As part of my job, I speak with lots of CISOs about their day-to-day activities, challenges, and responsibilities. Motivated by a few of these discussions last summer, I posted a blog called the CISO-centric Information Security Triad, which defined the three primary CISO priorities: security efficacy, operational efficiency, and business enablement.
As I’ve written several times, endpoint security used to be synonymous with a single software product category--antivirus software. As a result, the endpoint security market was really dominated by five major vendors: Kaspersky, McAfee, Sophos, Symantec, and Trend Micro.
I was able to get out of snowy Boston this week to give a presentation on enterprise security to a Federal IT audience in Washington DC. As usual, I stated my opinion that enterprises are in the midst of a profound transformation with how they address cybersecurity risk. This change will require a new strategy around security technology and a new type of leadership from CISOs.
For the past 15 to 20 years, the vast majority of organizations have installed commercial antivirus software on just about every PC residing on their networks. This resulted in a multi-billion dollar industry dominated by five vendors: Kaspersky Lab, McAfee (Intel Security), Sophos, Symantec, and Trend Micro. AV security efficacy has come into question over the past few years, however, as cyber-criminals and state-sponsored hackers regularly use customized malware and zero-day attacks to circumvent AV and compromise PCs.
Those of us in the cybersecurity community can name-drop dozens of data breaches from the last ten years, but the late 2013 breach at US retailer Target could be considered a game-changer. In addition to the $148 million price tag, the CEO and CIO were both ousted in the wake of the cyber-attack.
In order to accurately assess organizations’ endpoint security technologies, policies, and processes, ESG surveyed 340 IT and information security professionals representing large midmarket (500 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America. All respondents were responsible for evaluating, purchasing, and managing endpoint security technology products and services.
Endpoint security used to be a quasi “set-it-and-forget-it” category at many enterprise organizations. The IT operations team would provision PCs in an approved, secure configuration and then install AV software on each system. Of course there were periodic security updates (vulnerability scans, patches, signature updates, etc.), but the endpoint security foundation was set and dry by then.
Like all other industry analysts, I offered my prognostications for 2015 in my blog way back in 2014. Prediction #1 on my list: Widespread impact from the cybersecurity skills shortage.
Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s information security service. With over 25 years of technology industry experience, Jon is widely recognized as an expert in all aspects of information security and is often called upon to help customers understand a CISO's perspective and strategies. Recently, Jon has been an active participant in cybersecurity issues, legislation, and technology within the U.S. federal government.
© 2015 by The Enterprise Strategy Group, 20 Asylum Street, Milford, MA 01757 508.482.0188