Risk & Compliance Outlook 2011
Contents
Executive Summary (p. 3)
Challenge: Risk Management (p. 5)
Challenge: Effective Patching (p. 8)
Challenge: Compliance (p. 10)
Challenge: Audit (p. 14)
Response: The Risk and Compliance Market (p. 16)
Conclusion: Emerging Trends (p. 19)
Research Approach (p. 20)
Key research findings

• Although companies are aware of the factors, such as the correlation of threats, vulnerabilities and asset value to the business, that comprise IT business risk assessment, they still find it challenging to execute measures to address them.
• Generally, IT decision-makers are confident in their ability to patch security flaws. However, they invest heavy man-hours in the patching process, and their operations are significantly disrupted when they have to deal with out-of-cycle patches.
• Keeping IT systems compliant is a serious challenge for companies, as is automating compliance, and understanding and meeting the needs of multiple regulations.
• Investment in compliance products is strong – and will continue to grow – particularly in the areas of change assessment, file integrity monitoring and database activity monitoring.
• When buying products in 2011, companies are expected to accord highest priority to organizational compliance mandates on databases and networks.
• Audit tracking is reasonably strong around what changes occurred and when. However, the companies fall short in recording who made the change, where and how.
• Companies want a more solution-based approach when it comes to selecting Risk and Compliance products, rather than selecting vendors that provide only one-off point products.
Other data in the report reflected the security impact of lack of visibility. Three of five attacks were discovered by third parties; 96 percent of the breaches were avoidable through simple or intermediate controls; a quarter of the breaches were not discovered for weeks; and more than a third went undiscovered for months.

It is no surprise, then, that companies participating in this survey said that they take risk management very seriously. Overall, 74 percent of the participating companies agreed that visibility into the risk posture of their IT environment is important. More than 80 percent of the companies in the UK and North America agreed that it is important to have visibility into their IT environment’s risk posture; however, companies in Germany and France were less likely to consider such visibility important.

A higher proportion of McAfee users (77 percent) agreed that this is important, as compared to the non-users of McAfee products (70 percent), reflecting their commitment to investing in automated technology to support their risk management and compliance efforts.

This visibility translates directly into more efficient operations. Half the companies estimate that they save from six to ten hours per week if they have 100 percent visibility into the risk posture of their businesses. Meanwhile, at least a quarter of the companies in the UK and North America estimated that they will save ten to twenty hours per week if they have 100 percent visibility.

Consider that slightly less than half the companies surveyed spend six to ten man-hours per month on assessment of threats to their business. The figure is a bit higher among companies in North America, France, and APAC, where just over 50 percent report spending six to ten man-hours per month assessing threats. In contrast, one-third of the companies in the UK and Germany spend just two to six hours per month on threat assessments, possibly because of the impact of automation. As an aside, only 26 percent of McAfee users spend ten to twenty man-hours per month compared with 31 percent of non-users of McAfee products, which again indicates the benefits of automation.

“Four of ten respondents admitted that either they are unaware of all information security risks or they are not fully protected against information security risks.”

Companies also identified the key factors that go into their IT risk assessment process and the challenges they face in carrying through effective and efficient risk management. To put those responses in context, let us first examine the essentials of such a practice.

The Risk Management Lifecycle

Companies operate in a dangerous world, fraught with threats from external attackers and malicious insiders. Leading organizations have well-defined risk management lifecycle programs that address IT vulnerability in a business risk context, and therefore address these issues more efficiently. This lifecycle commonly comprises the following:

• Asset discovery: Asset management programs are only as good as the information supplied to them. Discovery tools provide a complete picture of the devices on corporate networks, and the operating systems, services, and applications running on them, as well as rogue devices (Do you have wireless access points on your network? – No? – How do you know that?).
• Vulnerability detection: Using scanning tools to discover not only network-based flaws, but application vulnerabilities, database issues and configuration errors.
• Risk assessment: This is a critical step that many organizations are not yet prepared to take, but it pays off in reduced investment in resources. Business risk can be established by weighing: the severity of the vulnerability; the likelihood of it being exploited (Are there known exploits? Is the asset well-protected by network firewall, IPS, web application firewall, etc.?); the criticality of the asset and the business impact if the vulnerability is exploited; and the resources required for mitigation and remediation.
• Remediation: This is not simply a scan-and-patch process. Remediation should be applied within the company’s change control process, leveraging ticketing systems or whatever change mechanisms are in place.
• Verification: Rescan or other technical validation that the remediation was successful.
• Audit/Report: Documented evidence that the vulnerability was discovered, assessed and remediated, and who is accountable.
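A worked illustration of the risk assessment, remediation, verification and audit steps above, added here and not part of the report: it scores each finding by severity, exploit likelihood (discounted by the controls in front of the asset) and asset criticality, then fills a change-window hour budget with the findings that remove the most risk per remediation hour. The rating scales, the control-effectiveness factors and the sample inventory are constructed assumptions.

```python
"""Business-risk scoring and remediation planning for the lifecycle above.

Added illustration, not the report's method. Scales, weights and the sample
inventory are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int                   # 1 (low) .. 5 (business-critical), assumed scale
    controls: frozenset = frozenset()  # protective controls in front of the asset


@dataclass
class Finding:
    asset: Asset
    vuln_id: str
    severity: float                    # CVSS-style base score, 0..10
    known_exploit: bool                # "Are there known exploits?"
    remediation_hours: float           # resources required for mitigation/remediation


# Assumed factor by which each control lowers the chance of exploitation
CONTROL_FACTORS = {"firewall": 0.7, "ips": 0.6, "waf": 0.5}


def likelihood(f):
    """Chance the flaw is actually exploited: exploit availability, discounted by controls."""
    p = 0.9 if f.known_exploit else 0.4
    for c in f.asset.controls:
        p *= CONTROL_FACTORS.get(c, 1.0)
    return round(p, 3)


def business_risk(f):
    """Severity x likelihood x asset criticality (0..50 on the assumed scales)."""
    return round(f.severity * likelihood(f) * f.asset.criticality, 2)


def remediation_plan(findings, hours_available):
    """Order findings by risk removed per remediation hour and fill the hour budget.

    Returns (planned, deferred) lists of vuln_ids. Deferred items stay open for the
    next change window instead of being patched "when in doubt"."""
    ranked = sorted(findings, key=lambda f: business_risk(f) / f.remediation_hours, reverse=True)
    planned, deferred, used = [], [], 0.0
    for f in ranked:
        if used + f.remediation_hours <= hours_available:
            planned.append(f.vuln_id)
            used += f.remediation_hours
        else:
            deferred.append(f.vuln_id)
    return planned, deferred


def audit_record(f, owner, still_present_after_rescan):
    """Audit/Report step: evidence of discovery, assessment, remediation and accountability.

    `still_present_after_rescan` is the set of vuln_ids the verification rescan still sees."""
    return {
        "vuln_id": f.vuln_id,
        "asset": f.asset.name,
        "severity": f.severity,
        "likelihood": likelihood(f),
        "business_risk": business_risk(f),
        "owner": owner,  # who is accountable
        "status": "reopened" if f.vuln_id in still_present_after_rescan else "remediated",
    }


# Constructed sample inventory (not survey data); vuln ids are placeholders
DB = Asset("db01", 5, frozenset({"firewall"}))
WEB = Asset("web01", 4, frozenset({"firewall", "waf"}))
KIOSK = Asset("lobby-kiosk", 1)
SHARE = Asset("fileshare", 3, frozenset({"firewall", "ips"}))
FINDINGS = [
    Finding(DB, "VULN-A", 9.8, True, 4.0),
    Finding(WEB, "VULN-B", 7.5, True, 2.0),
    Finding(KIOSK, "VULN-C", 9.0, False, 6.0),
    Finding(SHARE, "VULN-D", 5.3, False, 1.0),
]

if __name__ == "__main__":
    planned, deferred = remediation_plan(FINDINGS, hours_available=8)
    print("this window:", planned, "deferred:", deferred)
    print(audit_record(FINDINGS[0], "dba-team", still_present_after_rescan=set()))
```

With an eight-hour window the plan takes VULN-A, VULN-B and VULN-D (seven hours) and defers the high-severity but isolated kiosk flaw, which is the "focus on the most important assets" behaviour the survey contrasts with patching everything.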
Factors Used to Determine Risk

Vulnerabilities (79 percent) and threats (78 percent) are the topmost factors that companies take into account while determining IT risk. These are closely followed by the value of the asset (71 percent) and countermeasures that companies take to thwart threats (60 percent). Seen in line with a risk management lifecycle, we see that IT leaders take the correlation of critical risk factors seriously. The responses are similar across countries, and among both users and non-users of McAfee products.

However, ideally, organizations prefer to reduce their efforts while reducing risk, indicating a stronger need for automation of the IT risk management process.

Multiple factors are considered while determining business impact: 70 percent of the companies cite loss of revenue and two-thirds consider loss of man-hours as critical factors for determining business risk. This is very closely followed by potential loss of customer faith and the impact on the company’s brand. Of those surveyed in North America, 71 percent cited loss of man-hours as the least important factor. Loss of revenue is considered the least important by companies in APAC, the UK and Germany.

Risk Management Challenges

Respondents said the biggest challenge that their companies face is identifying threats, followed by discovering vulnerabilities in their systems (see Figure 1). Being able to know which systems are adequately protected from threats is the third biggest challenge. These challenges are greater for those companies that have low awareness of or partial protection against information security risks. Note that quantifying the impact of threats on the business falls right in the middle among their challenges, indicating recognition that this is a key element in focusing their efforts (vulnerability detection and remediation) on their most valuable assets. Since the respondents rated focusing their effort on their most valuable assets and applications as the least critical of their challenges, it is clear they are aware of the importance of prioritizing their efforts and therefore use limited resources to best effect.

Notwithstanding the positive findings, a large number of respondents said they still had work to do: four of ten respondents admitted that either they are unaware of all information security risks or they are not fully protected against information security risks. While the observations are similar across most countries, half the companies in Germany say they are not aware of all their security risks or are not fully protected.

Figure 1: With 1 being the biggest challenge and so on, please rank your 5 biggest challenges in risk management
Cost continues to remain one of the biggest challenges. Valuable man-hours that could be redirected to activities that are closer to core business needs are spent on routine vulnerability patching.

CIOs and their senior management representatives say that they will save valuable man-hours by reducing patching frequency. They estimate an average of 12 man-hours will be saved per week if the frequency of patching is reduced from weekly to monthly. North America stands out with the highest estimated savings of 18 man-hours per week.

Accurate detection is critical. However, not all companies are able to pinpoint threats or vulnerabilities, with just a little above half of respondents saying they are able to do so. As a result, 44 percent said that they over-protect and patch everything they can. “When in doubt, patch” is clearly not the way to reduce patching man-hours. On the positive side, 61 percent of the surveyed companies in APAC try to focus on the most important assets during threat/vulnerability detection. On the other hand, only one-third of the companies in France take this approach, while more than half try to patch everything they can.

Organizations clearly need to make effective use of automated risk management tools for accurate and comprehensive vulnerability detection, coupled with detailed asset profiling and risk assessment based on business impact.

Impact of Out-of-Cycle Patches and Patch Tuesday

Out-of-cycle patches throw corporate IT processes and resources off track, disrupting operations and escalating unanticipated (and unbudgeted) cost. The survey shows that 82 percent of respondents feel that there is an impact due to out-of-cycle patches. In France, a quarter of the companies surveyed report that out-of-cycle patches have a major impact on operations.

Disruptive out-of-cycle patches result in:
• Data loss
• System crashes
• Service interruptions
• Productivity loss
• Remote endpoints affected
• Disruption of planned activities
• Increase in IT management and security costs

“82 percent of respondents feel that out-of-cycle patches have an impact on their IT processes.”

Respondents report that they spend an average of 15 hours in a week when an out-of-cycle patch is released, with McAfee product users spending fewer hours than non-users, demonstrating a positive impact of automation technology.

“Companies spent an average of 15 hours in a week when an out-of-cycle patch was released.”

The reaction to “Patch Tuesdays” is similar to dealing with out-of-cycle patches. Nearly two-thirds of the companies surveyed said that they are somewhat concerned about vulnerabilities and remediation during Patch Tuesdays. Companies in APAC (73 percent) and North America (69 percent) in particular expressed concerns around this monthly burden.

Even with fully automated risk and compliance management, 73 percent of companies said that they would review vulnerabilities whenever possible, whereas just 15 percent would forget about dealing with Patch Tuesday as a special case. France stood out among all the countries, with 28 percent of the companies saying that they plan around Patch Tuesday on the same day.
• The US Congress continues to wrangle over federal cyber security legislation, which will have a profound impact on both the federal government and business IT security.

In addition, auditors are honing their interpretations of requirements as they gain experience and are more likely to hold corporate feet to the fire.

Apart from regulatory reasons, companies are also turning to risk and compliance products because of the following factors:
• Multiple compliance regulations: The global reach of modern companies is making it difficult for them to address multiple compliance regulations, which vary from country to country, as well as multiple regulations within each national jurisdiction. A company needs to cater to each regulation, which may set very different compliance requirements, without disrupting the normal flow of information across the organization.
• Risk and compliance products help organizations apply security controls using recognized standards (ISO, COBIT, NIST, etc.) and map them to applicable regulations: This enables organizations to apply a uniform set of sound security controls and issue audit reports on an as-needed basis. While half the companies participating in the survey usually have to comply with fewer than 10 regulations worldwide (no small number!), around 20 percent have to comply with up to 20 regulations.
• Integrating various parts of the organization: Risk and compliance platforms need to establish a seamless and transparent flow of data across the organization. This is a difficult task, especially when the various factions of a large company may have their own vulnerabilities and regulatory requirements. This requires management support for a uniform risk and compliance policy and process across the organization, and tools that scale risk management and compliance on a large company level.
• Increasing complexity of malicious attacks: Corporations around the world are facing threats that are growing increasingly sophisticated and targeted. In addition to theft by cyber criminals, attacks are increasingly motivated by corporate competition and nations seeking cutting-edge intellectual property and/or state secrets. In order to keep up with these ever-changing attacks, security systems need to be constantly upgraded. Apart from external threats, corporations today also face the prospect of insider sabotage, identity fraud, and unauthorized access to systems and networks.

Challenges in Achieving Compliance

Companies face many challenges to achieve compliance (see Figure 2). The greatest of these challenges, for CIOs and their teams, is to keep their systems compliant. The second biggest challenge is to completely automate IT controls, and understanding complex regulations is the third biggest hurdle. The answer to these challenges is automation and integration. While it does not eliminate the need for human participation, it allows skilled professionals to focus on informed decision making rather than on slow and error-prone manual information gathering for tasks such as risk assessment and audit response. Automated change control monitoring, enforcement, and reporting are key elements in achieving compliance and security. Moreover, in large organizations it is almost impossible to keep systems compliant, which was the respondents’ number one challenge, without automation.

“The greatest challenge for CIOs and their teams is to keep their systems compliant.”

Risk and compliance tools enable understanding regulations and managing each regulation off a common set of processes and data (assuming they do an inadequate job of mapping controls to each regulation and producing regulation-specific audit reports that can be tailored to the companies’ specific policies and requirements).
Figure 3: Which of the following is the most challenging in terms of complying with regulatory mandates?
  Rank 1: Databases
  Rank 2: Network
  Rank 3: Applications
  Rank 4: Storage Systems
  Rank 5: Operating System (OS)
Source: Evalueserve Primary Research

and separation of duties. Database scanning capabilities are now included in a number of vulnerability management tools.

Network mandates are ranked number two, followed by applications. After long neglect – despite the proliferation of application-layer vulnerabilities and attacks – application vulnerability detection and remediation is emerging as a security priority. This is especially true as web-based applications represent the tip of the spear for attacks. It is also becoming an implicit and, in some cases such as PCI DSS, explicit compliance requirement for both existing production applications and software development.

Storage systems are ranked fourth and operating systems come last, most likely because this is a well understood and addressed area of risk, taking into account the higher inherent security in Unix and Linux installations; the long and deep experience with Windows flaws and patches; and Microsoft’s security initiatives in recent years (“secure by design, secure by default…”).
Current and Planned Deployment to Achieve Compliance

As we’ve indicated previously, primarily in regard to vulnerability and configuration remediation, strong change control policies, processes and the use of automated tools are essential to effectively implement and maintain a risk management and compliance program on an enterprise scale.

There’s good cause, not only from a security and compliance perspective, but in terms of the business impact on operations. Consider that companies surveyed estimate that 14 percent of downtime in a year is the result of unauthorized changes.

“Companies that were surveyed estimated that 14 percent of the downtime in a year is the result of unauthorized changes.”

Small wonder that 75 percent of companies currently deploy configuration assessment tools (see Figure 4). This is followed closely by file integrity monitoring (68 percent) and database activity monitoring (68 percent) products.

The UK has a significantly higher (63 percent vs. overall 54 percent) adoption of audit reporting technology, and Germany is lowest, with just a third using it currently.

Deployment will continue to grow sharply, so it is expected that the overwhelming majority of companies will implement all of these compliance technologies by the end of 2011.

Figure 4: Which of the following IT controls do you currently use/deploy to achieve compliance, and which ones do you plan to implement in 2011?

Figure 5: If you maintain audit trails of changes to your servers, which of the following control information is included in your current audit trails?
Diversity and Fragmentation

Managing different processes within the organization while simultaneously maintaining strict levels of compliance and security is a time-consuming and error-prone task for most companies. Using integrated risk and compliance products, organizations can coordinate and automate the entire security and compliance process, freeing them to focus on their core business.

The risk and compliance market (encompassing all policy, compliance, risk and vulnerability assessment products) is highly fragmented and saturated with a large number of small players. Many of them offer products clearly defined across niche lines such as compliance offerings, risk management, and vulnerability assessment. Several large players, with backgrounds as diverse as ERP, business intelligence, and security software, put further pressure on an already crowded market. The market has seen a few mergers and acquisitions in recent times, but the frequent entry of new players makes market consolidation difficult.

According to the survey, McAfee has the highest deployment among risk and compliance vendors, with 60 percent of the respondent companies using its products and services. The UK (70 percent) and North America (67 percent) have the highest deployment of McAfee’s risk and compliance portfolio. McAfee is followed by Symantec (54 percent) and IBM (48 percent). Symantec has the highest deployment (61 percent) in APAC. Germany (44 percent) and France (38 percent) report the lowest Symantec usage. These figures also indicate that companies are using multiple vendors for single or multiple locations.

Market Size and Growth

According to IDC, in 2009 the worldwide risk and compliance market grew by a modest 6 percent y-o-y, from $2.6 billion to $2.8 billion, primarily because of a sluggish world economy and a decline in overall IT spending. However, stricter compliance mandates and a growing body of data disclosure laws toward the end of 2009 increased the market growth expectations. IDC now estimates the market to grow at a CAGR of 12.1 percent over 2009–2013, to reach around $4.4 billion in 2013 (see Figure 6).

Of the companies surveyed, nine of ten plan to deploy risk and compliance products through software; appliances were the second most popular deployment model, with two-thirds of the respondents. While these are conventional methods, new modes of deployment are expected to gain preference. One-third of the companies surveyed plan to deploy risk and compliance through hosted SaaS or virtual machines. The UK emerges as an early adopter, with 50 percent currently deploying risk and compliance solutions through SaaS and 61 percent deploying the technology as virtual machines.

The IDC findings show that risk and compliance technology delivered on the SaaS platform is expected to witness strong growth of 30.5 percent CAGR from 2009 to 2013.
[Figure 6: bar chart of the worldwide risk and compliance market, 2008 to 2013, broken out by Software, Hardware, Virtualized and SaaS; vertical axis 0 to 5,000]
Market Outlook

On average, companies are spending 15 percent of their IT budgets on risk and compliance management and 22 percent of their IT budgets on information security. Companies in Germany are the lowest spenders, with more than half spending less than 10 percent of their IT budgets on risk and compliance management. German companies surveyed are also the lowest information security spenders, at 18 percent of their IT budgets.

In 2011, the outlook on risk and compliance spend is robust, with nine out of ten companies estimating similar or higher IT spending levels. On average, companies are expecting to spend 21 percent more on risk and compliance management in 2011. The UK is expected to be the highest spender, with an estimated increase of 24 percent on risk and compliance management, and APAC is expected to be the lowest, with an average increase of 15 percent.

More than half the users of McAfee products are expected to spend more on risk and compliance management in 2011. McAfee users are also spending heavily on information security and risk and compliance management when compared with non-users.

“In 2011, the outlook on risk and compliance spend is robust, with nine out of ten companies estimating similar or higher IT spending levels.”
Moving forward, the dynamic nature of the risk and compliance market necessitates that products adapt rapidly to changing requirements and regulations placed on companies worldwide. The likely trends to emerge in the market are:
• Risk and compliance practices are not expected to mature in the short term: Continuous changes in the industry and new regulations will impede the maturation of risk and compliance practices. For some time, innovation in risk and compliance products is expected to be driven primarily by the corporations’ need to react to short-term changes in compliance requirements.
• Increasing vendor competition: Strong market growth, coupled with a constant requirement for newer technologies and products, is expected to bring several new vendors into the risk and compliance playing field. This fragmented industry, however, is expected to undergo some consolidation in the following years.
• Vertical specialization among risk and compliance vendors: Vendors are expected to start differentiating themselves by developing products that serve only particular verticals. In the long term, larger vendors will be able to capture larger and more profitable verticals, charging higher prices in the process. This is expected to improve their profitability and cause a shift in revenues toward these vendors.
• Integrating risk assessment with business intelligence and data governance technology: The trend toward integrating compliance and regulations within the core business structure is expected to pick up in the near future. Data aggregation and analytics will play increasingly crucial roles in helping businesses understand the information from the perspective of both compliance requirements and self-regulatory risk assessment. Technologies such as vulnerability management, presently used to assess network vulnerabilities, are expected to be gradually absorbed into risk management and remediation.
• Emerging technologies are expected to add value to the risk and compliance industry: Risk and compliance professionals are expected to start using emerging mobile, social, and cloud technologies. This will not only have an impact on the products at the functional level, but will also affect the way they are marketed and sold.

The risk and compliance market, therefore, is expected to follow its dynamic path of rapidly changing requirements and their solutions in the short term. However, risk and compliance solutions of the future will be based on a variety of platforms, and come integrated with other technologies such as business intelligence. These products will allow companies not only to achieve basic regulatory requirements, but also to use the vast store of risk and compliance information to streamline their organizations and strengthen any internal weaknesses. This will drive the overall maturation of this market in the long term.
Research Approach

Sample by region (each 20 percent of the total of 353 respondents): North America, UK, Germany, France and APAC, with per-region samples of N = 70, 70, 70, 71 and 72.

The margin of error on a sample size of 353 is ± 5.2 percent, with a confidence level of 95 percent—i.e., overall the findings have a 95 percent chance of lying within ± 5.2 percent. The percentages on questions where respondents could select only one answer may not sum to 100 due to rounding.

The sample size for some questions is lower than 353. This is because not all respondents qualified to answer these questions based on their response to previous question(s).