So who better than an analyst legend of the networking and computing boom era, the founder of analyst firm Current Analysis himself, and now a year-long member of the HfS team, Fred McClimans<\/a>, to have a serious deep dive into what we are calling… Trust-as-a-Service:<\/p>\n Click to Enlarge<\/p>\n<\/div>\n So Fred, why a Blueprint on security, or perhaps the better question, why trust as a Blueprint topic? The transformation from an analog to a digital economy has been profound, giving rise to a whole new wave of business and economic models that place the consumer first and corporate assets online. This is a huge shift from the legacy models where brands controlled the message, consumers ate what was available, and managing risk meant not much more than a solid business plan, a line of credit, and Master locks on the front and back doors. That game ended a long time ago.<\/p>\n With most, if not all, corporate data now available online, and a massive consumer-driven omnichannel engagement model, we\u2019ve literally given competitors and \u201cevil-doers\u201d a map of where to find corporate treasure, while replacing those locked doors with free keys that we hand out to every customer. While the legacy threat had to get close to inflict damage, the threat today can manifest itself from anywhere.<\/p>\n We\u2019ve also seen a huge shift in the value that brands deliver to their consumers. It used to be all about the product, but now it\u2019s increasingly about the experience \u2013 an experience that is inherently digital, less personal, and perhaps a bit more fragile. No matter how you look at it, enterprises today face risk both to their internal assets as well as to their greatest asset, their customers. Hacks and data theft \u2013 especially personal consumer data \u2013 ruin that customer experience, and decrease the level of trust. If your online or digital brand isn\u2019t trusted by the consumer, they\u2019ll easily go elsewhere. So, as we looked at the market for managed security services, it became clear pretty early on that it wasn\u2019t just security, or cybersecurity, that mattered, but the trust it enabled between a brand and its customers, partners, and even employees. That realization shifted how we approached the security market. Security isn\u2019t about securing assets, it\u2019s about creating trusted assets that can be leveraged in the market, hence Trust-as-a-Service for our Blueprint theme.<\/p>\n That\u2019s quite a shift from the traditional approach of measuring security in terms of firewalls, identity and access management, and malware detection. What was the approach you took to measure the ability to provide trust as a service? And can you share some of the key takeaways from your research?<\/span><\/p>\n Fred McClimans is Managing Director for Security Research, HfS (Click for Bio)<\/p>\n<\/div>\n Well, first off, this Blueprint definitely takes all the traditional security elements into account \u2013 what we refer to as the technology side of security. Security Event and Information Management (SIEM), Data Loss Prevention (DLP), Identity Access Management (IAM), app and device security are just as important today as they were a year ago, perhaps even more important as the sophistication of cyberthreats has increased. But the real area where we are seeing new value in security is in behavior, and not just user behavior, but enterprise behavior.<\/p>\n An increasing number of security breaches can be directly tied to enterprise behavior and processes that haven\u2019t kept up with the growing threat. We see insider threats all the time, even though most security is directed outward. And increasingly, data isn\u2019t just being stolen from within the enterprise, but from enterprise partners and consumers. So there\u2019s real need to start looking at some of the business structures and processes, the deals we make, and the types of information and access we\u2019re willing to share, that often lead to increased risk that even the best technology is unable to protect from the right prying eyes.<\/p>\n T-mobile had a significant (hack recently that came through one of their partners, Experian. And Sony\u2019s infamous hack last year, that was linked to North Korea and the film \u201cThe Interview\u201d, revealed that over 100 internal Sony system were simply unmonitored. Both of these hacks can be tied to behavior and process.<\/p>\n So what did we do? We started with the main technical criteria and then layered on top the ability of providers to take their customers to the next level of blended physical\/digital and process\/behavior maturity, which you\u2019ll see referenced in the Blueprint as the HfS Digital Trust Framework (see Can Today\u2019s Providers Deliver the Elements of Digital Trust?<\/a>) and the Digital Security Maturity Model (see Transforming the Security Maturity Model<\/a>).<\/p>\n What separates the winners in security apart from the others? Is there a particular technology or focus that gives them the edge in helping enterprises counter the cybersecurity threat?<\/span><\/p>\n Now you\u2019re really getting into it. I think the best way to put it is to start with the technology. Every provider we looked at had solid technical chops. In fact, there\u2019s a pretty good overlap with some of the partnerships that operate behind the scenes. And while each provider has a bit of their own special sauce in the mix, technically they all show very well.<\/p>\n Moving up the maturity stack, what tended to set the providers apart was vision, and execution, for how enterprise security and trust enablement would materialize moving forward. Accenture and Wipro, two examples from our Winner\u2019s Circle (along with HPE and IBM), had existing services and processes that really closely aligned with our models for Trust. Leidos and Unisys, two of our High Performers (along with Cognizant, Dell, AT&T and Atos), similarly showed a good understanding of the need to move beyond security as technology and start thinking of it as a larger enabler of corporate risk management. At the end of the day, vision, innovation, and the ability to help their clients mature digitally were all key elements of success.<\/p>\n You mentioned a shift from security as a way to protect assets towards security as a way to build and leverage trusted assets. Does that have a bearing on the way enterprises approach outcomes? And what recommendations do you have for them on this journey?<\/span><\/p>\n Phil, that mindset shift is going to play a huge part in the success, or failure, of enterprises moving forward. Security can\u2019t afford to be an afterthought; it really needs to be thought of as a transformational enabler of a better, more trusted, business. The key recommendations? Let\u2019s start with the basics. If enterprises aren\u2019t aligning themselves with the Digital Trust Framework and the Security Maturity Model, they\u2019re already behind the game. By doing this, they\u2019ll be a bit more prepared for taking the steps needed to elevate their game.<\/p>\n Some specific recommendations would include elevating the responsibility for overall corporate risk and security management as close to the CEO and Board as possible; expanding their security architecture to include coordination, if not oversight, of their ecosystem partners; and a shift from a \u201cprevent all breaches\u201d to a \u201cminimize breaches and control risk\u201d approach. We\u2019re also recommending some actions in the areas of provider relationships, in particular related to contractual flexibility, a greater level of actionable innovation, and a closer review of international privacy policies, something that delves into the role of security with regard to personal privacy and data rights.<\/p>\n And of course technology \u2013 automation is going to play an increasingly significant role in identifying and countering security breaches.<\/p>\n How about the providers? What recommendations do you have for them, and how will they need to transform themselves moving forward, or even can they?<\/span><\/p>\n I think transformation is going to be a challenge for some of the providers out there today. Those that are leading with tech may find themselves defining their own outcomes, and miss the opportunity to shift from service providers to service, and value, enablers. I can easily see a bifurcation of the market into two groups: one that is focused on delivering value by leveraging security as a way to create trust (as their clients go through their own digital transformation), and one that remains very tech-focused and becomes more of a modular, or on-demand, type of provider. There\u2019s room for both, by the way.<\/p>\n But more directly, providers definitely need to think about security maturity in a fundamentally different fashion, which means they\u2019ve got a lot of education to do with their clients who, based on our research, are still often thinking of security from a tech-only perspective. They also need to target the C-suite aggressively, as many of the security-related improvements and initiatives that need to be discussed go beyond the scope of a CISO.<\/p>\n There\u2019s also an emerging physical\/digital approach to security that winning providers will, and are starting to, adopt. Biometrics, access control systems, these are all physical systems that help provide a trusted environment, but today they\u2019re separate from the digital security grid, unless they\u2019ve been included as IoT devices. But the future of security services will require providers to start to leverage these devices to provide both contextual awareness of threats and help seal off threat venues.<\/p>\n We\u2019re also recommending providers take a much more aggressive stance regarding corporate processes and behavior, especially from a larger risk mitigation perspective, that more emphasis be placed on aligning security services with specific business unit objectives, and that user education be significantly strengthened, to the point of bringing users in as collaborate security partners to help build a more trusted digital ecosystem.<\/p>\n And again, on the tech side, we\u2019re pushing for a greater level of modularity and adaptability to keep pace with the rapid evolution of malware, spear-phishing, and embedded code hacks. This is not an easy market to be in, and they\u2019ve got their work cut out for them.<\/p>\n What can we expect out of the industry in the coming year or so \u2013 it sounds like the threats show no sign of abating any time soon?<\/span><\/p>\n Let\u2019s face it, the security market may never achieve a stable, or inherently safe, status. One of the constants throughout the past decade \u2013 really since the inception of digital technology \u2013 is that the level of threat always seems to meet or beat the level of protection.<\/p>\n Enterprises are constrained by time, technology, and budget. Hackers, especially those that are organized or sponsored, live by a different set of rules. There\u2019s somewhat of an asymmetrical challenge at play. If you want to keep an asset 100% safe, you have to win every battle 100% of the time. But if you want to steal something, you only have to win once.<\/p>\n This imbalance is likely to become more pronounced as hackers find, and exploit, an increasing number of zero day vulnerabilities, especially in older, legacy systems, or as they start to leverage more of the accumulated personal data, that\u2019s available in the dark corners of the web, to put together sophisticated personalized hacks that continue to blur the lines between the physical and digital worlds.<\/p>\n We\u2019re also expecting an increase in the number of \u201cmass risk\u201d attacks \u2013 hacks that have the ability to cause fairly significant damage to a very large number of people, as well as an increase in smart hacks that find value in the accumulation of smaller pieces of less valued, or protected, information.<\/p>\n Fred McClimans\u00a0can be tweeted at @fredmcclimans<\/a><\/em><\/p>\n HfS readers can click\u00a0<\/i><\/b>here<\/i><\/b><\/span><\/a>\u00a0to view highlights of all our 26 HfS Blueprint reports.<\/i><\/b><\/span><\/p>\n![\"Click](\"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2015\/10\/Trust-as-a-Services-2015_Axis_only-e1445212169869.jpg\")
<\/a><\/p>\n
\n<\/span><\/p>\n![\"\"](\"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2015\/10\/Fred-McClimans-HfS.jpg\")
<\/a><\/p>\n