HARVEY NASH & INVINSEC CYBER SECURITY SURVEY 2019

CONTENTS

Executive Summary
The Findings
  Investment
  Responsibility & Ownership
  Outsourcing
  Security in the Supply Chain
  Cyber Security Attacks
  Vulnerabilities
  Regulatory Compliance
  Security Skills
About Harvey Nash and Invinsec

EXECUTIVE SUMMARY

Please note: For the purposes of the survey, cyber security is defined as an umbrella term encompassing information security and information assurance.

Now, more than ever, boards are taking an interest in and ownership of cyber security. Recent high-profile security breaches have shown how they are not only an operational issue, but can also cause long-term reputational damage, lead to revenue loss and incur significant fines from regulators.

GDPR and comparable industry regulations have further sharpened focus in the boardroom, as highlighted by 72 per cent of this year’s respondents being concerned with the detrimental effects resulting from data loss. The burden of responsibility faced by boards filters right down through the supply chain, emphasising the importance of robust due diligence right through the procurement process. Sixty-eight per cent of this year’s respondents have changed a procurement decision as a direct result of cyber security issues.

Organisations face increasing pressure to deliver secure systems and data protection, coupled with industry-wide skills shortages, and boards are thinking hard about where to invest. GDPR is still taking up the lion’s share of investment funds but is closely followed by incident response and training programmes. Boards appear to be looking more closely at the business processes that are in place to mitigate a breach and to increase awareness of cyber security issues throughout the enterprise. The use of managed security service providers (MSSPs) has almost doubled since the last survey, which suggests that third-party vendors are picking up operational work while scarce in-house resources are directed to the business’s primary areas of focus.

There is no let-up in the demand for skilled cyber security personnel. This year’s research shows that security operations skills are the most sought after. Perhaps in part due to a shortage of suitable talent and in part down to a maturing market, our research shows that experience and knowledge are growing in importance over the box-ticking of industry accreditation.

James Walsh, CISMP, Head of Security Practice, Harvey Nash
Andrew Samsonoff, CEO, Invinsec


INVESTMENT

With its introduction in May 2018, it is unsurprising that GDPR is the most prominent investment priority this year, with almost two in three respondents (63 per cent) listing it as a focus. More interestingly, this year’s research shows that the biggest increase in investment is in managed security service providers (MSSPs): since our 2016 research the proportion of organisations investing in this area has grown from one in ten to almost two in ten (18 per cent). As the competitive landscape becomes harder to navigate, businesses need to improve both their output and their processes, and this is where investment in outsourced providers can prove invaluable. Just as major data centres were initially built in-house, then moved to outsourced providers before businesses embraced cloud services, both our quantitative and qualitative research suggest that security operations (SO) are following a similar life cycle. Further analysis of the drivers behind outsourcing is given in the Outsourcing section of this report.

Organisations are favouring investment in outsourced provision over hiring

What are you planning to invest in this year? (percentage of respondents, 2016 vs 2019)

                                                   2016   2019
GDPR                                                n/a    63%
Cyber incident response                             37%    54%
Training and awareness                              45%    49%
Develop existing talent                             48%    42%
Penetration testing                                 50%    40%
Incident response / forensics                       26%    38%
SIEM tools                                          n/a    37%
Proactive monitoring of open source intelligence    29%    32%
Cyber threat reporting                              31%    29%
ISO 27001                                           29%    29%
Security consultancy                                23%    23%
Hire / buy external talent                          34%    22%
PCI DSS                                             19%    20%
Reactive monitoring                                 16%    20%
MSSP / outsourcing                                  10%    18%
CISO as a service                                    6%     8%

n/a: no 2016 figure in the source chart.

Security information and event management (SIEM) is also receiving more interest from the board, with investment in cyber incident response increasing by 46 per cent compared with the last time we asked the question. However, only 37 per cent of respondents state that they are investing in SIEM tools themselves, which may also indicate a rise in outsourced provision. A corresponding fall in investment in hiring (down 35 per cent) corroborates this. If security operations and SIEM are outsourced effectively, IT teams will have more time to develop and improve processes and applications for the business, leaving capable third parties to deal with the day-to-day tasks of cyber security.

MSSP / outsourcing investment is up from 10% to 18%, with more organisations investing this year

Incident response / forensics investment is up by 46%

Investment in hiring is down significantly, by 35%


RESPONSIBILITY & OWNERSHIP

Board-level ownership and recognition of cyber security has increased to 56%

Boards are 25% more likely to be well informed about risk compared with the last survey

Only 50% of respondents are confident that cyber security is built into the development life cycle

Since the TalkTalk breach in late 2015, there has been a small but steady increase in the degree to which boards feel engaged with cyber security, and within larger organisations questions are increasingly being asked about the advisability of CIOs having autonomy and self-regulation from a security perspective. The proportion of respondents stating that their board is ‘Very well informed’ about cyber security has increased by 24 per cent in 2019 compared with 2016. But while cyber security is on the agenda at board meetings, it does not follow that board members understand how to tackle the issue. Most board members have expertise in other forms of risk, but not in how to protect corporate assets from nation-state attackers and organised cyber criminal gangs. It is essential that boards focus on removing the obstacles that prevent their organisations from developing a culture of proactive security. Without support from executive management and the board, companies are unlikely to develop strong cyber security practices.

Responsibility for cyber security has shifted

Where does the overall responsibility for cyber security sit within your organisation? (2016 vs 2019)

                           2016   2019
Board                       54%    56%
IT                          56%    18%
Governance / compliance     35%     9%
Risk management             33%     5%

Apart from the relatively small increase in board responsibility (up 4 per cent), there has been a shift away from responsibility lying with IT, Governance and Risk management departments. This year’s research clearly shows significant drops with, for example, only 18 per cent of respondents stating that responsibility lies within IT in comparison with 56 per cent in 2016. This suggests that organisations are recognising the need to have a check and balance between IT and Security, and also that the focus on GDPR has shifted some of the emphasis towards Data Protection Officers to shoulder the burden as a dedicated role. Outsourcing to MSSPs has certainly been a factor in workloads reducing, but responsibility cannot be shifted outside the organisation. It is clear that a major shift in ownership has occurred.

OUTSOURCING

Incident management and response are growing areas for outsourcing

33% of respondents outsource network security

Third-party providers contribute significantly to training and awareness programmes

A surge in cyber threats and the administrative burden of staying on top of data security place pressure on organisations that wish to avoid serious data breaches and the associated reputational damage and operational disruption. Given the ongoing cyber skills shortage, organisations are forced to look increasingly to outsourced providers and technologies that can help them neutralise and remediate cyber threats in the timeliest way possible. This is evidenced by the investment plans highlighted in the Investment section.

Lack of in-house skills remains top reason to outsource

If you have outsourced elements of cyber security, what are the primary reasons why? (select up to three; 2015 vs 2019)

                                               2015   2019
Lack of in-house cyber security skills          41%    32%
To guarantee subject matter expertise           50%    27%
Cost-based factors                              29%    27%
As part of a wider managed service contract     21%    25%
To guarantee an effective security service      41%    24%
Not part of your core business                  30%    22%
To meet legal or regulatory requirements        21%    12%

On the subject of responsibility for cyber security, it is highly encouraging to see that responsibility is now better understood to be with the board. Accountability has always rested with the top of the organisation, but boards are now maturing to the point where they understand that the IT function should not manage and report on information risk.Bridget Kenyon, Global CISO, Thales eSecurity

Given the large number of cyber security vacancies and limited source of suitable candidates, outsourcing of cyber security has become one of the most effective solutions for meeting our needs. This is particularly key in the areas of incident management and response where these skills are in short supply.Tobi Patterson-Jones, Group Head of Information Security and Data Protection, Grafton Group plc


This year’s research shows that while the outsourcing of many areas of security operations (SO) has held steady over the last three years, there are some notable exceptions. Just under a quarter (22 per cent) of respondents now outsource incident management and response, compared with only 8 per cent in 2016, a significant increase. A third of respondents now outsource network security and firewall management, compared with 22 per cent in 2016, another notable increase. Training and awareness around SO is a further growing area, with the proportion of respondents outsourcing it up 23 per cent on 2016. All of these measures relieve headcount pressure within the organisation and free scarce in-house staff for higher-value activities.

Incident management and response has shifted to MSSPs

Have you outsourced any element of cyber security? If yes, which ones? (select all that apply; 2015, 2016 and 2019)

                                               2015   2016   2019
Penetration testing                             76%    78%    66%
Threat assessments and/or intelligence feeds    38%    23%    40%
Forensics                                       33%    32%    34%
Monitoring                                      34%    35%    34%
Network security / firewall management          22%    22%    33%
Audit and assessment                            29%    26%    25%
Incident management and response                11%     8%    22%
Physical security                               n/a    20%    18%
Training and awareness                          n/a    13%    16%
Security strategy                                9%     3%     3%

n/a: no figure for that year in the source chart.

SECURITY IN THE SUPPLY CHAIN

Cyber security is a consideration for 93% of procurement decisions

More than two-thirds of respondents have changed a supplier decision because of it

A quarter of all respondents feel cloud services make cyber security easier

The 2017 ‘NotPetya’ campaign began with an extremely effective supply chain attack, which had disastrous consequences for Ukraine’s national bank, airport and government departments. It went on to infect machines in a staggering 64 countries. No wonder then that 93 per cent of our respondents’ organisations consider cyber security an important factor for procurement. It is equally unsurprising given that many regulations such as GDPR, and regulators including the FCA, make it clear that organisations own the risk to their data throughout their supply chain.

Overlooking the cyber resilience of suppliers can dramatically increase an organisation’s vulnerability. Our research shows that more than two-thirds of respondents (68 per cent) have changed a procurement decision based on security considerations, highlighting encouraging levels of due diligence being undertaken.

Cyber security is a consideration for almost all procurement decisions

Cyber security in the supply chain is not limited to initial due diligence during procurement but must be embedded in the entire supplier management life cycle. Regular review of existing suppliers provides greater assurance to business about their cyber security risk profile.Hargobind Singh Ahluwalia, Group Information Security Manager, CPP Group


Security operations must develop a much deeper understanding of how their businesses are changing. Cloud computing is underpinning wholesale digital transformation for companies and creating a significant shift in operational risk. With the integration of cloud services now a standard part of the business landscape, we asked our respondents about whether this made it more difficult to implement effective cyber security. More than three-quarters feel that cloud either made it easier to implement security or had no direct impact on vulnerability.

A quarter of respondents feel that cloud services make cyber security easier to implement

Do you consider cyber security when making procurement decisions for new suppliers?

              2014   2015   2018
Yes            84%    81%    93%
No             14%    10%     6%
Don't know      2%    10%     1%

Have security considerations ever changed a procurement decision?

              2014   2015   2018
Yes            54%    66%    68%
No             31%    12%    14%
Don't know     15%    21%    19%

In your view does using cloud services make cyber security a harder or easier task?

Harder     33%
Easier     25%
Neither    42%


CYBER SECURITY ATTACKS

Phishing and social engineering attacks remain at the top of the attack type leader board

Service interruptions and data loss attacks have almost doubled since 2016

Organisations are most concerned about possible data loss incidents

While down 16 per cent since 2016, phishing and social engineering attacks remain at the top of the list of cyber attacks experienced in the past year with 61 per cent of all respondents having suffered from them. Data loss (33 per cent) and service interruption attacks (39 per cent) have almost doubled since 2016.

Data loss and service interruption are fastest-growing types of attack

Which, if any, of the following have you suffered in the past year? (2016 vs 2019)

                                 2016   2019
Phishing / social engineering     73%    61%
Virus / malware outbreak          53%    41%
Service interruption              20%    39%
Data loss incident                18%    33%
DoS / DDoS                        24%    24%

Phishing remains a primary attack vector for all organisations. Given the low investment for this type of attack required for cyber criminals, it’s an obvious first choice tool in their weaponry. It is great to see this report reflect a 16% reduction in phishing and social engineering since 2016. It means that investments in defensive security technology are paying off.Katy Hinchcliffe, Head of Cyber Security, Littlefish Ltd


Cyber attacks are still hitting organisations primarily on their bottom line. More than half (54 per cent) of respondents state that attacks affected their revenue and profits. However, the fastest-growing effect of a security breach is loss of supplier confidence, cited by almost twice the proportion of respondents compared with 2016 (17 per cent against 9 per cent).

Loss of supplier confidence is the fastest-growing impact

If you have suffered an attack in the past year, what was the impact on the business? (select all that apply; 2016 vs 2019)

                                2016   2019
Loss of revenue or profit        56%    54%
Loss of customer confidence      35%    33%
Reputational damage              32%    33%
Loss of supplier confidence       9%    17%
Loss of employees                 6%     8%
Loss of market share              3%     4%

Given the punitive penalties that regulations such as GDPR can impose for negligence, it is unsurprising that data loss incidents are by far the most feared form of security breach. Almost three-quarters of respondents (72 per cent) are concerned by them.

Data loss is causing the most concern

Thinking about the next two years, which two threats are you most concerned about? (select up to two; percentage of respondents naming each)

Data loss incident                72%
Phishing / social engineering     49%
Service interruption              35%
Virus / malware outbreak          22%
DoS / DDoS                         7%

The pie chart in the original report shows the same responses as shares of all selections made (39%, 26%, 19%, 12% and 4% respectively).

VULNERABILITIES

Just over half of respondents (55%) have fully identified the assets that need protecting

Less than a third (32%) of all respondents have systems in place to fully identify security vulnerabilities

Growing use of proactive strategy for cyber security

Just over half of all respondents (55 per cent) consider that they have fully identified the assets within their organisation that need protecting. A further 38 per cent are still on the identification journey.

Just over half of assets that need protecting have been fully identified

Have you identified which assets need most protection in your organisation?

Yes, fully                                        55%
No, but we are in the process of doing this       38%
No                                                 6%
Don't know                                         1%

Our research shows that less than a third (32 per cent) of all respondents have systems in place to fully identify security vulnerabilities. Almost one in ten (9 per cent) either have no such system or are unaware of them.

Almost one in ten have no system in place to identify new security vulnerabilities

Do you have systems in place to identify new security vulnerabilities in your technology?

Yes, fully      32%
Yes, in part    59%
No               8%
Don't know       1%

If businesses hope to avoid becoming another media headline, they must be proactive with their security programmes, stay agile and react swiftly to a crisis to avoid the accompanying financial and reputational damage. Organisations must understand their risk tolerance and have plans to safeguard against attacks and not assume that they will be left alone as some attacks have become more indiscriminate in nature. Since 2016, our respondents are being increasingly proactive, with 59 per cent now using this approach over a reactive one.

Vulnerability management is hard. It’s the constant race against exploits in known holes in your software and getting these patched. It’s not impossible though: IT and Security need to work together to ensure vulnerabilities are disclosed and prioritised. It’s worrying to see that almost two-thirds of respondents don’t have a mechanism for identifying vulnerabilities. Identification is only part of the solution – a clear process to remediate is also key.Christian Toon, CISO, Pinsent Masons LLP


Move towards more proactive approach to cyber security

Overall, how would you describe your organisation’s approach to cyber security? (2016 vs 2019)

             2016   2019
Proactive     54%    59%
Reactive      46%    41%

Almost two in ten lack processes to fix vulnerabilities in a timely manner

Do you have a process in place to fix vulnerabilities in a timely manner?

Yes           80%
No            18%
Don't know     2%

While an encouraging 80 per cent of respondents feel that they have the correct processes in place to fix vulnerabilities in a timely manner, almost two in ten (18 per cent) do not.

REGULATORY COMPLIANCE

Less than 2 in 10 were very well prepared for GDPR enforcement

DPO roles exist in 94% of organisations

60% feel that regulatory bodies could provide better guidance

GDPR has focused organisations on their security compliance obligations over the last 12 months. This has been evidenced by much people-focused activity within industries: including hiring and use of consultants. It remains to be seen whether this step up in activity will be maintained over time, or if organisations will feel that they have ticked a GDPR box for the moment. Cyber security professionals will play an important role to ensure compliance is maintained long term, and if organisations have made the necessary link through to the need for early detection and timely response then activity around regulatory compliance should remain at an increased rate.

In 2018, 60 per cent of our research respondents state that the regulatory bodies that govern their organisations do not provide useful guidance on how to mitigate cyber security risks. This has increased from 54 per cent in 2016.

Respondents feel less guided by regulatory bodies


Do you feel the regulatory bodies that govern your organisation provide useful guidance to help you manage your cyber security risk? (2015 vs 2018)

              2015   2018
Yes            38%    34%
No             54%    60%
Don't know      8%     6%


In addition to ISO 27001, one scheme that many companies are increasingly benefiting from is the Cyber Essentials scheme, a UK government-backed security standard that identifies the security controls an organisation must have in place within their IT systems. Our research shows that usage of this standard has increased by 61 per cent since 2016, which is great news.

Growing use of Cyber Essentials as regulatory compliance standard

Does your organisation use any regulatory compliance standard to mitigate cyber risk? (2015 vs 2018)

                    2015   2018
ISO 27001            82%    81%
Cyber Essentials     34%    56%
NIST                 n/a    48%
PCI DSS              53%    42%
HMG                  22%    21%

n/a: no 2015 figure in the source chart.

While Europe’s attention has been heavily focused on GDPR, there are other regulations that CISOs and cyber security professionals must manage. Most notable is the Network and Information Systems (NIS) Directive, which aims to improve the EU’s preparedness for cyber attacks, particularly on critical infrastructure such as energy, utilities, finance, healthcare, digital infrastructure and transport. The Directive means that cyber professionals operating in these industries and in the public sector will have to implement strong defences against cyber attacks.

Almost two-thirds of organisations have appointed a dedicated DPO

Are you or your organisation currently working on a GDPR programme?

Yes           91%
No             6%
Don't know     3%

Does your current organisation have a dedicated Data Protection Officer?

Yes                                         63%
No, but another role is covering this       31%
No, and no other role is covering this       6%

Where does ownership for GDPR sit within your organisation?

Legal Counsel                         22%
Data Protection Officer               22%
Chief Information Officer             10%
Chief Information Security Officer    10%
Chief Executive Officer               10%
Chief Risk Officer                     8%
Chief Financial Officer                5%
Other                                 13%

How well covered/prepared do you believe your current organisation is for GDPR enforcement in May 2018?

Very well prepared/covered       19%
Quite well prepared/covered      45%
Partially prepared/covered       33%
Not at all prepared/covered       1%
Don't know                        1%

SECURITY SKILLS

More than half of respondents are seeking security operations personnel

Experience is catching up with accreditation in recruitment decisions

Cyber leadership job opportunities are down dramatically since the last survey

The search for senior cyber leadership has tailed off dramatically with only 14 per cent of respondents indicating a skill gap this year compared with 38 per cent in 2016. The search for security operations professionals tops the requirements list with more than half (52 per cent) of respondents citing a need for more, which is interesting given the increase in outsourcing of security operations. Architects and penetration testers are also less sought after than in previous years.

Leadership in place but operations posts need to be filled

[Chart: If you have indicated you are lacking ‘internal cyber skills’, what skills do you feel you are lacking? (2015 vs 2019)]

2019: Security operations 52%; Security training and awareness 43%; Security architecture 38%; GDPR / data protection 36%; Security engineering 33%; Governance, risk and compliance 26%; Security project management 21%; Senior cyber leadership 14%; Penetration testing 12%

2015: comparison figures shown for six of the categories (senior cyber leadership 38%)

Convincing organisations that data protection is a source of competitive advantage rather than a cost centre could be effective at driving greater compliance. Consumers remain doubtful about the ability of merchants and service providers to protect their personal data, in no small part because of the bad press surrounding data breaches and misuse at Facebook, Yahoo and Uber, among others. The role of the Data Protection Officer is key: its objective is to ensure that consumers’ data privacy is maintained and that personal data is protected from misuse. Sixty-three per cent of respondents have a DPO in a dedicated role, and a further 31 per cent have another person covering the role.


HARVEY NASH & INVINSEC CYBER SECURITY SURVEY 2019

ALL ABOUT HARVEY NASH AND INVINSEC

Harvey Nash

Our Information Security Practice is our specialist team that is solely dedicated to this increasingly business-critical function. Over the past five years the team has seen over 10 per cent year-on-year increase in demand for security-related skill sets across the UK alone. This is a clear response to the ever-changing threat landscape and the challenges all organisations face in keeping data and assets secure. Our extensive global network and talent pool mean our team can provide bespoke resourcing strategies to meet this demand. Our Information Security Practice offers a complete end-to-end recruitment service. We deliver permanent, contract and statement of work resourcing solutions across technical cyber, governance, risk and strategic security transformation skill sets. We have a successful track record of placing professionals at Global Chief Information Security Officer level through to entry-level Security Analysts. Our team is also heavily involved in thought leadership and advisory services, and has contributed to articles in Computing magazine and publications by Bloomberg.

James Walsh, Head of Security Practice

E: [email protected]
T: 0121 717 1946
M: 07896 019475

----------------------------------------------------------------------------------------------------------------------------

Invinsec

Invinsec is a hyper-growth, British-owned cyber security company that specialises in security monitoring (SOC/SIEM). Headquartered in Cheltenham and with offices in Birmingham, it aims to be the number one company in the UK and Europe for security monitoring by 2021. Founded in 2016, it is ripping up the rule book for security monitoring with tech you can use quickly at prices you can afford, and with first-class service too. Invinsec built and owns its cloud-based software platforms BroadBot and StopPoint, and has its own 24/7/365 SOC service with UK SOC locations in Cheltenham and Birmingham. Invinsec is staffed by veterans of the military, law enforcement and secure government agencies. It provides state-of-the-art security monitoring to businesses of all sizes – at a price they can understand and afford. A Great British company providing security monitoring for everyone.

The cyber security skills arena has matured considerably since our last survey and experience is becoming as important as accreditation. While this could also be driven in part by skills shortages, just over a quarter (27 per cent) of respondents care little about accreditation, preferring to make hiring decisions based on previous roles and experience.

Experience increasingly more important than accreditation

[Chart: When hiring people, how important is it for them to have some kind of accreditation? (2015 vs 2019)]

Very – it’s a key factor, we would rarely hire without it: 2015 30%; 2019 22%

Quite – it’s a contributory factor, although we sometimes hire without it: 2015 56%; 2019 52%

Not – accreditations matter very little, only experience matters: 2015 14%; 2019 27%

What accreditation do you value most?

CISSP, CCP, CESG, CISA, CREST, ISACA, SABSA, TOGAF, ISC2, CRISC, GIAC, SANS, CISM, ISO 27001, ITIL, OSCP, Experience
