
ESG Research Final Sponsor Report

Security Management and Operations

By Jon Oltsik, Senior Principal Analyst

With Kristine Kao and Jennifer Gahm

June 2012

© 2012, The Enterprise Strategy Group, Inc. All Rights Reserved.


Contents

List of Figures (p. 3)

List of Tables (p. 4)

Executive Summary (p. 5)
  Report Conclusions (p. 5)

Introduction (p. 8)
  Research Objectives (p. 8)

Research Findings (p. 10)
  The ESG Security Management and Operations Segmentation Model (p. 10)
  The State of Security Management and Operations (p. 13)
  The Evolving Security Organization (p. 19)
  Security Organization Responsibilities (p. 22)
  Security Services Trends (p. 24)
  Risk Management Strategies (p. 27)
  Security Controls Effectiveness and Testing (p. 30)
  Situational Awareness (p. 34)
  Assessing the State of Security Information and Event Management (SIEM) (p. 38)
  Changing Attitudes Towards Security Management (p. 40)

Research Implications (p. 45)
  Research Implications for Technology Vendors (p. 45)

Research Methodology (p. 48)

Respondent Demographics (p. 49)
  Respondents by Role in Purchasing Decisions (p. 49)
  Respondents by Current Responsibility (p. 49)
  Respondents by Number of Employees (p. 50)
  Respondents by Industry (p. 50)
  Respondents by Annual Revenue (p. 51)


List of Figures

Figure 1. ESG Security Management and Operations Segmentation Model Criteria (p. 11)
Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model (p. 11)
Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012 (p. 13)
Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions (p. 14)
Figure 5. How Security is Viewed at Organizations (p. 16)
Figure 6. Perception of CISO within Organization (p. 16)
Figure 7. Level of Engagement of Executive Management Team (p. 17)
Figure 8. Characterization of Executive Management Team (p. 17)
Figure 9. Organizations Increasing Security Headcount (p. 19)
Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model (p. 19)
Figure 11. Areas of Information Security with a Shortage of Existing Skills (p. 20)
Figure 12. Current State of Information Security Professional Recruitment/Hiring (p. 21)
Figure 13. Information Security Organization’s Level of Responsibility (p. 22)
Figure 14. Groups Security Team Works With Most Closely (p. 23)
Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012 (p. 24)
Figure 16. How Use of Third-Party Professional/Managed Services has Changed (p. 24)
Figure 17. Reasons for Increasing Use of Third-Party Security Services (p. 25)
Figure 18. Areas of Third-Party Security Services Used (p. 26)
Figure 19. Formal IT Risk Management Programs in Place (p. 27)
Figure 20. How Formal IT Risk Management Program is Implemented (p. 28)
Figure 21. Organization’s Rating on Standard Security Best Practices (p. 29)
Figure 22. Frequency of Security Controls Effectiveness Testing (p. 30)
Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls (p. 31)
Figure 24. Metrics Used to Gauge Effectiveness of Security Management (p. 32)
Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed (p. 33)
Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack (p. 34)
Figure 27. Level of Visibility of Security Status (p. 35)
Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model (p. 35)
Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility (p. 36)
Figure 30. Weakest Aspects of Incident Response (p. 37)
Figure 31. SIEM Deployment (p. 38)
Figure 32. Effectiveness of SIEM (p. 39)
Figure 33. How Security Management has Changed Over Past 24 Months (p. 40)
Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations (p. 41)
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks (p. 42)
Figure 36. Automated Actions Currently Executed (p. 42)
Figure 37. How Security Technology Strategy Decisions Will Change (p. 43)
Figure 38. Biggest Security Management Challenges (p. 44)
Figure 39. Survey Respondents, by Role in Security Management Purchasing Decisions (p. 49)
Figure 40. Survey Respondents, by Current Responsibility (p. 49)
Figure 41. Survey Respondents, by Number of Employees (p. 50)
Figure 42. Survey Respondents, by Industry (p. 50)
Figure 43. Survey Respondents, by Annual Revenue (p. 51)


List of Tables

Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model (p. 15)
Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model (p. 18)
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model (p. 29)

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Executive Summary

Enterprise Strategy Group (ESG) conducted an in-depth research survey on the subject of security management and operations with 315 U.S.-based security professionals working at enterprise-class (i.e., 1,000 employees or more) organizations. For the purposes of this project, survey respondents were asked a series of questions about their organization’s information security philosophy, staffing and services, as well as security management and operations technology adoption and purchasing plans.

The objectives of this report were as follows:

• Appraise the current state of security management and operations. Strong information security depends upon an integrated mix that includes organizational leadership, formal policies, documented processes, skilled tacticians, and layers of complementary technical defenses. In this report, ESG looked at these areas to gather a comprehensive viewpoint on enterprise security management and operations. ESG also looked into three specific aspects of security management and operations: risk management, incident detection, and incident response. Finally, this report was intended to highlight specific security management and operations challenges and determine what, if anything, large organizations were doing to overcome them.

• Understand security management and operations changes. Driven by technologies such as server virtualization, cloud computing, web-based applications, and mobile devices, enterprise IT is going through numerous simultaneous changes. At the same time, large firms also face an increasingly difficult threat landscape featuring exponential malware growth and damaging targeted attacks. This research report looks at how IT and information security trends are transforming enterprise security management and operations requirements today and in the future.

• Explore the links between information security and business operations. As part of the research conducted for this report, ESG spoke with numerous enterprise security professionals. Many of these individuals indicated that executive managers were much more engaged with information security than in the past. As one CISO put it:

“Every time the Wall Street Journal includes an article about a security breach, I can anticipate a call from our CEO asking if we are vulnerable to a similar type of attack.”

While there is plenty of anecdotal evidence suggesting that executive managers are paying closer attention to information security, ESG wanted to take the opportunity to collect data in order to validate or refute this thesis.

• Analyze the impact of security skills shortages. ESG’s 2012 IT Spending Intentions Survey found that 23% of organizations believe they have a “problematic shortage” of IT security skills, and that 39% of organizations planned to add information security staff in 2012. This data is indicative of a growing information security skills shortage that ESG continues to track. In this report, ESG pushed further to find out exactly where IT security skills are most needed and whether organizations were busy recruiting help or offloading internal security tasks to third-party service providers.

• Evaluate how large organizations measure their security management and operations effectiveness. As the old adage states, “you can’t manage what you can’t measure.” With this in mind, ESG wanted to understand the methods used to gauge the effectiveness of current security programs and technical controls.

Report Conclusions

Based on the data collected from this survey, ESG concludes:

• Most large organizations have significant security management and operations shortcomings. Based upon a number of select criteria, ESG segmented the entire survey population into three sub-groups we classified as security management “leaders,” “followers,” and “laggards.” Security management and operations “leaders” comprised just 19% of the total survey population, meaning that 81% were deficient in one or multiple areas. Additionally, ESG found security management and operations “leaders” were not resting on their laurels. For example, these enterprises were most aggressive in terms of hiring additional security staff, engaging third-party security service providers, and investing in new types of technical controls. Even with these steps, the data suggests that most large organizations may be extremely vulnerable to future types of security attacks.

• New technologies make security management and operations more difficult. More than half of security professionals say that cloud computing, mobile devices, and remote worker policies are making security management and operations “much more difficult” or “somewhat more difficult” at their organizations. This is not surprising since new IT initiatives are often based upon immature technology, emerging and/or hard-to-find skill sets, and ill-defined or inadequate controls.

• Information security is becoming an enterprise-class function. The data points to an ongoing intellectual shift in which information security is increasingly perceived as a core responsibility of the organization rather than a series of IT tasks and compliance oversight. For example, 44% of organizations say that information security is aligned with corporate culture and 55% say that information security is aligned with business processes. In spite of these trends, however, information security still has a long way to go in many organizations. When asked to identify the most important factors driving their information security strategy, many companies remain grounded in classic infosec roots: 55% of large organizations say “protecting sensitive data and Intellectual Property (IP)” is driving IT security strategy, while 50% say “regulatory compliance” is driving their information security strategy. Of course, these factors remain the foundation of information security strategy but don’t extend to business processes or incorporate the entire organization beyond IT. Given the preponderance of network-based business processes and Internet/web communications, information security should be more pervasive beyond the IT organization and regulatory compliance domains alone.

• Information security management and operations relies on cooperative responsibilities across the IT organization. Security management and operations tasks like establishing controls for security policy enforcement, developing security policies, and working with business units to define security needs depend upon strong collaboration between information security and other IT and business groups. As a general rule, information security teams work most closely with other functional IT groups like network operations and server administrators, and IT oversight functions like IT and regulatory compliance auditors. ESG sees deeper meaning in these data points. An organization may have world-class security expertise and best-of-breed security technology controls, but the overall effectiveness of its information security programs and strategy depends upon the working relationship, shared processes, and communication between the information security group and a number of other functional IT teams. If these relationships are dysfunctional, information security success will likely be marginal at best.

• Security assessment testing frequency varies widely. Forty percent of organizations test the effectiveness of their security controls constantly, 15% test the effectiveness of their security controls on a weekly basis, 14% do so twice a month and 14% conduct these tests on a quarterly basis. This data is generally encouraging as infrequent security controls testing increases vulnerability and overall IT risk.

• Security monitoring and visibility is a mixed bag. A vast majority (81%) of security professionals say that their organization’s level of visibility about its security status is either “excellent” or “good.” Nevertheless, security status visibility gaps remain. When asked to identify areas that inhibit real-time and comprehensive security visibility, 34% said they need tighter integration between security and IT operations tools, 33% said they need better security analysis/forensic skills at their organization, and 29% said they needed better automated analytics from their security intelligence tools.

• Large organizations have numerous weaknesses with incident response. Twenty-seven percent of large organizations report weaknesses performing security forensics to determine the root cause of a problem, 27% say they have weaknesses determining which assets remain vulnerable to similar attacks, and 24% point to weaknesses gathering the right data for accurate situational awareness. These deficiencies were consistent across all three groups of the ESG security management and operations segmentation model.

• CISOs are increasing their use of automated security remediation. More than half of large organizations (56%) are using their security and IT operations tools in concert to automate security remediation tasks. In terms of common automation chores, 66% employ security/IT operations automation to block URLs or web content, 53% generate firewall or IDS/IPS rules based upon network behavior or event detection, and 51% use risk management “triggers” to launch an immediate network scan.

• Security budgets remain a major obstacle. When asked to identify their most significant security management challenges, 50% of organizations pointed first and foremost to budget constraints. ESG is somewhat concerned that this response was common across security management “leaders,” “followers” and “laggards”—apparently even the best-prepared organizations still believe they are under-funded in their mission. Beyond budgetary problems, 30% say the security team spends too much of its time reacting to problems (and not enough time with proactive security management or strategic planning), 24% say they are challenged by a lack of appropriate security skills within the security organization, and 23% are challenged by too many security tools. It is also worth noting that 28% of security management and operations “laggards” are challenged by a lack of executive management support. This was much higher than the other segments.

• The security skills shortage is widespread. More than half (55%) of organizations plan to increase security headcount in 2012, yet 83% say that it is “extremely difficult” or “somewhat difficult” to recruit and hire security professionals. When asked to identify the areas of information security where they have a problematic skills shortage, 43% pointed to cloud/server virtualization security. Other areas identified include endpoint/mobile device security (31%), network security (31%), security analysis/forensics (30%), and data security (30%). Clearly, security skills deficits are widespread and will likely get worse in the near future, exacerbating the need for efficient and effective security management and operations technologies and processes.

• Large organizations are increasing their use of security services. Given the shortage of security skills, it is not surprising that 62% of enterprises plan on using third-party professional or managed security services in 2012. Additionally, 16% of large organizations say that their use of third-party professional or managed services has “increased substantially” over the past 24 months while 42% say that their use of third-party professional or managed services has “increased somewhat” over the same period. Security management and operations “leaders” are most active here—36% say that their use of third-party providers has “increased substantially” over the past 24 months. The top four security services currently used by organizations are security design (33% of organizations), security/risk management/regulatory compliance assessments (30%), network monitoring (30%), and threat management intelligence (30%).

• New security technology decisions are on the horizon. The evolving threat landscape, along with current security weaknesses, is persuading large organizations to make significant security technology changes. For instance, 44% of large organizations say they will design and build a more integrated security architecture, 39% will include new data sources for security intelligence, and 24% plan to buy more security suites from a single vendor. While 22% of all organizations also say they will actively decrease the number of security vendors they buy from, one-third of organizations classified as security management and operations “leaders” plan to reduce the number of security technology vendors they buy from today. This may be a leading indicator of market consolidation as “followers” and “laggards” adopt similar purchasing tactics.


Introduction

Research Objectives

In order to assess the state of information security management and operations in 2012 and beyond, ESG surveyed 315 security professionals working at enterprise-class (1,000 employees or more) organizations in North America. All respondents were personally responsible for or familiar with their organizations’ 2011 information security strategies as well as their 2012 IT security budget and spending plans at either an organizational or business unit/division/branch level.

To assess current and future information security management and operations strategies, survey respondents were asked to respond to questions in areas such as:

• The role of information security within the organization.

o How is the CISO (or similar role) perceived within the organization?

o Is information security considered an integral part of the corporate culture? Is information security well aligned with business processes?

o Is the executive management team actively engaged in information security issues? If so, how? Does the executive management team have the right level of information security knowledge and skills?

• Information security organization and skills.

o What are the primary responsibilities of the information security team? Which tasks are shared between information security and other IT groups?

o Are organizations suffering from information security skills shortages? If so, in what areas?

o How are organizations consuming third-party security services today? Is the use of third-party security services increasing? Which security services are most popular?

• Security management and operations landscape.

o Is information security driven solely by regulatory compliance or are there other motivating factors?

o Is security management becoming progressively more difficult?

o What is the impact of new technology initiatives like server virtualization, cloud computing, and mobile device support on security management and operations?

o What are the security management and operations priorities for 2012 and beyond?

• Risk management.

o What types of policies and technical controls are in place to address IT risk?

o Are these policies and technical controls mandatory or discretionary?

o How effective are risk management programs? Are there particular areas of weakness?

o Do organizations have real-time visibility into IT risk as business conditions change?

• Incident detection and response.

o How do organizations detect security attacks?

o Do they have the right level of visibility to do so effectively? If not, are there particular areas where visibility is lacking?

o When the organization does detect a security incident, how efficient is its response?


• Security technologies.

o Which security technologies are most effective at performing the tasks they were designed for?

o In particular, how effective are security information and event management (SIEM) platforms?

Survey participants represented a wide range of industries including manufacturing, financial services, communications and media, retail, government, and business services. For more details, please see the Research Methodology and Respondent Demographics sections of this report.


Research Findings

The ESG Security Management and Operations Segmentation Model

The information security management and operations discipline contains a multitude of interrelated security policies, processes, technical controls, and monitoring activities. As a result, enterprise-class security management and operations includes a number of organizational, cultural, educational, financial, and technical dependencies.

Given the increasingly onerous threat landscape, the rise of Advanced Persistent Threats (APTs), and the alarming frequency of publicly-disclosed data breaches, many organizations are far more engaged with their information security strategies than they were a few years ago. While this is a positive step, ESG research indicates that security management and operations effectiveness and efficiency varies widely across enterprise organizations.

To better understand the state of enterprise security management and operations, ESG developed a security management and operations model that segments organizations based on five dimensions that tend to characterize security best practices and commitment. These dimensions are:

• Respondent organization’s perception of information security. A value for this dimension was calculated based upon how information security is viewed within the organization. ESG assigned a value of two (2) where information security was well aligned with corporate culture, and a value of one (1) where information security was aligned with specific business processes. Organizations offering other responses were assigned a value of zero (0) in this category.

• Respondent organization’s perception of the CISO role. A value for this dimension was calculated based upon how the CISO (or similar role) was perceived within the organization. ESG assigned a value of two (2) to organizations that perceived the CISO as a business executive, and a value of one (1) to organizations where the CISO was perceived as an IT executive. Organizations offering other responses were assigned a value of zero (0) in this category.

• Level of executive management involvement with information security. A value for this dimension was calculated based upon whether the executive management team was more engaged with information security strategy and situational awareness than it was in 2010. ESG assigned a value of two (2) to organizations where the executive management team was much more engaged with information security strategy and situational awareness than it was in 2010, and a value of one (1) to organizations where the executive management team was somewhat more engaged. Organizations offering other responses were assigned a value of zero (0) in this category.

• Frequency of security controls testing. A value for this dimension was calculated based upon how often an organization tested the effectiveness of its security controls. ESG assigned a value of two (2) to organizations that tested their security controls “constantly,” and a value of one (1) to organizations that tested the effectiveness of their security controls at least twice a month. Organizations offering other responses were assigned a value of zero (0) in this category.

• Presence of a SIEM platform. A value for this dimension was calculated based upon whether organizations had a SIEM (security information and event management) platform deployed. ESG assigned a value of two (2) to organizations that had a SIEM platform in place, and a value of one (1) to organizations that planned to implement a SIEM platform within the next 12 months. Organizations offering other responses were assigned a value of zero (0) in this category.

As indicated above, ESG used the survey data to assign every respondent organization a score for each of the five dimensions that comprise ESG’s security management and operations segmentation model (see Figure 1). The maximum possible score was ten points and the minimum was zero. Based on each respondent organization’s aggregate score, the organization was then classified as a security management and operations “leader” (7 to 10 points), “follower” (4 to 6 points), or “laggard” (0 to 3 points).
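The scoring rules above are simple enough to encode directly. The following is an added illustration written for this edit, not ESG’s own tooling: it scores each of the five dimensions at 2, 1 or 0 points, sums them, and applies the 7–10 / 4–6 / 0–3 thresholds to label a respondent a leader, follower or laggard, then computes the segment distribution over a set of respondents. The answer labels and the sample respondents are constructed assumptions, not the survey’s wording or data; a practitioner reproducing the model against their own survey export would substitute the real answer strings.

```python
"""Scorer for the ESG security management and operations segmentation model.

Added illustration, not ESG's own tooling. The answer labels and the sample
respondents below are constructed assumptions, not survey wording or data.
"""
from collections import Counter

# Points per dimension, following the report's rules: the strongest answer
# scores 2, the next-strongest 1, and any other answer (including "don't
# know") scores 0. Answer strings are assumed labels, not the survey's text.
DIMENSION_SCORES = {
    "security_perception": {
        "aligned with corporate culture": 2,
        "aligned with specific business processes": 1,
    },
    "ciso_perception": {
        "business executive": 2,
        "IT executive": 1,
    },
    "executive_engagement": {
        "much more engaged than in 2010": 2,
        "somewhat more engaged than in 2010": 1,
    },
    "controls_testing": {
        "constantly": 2,
        "at least twice a month": 1,
    },
    "siem": {
        "deployed": 2,
        "planned within 12 months": 1,
    },
}

MAX_SCORE = 2 * len(DIMENSION_SCORES)  # 10 points across five dimensions


def score_dimension(dimension, answer):
    """Map one survey answer to 2, 1 or 0 points; any other answer scores 0."""
    return DIMENSION_SCORES[dimension].get(answer, 0)


def aggregate_score(responses):
    """Sum the five dimension scores for one respondent.

    `responses` maps each dimension name to that respondent's answer. A
    respondent missing a dimension is rejected rather than silently scored
    low, so a truncated survey row cannot masquerade as a laggard.
    """
    missing = set(DIMENSION_SCORES) - set(responses)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    return sum(score_dimension(d, responses[d]) for d in DIMENSION_SCORES)


def classify(score):
    """Apply the report's thresholds: 7-10 leader, 4-6 follower, 0-3 laggard."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside 0..{MAX_SCORE}")
    if score >= 7:
        return "leader"
    if score >= 4:
        return "follower"
    return "laggard"


def segment_distribution(respondents):
    """Percent of respondents in each segment, rounded to one decimal place."""
    if not respondents:
        raise ValueError("no respondents to segment")
    counts = Counter(classify(aggregate_score(r)) for r in respondents)
    total = len(respondents)
    return {seg: round(100.0 * counts[seg] / total, 1)
            for seg in ("leader", "follower", "laggard")}


# Constructed sample respondents (not survey data), one per score band plus
# a second leader that is not a perfect score.
SAMPLE_RESPONDENTS = [
    {"security_perception": "aligned with corporate culture",
     "ciso_perception": "business executive",
     "executive_engagement": "much more engaged than in 2010",
     "controls_testing": "constantly",
     "siem": "deployed"},                                    # 10 -> leader
    {"security_perception": "aligned with specific business processes",
     "ciso_perception": "IT executive",
     "executive_engagement": "somewhat more engaged than in 2010",
     "controls_testing": "at least twice a month",
     "siem": "planned within 12 months"},                    # 5 -> follower
    {"security_perception": "aligned with physical security",
     "ciso_perception": "support function for IT",
     "executive_engagement": "about the same as in 2010",
     "controls_testing": "quarterly",
     "siem": "deployed"},                                    # 2 -> laggard
    {"security_perception": "aligned with corporate culture",
     "ciso_perception": "IT executive",
     "executive_engagement": "much more engaged than in 2010",
     "controls_testing": "at least twice a month",
     "siem": "deployed"},                                    # 8 -> leader
]

if __name__ == "__main__":
    for r in SAMPLE_RESPONDENTS:
        s = aggregate_score(r)
        print(f"score={s:2d} -> {classify(s)}")
    print(segment_distribution(SAMPLE_RESPONDENTS))
```

Because unrecognised answers fall through to zero, a typo in an answer label silently lowers a respondent’s score; when running this against a real export, compare the distinct answer strings in the data to the keys in DIMENSION_SCORES before trusting the segment counts.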


Figure 1. ESG Security Management and Operations Segmentation Model Criteria

Organizational perception of information security: High = security aligned with corporate culture; Medium = security aligned with specific business processes; Low = none of the above

CISO role / perception: High = CISO perceived as business executive; Medium = CISO perceived as IT executive; Low = none of the above

Executive management's involvement with security: High = much more engaged than in 2010; Medium = somewhat more engaged than in 2010; Low = none of the above

Frequency of security controls testing: High = security controls tested constantly; Medium = security controls tested at least twice per month; Low = none of the above

Presence of a SIEM platform: High = SIEM platform deployed; Medium = plans to deploy SIEM platform within 12 months; Low = none of the above

Source: Enterprise Strategy Group, 2012.

Based upon this scoring algorithm, 19% of enterprise organizations participating in this research project were classified as security management and operations “leaders,” 49% were classified as security management and operations “followers,” and 32% were classified as security management and operations “laggards” (see Figure 2).

Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model

Percent of respondents by ESG security management and operations segmentation model. (Percent of respondents, N=315)

Leaders, 19%
Followers, 49%
Laggards, 32%

Source: Enterprise Strategy Group, 2012.

Using this market segmentation model as a guide, ESG’s analysis of the data found clear and profound differences among each market segment in a number of areas, including security management perceptions, organizational skills, use of third-party services, and security technology deployment.


ESG’s security management and operations segmentation model is used for data analysis purposes throughout this report to illustrate varying degrees of cybersecurity activities, challenges, and strategies amongst the different groups. In aggregate, the data is indicative of a diverse population where 81% of organizations (i.e., “followers” and “laggards”) are lacking the essential security knowledge, processes, technology defenses, and organizational backing needed to adequately address IT risk, quickly detect security incidents, and respond to ongoing attacks in a timely and coordinated way. Thus it is safe to say that the vast majority of large organizations remain quite vulnerable to current and future threats.


The State of Security Management and Operations

ESG found that when it comes to factors influencing information security strategy, organizations are driven by two primary motivations: protecting sensitive data / intellectual property and regulatory compliance (see Figure 3). It is worth noting that 42% of security management and operations “leaders” said that their security strategy was driven by corporate governance as compared to 30% of the overall survey population. This is understandable since “leaders” tend to weave information security into comprehensive business policies and promote security awareness training for all employees. Additionally, 55% of “leaders” are driven by improving/automating security operations as compared to 39% of the overall survey population. ESG believes that this is a harbinger of things to come: information security is often anchored by manual tasks and individual skill sets. Security “leaders” understand that they need to supplement human resources with more automation in order to manage risk and cope with growing IT scale in real time.

Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012

Of the following, which would you characterize as the most important factors driving your organization’s information security strategy in 2012? (Percent of respondents, N=315, multiple responses accepted)

Protecting sensitive data and IP: 55%
Regulatory compliance: 50%
Addressing new types of threats: 41%
Improving/automating security operations: 39%
Addressing security issues created by the use of mobile devices: 38%
Improving our ability to analyze security data and detect attacks in progress: 35%
Aligning security policies and controls with business processes: 33%
Creating an appropriate security model for cloud computing initiatives: 31%
Corporate governance: 30%
Understanding business risk: 29%
Migrating from tactical security tools to a more integrated security technology architecture: 24%

Source: Enterprise Strategy Group, 2012.

With the passage of the Health Insurance Portability and Accountability Act (HIPAA, 1996), California Senate Bill 1386 (SB 1386, 2003), and the Payment Card Industry Data Security Standard (PCI DSS, 2004), regulatory compliance requirements have had a major influence on enterprise information security strategy in recent years. While these regulations have increased information security investment and visibility, they have also had some unintended consequences. Rather than encourage holistic security best practices, these mandates have led some organizations to direct their information security efforts solely toward passing compliance audits. This has led to many firms technically complying with regulatory mandates, yet still plagued by significant security shortcomings.

ESG research indicates that this compliance-oriented “check box” mentality may be waning. 45% of large organizations say that regulatory compliance has less influence on their information security strategy today than it did in the past (see Figure 4). ESG sees this as a positive step forward. While regulatory compliance remains an important component of information security strategy, CISOs are focusing their attention beyond passing compliance audits alone and putting more resources and investment into bolstering risk management programs, accelerating incident detection, and improving incident response. In other words, information security objectives are centering on protecting the organization—not just appeasing the compliance auditors.

Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions

Source: Enterprise Strategy Group, 2012.

Compared to 2010, how would you characterize the influence of regulatory compliance on your organization’s information security strategy and investment decisions? (Percent of respondents, N=315)

Regulatory compliance was much more influential on my organization’s information security strategy and investment decisions in 2010 than it is today: 19%
Regulatory compliance was somewhat more influential on my organization’s information security strategy and investment decisions in 2010 than it is today: 26%
Regulatory compliance was as influential on my organization’s information security strategy and investment decisions in 2010 as it is today: 33%
Regulatory compliance was somewhat less influential on my organization’s information security strategy and investment decisions in 2010 than it is today: 13%
Regulatory compliance was much less influential on my organization’s information security strategy and investment decisions in 2010 than it is today: 8%
Don’t know / no opinion: 2%


This changing attitude was most pronounced with security management and operations “leaders,” 32% of whom say that regulatory compliance has less influence on their information security strategy today than it did in the past (see Table 1). ESG believes this shift is due to a number of factors, including a more ominous threat landscape, visible publicly-disclosed data breaches, and greater cybersecurity awareness by corporate executives.

Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model

Influence of regulatory compliance on organization’s information security strategy and investment decisions as compared to 2010, by segmentation | Leaders (N=60) | Followers (N=154) | Laggards (N=101)

Regulatory compliance was much more influential on my organization’s information security strategy and investment decisions in 2010 than it is today | 32% | 19% | 11%

Regulatory compliance was somewhat more influential on my organization’s information security strategy and investment decisions in 2010 than it is today | 23% | 29% | 24%

Regulatory compliance was as influential on my organization’s information security strategy and investment decisions in 2010 as it is today | 32% | 31% | 39%

Regulatory compliance was somewhat less influential on my organization’s information security strategy and investment decisions in 2010 than it is today | 3% | 14% | 17%

Regulatory compliance was much less influential on my organization’s information security strategy and investment decisions in 2010 than it is today | 10% | 8% | 6%

Don’t know | 0% | 1% | 4%

Source: Enterprise Strategy Group, 2012.

Given its historical focus as an IT discipline, it is not surprising to see that 63% of organizations believe “information security is aligned with IT assets and the IT department.” Respondents also believe that “information security is aligned with regulatory compliance.”

Beyond these obvious connections, however, this data also points to a changing mindset around information security: 55% of organizations see an alignment between information security and business processes. This is a positive step and represents both progressive and realistic thinking. More and more business processes across all industries are anchored by IT infrastructure and the public Internet. Consequently, CISOs and business managers should understand the IT assets, employees, and third parties involved in each business process in order to identify risk, create/enforce policies, and monitor the effectiveness of security controls. The data also indicates that 44% of large organizations believe that information security is aligned with the corporate culture. This too represents a new function for information security. Since organizational success depends upon IT services, strong security depends upon participation from all employees. By aligning information security with corporate culture, some executive managers clearly recognize and support this connection deep within the organization (see Figure 5).


Figure 5. How Security is Viewed at Organizations

Source: Enterprise Strategy Group, 2012.

As a function, Chief Information Security Officers (CISOs) are also perceived differently among various organizations. Nearly three-quarters of organizations still view CISOs as an IT executive or support function. However, a significant 18% of survey respondents said that the CISO was perceived as a business executive in their organization (see Figure 6), a development that will only help raise the awareness of and effective response to information security issues in those firms.

Figure 6. Perception of CISO within Organization

Source: Enterprise Strategy Group, 2012.

Along with changing perceptions about regulatory compliance and CISOs, ESG research indicates that executive management teams are becoming increasingly engaged with information security situational awareness and strategy (see Figure 7.).

Figure 5 data. From an organizational perspective, which of the following statements best reflects how information security is viewed at your organization? (Percent of respondents, N=315, multiple responses accepted)

Information security is aligned with IT assets and the IT department: 63%
Information security is aligned with regulatory compliance: 59%
Information security is aligned with business processes: 55%
Information security is aligned with physical security: 45%
Information security is aligned with the corporate culture: 44%

Figure 6 data. In your opinion, how is the CISO (or similar position) perceived at your organization? (Percent of respondents, N=315)

As an IT executive: 51%
As a support function for IT (i.e., support the CIO and others): 23%
As a business executive: 18%
As a support function for regulatory compliance: 5%
Don’t know: 2%


Figure 7. Level of Engagement of Executive Management Team

Source: Enterprise Strategy Group, 2012.

ESG further explored executive management involvement in several areas. As shown in Figure 8, ESG asked whether organizations as a whole generally believe that their senior executives are putting forth a “good” or “adequate” effort when it comes to making necessary security investments, increasing their knowledge about security concepts, and being actively involved in setting information security strategy.

Figure 8. Characterization of Executive Management Team

Source: Enterprise Strategy Group, 2012.

Figure 7 data. Compared to 2010, do you believe that the executive management team at your organization is: (Percent of respondents, N=315)

Much more engaged with information security situational awareness and strategy: 29%
Somewhat more engaged with information security situational awareness and strategy: 40%
About the same level of engagement with information security situational awareness and strategy: 27%
Less engaged with information security situational awareness and strategy: 2%
Much less engaged with information security situational awareness and strategy: 1%
Don’t know / no opinion: 1%

Figure 8 data. How would you characterize your organization’s executive management in the following areas? (Percent of respondents, N=315)

Area | Good | Adequate | Fair | Poor

Willingness to commit to a level of security investment necessary to address risk in an appropriate way | 47% | 40% | 11% | 2%

General knowledge about information security concepts | 45% | 44% | 10% | 1%

Interest in information security status across the organization | 41% | 42% | 14% | 3%

Involvement in information security strategy decisions | 39% | 43% | 16% | 2%

Demonstration of information security leadership position within the organization | 37% | 47% | 14% | 1%


The data paints a different picture, however, when viewed through the lens of the ESG security management and operations segmentation model (see Table 2). For instance, the majority of security management and operations “leaders” believe their executives are doing a “good” job across all areas. However, keep in mind that “leaders” make up only 19% of the total survey population. Executive managers at “follower” and “laggard” organizations don’t fare nearly as well when it comes to being knowledgeable about, investing in, and generally supporting security initiatives.

Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model

How would you characterize your organization’s executive management in the following areas? | Percentage of “leaders” responding “good” | Percentage of “followers” responding “good” | Percentage of “laggards” responding “good”

Willingness to commit to a level of security investment necessary to address risk in an appropriate way | 62% | 53% | 28%

General knowledge about information security concepts | 70% | 50% | 24%

Interest in information security status across the organization | 58% | 47% | 23%

Involvement in information security strategy decisions | 57% | 44% | 23%

Demonstration of information security leadership position within the organization | 58% | 39% | 22%

Source: Enterprise Strategy Group, 2012.

Overall, the ESG data points to some positive trends. Information security is slowly transforming from a back office IT and regulatory compliance function to a much more integral component of business operations. This change is impacting the role of CISOs and business executive involvement in information security. Nevertheless, these changes are extremely skewed to a progressive minority composed of security management and operations leaders. Other organizations are either caught in the past or evolving at a snail’s pace.


The Evolving Security Organization

Just over one-half of large organizations surveyed by ESG will increase information security headcount in 2012, while another 40% say that the size of their security organization will remain about the same. Just 4% will actually reduce staff (see Figure 9). In particular, large organizations categorized as security management and operations “leaders” are not resting on their laurels—42% will increase headcount “significantly” in 2012 (see Figure 10).

Figure 9. Organizations Increasing Security Headcount

Source: Enterprise Strategy Group, 2012.

Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model

Source: Enterprise Strategy Group, 2012.

Figure 9 data. To the best of your knowledge, will your organization increase its security headcount (i.e., hire new management/staff) in 2012? (Percent of respondents, N=315)

Yes, significantly: 17%
Yes, somewhat: 38%
No, it will remain about the same size: 40%
No, the security organization will become somewhat smaller: 3%
No, the security organization will become significantly smaller: 1%
Don’t know: 2%

Figure 10 data. Organization's plans to increase security headcount (i.e., hire new management/staff) in 2012, by segmentation. (Percent of respondents)

Response | Laggard (N=101) | Follower (N=154) | Leader (N=60)

Yes, significantly | 7% | 14% | 42%

Yes, somewhat | 33% | 45% | 27%

No, it will remain about the same size | 52% | 36% | 28%

No, the security organization will become somewhat smaller | 5% | 3% | 2%

No, the security organization will become significantly smaller | 1% | 1% | 2%

Don’t know | 2% | 1% | 0%


The fact that information security is becoming more closely aligned with business operations and goals is one reason why so many organizations are hiring in 2012. Unfortunately, another reason for adding headcount is related to the dearth of existing security skills. Enterprises point to a problematic shortage of existing information security skills in a multitude of areas (see Figure 11). A few aspects of this list stand out:

• The biggest skills deficit is in the burgeoning area of cloud/server virtualization security. Since these are relatively new technology areas, it is likely to be extremely difficult finding seasoned professionals with this combination of skills. Alternatively, cloud/server virtualization security architects should have an assortment of high paying positions to choose from. ESG hopes that cloud, server virtualization, and security vendors recognize this critical skills shortage and will work to bridge this gap with the right automation, professional services, user training, and professional certifications.

• Large organizations also have skills deficiencies in a number of core areas such as endpoint/mobile security, network security, and data security. With respect to endpoint/mobile, it is likely that BYOD (bring your own device) initiatives are exacerbating the scarcity of skills, as organizations need more specialized capabilities for securing new platforms like iOS, Android, and Macintosh. However, network and data security are not new areas. This speaks to a more systemic shortage of available bodies for core information security jobs.

• A number of other specific areas such as security analytics/forensics, emerging threat/malware expertise, and application development security require highly experienced and senior professionals. Once again these skills don’t come easy or cheap as they are in high demand. Recruiting individuals with these skills will be highly competitive and very expensive. Organizations with lower pay scales or those in more rural areas will have the most difficult time here.

Figure 11. Areas of Information Security with a Shortage of Existing Skills

Source: Enterprise Strategy Group, 2012.

In which of the following areas of information security do you believe your IT organization currently has a problematic shortage of existing skills? (Percent of respondents, N=315, multiple responses accepted)

Cloud/server virtualization security: 43%
Endpoint/mobile device security: 31%
Network security: 31%
Data security: 30%
Security analysis/forensics: 30%
Emerging threat/malware expertise: 28%
Application development security: 25%
Security operations: 23%
Email/messaging security: 22%
Application/database security: 20%
We do not currently have a problematic shortage of existing information security skills: 8%


Whether general or specialized, finding information security help is becoming increasingly cumbersome. Nearly one-fifth of large organizations claim that it is “extremely difficult to recruit/hire security professionals,” while another 65% say it is “somewhat difficult to recruit/hire information security professionals” (see Figure 12). These hiring issues were consistent across the “leader,” “follower,” and “laggard” organizations of the ESG security management and operations segmentation model, suggesting that no class of organizations is immune from the current security skills crunch.

Figure 12. Current State of Information Security Professional Recruitment/Hiring

Source: Enterprise Strategy Group, 2012.

In your opinion, how would you characterize the current state of information security professional recruitment/hiring? (Percent of respondents, N=172)

It is extremely difficult to recruit/hire information security professionals: 18%
It is somewhat difficult to recruit/hire information security professionals: 65%
It is somewhat easy to recruit/hire information security professionals: 15%
It is extremely easy to recruit/hire information security professionals: 1%
Don’t know: 1%


Security Organization Responsibilities

As large organizations increasingly equate information security with business operations, invest in new technologies, and hire more security staff, it is important to recognize that information security is really composed of a number of shared tasks and responsibilities. As proof of this, ESG asked security professionals to identify areas where the security organization has primary responsibility and where it shares responsibilities with other IT groups. As shown in Figure 13, in the majority of areas, information security teams work hand-in-hand with other functional IT teams such as network/IT operations, DBAs, or application developers.

Given this situation, CISOs and their organizations should not be held accountable for information security efficiency and effectiveness alone. Rather, strong security is only possible through a CISO/IT organization partnership, with the appropriate strategy, goals, and metrics. It is also worth noting however, that security organizations within the ESG security management and operations “leader” segment were much more likely to have primary responsibility in a number of the areas listed below. Clearly, these “leaders” recognize the value of the security team and are willing to give these teams authority to take the initiative if it leads to lower risk, rapid decision making, and greater security protection.

Figure 13. Information Security Organization’s Level of Responsibility

Source: Enterprise Strategy Group, 2012.

For each of the activities and tasks below, what is the information security organization’s level of responsibility? (Percent of respondents, N=315)

Activity or task | Security organization has primary responsibility | Security organization shares responsibility with other IT groups (i.e., network operations, DBAs, etc.) | Security organization is not responsible | Don’t know

Establishing controls for security policy enforcement | 45% | 46% | 6% | 3%

Developing security policies | 44% | 51% | 3% | 2%

Working with business units to define security needs | 42% | 52% | 4% | 2%

Monitoring security status on a regular basis | 42% | 48% | 7% | 3%

Vulnerability scanning | 42% | 45% | 10% | 3%

Defining policies and standards for secure software development | 41% | 48% | 9% | 2%

Regulatory compliance policies, controls, and audits | 39% | 51% | 8% | 2%

Incident response | 39% | 50% | 9% | 3%

Researching, testing, and purchasing security technologies | 39% | 50% | 9% | 2%

Defining secure configurations for hardware and software | 38% | 52% | 9% | 2%

Day-to-day operation of network security devices | 38% | 47% | 14% | 2%

Defining policies for cyber supply chain security | 34% | 53% | 8% | 5%

Patch management | 34% | 48% | 14% | 4%

Training non-IT employees on security policies and best practices | 31% | 55% | 11% | 3%


CISOs need their teams to collaborate across IT but these requirements are especially necessary with key groups such as network operations, server administrators, and IT auditors (see Figure 14). Security management and operations “leaders” tend to work more closely with the regulatory compliance team (57% of leaders as compared with 43% of the overall survey population), DBAs (38% of leaders as compared with 25% of the overall security population), and IT auditors (52% of leaders as compared with 43% of the overall survey population).

Figure 14. Groups Security Team Works With Most Closely

Source: Enterprise Strategy Group, 2012.

With which of the following groups does your organization’s security team work most closely? (Percent of respondents, N=315, multiple responses accepted)

Network operations: 57%
Server administrators: 46%
IT auditors: 43%
Regulatory compliance: 43%
Applications administrators: 32%
Storage administrators: 27%
DBAs: 25%
Help desk: 25%
Endpoint administrators: 21%


Security Services Trends

Many organizations plan on using third-party security services in 2012—17% of organizations surveyed by ESG will use professional or managed services “extensively” this year, while another 45% will use third-party professional or managed services to some extent in order to meet their information security requirements (see Figure 15). ESG also finds it noteworthy that 32% of security management and operations “leaders” will use third-party professional or managed services “extensively” in 2012 as compared to 17% of the overall survey population. Why? ESG suspects that “leaders” are far more aggressive at finding mundane security tasks to outsource as well as isolating areas where they need external expertise and internal skills may be lagging.

Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012

Source: Enterprise Strategy Group, 2012.

As information security becomes increasingly business-critical, more and more large organizations will be forced to overcome internal skills gaps and hiring challenges with third-party service alternatives. The ESG research data indicates that this is already happening: 16% of enterprises say they will increase their use of third-party managed and/or professional services “substantially” over the next 24 months, while another 42% will increase their use of third-party managed and/or professional services “somewhat” (see Figure 16).

Figure 16. How Use of Third-Party Professional/Managed Services has Changed

Source: Enterprise Strategy Group, 2012.

Figure 15 data. Will your organization use third-party professional or managed services to meet its information security requirements in 2012? (Percent of respondents, N=315)

Yes, extensively: 17%
Yes, somewhat: 45%
No: 33%
Don’t know: 5%

Figure 16 data. How has your organization’s use of third-party professional or managed security services changed over the past 24 months? (Percent of respondents, N=196)

Increased substantially: 16%
Increased somewhat: 42%
Remained about the same: 35%
Decreased somewhat: 6%
Decreased substantially: 1%
Don’t know / no opinion: 1%

Page 25: Hpesp wp esg_research-security_mgmtandoperations

Research Report: Security Management and Operations 25

© 2012, The Enterprise Strategy Group, Inc. All Rights Reserved.

Why are these organizations consuming more security services? ESG’s hypothesis going into this research was that security service growth was a result of the growing global shortage of security skills. The data gathered for this project verifies this theory. Large organizations are increasingly turning to service providers for specialized security skills or to supplement the internal security staff (see Figure 17).

Figure 17. Reasons for Increasing Use of Third-Party Security Services

What are the primary reasons for increasing the use of third-party security services at your organization? (Percent of respondents, N=114, multiple responses accepted)

Security service providers can perform certain security tasks better than we can: 39%
New types of security threats persuaded my organization to seek outside expertise: 34%
Don’t have a large enough security staff to handle all security responsibilities: 29%
Don’t have specific security skills in house so the organization decided to outsource security tasks: 28%
Security is not core to the business so my organization decided to seek outside expertise: 27%
My organization experienced a security breach which led us to seek out more security services and expertise: 24%
Couldn’t recruit/hire enough security expertise so we had no choice: 20%

Source: Enterprise Strategy Group, 2012.

Security services needs follow a pattern that is consistent with the general history of IT outsourcing over the decades. Enterprise companies tend to turn to service providers for specific skills (usually associated with new or changing technologies) or commonplace operational tasks. Interestingly, the list below seems weighted toward the former—i.e., specialized security skills such as security design, threat intelligence, and network monitoring (see Figure 18).

Figure 18. Areas of Third-Party Security Services Used

Which of the following areas of third-party security services has your organization used in the past and/or does it plan to use in 2012? (Percent of respondents, N=92, multiple responses accepted)

Security design: 33%
Threat management intelligence: 30%
Network monitoring: 30%
Security/risk management/regulatory compliance assessment: 30%
Web threat management: 29%
Email encryption: 29%
Vulnerability scanning: 29%
Penetration testing: 28%
Staff augmentation: 26%
Mail/messaging security: 22%
Endpoint security: 18%
Managed network security: 18%
Event/log management: 15%

Source: Enterprise Strategy Group, 2012.

Risk Management Strategies

Most security professionals agree with the old adage “an ounce of prevention is worth a pound of cure.” In that spirit, nearly three-quarters of enterprise organizations have a formal risk management program in place (see Figure 19). Defined simply, a risk management program would include:

1. Identifying all IT assets (i.e., applications, databases, servers, storage, networking equipment, data, etc.).

2. Classifying all IT assets based upon their value to the business mission.

3. Identifying threats to IT assets and the likelihood of these threats.

4. Identifying vulnerabilities associated with these IT assets.

5. Using these inputs (i.e., assets, asset value, threats, and vulnerabilities) to calculate some measure of overall risk.

6. Implementing controls to reduce risk.

7. Continually measuring any changes (i.e., new assets, changes to assets, new threats, new vulnerabilities, etc.) that could represent an increase in risk to the organization.
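The seven steps above can be exercised as a small risk register. This is an added example, not material from the ESG report: the asset names, business-value classes, likelihoods, severities, control effects and the scoring formula (value × likelihood × severity) are constructed assumptions chosen to make each step visible.

```python
"""Minimal IT risk register walking through the seven steps above.

Constructed example: assets, threats, vulnerabilities, control effects and the
scoring formula (value x likelihood x severity) are illustrative assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """Step 1 (inventory) and step 2 (classification by business value)."""
    name: str
    kind: str                     # application, database, server, ...
    value: int                    # 1 (low business value) .. 5 (critical)
    vulnerabilities: list = field(default_factory=list)  # step 4: (name, severity 0..1)


@dataclass
class Threat:
    """Step 3: a threat, its likelihood estimate and the asset kinds it applies to."""
    name: str
    likelihood: float             # 0..1
    targets: set


@dataclass
class Control:
    """Step 6: a control that removes a fraction of vulnerability severity
    and/or threat likelihood for one named asset."""
    name: str
    asset: str
    reduces_vuln: float = 0.0     # 0..1
    reduces_threat: float = 0.0   # 0..1


def asset_risk(asset, threats, controls):
    """Step 5: risk = value x worst applicable likelihood x worst severity,
    each reduced by the strongest applicable control. Range 0..5."""
    mine = [c for c in controls if c.asset == asset.name]
    vuln_cut = max((c.reduces_vuln for c in mine), default=0.0)
    threat_cut = max((c.reduces_threat for c in mine), default=0.0)
    severity = max((sev for _, sev in asset.vulnerabilities), default=0.0)
    likelihood = max((t.likelihood for t in threats if asset.kind in t.targets), default=0.0)
    return round(asset.value * likelihood * (1 - threat_cut) * severity * (1 - vuln_cut), 3)


def risk_register(assets, threats, controls=()):
    """Step 5 for every asset: {asset name: risk score}."""
    return {a.name: asset_risk(a, threats, controls) for a in assets}


def risk_increases(previous, current, threshold=0.25):
    """Step 7: assets whose risk rose by more than `threshold` between two
    measurements; an asset absent from `previous` counts as rising from 0."""
    return sorted(name for name, score in current.items()
                  if score - previous.get(name, 0.0) > threshold)


def demo():
    """Run one measurement cycle on constructed data and return the three
    snapshots a program owner would compare."""
    assets = [                                      # steps 1, 2 and 4
        Asset("crm-db", "database", 5, [("unpatched DBMS", 0.8)]),
        Asset("intranet-wiki", "application", 2, [("weak admin password", 0.6)]),
        Asset("build-server", "server", 4, [("exposed admin port", 0.9)]),
    ]
    threats = [                                     # step 3
        Threat("external intrusion", 0.5, {"server", "application"}),
        Threat("insider data theft", 0.3, {"database"}),
    ]
    baseline = risk_register(assets, threats)
    # Step 6: restrict the build server's admin port; most of that exposure goes away.
    controls = [Control("restrict admin port", "build-server", reduces_vuln=0.75)]
    treated = risk_register(assets, threats, controls)
    # Step 7: a new vulnerability and a new threat appear against the CRM database.
    assets[0].vulnerabilities.append(("SQL injection in reporting module", 1.0))
    threats.append(Threat("web application attack", 0.6, {"database"}))
    remeasured = risk_register(assets, threats, controls)
    return baseline, treated, risk_increases(treated, remeasured)


if __name__ == "__main__":
    for snapshot in demo():
        print(snapshot)
```

The third value returned by demo() is the step-7 output: the one asset whose risk rose enough to warrant attention, which is how a continuously measured program turns changes into work items.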

Figure 19. Formal IT Risk Management Programs in Place

Does your organization have a formal IT risk management program in place? (Percent of respondents, N=315)

Yes: 73%
No, but we plan to implement one in the next 12 to 18 months: 13%
No, but we are interested in implementing one: 9%
No, and we have no plans or interest in implementing one: 3%
Don’t know: 2%

Source: Enterprise Strategy Group, 2012.

Risk management programs are most effective when they are implemented throughout the enterprise as opposed to in an ad hoc or piecemeal fashion. As shown in Figure 20, nearly three-quarters of enterprise organizations say they have implemented their risk management program company-wide.

Figure 20. How Formal IT Risk Management Program is Implemented

Which of the following best describes how your organization’s IT risk management program is implemented? (Percent of respondents, N=231)

Across the entire enterprise: 74%
Across a majority of business units or divisions, but not across the entire enterprise: 24%
Across some business units or divisions, but not across the entire enterprise: 1%

Source: Enterprise Strategy Group, 2012.

Formal risk management programs are clearly a function of overall information security excellence. For example, 95% of organizations classified in the ESG segmentation model as security management and operations “leaders” have a formal risk management program in place, compared with 79% of “followers” and just 52% of “laggards” (see Table 3). Similarly, 91% of “leaders” have a formal risk management program implemented across the enterprise, compared to 69% of “followers” and 68% of “laggards.”

In a best-case scenario, a formal risk management program would be implemented across the enterprise. To understand whether large organizations were following these best practices, ESG combined responses from the previous two questions (i.e., Figure 19 and Figure 20). When this data is aggregated, 54% of large organizations follow risk management best practices by implementing a formal risk management program across the enterprise. These results are marginal at best and indicate that many enterprises lack the metrics needed to assess IT risk at any given time.

The data is even more revealing when viewed through the ESG security management and operations segmentation model. While 86% of the total “leader” population has a formal IT risk management program implemented throughout the enterprise, only 55% of “followers” and 35% of “laggards” do. Clearly, “followers” and “laggards” lag behind and are “flying blind” when it comes to understanding whether their organizations are vulnerable to attack or adequately protected (see Table 3).

Strong security management and operations depends upon a long list of processes and skills, so ESG asked security professionals to assess their organizations in a number of critical areas (see Figure 21). For the most part, enterprise firms rated their security standard best practices as either “very good” or “good.”

Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model

Columns: (A) percentage with a formal IT risk management program; (B) percentage with a formal IT risk management program implemented across the enterprise; (C) percentage of the total population with both a formal risk management program and enterprise-wide implementation.

ESG Security Management and Operations Segment    (A)    (B)    (C)
Total survey population (all segments)            73%    74%    54%
Leaders                                           95%    91%    86%
Followers                                         79%    69%    55%
Laggards                                          52%    68%    35%

Source: Enterprise Strategy Group, 2012.

Figure 21. Organization’s Rating on Standard Security Best Practices

The following is a list of standard security best practices. Please rate your organization in each area. (Percent of respondents, N=315)

Columns: Very good / Good / Fair / Poor

Deploying IT assets (i.e., hardware and software) in hardened configurations: 42% / 50% / 8% / not labelled
Network monitoring: 35% / 50% / 13% / 2%
Network security management: 34% / 54% / 10% / 2%
Monitoring the security status of IT assets: 33% / 57% / 9% / 1%
Threat management: 31% / 52% / 15% / 2%
Patching vulnerable systems in a timely manner: 30% / 53% / 16% / 1%
Secure software development lifecycle training, processes, and testing: 30% / 47% / 19% / 3%
Data security controls: 29% / 55% / 14% / 2%
End user security: 29% / 51% / 16% / 3%
Cyber supply chain security: 28% / 50% / 17% / 5%
Host activity monitoring: 25% / 57% / 15% / 3%
Mobile device security: 24% / 48% / 25% / 3%

Source: Enterprise Strategy Group, 2012.

Security Controls Effectiveness and Testing

Earlier in this report, ESG demonstrated that 45% of security professionals believe regulatory compliance was less of an influence on their information security strategy than it was a few years ago. One indication of this change is illustrated by how frequently enterprise firms test the effectiveness of their security controls. When regulatory compliance is the primary objective, large organizations tend to schedule security controls effectiveness testing infrequently, exclusively around actual compliance audits. Driven by the increasingly dangerous threat landscape, many organizations are now willing to be much more diligent with their testing—40% of security professionals say their organizations test the effectiveness of their security controls “constantly” rather than on an as-needed basis (see Figure 22).

Figure 22. Frequency of Security Controls Effectiveness Testing

On average, how often does your organization test the effectiveness of its security controls? (Percent of respondents, N=304)

Constantly: 40%
Once per week: 15%
Twice per month: 14%
Once per month: 14%
About once per quarter: 10%
Twice a year: 3%
Once per year: 1%
Other: 1%
Don’t know: 3%

Source: Enterprise Strategy Group, 2012.

Large organizations employ a multitude of methods to test the effectiveness of their security controls (see Figure 23). While most use fairly standard testing methods like network scans and log reviews to perform these functions, it is worth noting that 43% of security management and operations “leaders” configure and implement assets that violate security policies to assess how long it takes the security team to detect problems, as compared to 29% of “followers” and 23% of “laggards.” Seemingly, “leaders” believe it is critically important to “hack” their own networks to gain measurable experience of just how vulnerable they really are.

Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls

Which of the following techniques/technologies does your organization use to test the effectiveness of its security controls? (Percent of respondents, N=315, multiple responses accepted)

Network/system scanning: 58%
Scan for rogue systems on the network: 48%
Monitor/analyze log files: 47%
Compliance/IT governance dashboard: 43%
Penetration testing by internal employees: 37%
Help desk calls: 34%
Third-party penetration testing: 34%
Configure and implement assets that violate security policies to assess how long it takes for the security team to detect problems: 30%
Monitor/analyze CMDB: 29%
We do not test the effectiveness of our security controls: 1%

Source: Enterprise Strategy Group, 2012.

According to ESG’s survey respondents, large organizations constantly assess their security management capabilities using a number of metrics including the number of security events discovered, the number of security/IT audit violations or failures, and the number of vulnerable systems discovered (see Figure 24). These assessments were fairly consistent across “leaders,” “followers,” and “laggards” with a few exceptions. For example, “leaders” were somewhat more diligent in all areas and tended to put more emphasis on the time to remediate a compromised system (37% as opposed to 28% of the overall survey population).

Figure 24. Metrics Used to Gauge Effectiveness of Security Management

Which of the following metrics does your organization use to gauge the effectiveness of its security management? (Percent of respondents, N=315, multiple responses accepted)

Number of security events discovered: 45%
Number of security/IT audit violations/failures: 43%
Number of vulnerable systems discovered: 38%
Number of overall security tests (system scans, penetration tests, etc.) performed by the organization: 32%
Number of systems determined to be out of compliance with security configuration standards: 32%
Number of service calls related to security incidents: 32%
Time between system compromise and detection by the security team: 30%
Time to remediate a compromised system: 28%
Number of unapproved systems discovered on the network: 27%
Number or percent of employees provided with the latest security training: 22%
Number of stale user accounts discovered: 21%

Source: Enterprise Strategy Group, 2012.

Enterprise firms depend upon a myriad of disparate security technologies at every layer of the technology stack. From a historical perspective, these tools were often purchased separately and were often operated by different IT functional groups. Alternatively, CISOs relied upon these individual tools in aggregate to provide a layered cybersecurity defense.

Given this somewhat haphazard strategy, ESG wondered which of these individual tools security professionals considered to be most and least effective (see Figure 25). There is a bit of a pattern here. The tools deemed most effective tend to be those where security professionals have the most experience, like network firewalls, or those that act as independent security filters once deployed on the network (i.e., web threat management, endpoint security software, etc.). Alternatively, security professionals seem to have a more difficult time with security technologies that demand custom configurations, advanced training, or advanced analysis. Security technology vendors and service providers should take note here as there are revenue opportunities in helping large organizations gain efficiency with these products.

Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed

Which of the following would you say most effectively performs the tasks it was designed for (i.e., delivers effective protection, ease-of-use, strong reporting, etc.)? (Percent of respondents, N=315, multiple responses accepted)

Network firewall: 56%
Application firewall: 44%
Web threat management: 40%
Endpoint anti-malware software: 39%
Anti-malware network gateways: 38%
Messaging security: 37%
Log management: 33%
SIEM: 23%
IDS/IPS: 22%

Source: Enterprise Strategy Group, 2012.

Situational Awareness

In addition to formal and comprehensive risk management programs, effective security management and operations depends upon a deep understanding of IT behavior. In other words, security professionals must know what represents “normal” behavior and how deviations from the norm may indicate suspicious or malicious activities. It appears that many large organizations believe they do have the right skills and knowledge around normal and anomalous IT behavior—most respondents “strongly agree” or “agree” that they can effectively detect suspicious activity or an attack in progress (see Figure 26). When analyzed by the ESG security management and operations model, responses to this question aligned in a predictable manner: 50% of “leaders” responded “strongly agree,” as compared to 22% of “followers” and only 10% of “laggards.”

Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack

Please respond to the following statement: I believe that my organization has a very good understanding of normal IT behavior and could easily detect anomalous/suspicious activity or an attack in progress. (Percent of respondents, N=315)

Strongly agree: 23%
Agree: 55%
Neither agree nor disagree: 16%
Disagree: 3%
Strongly disagree: 2%

Source: Enterprise Strategy Group, 2012.

Of course, any deviations from normal behavior may indicate suspicious activity or a security attack in progress. Detecting these activities requires real-time visibility. As a group, security professionals seem relatively comfortable with their organizations’ capabilities in this area: 81% rate their organization’s level of security visibility as either excellent or good (see Figure 27). As expected, levels of visibility vary based on the ESG security management and operations segmentation model. Thirty-seven percent of “leaders” believe their level of security visibility is excellent as compared to 23% of “followers” and just 11% of “laggards.” Alternatively, only 7% of “leaders” rated their organization’s level of security visibility as fair or poor. By comparison, 12% of “followers” and 34% of “laggards” rated their organization’s level of security visibility as fair or poor (see Figure 28).

Figure 27. Level of Visibility of Security Status

Which of the following statements most accurately characterizes the level of visibility your organization has of its security status? (Percent of respondents, N=315)

Excellent. We have set up the right data collection, analysis, and dashboards to have real-time visibility of our security status: 22%
Good. We collect and analyze all of the necessary data but we depend upon manual processes and analysis for visibility into our security status: 59%
Fair. We collect and analyze all of the data we can but there are some areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 15%
Poor. We collect and analyze some data but there are many areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 3%
Don’t know: 1%

Source: Enterprise Strategy Group, 2012.

Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model

Level of visibility organization has into its security status, by segmentation. (Percent of respondents)

Columns: Excellent / Good / Fair / Poor / Don’t know

Laggard (N=101): 11% / 53% / 26% / 9% / 2%
Follower (N=154): 23% / 64% / 11% / 1% / 1%
Leader (N=60): 37% / 55% / 7% / not labelled / 2%

Source: Enterprise Strategy Group, 2012.

Security visibility is a function of collecting and analyzing a multitude of data from all IT domains throughout the enterprise. This process can be difficult as it depends upon numerous technical, organizational, and human elements. According to the security professionals surveyed, the biggest inhibitors to real-time security visibility include the need for tighter integration between security and IT operations tools (34%), the need for better security analysis and forensic skills (33%), and the need for more automated security analytics from their security tools (29%) (see Figure 29).

Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility

Of the following, which are the biggest inhibitors to having real-time and comprehensive security visibility at your organization? (Percent of respondents, N=315, multiple responses accepted)

Need tighter integration between security intelligence and IT operations tools: 34%
Need better security analysis/forensic skills at our organization: 33%
Need better automated analytics from our security intelligence tools: 29%
Need for better networking visibility: 28%
Need a better understanding of user behavior: 28%
Need better tools to baseline normal behavior so we can detect anomalies: 27%
Need a better understanding of application behavior: 24%
Need a better understanding of server virtualization technology behavior: 22%
Need a better understanding of network behavior: 22%
Need a better understanding of host behavior: 21%

Source: Enterprise Strategy Group, 2012.

In addition to security visibility, enterprise organizations need strong incident response policies and procedures when security attacks are detected. When it comes to incident response, security professionals surveyed by ESG claim that their organizations are especially weak in areas such as performing forensic analysis to determine the root cause of problems (27%), determining which assets remain vulnerable to an attack (27%), and gathering the right data for accurate situational awareness (24%) (see Figure 30).

It is also interesting—and worrisome—to note that nearly one-in-four organizations (23%) say that reporting security incidents—whether inside or outside the company—is not a strength of their incident response capabilities.

Figure 30. Weakest Aspects of Incident Response

Which of the following aspects of incident response are weakest at your organization? (Percent of respondents, N=315, multiple responses accepted)

Performing forensic analysis to determine the root cause of the problem: 27%
Determining which assets, if any, remain vulnerable to a similar type of attack: 27%
Gathering the right data for accurate situational awareness: 24%
Reporting security incidents externally: 23%
Reporting security incidents internally: 23%
Analyzing security intelligence to detect security incidents: 23%
Altering security controls to prevent future similar incidents: 22%
Understanding the impact and/or scope of a security incident: 20%
Taking action to minimize the impact of an attack: 17%
None of the above: 10%

Source: Enterprise Strategy Group, 2012.

Assessing the State of Security Information and Event Management (SIEM)

For the purposes of this project, security information and event management (SIEM) was defined as:

Technology that provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services, and are also used to log security data and generate reports for compliance purposes.

According to the security professionals surveyed, 47% of large organizations have SIEM systems in place today while another 24% plan to implement a SIEM platform in the next 12 months (see Figure 31).

Figure 31. SIEM Deployment

Based on the definition above, does your organization have a SIEM system currently deployed? (Percent of respondents, N=315)

Yes: 47%
No, but we plan on implementing a SIEM system in the next 12 months: 24%
No, but we are interested in doing so: 16%
No, no plans or interest: 9%
Don’t know: 5%

Source: Enterprise Strategy Group, 2012.

ESG’s data suggests that organizations with SIEM solutions are an elite, security-conscious group willing to put time into implementing, learning, and tuning their SIEM systems: Respondents tended to rate their SIEM feature/functionality as “highly effective” or “effective” in most areas (see Figure 32), although ease of use and visibility into both network and end-user behavior stand out as potential areas for improvement.

Figure 32. Effectiveness of SIEM

Please rate your organization’s SIEM system in the following areas: (Percent of respondents, N=147)

Areas rated: Event detection; Scalability; Visibility into host behavior; Analytics; Visibility into network behavior; Performance; Value; Integration with other security tools; Ease-of-use; Customization for specific use cases; Visibility into user behavior.

Rating scale: Highly effective / Somewhat effective / Not very effective / Not at all effective / Don’t know.

Source: Enterprise Strategy Group, 2012.

Changing Attitudes Towards Security Management

A majority of security professionals agree that security management has become “significantly more difficult” (18%) or “somewhat more difficult” (44%) than it was 24 months ago (see Figure 33). Interestingly, organizations classified as security “leaders” in the ESG security management and operations segmentation model seem to be experiencing this change the most—33% of “leaders” say that security management is significantly more difficult than it was 24 months ago as compared to 18% of the overall survey population.

ESG believes that security “leaders” are likely aggressive IT users with complex infrastructures and leading-edge applications, so it follows that security management challenges are most pronounced in these organizations. Nevertheless, the security management challenges “leaders” face today are likely a harbinger. “Laggard” and “follower” organizations should anticipate similar security management difficulties as they move forward with new IT initiatives and plan accordingly.

Figure 33. How Security Management has Changed Over Past 24 Months

How has security management changed over the past 24 months? (Percent of respondents, N=315)

Significantly more difficult than it was 24 months ago: 18%
Somewhat more difficult than it was 24 months ago: 44%
About the same as it was 24 months ago: 30%
Somewhat less difficult than it was 24 months ago: 3%
Significantly less difficult than it was 24 months ago: 2%
Don’t know / no opinion: 2%

Source: Enterprise Strategy Group, 2012.

What is making security management more difficult? ESG believes this is due to a number of factors, including:

• Increasing threat volume and sophistication.

• Security management’s strong dependency on individual skills and manual processes.

• Pervasive security skills shortages at enterprise organizations.

In addition, the introduction of new and often immature technologies can also make security management and operations more complex. To test this hypothesis, ESG presented security professionals with a list of nascent IT technologies and policies and asked them about their impact on security management and operations. Of these, 31% of security professionals believe that cloud computing is making security management and operations much more difficult while 30% of security professionals believe that mobile devices are making security management and operations much more difficult (see Figure 34). While these two areas stand out, ESG believes it is worth noting that at least 40% of security professionals believe that each of the technologies or policies listed has made security management and operations more difficult to some extent. What’s more, new technologies and policies are often concurrent, creating a multiplicative impact on security management and operations.

Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations

How has the introduction of the following technologies and policies altered security management and operations at your organization? (Percent of respondents, N=315)

Columns: Made security management and operations much more difficult / somewhat more difficult / Had no impact / Made it somewhat easier / Made it much easier / Don’t know or not applicable

Cloud computing: 31% / 38% / 16% / 6% / 3% / 6%
Mobile devices: 30% / 32% / 21% / 9% / 5% / 2%
Remote worker policies: 18% / 38% / 29% / 7% / 3% / 4%
BYOD policies: 17% / 30% / 31% / 7% / 5% / 10%
Server virtualization: 13% / 38% / 32% / 10% / 4% / 2%
Web applications / SOA: 9% / 37% / 38% / 11% / 3% / 3%
Desktop virtualization: 6% / 34% / 41% / 9% / 3% / 6%

Source: Enterprise Strategy Group, 2012.

As previously mentioned, security management and operations is often based upon an error-prone mix of individual skills and manual processes. Unfortunately, these dependencies are a mismatch for today’s threat landscape and complex, highly-virtualized, and rapidly-evolving IT infrastructure. Given this incongruence, it is not surprising to see that more than half of large organizations are using their security and IT operations tools together to automate security remediation tasks (see Figure 35). In these automated instances, a security “event” discovered by a security analytics tool initiates some IT operations action like blocking an Ethernet switch port, creating a new firewall rule, or quarantining a server exhibiting suspicious behavior.

Security management and operations “leaders” are the most aggressive in this area: 76% are using security and IT operations tools in concert to automate security remediation tasks as compared to 60% of “followers” and 36% of “laggards.” This may be a function of the influence of the security organization and its relationship with other IT groups, primarily network operations. Security management and operations “leaders” likely have formal shared processes, strong communications, and integrated technology tools between the security and IT operations team. These elements act as a foundation for collective action and security automation.

According to Figure 36, the most common automated security actions currently executed by ESG’s survey respondents include blocking URLs or web content (66%), generating firewall/IDS/IPS rules based upon network behavior or event detection (53%), and launching an immediate network scan as a result of some type of trigger event (51%).


Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks

Source: Enterprise Strategy Group, 2012.

Does your organization use its security and IT operations tools in concert to automate security remediation tasks (i.e., block activities, disable a port, change access policy enforcement, etc.)? (Percent of respondents, N=315)

Yes: 56%
No, but we plan on doing so within the next 12 months: 25%
No, but we are interested in doing so: 13%
No plans or interest: 4%
Don’t know: 3%

Figure 36. Automated Actions Currently Executed

Source: Enterprise Strategy Group, 2012.

Which of the following automated actions does your organization currently execute? (Percent of respondents, N=176, multiple responses accepted)

Block URLs or web content: 66%
Generate firewall/IDS/IPS rules based upon network behavior or event detection: 53%
Launch an immediate network scan: 51%
Enforce different access policies based upon device type, user location, time of day, etc.: 47%
Remove host systems from the network based on malware detection, anomalous system behavior, etc.: 47%
Grant limited network access: 46%
Ask users to re-authenticate based upon some anomalous user activity: 41%
Divert a system to a remediation VLAN/server: 26%


With security management and operations becoming increasingly difficult, many organizations will make a number of security technology strategy decisions over the next few years. Most significantly, security professionals say that their organizations will (see Figure 37):

• Design and build a more integrated enterprise security architecture. In the past, even large security-conscious organizations addressed information security risks with a series of standalone point tools deployed independently across the network. This created “islands of security” with no central command-and-control or situational awareness. The data indicates that 44% of large organizations intend to design and build a more integrated enterprise security architecture to alleviate shortcomings associated with existing tactical defenses.

• Include new data sources for security intelligence. To monitor and analyze their information security status, large organizations tended to rely on data sources like log files, NetFlow, and esoteric tools like database activity monitoring (DAM) systems. A fairly large population (39%) of the enterprise organizations surveyed plan to include new data sources for security intelligence moving forward. Examples of these sources could be full IP packet capture (PCAP), user access and behavior monitoring, or external data feeds from cloud providers. This data may foretell an emerging “big data” requirement for future security analytics platforms.

Responses were fairly consistent across all segments of the ESG security management and operations segmentation model, but it is worth noting that 35% of security “leaders” say they will actively decrease the number of vendors they buy products from, as compared to 23% of “followers” and 13% of “laggards.” Given the data described above, it is likely that “leaders” are looking to eschew point tool-only vendors for more enterprise-class and tightly integrated alternatives from an elite few.

Figure 37. How Security Technology Strategy Decisions Will Change

Source: Enterprise Strategy Group, 2012.

Do you believe that your organization will change its security technology strategy decisions in any of the following ways over the next 24 months in order to improve its security management? (Percent of respondents, N=315, multiple responses accepted)

Design and build a more integrated enterprise security architecture: 44%
Include new data sources for security intelligence: 39%
Buy more security suites from a single vendor: 24%
Actively decrease the number of security vendors we buy from: 22%
We will not change our security technology strategy decisions over the next 24 months: 9%


The security professionals surveyed by ESG report a number of security management challenges that will need to be addressed moving forward. Specifically, respondents pointed to issues such as security budget constraints (50%), the amount of time spent “fire fighting” or reacting to events (30%), and a lack of appropriate security skills (24%) (see Figure 38). These challenges were consistent across all three segments of the ESG security management and operations segmentation model with one exception: while 18% of the overall survey population indicated a challenge around a lack of executive management support, these results were heavily skewed towards “laggards.” While just 12% of “leaders” and 14% of “followers” point out a lack of executive management support as a security management challenge, some 28% of “laggards” report such a lack of executive support. It is safe to assume that this lack of management buy-in is a significant factor in why these organizations are ultimately classified as security “laggards.”

Figure 38. Biggest Security Management Challenges

Source: Enterprise Strategy Group, 2012.

Which of the following would you say are the biggest security management challenges at your organization? (Percent of respondents, N=315, multiple responses accepted)

Budget constraints: 50%
Security team spends too much of its time reacting to problems and not enough time with proactive security management or strategic planning: 30%
Lack of the appropriate security skills within IT: 24%
Too many security tools: 23%
We lack the appropriate level of security intelligence to make accurate and timely decisions: 19%
Lack of the appropriate security skills within the security team: 19%
Lack of executive management support: 18%
Security is not considered as part of business process and IT deployment design and planning process: 14%
None of the above: 7%


Research Implications

Based on the data collected for this project, ESG believes that a lot of security management and operations work lies ahead for large organizations. The data indicates that many enterprises continue to approach security management and operations on an ad hoc and technology-focused basis. With today’s business process dependence on IT combined with an ominous and increasingly-complex threat landscape, this haphazard approach to security management and operations is no longer adequate.

Research Implications for Technology Vendors

The state of enterprise security management and operations as outlined in this report presents numerous opportunities for security services and technology vendors. Many large organizations are already making incremental changes to their information security strategies but these adjustments won’t be enough. As enterprises come to this realization and look to bolster existing security management processes, skills, and technologies, IT vendors should:

• Consider a market taxonomy similar to ESG’s segmentation model. As previously discussed, in order to better analyze the survey data, ESG’s security management and operations segmentation model divided the total survey population into three distinct groups: “leaders” (19% of respondents), “followers” (49%), and “laggards” (32%).

From a vendor perspective, this segmentation data is extremely useful when positioning and selling security products and services. Security vendors can assume that around 20% of their customers and prospects will possess an adequate level of security knowledge, skills, and resources, while the other 80% may need additional help in one or several areas. Before launching into product pitches, ESG suggests that vendors do more upfront work in qualifying customers and prospects. This approach will help vendors and their channel partners tailor their sales engagements more appropriately. For example, 78% of security management and operations “leaders” use IT operations and security tools in concert to automate security remediation tasks, as compared to 60% of “followers” and 36% of “laggards.” Based upon this data, security vendors can assume that “leaders” are most aggressive with security automation, but additional analysis reveals more about the opportunity at hand. As it turns out, 37% of “followers” either plan on automating security remediation tasks in the next 12 months or are interested in doing so, and 50% of “laggards” either plan on automating security remediation tasks in the next 12 months or are interested in doing so. Armed with this knowledge, vendors can customize their offerings with configuration recommendations for “followers” and/or professional/managed services for “laggards.”

By qualifying customers in this manner, security vendors can get a more accurate understanding of customer requirements beyond products alone. This can lead to more tailored sales engagements along with customized—and high margin—solution sales.

• Explore your customers’ and prospects’ threat management plans. Based upon this project and the 2011 ESG Research Report, U.S. Advanced Persistent Threat Analysis, ESG believes that many large organizations are assessing their threat defenses and investing in new layers of defense for protection against sophisticated attacks such as APTs. This focus on threat management is driving tactical product sales but is also forcing CISOs into a more strategic examination of every layer of the security architecture. Security technology vendors should align product and service sales by mapping them with enterprise planning. In other words, look for short-term product sales opportunities that can be part of a defensive, in-depth security architecture over time. Vendors that follow this strategy will be in a strong position for long-term high margin partnering opportunities rather than transactional product sales alone.

• Look for opportunities at the intersection of information security and new IT initiatives. Security professionals claim that new technology initiatives like cloud computing, mobile device support, and BYOD make security management more difficult. Why? ESG believes this is a result of immature security and IT technologies, limited skills, and a misalignment between existing security processes and new technology capabilities. For example, endpoint security tools, skills, and best practices were built for Windows PCs, not smartphones and tablets. Because of this, mobile device security must be addressed as a net new set of policies, controls, operations, and monitoring capabilities. Given the pace of technology innovation, savvy security vendors should have ample opportunities to benefit from similar IT trends. It is important to remember, however, that customers and prospects need more than new security products. Vendors who supplement products with customer education, support, services, configuration templates, and reference architectures will be most successful.

• Bring business management into security requirements discussions. ESG’s research paints a compelling picture of information security progress. Security management and operations “leaders” view the CISO as a business executive while the executive management team is getting more involved with security strategy and situational awareness. As information security becomes increasingly mission-critical, leading security vendors have the opportunity to move beyond IT and provide information security products and services to directly address risk in business processes. For example, as health care facilities adopt iPads and Android tablets, they need help developing security policies, implementing network access controls, monitoring activities, and translating security metrics into useful business reports. This level of expertise and service is beyond most security product vendors today but those that have the resources and wherewithal to bolster skills, develop industry and business process capabilities, and align their security portfolios with business needs will gain a big advantage over more tactical competitors.

• Come to terms with the security skills crunch. Security skills shortages are real—and growing—which could impact security technology vendors in several ways. For example, large organizations may delay product purchases or lack the appropriate skills to implement or operate security tools effectively. Security technology vendors should monitor security skills shortages closely and maintain the assumption that customers and prospects will be under-staffed. Successful vendors will address this situation by improving product ease-of-use and automation. For example, products with hundreds of configuration settings can offer a few standard configuration templates that offer highly effective security protection out-of-the-box.

ESG research also demonstrates that information security management and operations is often composed of shared tasks between the information security and various other IT groups. Shrewd vendors will reach beyond the information security team alone to build wide and deep relationships with customers.

• Investigate short- and long-term services opportunities. Combined with the security skills shortage, security management complexity and urgency is driving a sharp increase in enterprise use of professional and managed security services in areas such as security architecture design, threat intelligence, and network monitoring. While security product vendors may not be inclined to build services practices, they should recognize this trend, supplement products with value-added services, build relationships with professional services firms, and work with channel partners to create high-margin services opportunities.

• Anticipate new requirements for incident detection and response. Based upon this research, ESG believes that incident detection is going through profound changes. Large organizations need greater visibility into network, system, data, user, and application activities. Security analytics must become more scalable to accommodate larger data sets, baseline normal behavior, and be much more intelligent and accurate at identifying anomalies. Incident detection must become far more automated than it is today in order to help large organizations overcome skills deficits in security analysis and forensics. Finally, incident detection must initiate formal and well-organized processes for incident response—within IT and throughout the business.

Security vendors should approach this transition from multiple angles. First, most organizations will need lots of help understanding their needs and creating an appropriate incident response strategy. Second, log management and SIEM products will need new levels of scale, intelligence, and automation. Security management products will also need greater integration with a plethora of existing IT operations tools and data sources.


Clearly there is a lot of money to be made here but security product and services companies must remember that roughly 80% of the enterprise market (i.e., “followers” and “laggards”) won’t have the processes, resources, or skills for rapid change. Those vendors that can help customers create a long-term comprehensive transition plan, complete with products and services, will be most successful.

• Emphasize security architecture and integration. As previously mentioned, the ESG data points to a new trend: Security management and operations is becoming more of an enterprise-class, mission-critical requirement. For example, 44% of large organizations plan to design and build a more integrated security architecture while 39% will include new data sources for security intelligence. This does not mean that enterprise organizations will cease buying independent security products but it does mean that they will look to integrate security products into a cohesive architecture over time. Large vendors will likely address this architectural requirement with proprietary product suites but ESG believes that the industry as a whole should be more engaged in creating and supporting more standard data formats and APIs. There are a number of worthwhile security standards projects already at organizations such as Mitre, NIST, OASIS, and the Trusted Computing Group (TCG). ESG would like to see leading vendors and industry consortiums become more involved here. Rather than invest in proprietary technologies, security vendors may be better served by taking this more progressive, standards-based, and open development approach. It’s likely that industry will go along if visible security management and operations vendors lead the way.


Research Methodology

To gather data for this report, ESG conducted a comprehensive online survey of IT managers from private- and public-sector organizations in North America between March 15, 2011 and March 26, 2011. To qualify for this survey, respondents were required to be directly involved in the planning, implementation, and/or operations of their organization’s information security policies, processes, or technical safeguards. All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left with a final total sample of 315 IT managers.

Please see the Respondent Demographics section of this report for more information on these respondents.

Note: Totals in figures and tables throughout this report may not add up to 100% due to rounding.


Respondent Demographics

The data presented in this report is based on a survey of 315 qualified respondents. The figures below detail the demographics of the respondent base, including individual respondents’ role in purchasing decisions and current job responsibility, as well as respondent organizations’ total number of employees, primary industry, and annual revenue.

Respondents by Role in Purchasing Decisions

Respondents’ current role in security management purchasing decisions is shown in Figure 39.

Figure 39. Survey Respondents, by Role in Security Management Purchasing Decisions

Source: Enterprise Strategy Group, 2012.

To what degree are you responsible for making purchase decisions related to information security management and operations technology products and services? (Percent of respondents, N=315)

I make/approve purchase decisions: 64%
I influence purchase decisions: 36%

Respondents by Current Responsibility

Respondents’ current responsibility within their organizations is shown in Figure 40.

Figure 40. Survey Respondents, by Current Responsibility

Source: Enterprise Strategy Group, 2012.

Which of the following best describes your current responsibility within your organization? (Percent of respondents, N=315)

Senior IT management (e.g., CIO, VP of IT, Director of IT, etc.): 43%
IT management: 34%
IT staff: 9%
Non-IT Business Manager: 9%
Other: 4%


Respondents by Number of Employees

The number of employees in respondents’ organizations is shown in Figure 41. Only organizations with 1,000 or more employees qualified for this survey.

Figure 41. Survey Respondents, by Number of Employees

Source: Enterprise Strategy Group, 2012.

How many total employees does your organization have worldwide? (Percent of respondents, N=315)

1,000 to 2,499: 13%
2,500 to 4,999: 19%
5,000 to 9,999: 14%
10,000 to 19,999: 22%
20,000 or more: 33%

Respondents by Industry

Respondents were asked to identify their organization’s primary industry. In total, ESG received completed, qualified responses from individuals in 20 distinct vertical industries, plus an “Other” category. Respondents were then grouped into the broader categories shown in Figure 42.

Figure 42. Survey Respondents, by Industry

Source: Enterprise Strategy Group, 2012.

What is your organization’s primary industry? (Percent of respondents, N=315)

Business Services (accounting, consulting, legal, etc.): 10%
Financial (banking, securities, insurance): 10%
Government (Federal/National, State/Province/Local): 10%
Health Care: 10%
Manufacturing: 10%
Communications & Media: 10%
Retail/Wholesale: 10%
Other: 10%


Respondents by Annual Revenue

Respondent organizations’ annual revenue is shown in Figure 43.

Figure 43. Survey Respondents, by Annual Revenue

Source: Enterprise Strategy Group, 2012.

What is your organization’s total annual revenue ($US)? (Percent of respondents, N=315)

Less than $100 million: 3%
$100 million to $499 million: 11%
$500 million to $999 million: 12%
$1 billion to $4.999 billion: 19%
$5 billion to $9.999 billion: 12%
$10 billion to $19.999 billion: 13%
$20 billion or more: 23%
Not applicable (e.g., public sector, non-profit): 8%


20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0128 | www.enterprisestrategygroup.com