Rewrite job descriptions—So security and operations work to achieve common goals
• Create new compensation packages—To reward teams when they successfully balance security and uptime
Forgets the execution piece. How do you release a patch quickly? The key is the fix.
Processes: Frameworks for Success
Large enterprises create collaborative workflows that guide and integrate the activities of key stakeholders in security and IT operations. Baseline analyses of the current environment are key.
“The process starts with a monitoring capability to help us understand what security concerns we’re facing and what remediation we must put in place. Then we move to prioritizing our vulnerabilities.”
—Eric Hlutke, global IT security and compliance director at Anheuser-Busch InBev
Technology: Reap the Benefits of Automation
38% of North American and 44% of European executives see new technology as important
62% look for tools to determine that a patch won’t result in downtime
60% want tools for automating corrective actions
59% value a centralized view into vulnerabilities and remediation actions
60% of North American firms expect to purchase or implement a SecOps solution in the next 12 months
Criteria That Decision Makers Consider Important in SecOps Solutions
62% of executives want flexibility to tailor the solution to the specific regulations and unique needs of their industry
58% want integration with service desks and change-management processes
50% want reporting for compliance audits
Source: Forbes Insights and BMC survey of senior security and IT managers at large enterprises in North America and Europe, October 2015
Build the Business Case for Closing the SecOps Gap
Even the best SecOps strategy won’t get off the ground if CIOs, CISOs and IT operations vice presidents can’t demonstrate the value of investments made to improve security, uptime and compliance activities. Quantify the ROI with targeted metrics.
“Include factors such as trends in downtime and resolution times, as well as user satisfaction rates and the degree to which security can be enhanced without disrupting business functions. The more accurately metrics relate to actual business processes and functions, the better.”
—Amit Basu, chairman of the IT and Operations Management Department, Southern Methodist University’s Cox School of Business
Recap: A Checklist for SecOps Success
1. People
Revise reporting structures to better align security and IT operations
Create cross-functional working groups for greater understanding of each group’s roles
2. Technology
Replace error-prone, manual processes with intelligent compliance and security platforms
Automate the testing and rollout of security patches
3. Processes
Install centralized information management tools