Showing posts with label IT Strategy. Show all posts

Thursday, April 10, 2014

Why You Need a Security Strategy and How to Develop One?

Some questions we need to address before we embark on an Information Security improvement journey!

From Edward Snowden’s leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not have been previously imagined. Beyond simply snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.

When it comes to policies and strategies, it’s hard to go past the tried and tested ways of the past. The best way to make a start is by doing SWOT analysis: Strengths, Weaknesses, Opportunities and Threats. 

Strengths
Look within your organisation. There are bound to be some really good things happening when it comes to Information Security. For example, you might have a very well-educated workforce that never opens unexpected attachments. Or your IT team is very conscious of the potential threats to your business and has solid systems and processes in place to deal with them.

Weaknesses
Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?

Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they across the latest threats and attack vectors?

Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.

If that’s the case in your business, look for ways to alter that culture.

Opportunities
Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your Information Security right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery. It’s also a great way to further the professional development of your staff.

If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.

Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.

Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.

Threats
Over the last year, it’s become apparent that the threats of the last decade are really just background noise today. Sure, we need to keep our firewalls locked down and end-point protection up to date, but what can you do when your hardware is compromised or a nation-state can break through your encryption?

These are real threats today. Stuxnet, back in 2010, compromised a nuclear power plant. It is believed by many that it was part of an attack by one government against another. Today, Snowden’s documents tell us that the NSA can intercept a massive array of data. And not just from enemies but from within friendly states.

  • So, when was the last time you reviewed your security policy?
  • Does it take into account new security mitigation techniques?
  • Have you adjusted the skills in your business to manage changing attack methods?
  • Is security a once-a-year audit activity?

Sunday, September 15, 2013

BYOD, Corporate-Owned or Hybrid Environments?

BYOD: The problem in reality is smaller than it seems!

Companies nowadays wrestle with the decision of whether to give employees the freedom to use personal mobile devices to access corporate data, or issue secure, mobile devices.

The main issue with the BYOD concept is balancing corporate control and user privacy, and at the end of the day it can cost the company more than buying corporate-owned mobile devices. You also have to deal with different OS versions, installed applications, rooted devices, etc. There are some great MDM products out there, but none can deal with the full diversity of the mobile device world.

BYOD, Corporate-Owned or Hybrid Environments? That depends on the “type” of business you do, but the best way to start is to limit access to resources from mobile devices to those who really need it. That way, at the end of the day, you will find that the problem in reality is smaller than it seems at the moment.

An interesting article about the cost, efficiency, productivity, risk and security implications of BYOD, Corporate-Owned and Hybrid Environments can be found on the following link http://goo.gl/7g0LL3.

Thursday, August 8, 2013

Can the CIO Be Chief Digital Officer?

It's difficult — if not impossible — to build great digital capabilities without linking to your existing IT capabilities and people

CIOs who do great things in leading IT soon gain extra responsibilities. By helping business leaders to improve their businesses, the CIO becomes an obvious candidate to fill any open role that involves technology, process, or strong governance. Some CIOs become CIO-Plus-COO or CIO-Plus-Head of Shared Services. Others gain new responsibilities in strategy, integration, or innovation.

But there is another leadership role that has arisen in many organizations in recent years: the Chief Digital Officer (CDO). In many companies, "digital" is a cacophony of disconnected, inconsistent, and sometimes incompatible activities.

It's common to see a company with three simultaneous mobile marketing initiatives, conducted by different groups, using different tools and vendors. Other companies have multiple employee collaboration platforms with different rules and technologies. The problem is exacerbated as business units do their own things digitally, or as companies hire vendors who can only do things their own way.

The CDO's job is to turn the digital cacophony into a symphony. It's OK to experiment with new businesses and tools, but experimentation must be coupled with building scalable, efficient capabilities.

The CDO creates a unifying digital vision, energizes the company around digital possibilities, coordinates digital activities, helps to rethink products and processes for the digital age, and sometimes provides critical tools or resources. That's why Starbucks — an early leader in all things digital — hired a CDO last year. And it's why many other companies are naming CDOs before they get too far along the digital road.

The title CDO may or may not become permanent in the company. But the responsibilities of the CDO will be required. You may appoint a temporary CDO to get your house in order, or you may develop other ways to get the job done.

Whatever approach you choose, you need to create appropriate levels of digital technology synergy, brand integration, investment coordination, skill development, vendor management, and innovation over the long term.

In an increasingly digitizing business world, most companies need better digital leadership and coordination. You need to create a compelling digital vision, coordinate digital investments, drive appropriate synergies, build a clean technology platform, and foster innovation. You need to energize a busy workforce and generate shared understanding in your senior executive team. 

Friday, May 24, 2013

BYOD is here to stay, Why?


Should enterprises adapt to an increasingly mobile world?

Statistics from major BYOD surveys and analysts over the last year show that the BYOD trend is strong and will only get stronger. There are already 1 billion smartphone users around the world, with 1.3 billion smartphone and tablet sales expected in 2013.

Employees are using their personal smartphones for work all over the globe. However, the trend is strongest in high growth countries, such as Brazil, Russia and India, and among the youngest workers. Employees bring their own devices because they believe they let them do their jobs better, they like the flexibility to work when they want, and they prefer to carry a single device for work and personal use. Even knowing the security risks, and that their companies might be watching their online activities, isn’t stopping this trend.

IT departments are paying attention. They are aware of the growth of BYOD and are mostly positive about it. High growth countries and the US are more positive and providing the most support. While most IT departments have been supporting BlackBerry and Apple devices, many are realizing the need to support Android and Windows Mobile as well. Not surprisingly, the most popular business applications being used on mobile are email, web browsing, contacts and calendars, however more than half of IT departments report mobile apps being used for office applications, task and project management, social media, sales force automation or CRM as well. 

By embracing the rise of BYOD and enterprise mobility, 2013 presents the opportunity for IT to change their role from service providers and technology partners to leaders and business strategists. By taking the initiative and working closely with all areas of the business, IT can lead the company into the New Age of enterprise mobility – enabling increased productivity and operational efficiencies, securely, and cost-effectively. 

See below A Visual Display of the Current State of BYOD 2013:

Wednesday, August 8, 2012

Recommendations For Your Information Risk Management and Security Strategy

The strategy associated with an enterprise’s information risk management and security (IRMS) program becomes a road map for its activities. When developing or refreshing your IRMS strategy, there are many considerations that should be accounted for to make sure it is beneficial to your enterprise and plausible for implementation and ongoing success.

Here are five things to consider when undergoing this effort:
  1. Validate your strategy with your intended audiences early in its development

    The key to any successful strategy is the positive perception and realization of its value by the people it will impact.

    Too often IRMS professionals assume they intuitively understand their enterprise’s requirements and expectations, as well as the benefits that will be obtained by implementing their proposed strategies. While this may be the case, it is important to validate these assumptions with the customer of the strategy to ensure they agree. Without their support the strategy will have little chance of success.

    The easiest way to achieve this validation is to socialize the concepts and ideas that you intend to include in your strategy with key leaders and stakeholders early in the development process. If they are involved in shaping its development and agree with your views and approach, there is a much higher likelihood of successful execution.
  2. Align the IRMS strategy with your enterprise’s information risk profile
    An enterprise’s approach to IRMS should be about information risk first and security second. When developing your IRMS strategy, make sure you align your programs and activities with your enterprise’s information risk profile.

    This profile will identify the information risk appetite of your enterprise. A risk-based strategy presented to a sponsor or leader has a high probability of gaining support since it is designed to align with needs and expectations. If your enterprise does not have a formal information risk profile, seek out the individuals who have risk management responsibilities in the enterprise (i.e., finance, legal, compliance) as well as business process and data owners to work with them to identify their information risk appetite and expectations of security to create a profile to support them.
  3. Leverage staff as a force multiplier
    Leaders and individual contributors associated with IRMS programs and capabilities often feel as though they are overworked and undersupported by their enterprises. One approach that can help to ease this pain is to plan in your IRMS strategy to leverage your enterprise’s overall staff as a force multiplier.

    One strategy that is often successful is to identify individuals who will be tasked as IRMS champions within the key functions and services within your organization. By empowering these champions with knowledge, capabilities and expectations, they can assist you in meeting your IRMS objectives without having to significantly expand the budget or staffing of your program. Beyond the establishment and support of champions, the creation of a risk-conscious and security-aware culture within your enterprise can provide an effective force multiplier for your efforts as individuals incorporate IRMS as a business as usual activity.
  4. Consider current and projected business conditions
    Current and projected economic and business conditions can have a distinct impact on IRMS strategy development. If your enterprise is currently contracting or operating in an extremely cost-cautious manner, or is projected to, develop a strategy that accounts for this situation. Even when considering areas such as compliance, where many IRMS professionals assume their organizations will have to invest to ensure alignment, it is important to identify contingencies in cases where they are unwilling or unable to do so.

    Alternatively, if your enterprise is currently or plans to be operating in a business growth and expansion mode, this is an ideal time to invest in programs and capabilities that will ensure alignment with business needs and expectations. When developing strategies in either scenario, it is important to identify and validate the business value of your proposed strategy to gain the support of your enterprise’s leadership and program sponsors.
  5. Ensure the strategy can be implemented and operate successfully with your existing budget and resources
    A common mistake made in the development of IRMS strategy is to assume that enhanced funding will be provided or sustained as part of its execution. Business conditions and information risk appetites of organizations can change quickly. IRMS can be an easy target for budget and resource adjustments.

    If the foundation of your strategy is based on the use of your current budget and resource allocation, your IRMS program and its capabilities will be more resilient during these types of fluctuations. Components of your strategy that require expanded budget and staff should be developed as modular initiatives whose business value can be clearly understood and monitored, but also easily adjusted if business conditions change.

Source: ISACA.

Thursday, July 26, 2012

The Department of Defense Cloud Computing Strategy

Goals presented “consolidate and share commodity IT functions resulting in a more efficient use of resources.”


The Department of Defense needs to accomplish its critical global missions despite a decreasing budget and rising cybersecurity threat. To that end, the Chief Information Officer of the DoD, Teri Takai, released its Cloud Computing Strategy, which outlines its goals to accelerate the adoption of cloud computing throughout the department.


In the strategy, the Office of the CIO explains why it wants to move to the cloud, its goals, the challenges that stand in its way and methods to mitigate them, and the coming steps the Defense Department plans to take to get there. The strategy uses the National Institute of Standards and Technology’s definition of cloud computing.


NIST defines cloud computing as: “A model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”


DoD likes this definition because it includes Software as a Service, Platform as a Service, and Infrastructure as a Service. According to the CIO, the DoD currently has a “duplicative, cumbersome, and costly set of application silos” that can benefit from more cloud computing. The goal presented in the Cloud Computing Strategy is to “consolidate and share commodity IT functions resulting in a more efficient use of resources.”


The DoD hopes to provide device and location independent on-demand secure global access to mission data and enterprise services. They also hope to enable rapid application development and reuse of applications by other organizations. This means both sharing and adopting the most secure commercially available cloud services.


The Cloud Computing Strategy also lays out four steps for implementing the Department of Defense Cloud Environment. The first will be to “Foster Adoption of Cloud Computing” by establishing a joint governance structure to drive the transition and an Enterprise First approach while reforming DoD IT finance, acquisition, and contracting and increasing cloud outreach and awareness.


The next step is to “Optimize Data Center Consolidation” by consolidating and virtualizing legacy applications and data. The third step is to “Establish the DoD Enterprise Cloud Infrastructure” so that it’s agile, consolidated, and secure.


The last step will be to “Deliver Cloud Services” using existing DoD cloud services and external providers. The CIO will provide oversight for component implementation of these steps.


Please refer here to download the strategy.

Friday, July 6, 2012

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus on adding short-term value to the bottom line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases into their presentations to management and further use their skills to identify their own organization's potential high consequence events.


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top level attention by taking a more assertive position to organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well considered analysis of the consequences of change, they can often get senior management interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again getting that message out through whatever communication vehicles is key.

Saturday, May 26, 2012

Utilities Sector Has The Poorest Governance Practices

Corporate Boards Still In the Dark About Cybersecurity


As the U.S. natural gas pipeline sector and the Department of Homeland Security square off against malicious cyber intrusions aimed at companies, along comes yet another study that highlights serious governance shortcomings of critical infrastructure companies when it comes to cybersecurity.


“The Governance of Enterprise Security: CyLab 2012 Report” [PDF], released last week by Carnegie Mellon University, offers the first side-by-side comparison of industries on governance practices and cybersecurity oversight.


Compared against the financial, IT/telecom, and industrials sectors, energy/utilities companies fared the worst. “Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices,” writes study author Jody Westby in Forbes (a co-sponsor of the survey, along with RSA).


“When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two.” The energy/utilities sector responses, as reported by Forbes, broke down as follows:

  • 71 percent of their boards rarely or never review privacy and security budgets.
  • 79 percent of their boards rarely or never review roles and responsibilities.
  • 64 percent of their boards rarely or never review top-level policies.
  • 57 percent of their boards rarely or never review security program assessments.

The energy/utilities respondents also “placed the least value on IT experience when recruiting board members,” writes Westby, the CEO of the consultancy Global Cyber Risk. Westby finds the energy/utilities results particularly troubling: “What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity,” she says.


The sector is also heavily dependent on industrial control systems (known by the acronym SCADA), “most of which were not designed for security and have no logging functions to enable forensic investigations of attacks,” she adds. The survey noted that overall, “the financial sector has better privacy and security practices than other industry sectors.”


The financial sector got the highest marks on undertaking best practices, and respondents from those companies also indicated “they are much farther ahead in establishing risk committees” on the board:


78 percent said they had a risk committee separate from the audit committee, compared to 44 percent among industrials, 35 percent among energy/utilities, and 31 percent among IT/telecom. The energy/utilities and the IT/telecom sectors were the least likely to review cyber insurance coverage—79 percent and 77 percent, respectively, said they did not do so. Meanwhile, 52 percent of financial sector boards and 44 percent of industrial sector boards said they didn’t perform a review.


But as the first round of CyLab survey findings published earlier this year revealed, governance around cyber risk is generally lacking. Despite holding extensive troves of digital assets—and bearing an explicit fiduciary duty to protect those assets—boards and senior management “are not exercising appropriate governance over the privacy and security of their digital assets,” according to the results.


These findings on board oversight dovetail with those of a 2011 study by the Center for Strategic and International Studies and McAfee, focused on power, oil, gas, and water companies around the world. That report, too, uncovered a similar dearth of preparedness.


“What we found is that they are not ready,” wrote the authors of last year’s “In the Dark: Crucial Industries Confront Cyberattacks” [PDF]. “The professionals charged with protecting these systems report that the threat has accelerated—but the response has not.” 


Those threats, as reported by company executives, increased substantially from the previous year. In the 2010 survey, “nearly half of the respondents said that they had never faced large-scale denial of service attacks or network infiltrations,” according to the authors.


By 2011:

  • 80 percent of respondents said they had faced a large-scale denial of service attack.
  • 85 percent said they had experienced network infiltrations.
  • A quarter of respondents reported daily or weekly denial-of-service attacks on a large scale.
  • Nearly two-thirds said that, on at least a monthly basis, they found malware designed for sabotage on their system.

Yet the bottom line for corporate cybersecurity was still disappointing: “Most companies failed to adopt many of the available security measures. This means that, for many, security remained rudimentary.”


Refer here to read more details.

Wednesday, March 14, 2012

McAfee Report Exposes Contradictions in Security Perception vs. Reality

Organizations Recognize Pervasiveness and Resiliency of Cyber Criminals - "Yet 79 Percent Experienced a Significant Incident in Past 12 Months"

McAfee announced the State of Security report showing how IT decision-makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It also reveals companies’ IT security priorities around processes, practices and technology for 2012.

As the corporate data environment expands, effective information security is possible only by creating a Strategic Security Plan (SSP) which incorporates a comprehensive threat analysis and an in-depth, layered security risk mitigation approach. The survey looked to identify some of the key trends facing enterprises in developing their SSPs.

Security Maturity

The survey respondents categorized themselves into various states of security maturity. These categorizations help to understand the mindset of the companies as they view enterprise information security. The terms below are used to describe the level of security maturity of participating organizations:
  • Reactive – uses an ad hoc approach to defining security processes and is event driven. 9 percent of the surveyed companies claim to be at this stage.

  • Compliant – has some policies in place, but has no real standardization across security policies. The organization adheres to some security standards or the minimum required. 32 percent of the surveyed companies claim to be at this stage.

  • Proactive – follows standardized policies, has centralized governance, and has a degree of integration across some security solutions. 43 percent of the surveyed companies claim to be at this stage.

  • Optimized – follows security industry best practices and maintains strict adherence to corporate policy. The organization utilizes automated security solutions which are highly integrated across the enterprise. 16 percent of the surveyed companies claim to be at this stage.

The key findings included:

Organizations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. However, most companies are not confident about quantifying the potential financial impact of a breach should one occur.

Organizational awareness and protection against information security risks is very important. However, one-third of the “Optimized” companies are uncertain about their IT security posture in terms of awareness and protection. Despite having formal strategic plans, 34 percent of the companies believe they are not adequately protected against information security risks which could impact their business.

A majority of the respondents say that as they develop Strategic Security Plans, they include consideration of potential threats and the associated risk to business and financial analysis. Yet, four out of five of the companies experienced a significant security incident in the past 12 months.

Almost a third of organizations surveyed have either not purchased or not yet implemented many of the next-generation security technologies that are designed to address current-day threats, despite more than 80 percent of the organizations identifying malware, spyware and viruses as major security threats.

Two out of every five organizations have either an informal or ad hoc plan or no security strategic plan in place. The size of the organization matters when it comes to having a formal SSP. Six of every ten large enterprises have a formal SSP, two out of every three mid-size enterprises have a formal SSP, while this ratio dips to only one in two small enterprises.

Organizations in North America and Germany are more likely to have a formal SSP than those organizations in other regions of the world. This may be attributed to the regulatory environments in those countries.

Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure, which in turn indicates that organizations are willing to spend on the right kind of security solutions.

Conclusions

While organizations are working on their strategic security plans and putting in their best efforts toward protecting business systems and critical data, there is much room for improvement all the way around.

  • Step up to a higher security maturity level. Only 16 percent of the survey respondents classify their organizations as being at the “Optimized” level. Worse, however, is the fact that 9 percent of the organizations are “Reactive” in their approach to IT security.

  • Executive involvement is crucial. While IT and security personnel may take the lead in developing the plan, it’s important to have insight from those who best understand the business systems and the data they use. Moreover, executive involvement is critical to set the tone for the importance of security throughout the organization.

  • Test early, test often, and make adjustments as needed. What good is a plan if it is developed and put on a shelf? If it is never tested? Unfortunately we learned that 29 percent of “Compliant” companies never test how they would respond to an incident. What’s more, the fact that 79 percent of the surveyed companies had security incidents in the past year indicates that there are gaps in the security plans that must be addressed.

  • Use budget allocations wisely. Though every manager would like to have a bigger budget to be able to apply more safeguards, the “Optimized” companies have found ways to reach the highest level of performance with the same level of funding (percentage-wise) as the companies who are less prudent with their budgets.

  • Use the right tools for the current threats. The survey shows that 45 percent of the companies haven’t deployed next-generation firewalls. Mobile security is another area that should not be ignored, yet 25 percent of the organizations have not purchased any tools for this purpose.

  • Focus on protecting the lifeblood of the company, the sensitive corporate data. The top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity.

Additional high-priority activities are all meant to improve each organization’s overall security posture. This is encouraging because without timely recognition and mitigation of security threats, an organization may be the next news headline—and nobody wants that dubious distinction.

About the Survey

The survey was conducted by Evalueserve and included responses from 495 organizations, ranging in size from a minimum of 1,000 employees to more than 50,000 employees. Countries included in the survey were the United States, Canada, United Kingdom, Germany, France, Brazil, Australia, Singapore, and New Zealand. The report is available at: www.mcafee.com/ssp

Monday, January 30, 2012

Gartner: 2012 Information Technology Predictions and Trends

Gartner, Inc. issued a press release announcing its 2012 list of top predictions and trends for IT organizations and users. Highlighted are key trends like Cloud Computing, Social Business, Big Data, Security, and Mobile. The predictions and trends made by Gartner align closely with the research I am conducting for my HorizonWatching 2012 Trends report due out in early January.

The eleven predictions from Gartner are as follows:

Cloud Services: By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players' revenue.

Social & Collaboration Platforms: In 2013, the investment bubble will burst for consumer social networks, and for enterprise social software companies in 2014.

Enterprise Email: By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client.

Mobile Apps: By 2015, mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4-to-1.

Cloud Security: By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.

Public Clouds: At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud.

IT Budget Management: By 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the IT department's budget.

Asia Sourcing: By 2014, 20 percent of Asia-sourced finished goods and assemblies consumed in the U.S. will shift to the Americas.

Cybercrime: Through 2016, the financial impact of cybercrime will grow 10 percent per year, due to the continuing discovery of new vulnerabilities.

Cloud & Sustainability: By 2015, the prices for 80 percent of cloud services will include a global energy surcharge.

Big Data: Through 2015, more than 85 percent of Fortune 500 organizations will fail to effectively exploit big data for competitive advantage.

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away," which is available on Gartner's website at www.gartner.com/predicts. The report apparently has links to more than 70 Gartner ‘predicts’ reports broken out by topics, industries and markets.