January 25, 2011, 4:21 PM — Every New Year brings an opportunity to review existing security plans and adjust strategies for the year ahead. As I take part in these conversations for 2011, the same themes keep coming up. Most CISOs are struggling with the same issues, from dealing with the changing threat landscape to properly supporting the rising adoption of social technologies, employee-owned mobile devices, and cloud services. In fact, Forrester's research shows that most of the challenges security professionals report relate to business orientation and alignment. For example, many senior business and IT leaders are asking CISOs to better support and align with business and IT objectives, and are requesting regular interactions and updates from security teams.
Given security leaders' pain points and focus areas for 2011, Forrester has identified recommendations for security strategies that address the broad security trends in the current market. Our recommendations fall into three major themes: 1) better governance structures; 2) more mature security processes; and 3) improved analytics and reporting capabilities.
Develop Governance Strategies To Support An Empowered Organization
Social, mobile, and cloud technologies are part of a groundswell movement that has taken hold of organizations, propelling waves of innovation and business transformations. Security can no longer block or impede this momentum; rather it's time for security leaders to mitigate risk to a level that is acceptable to the business. This means security leaders need to:
* Prepare for social technology adoption. As one CISO put it, social media adoption is like a freight train coming; if we don't prepare ourselves for it, we'll get hit pretty hard. Forrester surveys show a dramatic increase in the number of people accessing social media Web sites every day: the figure has jumped from about 11% in 2008 to 30% in 2010. Social media technology increases the risk of malware infections and data leaks (both intentional and unintentional). Social media policies will vary widely from one organization to another, but it's important to have a governance strategy and specific policies, in addition to the technical controls, process checks, and people awareness, to mitigate this risk.
* Help the business devise a strategy to leverage cloud services. The cloud is here to stay, so while security leaders should raise concerns about data security and regulatory risks, they should also be recommending ways to mitigate the risk of data disclosure or a data breach.