INFORMATION SECURITY
STUDY
MARKET DYNAMICS
Designed for IT professionals, this report captures highlights from the complete study, and provides business intelligence in the form of technological roadmaps, budget trends, ‘voice of the customer’ narratives and vendor spending plans and performance ratings.
© 2014 451 Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication, in whole or in part, in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such. 451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
TheInfoPro™ and logo are registered trademarks and property of 451 Research, LLC.
TheInfoPro’s Information Security Study takes an in-depth look at key industry trends and tracks the
performance of individual vendors. Now in its 11th year, this study was finalized in December 2013
and is based on 207 interviews.
TheInfoPro’s methodology uses extensive interviews with a proprietary network of IT professionals
and key decision-makers at large and midsize enterprises. Each interview explores several
fundamental areas, including the implementation and spending plans for technologies, evaluations of vendors
observed from business and product perspectives, macro IT influences transforming the sector, and
factors affecting decision processes. Results are collated into comprehensive research reports
providing business intelligence in the form of technological roadmaps, budget trends and vendor spending
plans and performance ratings.
EXAMPLES OF VENDORS COVERED IN THE STUDY
Aruba Networks, Blue Coat Systems, Check Point, Cisco, Dell, EMC (RSA), FireEye, Fortinet, Guidance Software, Hewlett-Packard, Imperva, Juniper Networks, McAfee, Microsoft, Palo Alto Networks, Qualys, Sophos, Sourcefire, Symantec, Websense
ABOUT THE AUTHOR
This report was written by Daniel Kennedy, Research Director for Networking and Information Security.
Daniel Kennedy is an experienced information security professional. Prior to joining 451 Research, he was a partner in the information security consultancy Praetorian Security LLC, where he directed strategy on risk assessment and security certification. Before that, he was Global Head of Information Security for D.B. Zwirn & Co., as well as Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York.
Kennedy has written for both Forbes online and Ziff Davis and has provided commentary to numerous news outlets, including The New York Times and The Wall Street Journal. His personal blog, Praetorian Prefect, was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.
Kennedy holds a master of science degree in information systems from Stevens Institute of Technology, a master of science in information assurance from Norwich University, and a bachelor of science in information management and technology from Syracuse University. He is certified as a CEH (Certified Ethical Hacker) from the EC-Council, is a CISSP, and has a NASD Series 7 license.
Wave 16
Table of Contents
ABOUT THEINFOPRO INFORMATION SECURITY STUDY
EXECUTIVE SUMMARY
MACRO TRENDS
  BUDGET
  THE PREDICTING POWER OF PAIN
  TOP INFORMATION SECURITY PROJECTS
  SECURITY ORGANIZATION
  ROLE OF COMPLIANCE
  THREAT RESPONSE
  SECURITY AWARENESS
  SECURITY POLICY
TECHNOLOGY ROADMAP
  INFRASTRUCTURE SECURITY ROADMAP
  APPLICATION SECURITY
  NETWORK SECURITY
VENDOR PERFORMANCE
  ENTERPRISE SPENDING
  CUSTOMER RETENTION
  PROMISE VS. FULFILLMENT
APPENDIX A: DEMOGRAPHICS
APPENDIX B: METHODOLOGY AND SCOPE
APPENDIX C: INTERPRET THE DATA
APPENDIX D: ADDITIONAL INFORMATION ABOUT CHART FOOTNOTES
INFORMATION SECURITY STUDY, WAVE 16
PCI, SOX, HIPAA, GLBA and other regulations occupy a good chunk of enterprise security managers’ time, as the requirements are translated into legal/compliance functions within the enterprise. Working out the appropriate level of interplay with compliance is a major concern of managers interviewed for the Wave 16 Security Study, and a continued indicator of the ‘catch-up’ nature of enterprise security. Thirty-eight percent (38%) of enterprises saw budget increases specifically to deal with compliance projects, the same percentage that said the most common way for security projects to be funded was compliance deciding they needed to be done. Nearly half of security managers (42%) have serious concerns about the technical abilities of those conducting internal audits that drive these requirements.
Not surprisingly, compliance-related concerns top this
year’s list of security managers’ pain points, most notably
data security, which is now at number two. Regulatory
requirements have risen as a source of consternation from
1% to 8% between studies. The technical offshoot of data
security, authorization/access control or maintaining the
principle of least privilege in the workplace, was cited by
representatives of 10% of interviewed enterprises.
The disrupter technology in the security world continues
to be mobile. Mobile device management (MDM) is the top source of pain at 18% of large enterprises.
This refers to dealing with the proliferation of employee-owned mobile devices being connected
to company resources, most commonly email but increasingly file shares and applications. MDM
offerings have stepped in to help solve this problem, and the technology has seen incredible growth,
moving from 46% in use a year ago to 59% in use now. Expect a further 8% worth of new large
enterprises implementing MDM in the next six months.
With concerns about keeping data out of the wrong hands, the top project in 2013 was identity
management. This project took the slot from data-loss prevention (DLP), which led in 2012 but is now in
fourth place. Other projects under the identity management umbrella that cracked the top projects
list include authorization/access control and privileged identity management. Thirty-nine percent
(39%) of security managers cited IT professionals with elevated privileges as the greatest insider threat
they deal with.
The effects of last year’s acquisitions became evident in this study, especially in the SIEM space, where
IBM and McAfee now appear as serious enterprise competition for HP with the acquisitions of Q1
Labs and Nitro Security, respectively. This year’s changes include security monitoring provider Vigilant
becoming part of Deloitte; Solutionary is now a part of NTT Communications; application-aware
firewall maker StoneSoft joined McAfee; and in two deals with eye-popping valuations, Cisco acquired
Sourcefire and FireEye added incident response provider Mandiant.
Looking forward we see the effects of new technology. Cloud insecurity rose as a cited pain point
interstudy from 2% to 8% of enterprises. On the technology roadmaps, enterprise security managers
reported plans that will double the use of cloud security solutions from 14% now to 28% in the next
18 months.
[Chart: Information Security Budget Changes 2014 vs. 2013. Share of respondents by planned change, in bands from "> 50% Less" to "> 50% More": 45% plan increased spending, 44% plan stable spending, 11% plan decreased spending.]
Budget direction by comparison period:
2014 vs. 2013 (2H '13): Decreasing 11%, No Change 44%, Increasing 45%
2013 vs. 2012 (2H '13): Decreasing 15%, No Change 39%, Increasing 46%
2012 vs. 2011 (2H '12): Decreasing 10%, No Change 45%, Increasing 45%
Macro Trends
BUDGET, HOT TECHNOLOGIES AND KEY TRENDS
BUDGET
Information security budgets continue a healthy multi-year run, with 46% of enterprises increasing their security budgets in 2013 against only 15% decreasing security budget allocations. 2014 projects similarly positive, with 45% of respondents reporting their enterprises will increase spending on security against only 11% decreasing the same. Most of the budget increases are in the 5-10% range next year, while 5% of enterprises see their security budgets decreasing by 25% to 50%. The highest reported median budgets were in the financial services and business/accounting/engineering verticals, each averaging $5.5m. Capex on security equipment dwarfs opex 67% to 33%. Almost half of all enterprises surveyed (45%) believe spending on third-party services will increase in 2014.
COMMENTATOR QUOTES
We are on a November budget schedule and in a preliminary budget cycle for 2014. Our budget is an always-changing growth. We spend in security/compliance pretty close to $2m a year – pretty low overall. As budget controls have been engaged, we’re actually spending less this year. 2014 budgets depend upon our third- and fourth-quarter performance.
LE, Consumer Goods/Retail
In 2013, we added 40% more security staff. Now that includes DR/BC, security infrastructure, infosec, risk, etc. There was a scope and organization change as well. These functions are now consolidated under the CISO. I represent the old IT security organization.
LE, Financial Services
Information Security Budget Trends
THE PREDICTING POWER OF PAIN
Mobile device management takes over as the security manager’s greatest pain point at 18% of enterprises; this is managing the proliferation of employee-owned mobile devices connecting to company resources (most commonly email) rather than MDM tools themselves. Data security has also seen a serious uptick in concern, rising to number two on the list of pain points, up 8 percentage points from last year, which may coincide with the increase in enterprises citing regulatory requirements as their primary source of pain, up to 8% of enterprises from 1% last year. Authorization/access control can be seen as a similar concern: how employees have access to data in a way that maintains the principle of least privilege, a chief pain point for 10% of enterprises. Rounding out the top four concerns of security managers are problems with administering and the effectiveness of security awareness training at 11% of enterprises, and dealing with organization politics, cited by 11% of enterprises. User behavior, cited by 9% of respondents as the key pain point, is somewhat related to the security awareness ineffectiveness. Cloud insecurity leaped from 2% last year to 8% this year as a key source of pain.
Information Security Pain Points
What are your top information security-related pain points?
Select up to three. n=206.
COMMENTATOR QUOTES
Change in attack vectors – it’s really phishing and the website drive-bys and the hijacking. And there isn’t a lot of, no one’s caught up with it yet. The government was supposed to do a lot of this, and they haven’t, consolidate the lists of who’s being bad so I can prophylactically shut them down.
LE, Consumer Goods/Retail
Not having security on the front burner – not enough urgency at this time, but we have the thumbs up to spend on some technologies.
LE, Financial Services
And inward out is the over-reliance of appliances and physical assets to enable security controls. The lack of virtualization for security controls. So I don’t have to deploy a piece of hardware within my environment to get my security controls. Because my environment is changing too quickly and actually becoming more SDN than physical, and security is behind.
LE, Consumer Goods/Retail
[Chart: Information Security Pain Points, bar values from 3% to 18%. Categories shown: Endpoint Security; Firewall; Keeping Up With New Technology; Mobile Device Security; Patch Management; Risk Assessment; Tool Management; Security Organization; Incident Response; Policy Management; Vulnerability Management; Third Party Security; Budget; Identity Management; Application Security; Resource Constraints; Monitoring; Malware; Cloud; Regulatory Requirements; User Behavior; Compliance/Auditing; Hackers; Authorization/Access Control; Organizational Politics; Security Awareness Training; Data Security; Mobile Device Management.]
Other Pain Points Mentioned
Asset Management, Attack Surface, Business Continuity, Change Management, Data Classification, DDoS, Directory Services, Documentation, Dual Factor Authentication, Encryption, Intellectual Property Protection, Intrusion Management, Key Management, Log Management, Mergers and Acquisitions, Metrics, NAC, Network Security, Outsourcing, Password Management, Phishing, Physical Security, Portable Storage, Privileged Access Management, Remote Access, Resiliency, Security Architecture, Security Operations, SIEM, Social Media, Spam, Threat Intelligence, User/Business Requirements, Virtualization Security, Web Content Filtering, Wireless Security
TOP INFORMATION SECURITY PROJECTS
Identity management took over as the top security project in 2013, deposing data-loss prevention (DLP), which slipped to fourth place. Add in related projects such as authentication, authorization/access control, and privileged identity management, and the gap is more pronounced.
Many identity management projects are compliance-driven; the case is similar with SIEM and DLP, meaning three out of the top four security projects have roots in compliance spending. This coincides with how projects are approved: at 38% of enterprises ‘compliance decides,’ dwarfing the next most common approval mechanism, some manner of ROI calculation, present at 10% of enterprises. Demonstrating an increased attention to monitoring over prevention, both SIEM and intrusion management have seen upticks in the number of enterprise project implementations.
COMMENTATOR QUOTES
Outside vendor access and relations – how to ensure the people we’re doing business with are themselves a measure of secure. Are they subcontracting, and if so, are they [the subcontractors] secure? We’re gonna hold you responsible for the security.
LE, Consumer Goods/Retail
Identity as a service. In those instances where we deal with people from other companies, what identities are we using. Or if we wanted to do something with alumni, people that used to work with us, how to identify with them.
LE, Consumer Goods/Retail
Information Security Projects
What are your organization’s top information security-related projects in the next 12 months?
Select up to three. n=204.
Anti-DDoS 3%; Datacenter Expansion/Consolidation 3%; Directory Services 3%; GRC 3%; VPN/Remote Access 3%; Cloud Computing Control 4%; Data Security 4%; PCI Compliance 4%; Data Classification 4%; Web Content Filtering 5%; Application Security 6%; Encryption 6%; Monitoring Improvements 6%; Vulnerability Assessment 6%; Security Awareness 7%; Keeping Up With New Technology 8%; Log Management 8%; Policy Management 8%; Authorization/Access Control 9%; Mobile Device Management 9%; Intrusion Management 10%; DLP 12%; Firewall Management 13%; SIEM 13%; Identity Management 14%
Other Projects Mentioned
Alignment to Best Practices, AML Requirements, Anti-fraud, Anti-malware, Anti-phishing, Anti-spam, Anti-virus, Application Blacklisting, Application Whitelisting, Authentication, Configuration Management, Disaster Recovery, Dual Factor Authentication, E-discovery, Endpoint Security, File Integrity Monitoring, HIPAA Compliance, Incident Response, Insider Security, Managed Security Services, Mergers and Acquisitions, Metrics, NAC, Network Segmentation, Operating System Security, Outsourcing, Password Management, Patch Management, PKI, Privileged Identity Management, Risk Assessment, Secure File Transfer, Security Architecture, Security Operations, Security Organization, Segregation of Duties, Single Sign On, SSL, Third Party Security, Threat Intelligence, Tokenization, Tool Management, UTM, Virtualization, Virtualization Security, WAF
SECURITY ORGANIZATION
The greatest percentage of enterprises in the Wave 16 Study, 53%, employ 10 or fewer full-time information security professionals. Growth is in the cards, though; of the 51% of respondents who stated there were structural changes to their teams, the greatest numbers of those (22%) were additions to staff.
The information security team is a separate division in only 42% of enterprises. The majority of information security professionals are still embedded within information technology, creating an obvious conflict of interest when security and IT clash over project requirements or delivery. Physical security reporting into the same leadership structure as information security occurs in only 16% of enterprises.
Even in the 42% of organizations where security is a separate division, 65% of those divisions reported up to the head of information technology, typically a CIO.
Twelve percent (12%) reported to a risk management-based position. There is very little consistency in the way information security professionals are measured by enterprises: project management, compliance, issue or ticket resolution, vulnerability metrics, and the number of breaches or incidents all feed into the perception of security’s effectiveness at different large enterprises.
COMMENTATOR QUOTES
Infosec officer (me) reports to risk management for the organization. The operations and implementation folks are all part of IT and are not segregated per se.
LE, Healthcare/Pharmaceuticals
I report to the CIO and dotted line to the chief risk officer. It’s through the CRO that I have visibility to the board of directors.
LE, Financial Services
Information Security Organizational Structure
Is information security a separate division or department at your enterprise?
n=194. See Appendix for full set of questions and sample sizes.
Is Security a Separate Division?
Yes 42%; No 58%
If Not, Where Does It Lie?
Directly to Board of Directors 1%; Legal 1%; Privacy Department 1%; Finance 2%; Business Unit 3%; Information Technology 93%
If So, Who Does It Report To?
Other 1%; Compliance 1%; Directly to COO 1%; Executive Committee 1%; Business Unit 3%; Directly to CEO/Chairman 3%; Finance 5%; Directly to CISO or Equivalent 7%; Risk Management 12%; Information Technology 65%
ROLE OF COMPLIANCE
PCI, SOX, HIPAA and GLBA are cited most often as having ‘regulatory requirements’ for information security, and 38% of information security managers saw their budget increase specifically to deal with regulatory or legal compliance requirements, usually in the 1-20% range of increase. The majority of enterprises are conducting between one and 30 internal and external assessments annually.
When considering these internal audits, security managers found the greatest strength of their company’s auditors to be their process orientation (32% of enterprises). The greatest weakness, cited by 42% of security managers, was a lack of technology knowledge impeding the quality of audit results or findings.
It’s just consistent increasing capabilities. I know it sounds stupid, but honestly, when you’re out there in the world, people still can’t patch their [expletive]. Everybody’s looking for a silver bullet. There isn’t one. You have to do work, dumbass. Everybody’s working hard not to do the work. And non-technical CSOs are so involved in the process that they don’t get s--- done.
LE, Consumer Goods/Retail
People have really brittle infrastructure and they’re so wound up answering checklists that they’re actually not providing security. And the new generation doesn’t give a s--- about security, not one iota. You get this wild divergence. [They say] ‘I just wanna be able to do anything I need to do my job, or if I just feel like it.’ It’s almost like communism. [You see] Really rigid adherence to auditors rather than providing security. Auditors have a really hard time with me. They’re not technical, don’t understand what you’re saying to them, they say ‘show me the checklist.’
LE, Consumer Goods/Retail
Approval Methodology
How are security projects approved within your organization?
n=248.
None 17%; Various Approval Methodologies 3%; CISO Decides 1%; Holding Company Driven 1%; Operations Decides 1%; Reaction to Security Problem 1%; Sacred Cow 2%; Ad Hoc 2%; Strategic Plan 2%; Business Group Driven 4%; Senior Management Decides 4%; CIO Decides 5%; Committee Approval 5%; Risk Assessment 7%; ROI Calculation 10%; Compliance Decides 38%
COMMENTATOR QUOTES
Strategy – rather than participating in an arms race in which I must come in with the new controls. Rather get rid of the data that is in question. New point of sale required 4,000 servers being encrypted to protect data. Let’s not store SS, year of birth with point of sales system. De-scope for PCI.
THREAT RESPONSE
Sixty-three percent (63%) of information security managers are most concerned with external threats to their enterprises, while 37% believe their focus should be on internal threats such as employee malfeasance. Considering that internal threat, 51% of security managers said contractors and temporary staff were a population that posed the greatest risk of insider threat. Thirty-nine percent (39%) said information technology professionals with elevated privileges such as root or domain admin were a serious source of insider threat.
COMMENTATOR QUOTES
Functionally, those who have a need to get to the member data, rather than client data, application tool set.
LE, Financial Services
It’s about company culture. The programmer who believes that they are invincible.
LE, Financial Services
Threat Rankings – Personnel Type
Which of the personnel types below do you consider to be the greatest internal IT security risk to your organization? n=197.
[Chart: Threat Rankings – Personnel Type, bar values from 1% to 51%. Categories shown: BYOD; Departing Employees; Engineers; Field Workers; High Ranked Officials; Hosting Partners; Overeager Programmers; The Uninformed; Visitors; Students; Technical Staff Without Elevated Privilege; Business Partners; Remote Employees; Outsourced Service Provider Personnel; Management/Executive Team; Business Unit Staff (Non-IT Technical); Technical Staff Elevated Privilege (Including IT Systems Administrators); Contractors and Temporary Staff.]
SECURITY AWARENESS
Eleven percent (11%) of enterprises cited security awareness training as the top pain point in their enterprises, with a further 9% citing user behavior as the chief issue. While 43% of enterprises invested more than 150 hours building and administering coursework to employees per year, a quarter spent only between one and 50 hours a year doing the same.
SECURITY POLICY
Sixty-two percent (62%) of information security departments are tasked with setting policies for their organizations, whereas 38% of security managers see their primary role as the implementation of policies decided upon elsewhere. Thoughts on policy enforcement or effectiveness split nearly evenly: 47% of enterprise security managers believe their policies are little more than paper tigers, while 46% believe policy enforcements are effective. A much greater 65% of enterprises believe they have a strong business continuity plan in place ready for the next minor or major disaster.
COMMENTATOR QUOTES
Continuing security awareness, especially as attack factors change. Client-side, via phishing, is changing. As users engage on the Internet more than they had, they need to be educated about how to recognize and handle attacks.
LE, Healthcare/Pharmaceuticals
It’s not. The way that I am measured against my goals and performance management plan – initiated two years ago with the newest HR director. The firm has goals which are aligned with the company’s five strategic initiatives. GRC system, SOX compliance are examples of these goals/projects. The two metrics in the IT strategic plans are 1) audit deficiencies and 2) percentage of employees who take the security awareness training – we rolled it out in the last year.
LE, Healthcare/Pharmaceuticals
End User Security Training
How many hours per year does your team spend on security awareness programs and training for end users? n=162.
Hours per year: None 11%; 1-50 25%; 51-100 14%; 101-150 7%; > 150 43%
COMMENTATOR QUOTES
I think it’s [expletive] stupid. We are totally around prophylactics. Don’t let them hurt themselves. If it’s written, it’s automatic. It’s disallowed. Only thing is porn – hey, dumbass. Once people know we watch it, [porn usage] just literally went away. I’ll call people, and say, seriously, how can you watch porn on your BlackBerry?
LE, Consumer Goods/Retail
Can I lie? We have some very good policies that don’t get enforced as well as they should be. I think we need to be more even-handed, and handle everybody the same way.
LE, Consumer Goods/Retail
Thoughts on Policy Enforcement
What are your thoughts on the enforcement of your organization’s formal written security policies?
Ineffective 47%; Effective 46%; Neutral 7%
Technology Roadmap
According to TheInfoPro’s proprietary Heat Index, a measure of the immediacy of user needs around a security technology, endpoint data-loss prevention (DLP) takes the pole position. Compliance concerns around both customer custodial information and intellectual property continue to drive DLP adoption, currently led by endpoint security titans Symantec and Intel’s McAfee.
The aforementioned phenomenon of employees connecting personal devices to the company network, ‘bring your own device’ (BYOD), sees mobile device management (MDM) climb to third in the Heat Index and has also driven network access control (NAC) from a more stagnant technology to sixth place.
Pre-integration of security technologies into a SIEM or other ‘security dashboard’ would influence 50% of enterprise security managers’ buying decisions, a marked advantage for larger vendors with portfolios of security technologies as long as those technologies form a part of a coherent whole.
Heat Rank | Technology | Heat Score | Adoption Score
1 | Endpoint Data-loss Prevention Solutions | 100 | 28
2 | Application-aware Firewall | 97 | 28
3 | Mobile Device Management | 95 | 52
4 | Security Information Event Management (SIEM) | 87 | 57
5 | Identity Management | 85 | 48
6 | Network Access Control (NAC) | 78 | 13
7 | Event Log Management System | 76 | 63
8 | Network Data-loss Prevention Solutions | 73 | 13
9 | Unified Threat Management (UTM) | 72 | 2
10 | Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment | 70 | 26
11 | IT GRC (Governance, Risk, Compliance) | 60 | 22
12 | Policy and Configuration Management | 54 | 35
13 | Two-factor (Strong) Authentication for Infrastructure (e.g., VPN, Remote Access) | 51 | 53
13 | IT Security Training/Education/Awareness | 51 | 25
15 | Advanced Anti-malware Response | 50 | 17
15 | Network Intrusion Detection and/or Prevention (NIDS/NIPS) | 50 | 86
17 | Virtualization Security | 48 | 12
18 | Email Encryption | 46 | 53
19 | Web Application Firewall (WAF) | 44 | 26
20 | Mobile Device Security (Not MDM) | 43 | 8
20 | Anti-botnet | 43 | 24
20 | Threat Intelligence | 43 | 19
23 | Cloud Security | 41 | 1
23 | Managed Security Service Provider (MSSP) | 41 | 20
25 | Information or Digital Rights Management | 32 | 0
26 | Laptop Encryption | 28 | 67
26 | Tokenization | 28 | 2
28 | Email/Messaging Archiving/Compliance | 27 | 47
29 | Multifactor Authentication for Web-based Applications | 25 | 18
30 | Hard Drive Encryption | 24 | 42
31 | Key Management and/or Public Key Infrastructure | 24 | 37
32 | Database Security | 23 | 24
33 | Single Sign-on | 23 | 39
34 | Network Firewalls | 22 | 100
35 | Web Content Filtering | 20 | 67
36 | Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment | 19 | 22
37 | File Integrity Monitoring | 18 | 18
38 | Vulnerability/Risk Assessment/Scanning (of Infrastructure) | 15 | 80
38 | Secure File Transfer | 15 | 46
38 | SSL VPNs | 15 | 79
41 | Penetration Testing | 14 | 69
41 | Computer Forensics | 14 | 38
41 | Secure Instant Messaging | 14 | 24
44 | Anti-spyware | 8 | 68
44 | Host Intrusion Detection and/or Prevention (HIDS/HIPS) | 8 | 36
46 | Patch Management | 6 | 82
47 | Anti-virus | 4 | 90
48 | Anti-spam/Email Security | 0 | 82
Technology Heat Index®: measures user demand for a technology based on several factors including: usage or planned usage, changes in planned spending, an organization’s budget for the relevant IT sector, and future changes in the organization’s budget. A high score means a technology is expected to see significant growth. A ‘!’ vendor has at least twice the number of selections as the closest competitor.
Technology Adoption Index: measures aggregate investment in a technology based on several factors including: usage or planned usage, changes in planned spending, and an organization’s budget for the relevant IT sector. A high score means the technology is already experiencing healthy adoption.
Information Security Technologies: Heat Index® vs. Adoption Index
Mobile device management had the strongest spending intentions in 2013; 41% of respondents stated their enterprises increased spending as a management response to employees bringing their own devices (BYOD) to work. Spending on MDM only improves in 2014, with 46% of respondents indicating an intent to increase spending. Cloud-specific security solutions are implemented in less than 15% of enterprises now, but expect that to change, potentially doubling over the next 18 months. Forty-three percent (43%) of security managers say that securing the hybrid cloud is the priority.
Firewalls, both standard stateful ones and newer ‘application-aware’ products, had healthy spending allocations in 2013, placing second and third respectively in the list of technologies the greatest percentage of security managers increased spending on. Next year, security information and event management (SIEM) climbs to second place behind only MDM in spending change, as security managers continue their renewed focus on proactive monitoring and reaction to security incidents in addition to preventative controls.
INFRASTRUCTURE SECURITY ROADMAP
The infrastructure security category serves as a catchall for technologies from vulnerability assessment and
Infrastructure Security Technology Roadmap
What is your status of implementation for this technology?
n=198-205. 14% 18% 19% 26% 27% 28% 33% 36% 38% 52% 54% 61% 68% 80 % 82% 84% 88% 1% 1% 1% 1% 2% 1% 3% 1% 1% 1% 2% 1% 2% 1% 1% 2% 3% 1% 1% 5% 2% 2% 2% 2% 2% 3% 1% 2% 2% 11% 3% 4% 4% 9% 5% 2% 8% 4% 6% 3% 2% 5% 1% 1% 1% 2% 1% 1% 1% 2% 1% 1% 2% 1% 1% 1% 1% 2% 1% 68% 70 % 69% 58% 52% 58% 60 % 42% 53% 34% 37% 31% 22% 12% 15% 12% 7% 3% 7% 6% 7% 5% 6% 4% 4% 2% 6% 4% 3% 1% 2% 2% 2% 3% Cloud Security Information or Digital Rights Management Tokeniz ation Mob ile Device Security ( Not MDM) Netw ork Data- loss Prevention Solutions
V irtualiz ation Security File Integrity Monitoring Endpoint Data- loss Prevention Solutions Managed Security Service Provider ( MSSP) K ey Management and/or Pub lic K ey Infrastructure H ost Intrusion Detection and/or Prevention ( H IDS/H IPS)
H ard Drive Encryption Tw o- factor ( Strong) A uthentication for Infrastructure Laptop Encryption A nti- spyw are Penetration Testing V ulnerab ility/Risk A ssessment/Scanning ( of Infrastructure)
In Use Now ( Not Including Pilots) In Pilot/Evaluation ( Budget H as A lready Been A llocated) In Near- term Plan ( In Next 6 Months) In Long- term Plan ( 6- 18 Months)
Past Long- term Plan ( Later Than 18 Months Out) Not in Plan Don' t K now
CO MM E N TATO R Q U OT ES
[Virtualization security:] I don’t know of any product, do you? We are 95% virtualized in our datacenter ... we’re still depend-ing on the hypervisor layer for our security. If it can break through that, we’re in trouble. Some thdepend-ings you just have to trust.
LE, Education
We’re supposed to be doing that [laptop encryption] but people are resistant. Never gets off the ground, crashes on the pad. The security office sets it up, but there’s not enough people to carry it through, not enough resource. Even the pilot sorta fizzled. They talk about it, but nobody enforces it. Even us techies don’t like to do it.
Wave 16
CO M ME N TATO R Q U OT ES
Symantec [has exciting] offerings – the DLP. We have al-most stopped business with them because we find McAfee superior in the antivirus space, but they seem to know the DLP space well with Vontu, and they’ve enhanced that technology quite a bit.
LE, Materials/Chemicals
IN FO RM AT I O N S ECUR ITY ST U DY | TECH N OLOGY ROA DMA P 15
penetration testing to data protection technologies like encryption and DLP.
Both flavors of DLP, endpoint and network, continue an upward growth trajectory, poised to grow 16 and 14 percentage points respectively in the next 18 months. Cloud security solutions are implemented at only 14% of enterprises but could grow another 14% in the next 18 months as enterprise security managers look for ways to properly secure hybrid cloud implementations.
Vulnerability testing/risk assessment solutions are now implemented at 88% of enterprises, with Qualys out to a large lead over contenders including Rapid7 and Tenable. Laptop encryption is increasingly common, implemented at 80% of enterprises with Microsoft, McAfee and Symantec leading the choices of vendor solutions. Information rights or digital rights management (DRM) products continue to be a niche solution; 18% of enterprises rely mainly on solutions from Microsoft.
Symantec has for the first time ranked ahead of Dell (SecureWorks) in the managed security service provider category; however, growth projections show Dell may reacquire the top slot next year. Tripwire remains completely dominant in File Integrity Monitoring.
While endpoint security providers Symantec and Intel’s McAfee lead the data-loss prevention (DLP) list of vendors, Websense has risen to take third place. When it comes to a second factor for authentication, EMC/RSA tokens continue to be the dominant choice capturing 40% of enterprises.
Figure: Endpoint Data-loss Prevention Solutions. Panels: Implementation Roadmap (2H '11, n=176; 2H '12, n=200; 2H '13, n=205); Spending Change (2013 vs. 2012, n=107; 2014 vs. 2013, n=108); Vendor Implementation.
We’ve got a big PII initiative we’re trying to take on, to really secure any information that could be related to personal identifiable, from policy point of view and encryption. It will probably bring in other things such as DLP.
SECURITY MANAGEMENT
The security management category includes such long-term standbys as antivirus and patch management alongside increasingly ubiquitous log management and SIEM solutions.
Mobile device management (MDM) is being driven quickly into use by the security conditions created when employees bring their own devices to work (BYOD). A fast rise from 46% in use last year to 59% in use this year will continue to grow a further 8 percentage points in the next six months. About a third (32%) of enterprises noted greater spending on their SIEM solutions in 2013, a figure that balloons to 46% in 2014 based on the predictions of interviewed security managers. SIEM, besides being a compliance-driven solution around log review, also continues to grow based on security managers’ focus on reactionary controls as a supplement to preventative measures. Another key compliance initiative, the catchall ‘identity management,’ captures increased spending intentions among 40% of interviewed enterprises seeking to get their hands around proper implementation of the principle of least privilege.
No technology is more ubiquitous in this category than antivirus, implemented at 100% of the enterprises interviewed in the study, and led largely by security stalwarts Symantec and Intel’s McAfee. Close behind are patch management solutions, implemented at 97% of interviewed enterprises. This is a bit of a false indicator, though, as the majority of enterprises cite Microsoft management tools as their primary patch management solution, indicating they do not have a dedicated third-party patch management solution (rather they are using Microsoft tools to manage a Microsoft environment) such as that provided by IBM (BigFix).
Figure: Security Management Technology Roadmap. "What is your status of implementation for this technology?" Technologies charted: Threat Intelligence; IT GRC (Governance, Risk, Compliance); Secure Instant Messaging; IT Security Training/Education/Awareness; Policy and Configuration Management; Single Sign-on; Identity Management; Computer Forensics; Mobile Device Management; Email/Messaging Archiving/Compliance; Security Information Event Management (SIEM); Event Log Management System; Patch Management; Anti-virus. Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.
Threat intelligence is the least implemented technology under the security management umbrella. However, at 36% of enterprises and with an ever-changing definition of what constitutes a ‘threat intelligence solution,’ expect future focus in this area.
Good Technology has taken the lead in MDM implementations but faces serious competition from both MobileIron and AirWatch, all continuing to take share from the leader of a few years ago, BlackBerry. The SIEM space remains contested even as solutions become commonplace in the enterprise. HP with ArcSight retains the lead. However, IBM (acquired Q1Labs), EMC with Envision, and McAfee (acquired NitroSecurity) battle it out with the pure-play Splunk, a log management tool being used as a SIEM.
Oracle’s identity management solutions continue to see potential for growth as the only major vendor outside of using Microsoft’s standard tools (Active Directory) seeing significant enterprise penetration. The IT GRC space continues to be dominated by EMC with the RSA Archer product. Guidance Software (maker of EnCase) faces serious competition in the enterprise forensics space for the first time from AccessData.
COMMENTATOR QUOTES
We tried AirWatch and weren’t too happy. However, they’ve made some more advances, may look at it again. I wasn’t impressed with it. Biggest issue, it depended on version as to whether it would work with an iPhone.
LE, Services: Business/Accounting/Engineering
We have implemented Good Technologies, but to implement beyond email, contact and tasks costs much more money. We don’t have the money to address these additional features, since it is not business critical.
LE, Telecom/Technology
Figure: Mobile Device Management. Panels: Implementation Roadmap (2H '12, n=200; 2H '13, n=204); Spending Change (2013 vs. 2012, n=157; 2014 vs. 2013, n=156); Vendor Implementation.
Absence of good device-centric controls; also, the ‘BYO’ aspect – in many cases the platform is no longer owned by us, so regulating and securing becomes that much harder. Android devices are harder than Apple to secure, it seems.
LE, Materials/Chemicals
Both network and server log management done with enVision, and we change for all functions to something. We’re considering McAfee as frontrunner, but IBM and HP are in the mix. We want to look at an ISSP as well.
APPLICATION SECURITY
Application security solutions continue to get attention from enterprises as specific countermeasures to application-based attacks. However, with none above 50% implemented, it continues to be a category that is not receiving enough attention.
Code or binary assessment, currently implemented at 38% of enterprises, is poised to grow 8 percentage points in the next 18 months, as enterprises seek to harden the applications written by their development teams from the inside out. No technology under the application security umbrella is mainstream; none have cracked the 50% in-use mark in interviewed enterprises. The closest is Web application firewalls (WAFs) at 40% in use, driven largely by the technology’s prominent mention in the PCI application security requirements. Dual-factor authentication for Web-based applications is implemented in only 32% of enterprises. Driven largely in financial institutions by guidance released by the Federal Financial Institutions Examination Council, it has yet to see widespread adoption.
Figure: Application Security Technology Roadmap. "What is your status of implementation for this technology?" n=198-205. Technologies charted: Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Database Security; Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment; Web Application Firewall (WAF). Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.
COMMENTATOR QUOTES
Foundstone/McAfee, Qualys and Nexpose/Rapid7 for vulnerability and pen testing as well.
LE, Financial Services
A lot of interest in pen-testing and Web application assessments today. We’ve spoken with WhiteHat Security, NetSPI about pen-testing assessments.
HP and IBM have long led the code/binary assessment category via prior acquisitions, but Veracode is poised to become a threat to their supremacy. Similarly, IBM remains in the lead in external application security testing, but HP has fallen to third place amid a serious challenge by WhiteHat Security. F5 Networks continues to compete with Imperva in the WAF space, but is showing signs of potentially pulling away.
COMMENTATOR QUOTES
Checkmarx offers very good code coverage. They cover just about everything around here. Downside – when it works, it is great; however, we have had improper scanning of code take place. They expect us to do too much work. This is something they should do as part of their service.
LE, Consumer Goods/Retail
[Veracode:] Static analysis, they do a good job on that.… They need to make their results a little bit more easy to understand. It can be a little difficult trying to discern exactly, you get a report, what exactly, what does that mean, and what do I need to do? To be fair, they’ll help you with that, but there’s always room for improvement.
LE, Financial Services
So deep in the layers that we may not bother with it – we’re not increasing budget. Unless an examiner says it must be done.
LE, Services: Business/Accounting/Engineering
Figure: Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment. Panels: Implementation Roadmap (2H '12, n=200; 2H '13, n=205); Spending Change (2013 vs. 2012, n=91; 2014 vs. 2013, n=91); Vendor Implementation.
NETWORK SECURITY
Network security continues to be a mix of old standby perimeter security tools such as the firewall, newer versions of the same in the form of the application-aware firewall, and perimeter monitoring via intrusion management and newer network security options including network-based DLP and anti-botnet services.
Figure: Network Security Technology Roadmap. "What is your status of implementation for this technology?" n=198-205. Technologies charted: Unified Threat Management (UTM); Network Access Control (NAC); Advanced Anti-malware Response; Anti-botnet; Application-aware Firewall; Secure File Transfer; Email Encryption; Web Content Filtering; Network Intrusion Detection and/or Prevention (NIDS/NIPS); SSL VPNs; Anti-spam/Email Security; Network Firewalls. Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know.
Application-aware firewalls remain a top growth technology in terms of new installations, rising to 43% in use in 2013 with a further 9 percentage points of projected growth over the next six months. Palo Alto Networks continues to be the standard bearer in a technology 34% of security managers reported spending more on in 2013, and Check Point for the first time shows significant growth potential for its application-aware offering.
Network access control (NAC) seemed to have plateaued in recent years or was poised to be subsumed into other technologies, such as VPN. That was before the explosive growth of BYOD, which has put NAC back on enterprises’ radar screens with 16 percentage points of projected growth possible in the next 18 months.
Nothing in network security is quite so mainstream as the network firewall, implemented at 100% of interviewed enterprises. That said, high penetration has never equaled dormancy; the technology remains a contested one, with 39% of enterprises increasing spending in 2013. Cisco leads the pack, with Check Point in second. Juniper Networks has posted modest gains with about 15% of responses, and newer entrant Palo Alto Networks has seen a rise to 13% of enterprises stating they provide the primary network firewall.
Unified threat management (UTM) continues to suffer from perceptions that it is an SMB solution, creates vendor lock-in, or that its components are not ‘best-of-breed.’ That said, ‘in use’ growth potential of 14 percentage points in the next 18 months could change that.
Cisco is not always a dominant player in information security the way it is in network technology, but network security is an area where the networking giant is prominent. Cisco leads network firewall implementations for another year, is the primary beneficiary of the resurgence of NAC, and has leaped to the front of a once hotly contested space in intrusion detection and prevention systems with the acquisition of Sourcefire. FireEye continues to lead the category of ‘advanced anti-malware,’ denoting approaches to dealing with malware that go beyond traditional antivirus solutions, but sees old standbys Symantec and Intel’s McAfee on its tail in this newer technology category on which 29% of respondents note they will spend more in 2014. Web content filtering, another staid and ubiquitous network security technology, remains highly penetrated at 84% in use, but sees 11% of enterprises decreasing their 2014 spending levels against 22% increasing them. This notably affects the two leaders in the technology: Websense and Blue Coat.
COMMENTATOR QUOTES
We moved into a new datacenter this year and spent a lot on infrastructure. In 2014, we expect to bring in new firewall from Cisco predominantly. We run into limitations with Palo Alto and slow response. Thus looking at Cisco going forward. Cisco has more of an end-to-end solution – from the edge for BYOD and integrating other technologies.
LE, Consumer Goods/Retail
We are good at understanding incoming traffic but need work on outgoing application traffic. Want to get the capability out of the firewall to get deeper dives for social media.
LE, Healthcare/Pharmaceuticals
Figure: Application-aware Firewall. Panels: Implementation Roadmap (2H '09, n=255; 2H '10, n=208; 2H '11, n=174; 2H '12, n=200; 2H '13, n=205); Spending Change (2013 vs. 2012, n=122; 2014 vs. 2013, n=120); Vendor Implementation.
Vendor Performance
ENTERPRISE SPENDING
IBM saw the greatest percentage of its customers increasing spending in 2013, while HP and Palo Alto Networks saw the greatest percentage of customers decreasing from 2012 spending levels. That said, both performed well in aggregate, with those advancing spending outnumbering those decreasing it.
2014 trends positively for Qualys, with a little more than half of its current and soon-to-be customers increasing spending. IBM continues a positive trend, while Palo Alto Networks for the first time has an equal percentage decreasing spending levels as increasing them on its firewall products. Check Point and Juniper Networks similarly trend near even between advancers and decliners of budget among respondent enterprises.
In terms of deal sizes, IBM, Cisco and Symantec captured the greatest percentages of high-dollar deals in 2013.
Figure: 2014 vs. 2013 Spending Change by Information Security Vendor. "Compared to 2013, approximately how much will your information security spending with this vendor change in 2014?" Vendors charted: Total Sample, Websense, Juniper, McAfee, Check Point, Microsoft, Dell, Palo Alto Ntwks, Symantec, EMC, HP, Cisco, IBM, Fortinet, Qualys. Categories: Less Spending; About the Same; More Spending, with change bands of 1%-10%, 11%-24%, 25%-50% and >50% less or more. See Appendix for sample sizes.
COMMENTATOR QUOTES
Check Point
Weaknesses: They’re expensive, and they cost a lot. I think their documentation could improve a little bit more. They touch everything, but maybe not enough examples of real-world implementation or whatever. Strengths: Their reliability has stayed good. The software’s stayed good enough. It has some bugs, but they’re at a minimum. Haven’t had too much pain. Their management is really good, one of their main selling points. I can manage 60-plus firewalls with three people. With Cisco I’d have four more people.
LE, Education
Cisco
Strengths: Name brands, professional, everybody at least knows how to do something on Cisco. A lot of professional support for the brand name and products. Weaknesses: Unifying all of their security products, ‘cause some of their products have been homegrown, some purchased, their security line is fragmented. Not a lot of cohesion between IPS and firewalls and management – they’re still all separate products that happen to be under the same brand name.
LE, Financial Services
Dell
SecureWorks – we have concerns regarding the impending Dell control changes – Microsoft? Others? My ratings are on SecureWorks, not Dell overall. Account management problems exist today.
LE, Other
CUSTOMER RETENTION
Web content filtering providers Websense and Blue Coat showed the greatest vulnerability to losing customers in 2013, taking the top spots over from HP and EMC in 2012. Edge security providers Barracuda Networks, Cisco and Palo Alto Networks showed the least vulnerability to customer loss. Palo Alto Networks also captured the greatest percentage of vendor conversions (40% of those rating it) from another security provider. For the 9% who did switch, Cisco, McAfee, HP and Blue Coat lost the greatest percentage of clients from the respondent base.
Performance and cost were the two top issues cited nearly equally by respondents as reasons for replacing their current security provider. Lock-in strength, a measure of the technical difficulty of switching security providers, favored network security providers such as Juniper Networks and Check Point, as well as IBM.
Figure: Vendor Vulnerability by Information Security Vendor. "Are you considering switching from this vendor to a competitor?" Responses: Yes; Maybe; No. Vendors charted: Fortinet, IBM, Blue Coat, Symantec, Websense, HP, Palo Alto Ntwks, McAfee, Juniper, Check Point, Microsoft, Cisco, EMC, Dell, Barracuda Ntwks, Qualys, Total Sample. See Appendix for sample sizes.
COMMENTATOR QUOTES
EMC
When you look up ‘strategic partner’ in the dictionary, you get EMC’s picture. They want to solve the problems, not just sell you a bunch of unnecessary product. They really don’t have any weakness I can think of. They have proven to be beyond reproach up to this point. They are no BS, straight shooters.
LE, Financial Services
HP
Weakness is related to the acquisition by HP. What used to be a small agile company in London has been sucked up into a mothership in California. Also, as HP is our one technology services provider, we use ArcSight, but aren’t convinced it is a true best-of-breed technology. Some HP people say that if we didn’t own this, we wouldn’t recommend it.
LE, Financial Services
IBM
IBM does offer good reliability of their products. They do a lot of testing up front, and their patches are tried and tested. The biggest weakness is cost. Compared to their competition, IBM is significantly more. We have IBM in-house and contracted with many of our systems. In order to enjoy that luxury and ease, we have to pay the price.
PROMISE VS. FULFILLMENT
Qualys, Barracuda Networks and Palo Alto Networks all received ratings from their customers that bubbled up to signify strong overall strategic and tactical delivery, placing them in the top quadrant of security vendors for the Wave 16 Information Security Study. Firewall providers Cisco and Check Point both received above-average index scores in promise and fulfillment.
Dell scored well on the fulfillment side, but received lower forward-looking ratings on ‘promise’ or strategic concerns. IBM conversely scored well on the promise side of the equation, but failed to beat the study average in fulfillment. HP, Blue Coat, Fortinet and Symantec all trended below the study average in both the Promise and Fulfillment indexes, indicating issues at both the strategic planning and tactical delivery levels.
Information Security Market Window
See Appendix for sample sizes.

Vendor             Promise Score   Fulfillment Score
Average            70              70
Barracuda Ntwks    79              85
Check Point        76              69
Cisco              71              75
Dell               68              73
EMC                68              66
Fortinet           62              62
HP                 53              56
IBM                74              65
Juniper            67              66
McAfee             68              64
Microsoft          69              69
Palo Alto Ntwks    83              81
Qualys             85              88
Symantec           66              61
Websense           67              65

Chart quadrants: Low Promise, High Fulfillment; High Promise, High Fulfillment; Low Promise, Low Fulfillment; High Promise, Low Fulfillment. Axes: Promise Index and Fulfillment Index, each running from 50 to 90.
The Market Window plots the Promise and Fulfillment Indexes to compare vendors’ effectiveness at marketing and execution. A vendor placing in the upper right quadrant is rated highly for both its promise and ability to execute – underpromising and overdelivering – relative to its peers. Conversely, a vendor in the lower left quadrant rates poorly on the same criteria. The Vendor Promise Index is designed as a measure of marketing effectiveness. It uses 4 of the 14 customer ratings criteria (Competitive Positioning, Technical Innovation, Management’s Strategic Vision, and Brand/Reputation), which are related to global concepts conveyed to potential customers prior to actual product/service delivery and use. The Vendor Fulfillment Index is designed as a measure of execution effectiveness. It uses 4 of the 14 customer ratings criteria (Value for the Money, Product Quality, Delivery as Promised, and Technical Support Quality), which are related to the physical product/service delivery and customer experience of using the product or service.
The size of the circle indicates the relative volume of ratings a vendor received. The intersecting lines indicate the average vendor score, including those for companies not depicted in the chart.
COMMENTATOR QUOTES
Juniper
Juniper delivers as advertised; don’t expect much more than that. They are really lagging from an innovation standpoint. Their cost is OK, but you get what you pay for. Biggest weakness – their tech support can sometimes make a problem worse. They may connect in and make a change without telling us. Can be very confusing.
LE, Financial Services
McAfee
McAfee has a very aggressive sales team; they work hard at selling you anything. Technical innovation, for McAfee that is an oxymoron. They do not keep up with innovation, at all. Since they buy most of their new technology, they do a horrible job at integration. I am not sure why this is, but it is causing us to look elsewhere.
LE, Financial Services
Symantec
Symantec offers great features, as well as a wide breadth of products. Downside is reliability and technical support. They take too many dissimilar products and glue them together. There are too many scalability issues. They can do a better job of designing their environment to handle a typical large company load. They do too much testing within their client environments. We buy a product and we expect better functionality. At times it seems like I am asking too much of them.
Qualys performed extremely well in ratings from their customers, scoring significantly above average in all but four categories. Barracuda Networks saw positive marks in seven categories, primarily on the fulfillment side. Check Point and Cisco were both noted positively by their respondent customers for their brands/reputation.
HP scored poorly in the greatest number of categories, primarily on the strategic or forward-looking side. Fortinet saw poor grades in its strategic vision, technical support and sales force. IBM received negative marks in ‘value for the money’ and ‘ease of doing business,’ but balanced these against top marks in brand/reputation and strategic vision. McAfee saw a downtick in product performance. Websense received a low score in features/functions of its product line.
Palo Alto Networks scored well in technical innovation, competitive positioning and ease of doing business, among other categories. Palo Alto Networks and FireEye captured the top and second slots as 2013’s most exciting security vendors for large enterprises; however, the vote was more split this year than last.
In terms of newer smaller vendors generating excitement, Bromium was mentioned by 7% of respondents, followed by Cyber-Ark, Mandiant, Zscaler, Xceedium and Trusteer, among others.
COMMENTATOR QUOTES
Bromium – we’re negotiating with them. Somewhere between a startup and almost-established company. They’re doing something called microvirtualization. A VM-type environment with such a light weight that you can keep three Android phones open at the same time. Also, Wombat – they’re an awareness company. They have awareness products that educate users in a fun and entertaining way; these are training tools.
LE, Materials/Chemicals
ObserveIT has a package where you can effectively, almost SIM-like, but beyond SIM, you can see what a person, a workstation, what they did and follow their keystrokes of what they actually did. An intriguing piece of software.
Appendix A: Demographics
Employee Size
< 100: 1%
100-999: 7%
1,000-4,999: 20%
5,000-10,000: 17%
> 10,000: 55%

(category label missing in source)
< $500K: 19%
$500K-$999K: 9%
$1M-$1.9M: 13%
$2M-$3.9M: 18%
$4M-$6.9M: 14%
$7M-$9.9M: 4%
$10M-$19.9M: 13%
$20M-$30M: 4%
> $30M: 6%

Enterprise Revenue
< $499.99M: 16%
$500M-$999.99M: 7%
$1B-$4.99B: 29%
$5B-$9.99B: 15%
$10B-$19.99B: 13%
$20B-$29.99B: 7%
$30B-$40B: 4%
> $40B: 9%

Industry Verticals
Financial Services: 24%
Healthcare/Pharmaceuticals: 11%
Consumer Goods/Retail: 11%
Industrial/Manufacturing: 9%
Other: 8%
Services: Business/Accounting/Engineering: 8%
Education: 7%
Telecom/Technology: 7%
Materials/Chemicals: 6%
Energy/Utilities: 5%
Transportation: 3%
Public Sector: 1%
Appendix B: Methodology and Scope
METHODOLOGY
The Information Security Study relies on a proprietary network of IT professionals and is based on in-depth interviews with 207 information security professionals conducted from April 2013 through October 2013. TheInfoPro’s interviewers are current and former IT managers and executives. They ask open-ended questions that enable TheInfoPro to gain an excellent understanding of the issues and decision-making process related to strategic planning, technology benchmarking, and vendor selection and negotiation.
The Commentator Network has a variety of industry types and levels of technology adoption. TheInfoPro screens potential commentators to ensure that they can discuss in detail their enterprises’ technology roadmap and relationships with pertinent vendors. To participate, a commentator had to work for a large or midsize enterprise. For the purposes of this study, large enterprises have more than $1bn of revenue and midsize enterprises have annual revenue of $100m to $999m.
SAMPLE SIZE VARIATION
Because the interviews are designed to be flexible to the needs and knowledge of the commentator, not every interviewee is asked every question. As a result, many charts have a sample size varying from the total number of interviews.
RECENT CHANGES TO THE STUDY
Many respondents have detailed knowledge of all technology areas, but some do not. Beginning this year we are reporting percentages based upon the full survey sample of respondents, and showing the percentage of respondents who indicated that they did not have detailed status knowledge for certain technologies.
TheInfoPro’s Technology Heat Index® and Adoption Index have been updated. The indexes were re-engineered to provide a stronger picture of user demand and investment in technologies. The calculations now account for planned changes in a technology’s spending and the relevant sector’s budgets.
Appendix C: Interpret the Data
TECHNOLOGY ROADMAP AND INDEXES
The Technology Roadmaps highlight the percentage of respondents with a technology ‘in use,’ the percentage that are likely to use the technology for the first time in the next two years, and those who have no plans. The size of the gap between ‘in use’ and ‘not in plan’ status indicates the potential opportunity for a technology in the next two years.
This data is combined with spending and budget data to calculate the Heat and Adoption index values for each technology.
The Technology Heat Index® measures user demand for a technology based on several factors, including: usage or planned usage, changes in planned spending, an organization’s budget for the relevant IT sector and future changes in the organization’s budget. A high score means a technology is expected to see significant growth.
The Technology Adoption Index measures aggregate investment in a technology based on several factors, including: usage or planned usage, changes in planned spending, and an organization’s budget for the relevant IT sector. A high score means the technology is already experiencing healthy adoption.
Technologies with a high Heat Index score and a low Adoption Index score have the largest near-term market opportunity for vendors. Technologies with a high Heat Index score and a high Adoption Index score are experiencing near-term growth but have limited opportuni