CERTIFICATE
This is to certify that the summer internship report titled CISO Platform Index Report 2015,
submitted by Pratiksha Garnaik bearing Roll No. 14BM60039 to Indian Institute of
Technology, Kharagpur, is a record of bona fide research work under my supervision and I
consider it worthy of consideration for the award of degree of Master of Business
Administration in accordance with the regulation of the Institute.
Date:
_____________________
Supervisor
CERTIFICATE OF EXAMINATION
DD/MM/YYYY
Certified that the summer internship report titled CISO Platform Index Report 2015
submitted by Pratiksha Garnaik bearing Roll No. 14BM60039 to the Indian Institute of
Technology, Kharagpur, towards the partial fulfillment of the requirements for the award of
the degree Master of Business Administration has been accepted by the panel of examiners,
and that the student has successfully defended the work in the viva-voce examination held
today.
Panel Member 1
Panel Member 2
Panel Member 3
Panel Member 4
ACKNOWLEDGEMENT
This project could not have been successfully completed without help and support. I
would like to thank all of those who were responsible for the successful completion of this
project.
First of all I would like to thank CISO Platform for giving me an opportunity to pursue
an internship with them and an opportunity to learn. I take great pleasure in presenting my project
that was carried out at CISO Platform, Koramangala.
I would like to thank Mr. Bikash Barai, Founder of IViZ Security, Koramangala
and Chief Advisor of CISO Platform for taking time out of his busy schedule guiding me
throughout the project, providing his valuable feedback, correcting me whenever needed.
Working with him was a great learning experience.
I take great pleasure in expressing my gratitude to Mrs. Priyanka Aash, MD, CISO
Platform and Ms. Pritha Aash, Associate Analyst, CISO Platform for helping me in all
possible ways to complete this project successfully. I would also like to thank Prof. Abhijeet
Chandra for his valuable guidance and suggestions for the successful completion of this
project.
My heartiest gratitude towards Mr. Abhishek Yadav, HR Head, CISO Platform for
streamlining my project with his interests and helping me fruitfully complete it.
Executive Summary
Over time, the influence of customer satisfaction ratings on buying decisions has increased. In the
field of Information Security, there is a lack of an index where customer satisfaction ratings are
put together and made public so that new customers can use those ratings before buying any
product. There is no common place where the opinions of users about a product are present.
CISO Platform aims at making the work of CISOs easier. In an attempt to provide IT security
customers with a system that rates products based on customer recommendation, a
unique framework called the CISO Platform Index (CPI) is to be formed. This would help
buyers compare products and make a well-informed decision. The index would help
buyers identify the most used and preferred products and would act as a guide for quick
decisions on which product to buy.
This study started with the collection of data from Chief Information Security Officers through a
survey. The survey collected ratings for IT security products on different
parameters on a scale of 1 to 10 (1 being the least). Different weightages were given to the different
parameters and the CPI was calculated from the ratings. The products for which ratings
were collected were mapped to appropriate domains, and were also mapped according to
their parameter ratings. Three product buckets were formed according to CPI and
analyst ratings.
At the end of this study, we were able to identify, for each domain in the field of IT security, the
products which ranked highest according to customer satisfaction. Analyst ratings
were also obtained for all major products from major vendors in every identified domain. This
index is expected to make the job of CISOs easier while selecting a product for their
respective organisations. Selection of products can be better informed and quicker if this
index is used.
CONTENTS
1. ABOUT CISO PLATFORM
2. BACKGROUND AND MOTIVATION
2.1 Growing importance of Word of Mouth
2.2 Need of a customer-satisfaction based rating framework
3. OBJECTIVES
4. LITERATURE REVIEW
5. METHODOLOGY
5.1 Framework Building
5.2 Domain Identification
5.3 Data Collection
5.4 Bad Data Removal
5.5 Data Sorting
5.6 Use of Tools
5.7 Calculation Methodology
5.8 Analyst Rating
5.9 Product Bucket Categorization
6. RESULTS
6.1 Distribution of Responses across domains
6.2 Distribution of companies according to CPI
6.3 Domain-wise distribution of CPI rated Products
6.4 Domain-wise analysis
6.4.1 Application Security Testing (AST)
6.4.2 Endpoint Security (EPS)
6.4.3 Data Leakage Prevention (DLP)
6.4.4 Distributed Denial of Services (DDoS)
6.4.5 Firewall
6.4.6 IT Governance, Risk and Compliance (IT GRC)
6.4.7 Identity and Access Management (IAM)
6.4.8 Intrusion Detection/Prevention System (IDS/IPS)
Pratiksha Garnaik, VGSoM, IIT Kharagpur
CISO Platform Annual Summit: Annual event where 200+ CISOs gather to
share knowledge through 18 minute "Turbo Sessions"
Why is CISO Platform a great platform for CISOs across the country?
CISOs need an online presence. CISO Platform gives information security leaders
greater online exposure. Here on CISO Platform, you can showcase your hands-on
knowledge to an audience that might not otherwise find you. Content that we love is
immediately submitted to Google and hugely promoted on other social platforms like
Twitter, LinkedIn and StumbleUpon, meaning your content gets a far wider audience
than it might otherwise reach.
Simply by joining, information security leaders will be able to do the following:
Start a blog to demonstrate their thought leadership.
Participate in webinars as speakers or audience.
Build a profile page with contact details, logo, web address and a customizable
design area to showcase their services.
Ask questions to other peers on implementation or on their prior experiences.
They have a huge range of members globally who provide great opinion pieces, offer
advice and share their experiences in IT Security. Members include:
CIO
CISO
VP-IT
Director-IT
IT Manager
(Figure: customer feedback statistics; source: https://moderncomment.com/customer-feedback-stats)
OBJECTIVES
Through this project CISO Platform wishes to give its customers an index which they
can use as a quick reference for which product to prefer while making a buying
decision.
Products will be segregated into different buckets according to their ratings, both CPI
and analyst ratings.
Only those products which have received good ratings will be featured in the index.
Parameter-wise mapping of products will also be done so that users can
segregate products according to their own priorities.
All of the above will be done for all identified domains in the field of Information Security.
LITERATURE REVIEW
People generally take expert opinions as well as user reviews before buying any product.
When it comes to any purchase for an organisation, proper decision-making becomes even
more critical because it affects not only the organisation in which it will be used but also the
customers it would be catering its products or services to. So getting reviews for products
before making a purchase becomes very important.
Some word of mouth facts:
The average consumer mentions specific brands over 90 times per week in conversations with
friends, family, and co-workers. (Keller Fay, WOMMA, 2010)
When asked what sources influence your decision to use or not use a particular
company, brand or product 71% claim reviews from family members or friends exert a
great deal or fair amount of influence. (Harris Interactive, June 2010)
90% of consumers online trust recommendations from people they know; 70% trust opinions
of unknown users. (Econsultancy, July 2009)
The above mentioned facts show that word of mouth has considerable influence on buying
decisions. But it is not always possible to get feedback on the products you need
through conversations. Thus the need for a rating framework arises.
Advantages of a rating framework:
1. Common platform- Ratings would be collected from a wide range of industries and a large
number of security professionals, so they give a better overview of a product's
performance.
2. Parameter-wise evaluation- Some parameters are more important for some
organisations than others, so a framework in which parameter-wise ratings are given for
different products can be useful.
3. Comparison with analyst rating- Sometimes user ratings alone are not adequate to make a
decision, especially when there are not enough of them. Adding the new dimension of
analyst rating would help in making better decisions.
METHODOLOGY
1. Framework building
The framework building started off with defining the parameters that a buyer evaluates before
making a decision. Four distinct parameters were identified which generally influence the buying
decision for an IT security product. A certain weightage was given to each parameter based on
its influence on buying behaviour. The weightage was decided by taking expert opinion and
interviewing a few CISOs.
The following parameters were identified; their respective weightages are also given
below:
a) Features of the product-30%
b) Ease of Implementation-30%
c) Return on Investment/Pricing-10%
d) Support-30%
CPI = (0.3*Feature Rating) + (0.3*Ease of Implementation Rating) + (0.1*ROI Rating) + (0.3*Support Rating)
2. Domain Identification
The major domains of IT security products were identified. The product evaluation and
comparison was done domain-wise. The major domains that were identified to which the IT
security products belonged were:
a) Application Security and Testing (AST)
b) Endpoint Security (EPS)
c) Data Loss Prevention (DLP)
d) Distributed Denial of Service (DDoS)
3. Data Collection
Data was collected both online and offline. Chief Information Security Officers (CISOs) of
various organisations from different industry verticals were the respondents of the survey.
In the online data collection process, a form was floated online via email to CISOs of various
organisations in which they had to rate the products they had used in their organisations
according to the defined parameters on a scale of 1 to 10, one being the least. They were also
asked to give an overall rating to the products according to their perception. Their names and
organisation to which they belonged to was also collected.
The offline questionnaire was also similar to the online one. The data was collected during
the Decision Summit that happened in New Delhi where huge number of CISOs from across
the country participated for the various seminars, events and training sessions. CISO Platform
was the organiser of the event.
5. Data Sorting
Data sorting involved:
a) Finding all unique product names by removing duplicates. A consolidated list of all
products was made.
b) Finding the vendor name for each individual product if the vendor name was not provided by the
respondent.
c) Mapping the products to their respective domains for domain-wise analysis.
6. Use of Tool
Microsoft Excel was used for this project. Data filtering, sorting, calculations etc. were all
done with various functions of MS Excel. Data plotting using graphs was also done with this
tool.
7. Calculation Methodology
Average ratings were taken for each individual product. A snapshot of the calculation is
given below. A similar procedure was implemented for all domains. The product names have
been masked because of company policies.
Microsoft Excel was also used to make the graphs representing the product ratings. Graphs
were made to represent the individual parameter ratings as well as CPI ratings for different
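The steps above (deduplicating product names, averaging each parameter per product, applying the CPI weights from the framework, and then banding products by CPI as in the results section) are shown here as one worked pipeline. This is an added example, not the report's Excel workbook; the responses, product names and domains in it are constructed sample data, and the out-of-scale rating is included only to show where bad-data removal fits.

```python
"""Worked example of the CPI calculation pipeline (added illustration).

The weights come from the report's framework; everything else below
(product names, domains, ratings) is constructed sample data.
"""
from collections import defaultdict
from statistics import mean

# Parameter weights as defined in the framework (they sum to 1.0).
WEIGHTS = {"features": 0.3, "ease": 0.3, "roi": 0.1, "support": 0.3}

# Constructed survey responses:
# (domain, product name as typed by the respondent,
#  features, ease of implementation, ROI, support), each on a 1-10 scale.
RESPONSES = [
    ("Firewall", "Alpha FW", 9, 9, 8, 9),
    ("Firewall", "alpha fw ", 9, 8, 8, 9),      # same product, inconsistent spelling
    ("Firewall", "Beta Gateway", 7, 6, 7, 6),
    ("IDS/IPS", "Gamma IPS", 8, 7, 6, 8),
    ("IDS/IPS", "Gamma IPS", 9, 8, 7, 9),
    ("DLP", "Delta DLP", 6, 5, 6, 6),
    ("DLP", "Delta DLP", 6, 11, 6, 6),          # out-of-scale rating: dropped as bad data
]


def normalise(name: str) -> str:
    """Collapse case and whitespace differences so duplicate product names merge (data sorting step a)."""
    return " ".join(name.split()).lower()


def cpi(features: float, ease: float, roi: float, support: float) -> float:
    """CPI = 0.3*Features + 0.3*Ease of Implementation + 0.1*ROI + 0.3*Support."""
    return (WEIGHTS["features"] * features + WEIGHTS["ease"] * ease
            + WEIGHTS["roi"] * roi + WEIGHTS["support"] * support)


def band(score: float) -> str:
    """CPI bands used in the results section: below 7, 7 to 8.5, above 8.5."""
    if score > 8.5:
        return "CPI>8.5"
    if score >= 7:
        return "7<=CPI<=8.5"
    return "CPI<7"


def product_cpi(responses):
    """Average each parameter per (domain, product), then compute CPI from the averages."""
    groups = defaultdict(list)
    for domain, name, *ratings in responses:
        # Bad data removal: every rating must lie on the 1-10 scale.
        if not all(1 <= r <= 10 for r in ratings):
            continue
        groups[(domain, normalise(name))].append(ratings)

    table = {}
    for key, rows in groups.items():
        averages = [mean(column) for column in zip(*rows)]   # per-parameter averages
        score = cpi(*averages)
        table[key] = {"responses": len(rows), "cpi": round(score, 2), "band": band(score)}
    return table


def distribution(table):
    """Percentage of rated products falling into each CPI band (rounded to whole percent)."""
    counts = defaultdict(int)
    for row in table.values():
        counts[row["band"]] += 1
    total = len(table)
    return {b: round(100 * c / total) for b, c in counts.items()}


if __name__ == "__main__":
    result = product_cpi(RESPONSES)
    for (domain, product), row in sorted(result.items()):
        print(f"{domain:10} {product:14} n={row['responses']} CPI={row['cpi']:.2f} {row['band']}")
    print(distribution(result))
```

The grouping key includes the domain so that the same product name used in two domains is rated separately, which matches the domain-wise analysis the report describes; the band thresholds are the ones used for the CPI distribution in the results section.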
8. Analyst Rating
A second dimension, analyst rating, was added to the framework. Analyst opinion was
obtained by developing a model in which a rating was given both to the products for which ratings
were obtained from the survey and to competent products for which there were no survey
ratings.
This started with studying the Gartner and Forrester reports and thus identifying
prominent products in the particular domain.
Then a score was given to each product according to its position in
Gartner's Magic Quadrant and Forrester Wave. The score was calculated by
adding the x and y axis values on the quadrant.
An average was taken for products which were present in both Gartner and Forrester.
For products which were present in only one of them, the score was taken directly.
The identified products must have ratings above a certain value to get
featured on the quadrant, so the scores needed to be scaled out of 10. The minimum score was
assumed to be 6. Thus the analyst score was calculated as follows:
Distribution of Responses across Domains- The following graph (Fig. 3) shows the
domain-wise distribution of the responses that were recorded.
Maximum responses were recorded from CISOs for Firewall products followed by
DLP products.
(Fig. 3)
Distribution of companies according to CPI- Of the products for which we calculated the CPI:
o Only 14% of products had CPI>8.5.
o The majority of products, i.e. 65%, had CPI in the range of 7 to 8.5.
o 21% of products had CPI<7.
(Fig. 4)
(Fig. 5)
(Figure: share of products with CPI<7 (33%) and CPI>=7 (67%))
(Figure: Support ratings of IDS/IPS products HP TippingPoint, McAfee IPS, Sourcefire, Symantec HIPS and IBM Proventia IPS; axis from 5.50 to 9.50)
The best products according to the rating framework are present in Bucket 1.
Bucket 1 products are good according to both the customer satisfaction rating and the
analyst rating.
Bucket 2 and Bucket 3 products are other prominent players in the market in the
respective domains, but customer feedback about them is not known.
Data collection, filtering, sorting and mapping techniques for further data analysis.
Overview of IT security trends and technologies and of the companies that offer various
products in the market in different domains.
Learnt about 360 degree marketing, which includes re-marketing, social marketing etc.
Use the simplest of infographics so that they can be understood by all without the
need for explanation.
The framework can be made more efficient by collecting more data points by
reaching out to a larger number of CISOs.
People other than CISOs who have good knowledge of the products used in their
organisations can be selected as respondents.
The framework can be automated by standardising and using various database tools,
so that new data entries are reflected in the CPI more easily and quickly.
REFERENCES
[1] Martin Hugh J. [2013]. The Economics of Word of Mouth: Designing Effective Social Media Marketing for Magazines
[3] Firstbrook P., Girard J. and MacDonald N. [2014]. Gartner's Magic Quadrant Report for Endpoint Protection
[4] Ouellete E. [2013]. Gartner's Magic Quadrant Report for Content-aware Data Loss Protection
[5] http://ddos-protection-services-review.toptenreviews.com/
[6] Hils A., Young G. and D'Hoinne J. [2015]. Gartner's Magic Quadrant Report for Enterprise Network Firewall
[7] Witty R. [2014]. Gartner's Magic Quadrant for Business Continuity Management Planning Software
[8] Wheeler J. [2014]. Gartner's Magic Quadrant for Operational Risk Management
[9] Pratap K. [2014]. Gartner's Market Guide for Audit Management Solutions
[10] Kreizman G. and Wynne N. [2015]. Gartner's Magic Quadrant for Identity and Access Management
[11] Hils A., Young G. and D'Hoinne J. [2013]. Gartner's Magic Quadrant for Intrusion Prevention Systems
[12] Gartner [2014]. Gartner's Magic Quadrant for Mobile Data Protection
[13] Firstbrook P. and Lowans B. [2014]. Gartner's Magic Quadrant for Secure Email Gateways
[14] Orans L. and Firstbrook P. [2014]. Gartner's Magic Quadrant for Secure Web Gateways
[15] D'Hoinne J., Hils A. and Young G. [2014]. Gartner's Magic Quadrant for Unified Threat Management
[16] Nicolett M. and Kavanagh K. [2013]. Gartner's Magic Quadrant for Security Information and Event Management
[17] D'Hoinne J., Hils A., Young G. and Feiman J. [2014]. Gartner's Magic Quadrant for Web Application Firewall
[18] Cser A. and Maxim M. with Balaouras S., Blackborow J. and Dostie P. [2015]. Forrester Wave for Identity and Access Management
[20] Shields T. with Balaouras S. and Duong J. [2015]. Forrester Wave for Application Security
[22] About CISO Platform, from the CISO Platform website and blogs, http://www.cisoplatform.com/ (accessed on 27th July 2015)
[24] Ambrose C. [2014]. Gartner's Magic Quadrant Report for IT Vendor Risk Management
QUESTIONNAIRE
Please rate the IT Security products that you have used in your organization based on
the given parameters on a scale of 1 to 10, 1 being the least.

Domain | Product Name | Parameters: Overall Satisfaction | Feature Completeness | Ease of Implementation | ROI | Support

Name:
Organization:
(Appendix table: the filled questionnaire responses, one row per response with row numbers running up to 150, and columns Domain, Product Name, Overall, Features, Ease of Implementation, ROI and Support. The rows cover the Firewall, Application/Database Security, IDS/IPS, Mobile Device Security, DLP/Data Security, Endpoint Security, Secure email/web gateway and content filtering, Antivirus, Digital Rights Management, SIEM/Incident Response, Encryption for servers/storage/database, DoS, Identity and Access Management and Unified Threat Management domains; product names are masked apart from Microsoft IRM, and the individual ratings are not recoverable in this text version.)