
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine.


1 Develop a Network Security Roadmap to Lower Incident Costs and Increase Efficiency

Save over $100,000 in consulting fees with a streamlined and accelerated process.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2014 Info-Tech Research Group Inc.

2 Introduction and Member Understanding

Creating a security roadmap does not have to take a lot of time or money from consulting firms. Use your time and information you already have, and save.

Does this sound like you?

I’m an IT security or network manager and:
o My team and I are constantly in security fire-fighting mode.
o Our security strategy is to add solutions piecemeal and I know it would cost us less if we planned better.
o Despite our attempts to patch the “leaks,” we’re dealing with more problems than we need to.
o There are definitely gaps in our architecture – which is leading to higher costs in network maintenance and lost productivity throughout the whole company.
o I keep getting surprised by new threats.

As an IT security or network manager, to solve these problems, I need to:
o Understand what my organization currently has in place and optimize it.
o Identify what we’re missing and develop a plan to address those gaps.
o Prepare a strategy to secure business buy-in to justify costs and create a more comprehensive security plan.

This Research Will Help You By:
o Validating your risk tolerance level
o Identifying your threat landscape
o Establishing business requirements and security priorities
o Documenting your current processes and technologies
o Developing your roadmap based on priorities tailored to your organization’s needs

3 The benefit of a network security roadmap is that it sets your organization up for success, no matter its size

Whether you are a large or small organization, this blueprint still applies.

Value of creating a network security roadmap:
o Increased preparedness (for the annual budget cycle and the ability to defend security)
o Increased security against risk
o Proactive posture towards the threat landscape
o Future-looking agenda to address security goals in the long-term
o Minimized number of potential breaches
o Minimized impact of potential breaches
o Minimized cost and time of responding to breaches and dealing with potential network downtime (and subsequent employee and client dissatisfaction and business grief)

Impact:
o Short-term impact: the process will prevent a lot of headaches and costs that an organization will experience if it attempts to create a roadmap through a consulting group.
o Long-term impacts: increased protection against risks, fewer problems with network breaches, less time spent firefighting, and security costs evening out and eventually lowering as issues are proactively addressed.

4 Info-Tech’s Network Security Blueprint provides a streamlined process

Save time and gain value through an accelerated project plan.

Value of completing the Info-Tech Blueprint:
o Minimized time spent on creating a network security roadmap
o Minimized cost spent on creating a network security roadmap through outsourcing a consulting group, etc.
o Optimized up-front capital (hardware/software) on security spend and operational (labour) expenditures
o Optimized ongoing operational expenditures and minimized overall security spend

Expected Project Timeline:
Be aware that while the creation of the actual roadmap document may be streamlined, you and your team should expect that implementing the roadmap will take anywhere from one to three years. Many security solutions can’t be implemented in a day.

5 Info-Tech’s Network Security Roadmap Blueprint Methodology

Step 1: Conduct current state analysis
o Step input: Understand risk tolerance levels. Discuss organizational reality (IP, data sensitivity). Establish how much risk you’re willing to accept.
o Step output: Risk Tolerance Level.
o Deliverable: Risk Tolerance level
o Insight: Most IT shops do not realize that their tolerance of risk is the first factor to influence their roadmap.

Step 2: Establish your organization’s threat landscape
o Step input: Current threat landscape. Top existing threats to organization. Potential threats to organization.
o Step output: Where your organization’s attention should be in terms of current and potential security threats.
o Deliverable: Information Security Event Analysis Tool
o Insight: Most organizations have a narrow-minded idea about the real threats facing their organization.

Step 3: Determine roadmap deployment priorities
o Step input: Business requirements. Security priorities (e.g. Compliance requirements). Current security tools deployed.
o Step output: Implementation Roadmap.
o Deliverable: Network Security Implementation Roadmap Tool
o Insight: You can take the roadmap to your stakeholders when they want to know your short and/or long-term plan, and what your team uses as a to-do list for implementations.

Step 4: Obtain business buy-in
o Step input: Implementation roadmap priorities for next budget year. Costs/implementation time required.
o Step output: Network Security Communication and Business Justification Deck.
o Deliverable: Network Security Communication and Business Justification Deck
o Insight: Roadmaps go nowhere without buy-in. Successful communication equals approval for your priorities.

6 Create a roadmap with what you have; no outside consulting groups are required

Key insight: If you get the right people in the room who will work hard, this project will not require a month to complete – you could finish it in 2 days.

What insights and trends are driving this project?
o Completing a roadmap proactively instead of reactively (e.g. after an incident) keeps stakeholders impressed instead of unhappy.
o APTs – the threat landscape is more unpredictable than ever. You can’t afford not to plan.
o The increased focus on meeting compliance regulations due to the unpredictable threat landscape encourages planning.
o Mobile device landscape – security must be applied beyond your perimeter, which means you’ll be dealing with different threats.
o Cloud proliferation – secure end-to-end.

Insights by step

Step 1: Conduct current state analysis
o Risk tolerance plays a larger role than you think in where your roadmap will end up.

Step 2: Establish an organization’s threat landscape
o Your present-day threats don’t always inform your future; be prepared.

Step 3: Determine roadmap deployment priorities
o Your roadmap must be informed not only by what you currently have in place, but by your business and compliance requirements as well.

Step 4: Communicate to stakeholders
o Buy-in won’t necessarily come easily; you need to sell your roadmap using their language.

7 No plan = more stress, more costs, more attacks

The following are mini case studies on what happens when a formal security policy does not exist.

Not Meeting Business Requirements
Neglecting to formally establish what the business’ security requirements are can result in failing to appropriately serve and protect the business. This can be costly in the long run.
Example: A sales organization that had plans to move to online sales never conveyed these plans to IT. Similarly, IT never asked what the business’ plans were as they never went through the IT Security Planning process. The organization’s Security Network Architecture supported the “old” requirements but not the new direction. When the new direction was communicated, IT was unprepared to support the needs of the company. In the end, IT needed to delay the business’ move to online sales while they changed the gateway security infrastructure.

Security Gaps
Informal, ad-hoc security planning results in security gaps as the organization fails to implement the right tools in the right order to maximize security.
Example: An organization that had recently purchased a Unified Threat Management solution that included gateway anti-malware protection decided that endpoint anti-malware was no longer necessary. When one of its remote employees who had been disconnected from the network connected to it with his infected laptop, a virus ran rampant through the network because the endpoints were unprotected. With proper planning, the organization would have been able to consider the risks that remote workers present and would have been required to take the necessary steps to mitigate these.

Inappropriate Tools in Place
Info-Tech research shows that companies with no formal IT Security Plan in place show significant random selection in the tools they choose and the order in which these are implemented.
Example: A financial organization that needs to meet specific compliance requirements purchased Content Filtering and Data Leakage Protection systems after implementing baseline tools. Instead, it should have implemented a Management System to monitor all of the tools it already had in place. The high cost of the Management System caused the organization to look for cheaper tools first. This misalignment resulted in its failing to provide conclusive reporting for security auditing purposes.

8 You can’t afford not to have a plan

You are here. Probably because business has requested a plan (it has read the news and knows the costs), or you’re ready to pay more attention to your security plans. If you’ve suffered an incident, or you simply have no plan – you need this blueprint. You can’t afford to keep firefighting.

Having a roadmap means realistically anticipating current issues and potential incidents based on where IT and the business currently are and where they want to go.

This is not an IT-exclusive process; it must reflect business requirements as well. If business wants to become more mobile, a roadmap will help IT plan for that move appropriately instead of creating an ineffective piecemeal plan when it creeps up on them.

A roadmap will also help IT acknowledge that the future is going to be even more unpredictable.
o Trend Micro predicts that there will be one major data breach each month in 2014, and so far this year, that has proven to be true (e.g. Target, Yahoo).
o Attacks will become more mature and continue to cost organizations financially and reputation-wise.
  – 2013 – Carberp (a botnet creation kit) stole banking credentials and $250 million from financial institutions and customers.
  – Target breach projected to cost the organization over a billion dollars and reputation damage control. [1]
o Continued movement to the Cloud and mobile means more access points for attackers to grab your data.

[1] http://www.bizjournals.com/dallas/blog/morning_call/2014/02/target-data-breach-could-cost-retailer-more-than.html

9 Is this blueprint right for you?

If you can check off three or more of the following options, this Network Security Roadmap blueprint will address your goals.
o Is your organization planning to allow more mobile devices and/or a move towards the Cloud? Do you have a plan to properly secure your networks?
o Has business requested to see a short or long-term plan for what IT wants to implement in terms of security for budget purposes?
o Has business been pressuring IT to increase security in the wake of highly-publicized breaches?
o Have you and your team ever attempted to create a forward-looking plan for security?
o Do you and your team have the basics implemented, but are unsure of where to go next?

10 Any roadmap must include metrics for success

Using metrics with a roadmap works best when you already have baseline information, but can be done without it as well.

Most organizations do not frequently track their security metrics (e.g. how many incidents have been prevented? How many incidents have occurred? What kind of impact did they have? What was the recovery time? Etc.)

However, value will not necessarily be achieved with a metric of “your overall security score post-roadmap completion,” but with measuring value from each component of the roadmap.
o Because roadmap completion happens in short and long-term gains, it’s too difficult to anticipate when it will be entirely finished, and benefits can be achieved in the process.
o By looking at each component and tracking that it’s doing its job, you can get an overall sense that the tools that have been implemented are doing their job.

Your final metric in this blueprint will be to succeed at getting business support for the roadmap as it won’t get far without business backing it financially.

This measuring tape, which can be found throughout the blueprint, is an indicator of where your metrics can come into play to benefit you. In this blueprint, you will see this image when you have an opportunity to track how a control is working for you or not (e.g. Control – Firewall). Measure the metric’s ability to block attacks.

Metrics Timeline:
o Take a baseline snapshot of the past year of security-related incidents. Save that total.
o Track incidents for the current year as you normally would.
o At the end of that year, compare the total number to last year’s total number to identify a reduction of incidents.

11 Successfully developing a network security roadmap requires the right people

Coordinate stakeholders so that they are ready for each stage of the process.

Stakeholders: IT Staff, CIO, IT Manager, CEO, Security Manager

Steps:
1. Conduct a current state analysis
2. Establish an organization’s threat landscape
3. Determine the roadmap deployment priorities
4. Obtain business buy-in

12 Info-Tech Research Group Helps IT Professionals To:
o Quickly get up to speed with new technologies
o Make the right technology purchasing decisions – fast
o Deliver critical IT projects, on time and within budget
o Manage business expectations
o Justify IT spending and prove the value of IT
o Train IT staff and effectively manage an IT department

“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment.” - ARCS Commercial Mortgage Co., LP

Sign up for free trial membership to get practical solutions for your IT challenges: www.infotech.com
Toll Free: 1-888-670-8889

