WHITE PAPER: STRATEGIES FOR THE ENTERPRISE TO ADDRESS TODAY’S TOP SECURITY VULNERABILITIES
What might have been a state of rock-solid cyber security last year may be a flawed security approach chock-full of gaps today. This is a reality facing many organizations. To keep pace with the onslaught of cyber threats, organizations must have a proactive security strategy in place. But most senior executives and board members doubt their organizations are prepared. A recent survey by global consulting group EY found that 87 percent of them lack confidence in their organization’s cyber security posture.[5]

Sidebar: 87% of executives and board members lack confidence in their organization’s cyber security posture.[1]

A second factor that is transforming the face of security programs is the evolution of regulatory compliance. Enterprises must continually reevaluate their security posture with the introduction of new regulations such as the EU’s General Data Protection Regulation (GDPR) and the National Institute of Standards and Technology (NIST) framework, as well as changes to existing ones such as the Payment Card Industry Data Security Standard v3 (PCI DSS).

Sidebar: 27% of enterprises experienced a ransomware incident last year.[2]

A final driver of change is the evolving and expanding corporate infrastructure. Many technologies such as mobile devices and cloud capabilities did not exist a decade ago. And the emergence of cloud services and the Internet of Things (IoT), including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, makes protection of the corporate infrastructure an even more daunting undertaking.

Sidebar: An average of 10.7 unique application exploits are present per enterprise organization.[3]

These issues present a number of top cyber security concerns that security leaders must address today.

Sidebar: Ransomware is on track to become a $1 billion per year industry in 2017.[4]
MANAGING RISK EXPOSURE

We live in a day of perpetual digital change. The opportunities for technology disruption often supplant the cyber risk. But in most instances, organizations lack the ability to measure risk, both current and projected, and thereby an understanding of what their risk tolerance looks like even if they wanted to do so.[23] This makes it immensely difficult to assess the risk of existing technology deployments, let alone the anticipated risks of new solutions.

A key driver in the push for organizations to quantify cyber risks and return on investment (ROI) is fueled in part by previous efforts in the financial services industry to quantify financial risks.[24] With cyber security spending growing at an annual rate of 15 percent,[25] organizations are demanding that their security teams demonstrate ROI on these investments.

One realization that companies increasingly reach is that the cyber security team does not belong underneath the IT organization but rather tightly embedded in the business. This enables cyber security leaders to gain a much broader and deeper picture of the business and to prioritize vulnerabilities and measure the impact of incidents from the vista of the business. The following are some of the questions cyber security leaders need to ask:

1. What Matters? Certain data assets and systems are more important than others. These are based on corporate objectives, key performance indicators (KPIs), and other business-related issues.

2. What Is at Risk? This enables an organization to determine what is at highest risk: data, cloud services, devices, or users, among others.

3. What Is the Potential Business Impact? The financial, operational, and brand impact associated with each risk varies. Organizations need to think in terms of the cost to manage a risk (technology, staff, outside resources, etc.) versus the potential financial, operational, and/or brand risk impact to the organization.

4. How Best to Fill Those Gaps? Once risks have been identified and ranked, organizations can align solutions to mitigate each of them. The solutions consist of technology, people, and processes, all of which have a cost tied to them.

5. What Is the Probability/Likelihood? In addition to potential business impact, organizations need to look at the probability (or likelihood) that a risk will occur without any mitigation as well as with mitigation. For example, in an instance where mitigation reduces the probability from 50 percent to 40 percent, the ROI is much diminished as compared to a scenario where mitigation takes the probability from 80 percent to 10 percent.

The above data points are reflected in Table 1 below, where each of the elements is used to prioritize cyber security initiatives based on their ROI. With the emergence of artificial intelligence (AI) and machine learning (ML) capabilities that tap external data and historical trending, cyber security leaders now have the ability to create predictive, data-driven security risk models.[26] These can be employed to develop risk tolerance curves used to develop security strategies and identify which investments will generate the highest ROI.
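The five questions above reduce to a ranking of mitigations by expected loss avoided against mitigation cost. The following is an added example, not code or data from the white paper: it carries the question 5 comparison (50 to 40 percent versus 80 to 10 percent) through on a constructed set of risks whose impact, probability and cost figures are assumed for illustration.

```python
"""Rank cyber risks by the ROI of mitigating them (added example, not from the paper)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: float         # financial + operational + brand loss if the risk occurs (assumed USD)
    p_unmitigated: float  # probability the risk occurs with no mitigation in place
    p_mitigated: float    # probability after the proposed mitigation
    cost: float           # mitigation cost: technology, staff, outside resources (assumed USD)

    def expected_loss(self, mitigated: bool) -> float:
        """Impact weighted by the probability that applies in that state."""
        p = self.p_mitigated if mitigated else self.p_unmitigated
        return self.impact * p

    def risk_reduction(self) -> float:
        """Expected loss the mitigation avoids: the benefit side of the ROI."""
        return self.expected_loss(False) - self.expected_loss(True)

    def roi(self) -> float:
        """Return on the mitigation spend: (benefit - cost) / cost."""
        return (self.risk_reduction() - self.cost) / self.cost


def prioritize(risks):
    """Order risks by mitigation ROI, highest first, as a 'Table 1' style ranking."""
    return sorted(risks, key=lambda r: r.roi(), reverse=True)


# Constructed sample. The first two risks share impact and cost and differ only in
# how far the mitigation moves the probability, mirroring the paper's comparison.
SAMPLE_RISKS = [
    Risk("Patch exposed web application", 1_000_000, 0.50, 0.40, 50_000),
    Risk("Offline backups against ransomware", 1_000_000, 0.80, 0.10, 50_000),
    Risk("Legacy ICS network segmentation", 2_000_000, 0.30, 0.25, 150_000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:36s} avoided={r.risk_reduction():>10,.0f}  ROI={r.roi():6.2f}")
```

A negative ROI, as for the third constructed risk, flags a mitigation whose cost exceeds the expected loss it removes; that is the case where a cheaper control or accepting the risk belongs on the tolerance curve.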
References

1. “Path to Cyber Resilience: Sense, Resist, React,” EY’s 19th Global Information Security Survey 2016-17, 2016.
2. Jon Oltsik, “Through the Eyes of Cyber Security Professionals: An Annual Research Report,” a Cooperative Research Project by ESG and ISSA, December 2016.
3. “Threat Landscape Report: Q4 2016,” Fortinet, January 2017.
4. Kyle Torpey, “2016 Big Year for Ransomware—70% Pays in This $1 Billion Industry,” Bitcoin, December 29, 2016.
5. “Path to Cyber Resilience: Sense, Resist, React,” EY’s 19th Global Information Security Survey 2016-17, 2016.
6. “Path to Cyber Resilience.”
7. Michael Suby, et al., “The 2015 (ISC)2 Global Information Security Workforce Study,” Frost & Sullivan, 2015.
8. “Path to Cyber Resilience.”
9. “Cyber Threat Intelligence—How to Get Ahead of Cybercrime.”
10. Jon Oltsik, “Through the Eyes of Cyber Security Professionals: An Annual Research Report,” a Cooperative Research Project by ESG and ISSA, December 2016.
11. Lily Hay Newman, “Hacker Lexicon: What Is An Attack Surface?” Wired, March 12, 2017.
12. Louis Columbus, “Roundup of Internet of Things Forecasts and Market Estimates, 2016,” Forbes.com, November 27, 2016.
13. Ibid.
14. “IoT Security: The Majority of IoT Devices Is Not Monitored in Real Time,” i-SCOOP, accessed April 10, 2017.
15. “2016 Industrial Control System Security Trends: Challenges and Strategies for Securing Critical Infrastructure,” Fortinet and Forrester, September 14, 2016.
16. Fahmida Y. Rashid, “The Dirty Dozen: 12 Cloud Security Threats,” InfoWorld, March 11, 2016.
17. “Building Trust in a Cloudy Sky.”
18. “Cloud Security Standards: What to Expect & What to Negotiate: Version 2.0,” Cloud Standards Customer Council, August 2016.
19. “Threat Landscape Report: Q4 2016.”
20. “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,” McAfee, January 2017.
21. Ibid.
22. Patrick Moorhead, “With a Few Surprises: Cisco Releases 2017 Annual Cybersecurity Report,” Forbes, February 14, 2017.
23. Natalia Nelson, “How Companies Achieve Balance Between Technology Enabled Innovation and Cyber-Security,” MBA Thesis, Massachusetts Institute of Technology, June 2016.
24. J.R. Reagan, et al., “Quantifying Risk: What Can Cyber Risk Management Learn from the Financial Services Industry?” Deloitte University Press, July 25, 2016.
25. “Cybersecurity Market Report,” Cybersecurity Ventures, Q1 2017.
26. Douglas W. Hubbard and Richard Seiersen, How to Measure Anything in Cybersecurity Risk (New York: John Wiley & Sons, 2016).
Copyright © 2017 Fortinet, Inc. All rights reserved. 76764-A-0-EN May 15, 2017