reports.informationweek.com
September 2016

How Enterprises Are Attacking the IT Security Challenge

Infosec professionals have been making hard choices on the fly for some time, but the unrelenting nature of attacks and threats to users has raised the stakes.


Table of Contents

3 Author’s Bio
4 Executive Summary
5 Research Synopsis
6 Triage Becomes Security Strategy’s Dominant Note
7 The Biggest IT Security Challenges
9 Preparedness and Most-Used Security Products and Practices
13 Security Policy and Spending
15 Security Investments and Auditing Cloud Service Providers
16 Insurance Protection
17 Threat Intelligence Services and Hiring

Figures

7 Figure 1: Biggest IT Security Challenges
8 Figure 2: Use of Mobile Device Management Software
9 Figure 3: Preparedness of Organization
10 Figure 4: Security Products in Use
11 Figure 5: Most Valuable Security Products
12 Figure 6: Security Practices and Disciplines
13 Figure 7: Most Valuable Security Practices
14 Figure 8: Security Decision Makers
15 Figure 9: Security Budget
15 Figure 10: Security Spending
16 Figure 11: Measuring the Value of Security Investments
17 Figure 12: Risk Assessment of Cloud Providers
18 Figure 13: Threat Intelligence Service
19 Figure 14: Sufficient Staffing?
20 Figure 15: SIEM System
21 Figure 16: Formal Security Incident Management Team
22 Figure 17: Cyberbreach or Cyberrisk Insurance
23 Figure 18: Insurance Amount
24 Figure 19: Mobile Device Threat

Author’s Bio

Terry Sweeney, InformationWeek Reports

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 25 years. He was part of the team that started Dark Reading 10 years ago. He has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, Network World, and InformationWeek.

In addition to information security, Sweeney has written extensively about cloud computing, wireless technologies, storage networking, and analytics. While he’s watched successive waves of technological advancement, Sweeney still prefers to chronicle the actual application of these breakthroughs by businesses and public sector organizations.

Sweeney is also the founder and chief jarhead of Paragon Jams, a “micro-artisanal” food business specializing in small-batch jams, preserves, and marmalades for adults.


Executive Summary

“Cyber fatigue” has become a fact of life for information security professionals and executives who are constantly barraged by server attacks, attempted breaches, malware outbreaks, and end-users who too quickly forget best practices with their devices and data. Consequently, the triage mentality that has always informed security pros’ outlook has become a dominant and necessary approach to keeping their organizations defended and protected.

Dark Reading’s 2016 Strategic Security Survey drilled into these issues with 300 business technology and security professionals at organizations with 100 or more employees. Among the salient data that emerged:

• Asked about their biggest security challenges, 39% of respondents cited preventing data breaches from outside attackers, a 50% increase from 2015. More than a third (34%) cited controlling user access to systems and data as their biggest challenge (up from 23% in 2015). Meeting regulatory and industry compliance requirements was cited by 33%, up from 18% in 2015.

• Mobile device management remains a top priority for more than half our sample (53%) for enforcing security policy across different device types. While that was down slightly from 2015 (55%), there’s no denying that all the smartphones and tablets out there create a moving target – literally – for infosec professionals.

• Asked which three security technologies they’d retain above all others, 41% said email security and spam filtering, followed by anti-virus/anti-malware software (40%), and VPNs (33%). Falling to the bottom of the list were endpoint protection, log analysis/security event management, and patch management.

• Respondents also reported declines in practices and end-user awareness training, incident response, and multi-factor authentication.

Attacks and threats may escalate and proliferate, but security personnel are getting smarter about how to respond, thanks to new tools, automation, and cloud-based services. Central to that approach is a necessary pragmatism that prompts them to make difficult choices about how to keep users and data best protected.


Research Synopsis

About Us: InformationWeek Reports’ analysts arm business technology decision-makers with real-world perspective based on qualitative and quantitative research, business and technology assessment and planning tools, and adoption best practices gleaned from experience. Find all of our reports at reports.informationweek.com.

Survey Name: Dark Reading Strategic Security Survey

Survey Date: June 2016

Region: North America

Number of Respondents: 300

Purpose: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Methodology InformationWeek and Dark Reading surveyed business technology decision-makers at North American companies. The survey was conducted online. Respondents were recruited via an email invitation containing an embedded link to the survey. The email invitation was sent to UBM Tech’s qualified database. The respondents included in this report had job titles that included the word “security” or reported that their primary job responsibilities include IT security.

Triage Becomes Security Strategy’s Dominant Note

The months and years may tell us more than the days and weeks, but don’t try telling that to infosec professionals. Their hours blend seamlessly together on a regular basis as they fend off external attacks, keep users connected, and ensure their organizations don’t run afoul of state and federal security, privacy, and data handling laws.

The situation where infosec professionals face down daily challenges is nothing new. What was striking in the responses to our annual survey on strategic security was a sense that infosec professionals are overwhelmed. They’re no longer trying to cover all the bases, because it’s simply not feasible, due to the finite nature of budgets, even for security. Their servers are constantly under attack, new forms of malware are wreaking untold havoc, and users with their mobile devices add exponential complexity – and risk.

It’s a lot for one person – or department – to juggle.

“We started using the term ‘cyber fatigue’ about 18 months ago and it’s only accelerated,” said Greg Bell, KPMG’s cyber US leader. While more than 80% of companies surveyed by KPMG admitted to being breached in the last two years, less than half invested in any information security product or service as a result.

Why the disconnect? According to Bell, it’s not just the higher volume of attacks and breaches. There’s a whole new set of risks – political, economic, and technological – that require security professionals and executives to constantly recalibrate. Where to spend is less clear than it used to be. Meanwhile, the attacks keep coming and the landscape continues to shift.

That context helps to explain a clear triage mentality that emerged from our respondents’ answers and their comments in follow-up conversations. While making hard choices and setting priorities on the fly isn’t new to security professionals, the stakes have been raised. The ecosystem of malware writers, distributors, and profiteers is one of astonishing sophistication, targeting users and server ports the world over. It is also unrelenting.

First, some insight into our strategy survey sample: We spoke to 300 business technology and security professionals at organizations with 100 or more employees. The four most common job titles were network/system administrator (20%), information security department staff (14%), IT director/head (12%), and IT executive (9%). “Other” comprised 24%, and CSOs were 1%.

Industrial sectors broke down into government (11%); healthcare (10%); education, manufacturing/industrial (non-computer), and IT consulting (all 9%); financial services (8%); Telecom/ISPs (6%); consulting, energy, and IT vendors (all 3%); biotech/pharma, media/entertainment, electronics, insurance, and logistics/transportation (all 2%).

Revenues spanned $6 million to $49.9 million (17%), $5 billion or more (17%), $100 million to $499.9 million (11%), $50 million to $99.9 million (8%), and 8% of respondents selected government/nonprofit. Some 21% declined to specify.

The Biggest Security Challenges

When asked about their biggest security challenge, IT and infosec pros reveal that they are constantly on the defensive. Thirty-nine percent said preventing data breaches from outside attackers is their greatest challenge (up from 26% in 2015), and 34% said controlling user access to systems and data (up from 23%). (See Figure 1.) One-third (33%) said meeting regulatory and industry compliance requirements is their biggest challenge (also up from 18%). These top three responses won’t surprise anyone involved in information security, and in fact are interconnected.

Figure 1: Biggest IT Security Challenges. Which of the following are among the biggest information or network security challenges facing your company? (Responses for 2016 and 2015; maximum of three responses allowed. Options: preventing data breaches from outside attackers; controlling user access to systems and data; managing the complexity of security; meeting regulatory and industry compliance requirements; assessing risk; enforcing security policies; spreading user awareness; getting management buy-in or adequate funding; preventing data theft by employees or other insiders; getting professional resources and expertise; other.) Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Fast Fact: 39% of IT and infosec pros say preventing data breaches from outside attackers is their greatest security challenge.

Given that the volume and persistence of outside attacks has either remained steady or increased in the last year, infosec professionals have had to be extra vigilant about access, not to mention mindful of any potential compliance implications of what’s happening in and around their networks. Reporting criteria have gotten stricter, and nobody wants to be on the hook for noncompliance fines.

There were some significant decreases among our sample’s security challenges; chief among them was the complexity of managing security, reported by 33%, down from 44% in 2015. While cloud-based services and capabilities may be at least partially responsible for reduced complexity, it’s also clear we’re seeing security professionals respond to the demands on their attention and expanded workloads with ruthless pragmatism.

Another security challenge selected by fewer respondents this year was “Getting management buy-in or adequate funding,” which was selected by 20%, down 8% from last year. Maybe it took a breach at a major retailer – and the CEO’s subsequent firing – to sensitize those in the C-suites that better security was something more than nice to have, but rather something essential to protect customers, the brand, and of course, the share price on the stock market.

Finally, “Enforcing security policies” proved less challenging for security professionals this year at 31% (down from 37%), not because they were doing less enforcement, but because they were relying at least in part on more automation and cloud-based functionality.

With the proliferation of smartphones and tablets in the enterprise, we also asked whether respondents used mobile device management software to set and enforce a single security policy across different device types. From our sample, 53% said yes (down slightly from 55% last year), and 19% said not yet, but that they were evaluating or piloting (down from 27%). (See Figure 2, p. 8.) Another 18% said they had no plans to deploy such software (up from 14%); 10% said they didn’t know (also up from 4%).

Figure 2: Use of Mobile Device Management Software. Does your organization use mobile device management software to set and enforce a single security policy across different types of devices?

                                            2016    2015
Yes                                          53%     55%
Not yet, but we’re evaluating or piloting    19%     27%
No, and we have no plans to do so            18%     14%
Don’t know                                   10%      4%

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Preparedness and Most-Used Security Products and Practices

When asked about their overall preparedness, respondents were mostly confident, even bullish. Some 62% said they agreed with the statement, “My organization has an effective method for measuring the current state of its security posture,” while 19% were neutral, and 15% disagreed. (See Figure 3.) Some 60% said their organization “has an effective, well-considered strategy and architecture for defending its most critical data.”

About half (51%) agreed that their organization has “an effective method for measuring the effectiveness/performance of its security department” and is “well-prepared to respond to a major data breach in the coming year.”

Only 41% agreed that their “organization will have to respond to a major data breach or compromise in the coming year,” with 38% selecting neutral, the highest neutral rating among the overall preparedness queries. This reflects both realism and a dash of superstition as organizations continue to brace for breaches and attacks with an understanding that no network is invulnerable.

We also asked our survey sample about the security products that they use. The top vote-getters included anti-virus and anti-malware (84%), email and spam filtering (83%), virtual private networking (82%), firewalls (67%), encryption (64%), wireless security (60%), and intrusion prevention/detection (56%). (See Figure 4, p. 10.) No big surprises here, as these tools have been security mainstays for years.

Figure 3: Preparedness of Organization. Do you agree with this statement? (Percent of respondents: agree or strongly agree / neutral / disagree or strongly disagree / don’t know.)

My organization has an effective method for measuring the current state of its security posture: 62% / 19% / 15% / 4%

My organization has an effective, well-considered strategy and architecture for defending its most critical data: 60% / 20% / 17% / 3%

My organization has an effective method for measuring the effectiveness/performance of its security department: 51% / 27% / 17% / 5%

I believe my organization is well-prepared to respond to a major data breach in the coming year: 51% / 25% / 20% / 4%

I believe my organization will have to respond to a major data breach or compromise in the coming year: 41% / 38% / 16% / 5%

Base: 300 respondents in 2016; not asked in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Fast Fact: 53% of respondents use mobile device management software to set and enforce a single security policy across devices.


But they also show that users aren’t as susceptible to marketing pushes around the next big thing in security technology. Most of the old standbys continue to work well.

But we took respondents’ answers a step further and asked them which they would keep if they could only have three security products. The same three products floated to the top as last year, though slightly re-ordered: email and spam filtering (41%), anti-virus and anti-malware (40%), and virtual private networking (33%). (See Figure 5, p. 11.)

The next set of most retained security gear included encryption (30%), next-gen firewalls (25%), and intrusion prevention/detection (18%). A half-dozen security technologies that earned the fewest number of “must keep” responses (2% each) were network access control (NAC), tools or services for securing data in the cloud, advanced threat prevention tools, behavioral “zero-day” detection tools, sandboxing tools, and threat intelligence services. This is no reflection of the worth or effectiveness of these individual technologies, but rather a statement on the triage approach of infosec professionals.

Art George, an applications manager for an unnamed services provider, views the responses about security products as evidence of the reactive mindset that still dominates security management and its practitioners. There’s also a fair amount of the “We’ve always done it this way” mentality. “If your car has a dirty air filter, it isn’t going to run very well,” he said. “Do you use something that looks the same, or swap it for a new one to ensure the engine behaves properly?”

Figure 4: Security Products in Use. Which of these security products are currently in use in your organization? (Multiple responses allowed.) Base: 300 respondents in 2016; unable to trend to 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Our survey also asked about which security practices or disciplines were most widely used by infosec professionals. Strong passwords led the pack (70%) as they did last year (72%), followed by virus and worm detection/analysis (59%) and end-user training (56%), which was down significantly from 2015 (72%). (See Figure 6, p. 12.) The use of incident response teams (43%) and multi-factor authentication (35%) were also down from last year (61% and 51%, respectively). Again, this is no reflection on the effectiveness of these approaches, but rather a difference over time about where infosec professionals are choosing to place their focus.

The practices or disciplines that generated the lowest responses were forensics/advanced threat detection (21%), secure development processes or source-code auditing (20%), DevOps (20%), attacker attribution, and offensive security programs (10% each).

Figure 5: Most Valuable Security Products. You can keep only three security products. Which ones stay? (Responses for 2016 and 2015; maximum of three responses allowed.) Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

In tandem, we also asked which practices or disciplines they’d retain if they could only keep three. The top two replies this year were strong passwords (47%) and end-user training (36%), trading places from 2015’s results. (See Figure 7, p. 13.) Virus and worm detection/analysis was the third most-selected practice to retain (34%), replacing last year’s third-place finisher, using incident response teams (18%, down from 34% last year). Multi-factor authentication was the fourth most retained practice at 23%, down from last year’s 31%. Once again, attacker attribution finished at the bottom with 1%, a small change from last year (3%).

Those results show infosec professionals working to contain the threats posed by end-users and their many devices, not to mention their seeming inability to retain security hygiene and best practices information. Users themselves can also put lots of demands on security personnel.

“The amount of personal customization that users require is scary … you cannot please everybody,” said Gustavo Caraballo, a security professional for a large international company. Millennials just entering the workforce, he said, “feel entitled” to use computers the way they did in college. “With bigger companies, users can’t behave the way they do at Google or Apple, especially in the financial sector, where you’re working with other people’s money,” Caraballo added.

Figure 6: Security Practices and Disciplines. Which of these practices or disciplines are currently in use in your organization? (Responses for 2016 and 2015; multiple responses allowed.) Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Fast Fact: 47% of IT and infosec pros say they’d keep strong passwords if they could only keep three security practices.

Security Policy and Spending

We asked respondents who in their organization sets security policy and who sets spending. Our survey revealed that policy is typically set by people in security management (42%) and risk management (42%), followed by the manager or department lead of information security/IT (39%), CISO (36%), and internal audit (31%). (See Figure 8, p. 14.) Either the CIO, the VP of IT, or the IT director sets policy among 28% of our respondents. Those results show a more consensus-driven, collaborative approach to setting security policy, as opposed to an autocratic committee handling it in a more top-down fashion.

Still, the person who most often sets spending policy for security, according to our respondents, was the CFO or finance director (48%), followed by the president, CEO or managing director (33%). No surprise here, either, since the CEO and CFO typically retain control of all spending, especially for something as strategic as security. Other spending policy setters include CIO and VP/director of IT/infosec (12%), security management and administrators (also 12%), and the manager or department lead of information security/IT (11%).

Figure 7: Most Valuable Security Practices. You can keep only three of these practices. Which ones stay? (Responses for 2016 and 2015; multiple responses allowed.) Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

In some cases, it was the same person who handled both policy and spending decisions – typically the CIO, VP, or director of information services (52%), or sometimes the CISO (37%). The president, CEO, or managing director handled both security policy and spending among 33% of our respondents.

We also asked our sample about security budgets. A little more than 40% of respondents said between 1% and 10% of their IT budgets are devoted to security. Some 24% specified that 1% to 5% of their IT budgets went to security, while 17% said 6%-10%. (See Figure 9, p. 15.) Those numbers are down slightly from last year, when just about half of our respondents said up to 10% of their IT budgets went for security purchases.

Figure 8: Security Decision Makers
Who sets policy for information security in your organization? Who sets spending?
Base: 300 respondents in 2016; unable to trend to 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are sets policy / sets spending / does both / neither:
Security management/administrators: 42% / 12% / 21% / 25%
Risk management: 42% / 7% / 10% / 41%
Manager/department head information security/IT: 39% / 11% / 24% / 26%
Chief information security officer (CISO)/senior security management: 36% / 6% / 37% / 21%
Internal audit: 31% / 6% / 10% / 53%
CIO/VP/director of information services/IT: 28% / 12% / 52% / 8%
Cross-functional committee: 28% / 5% / 13% / 54%
Oversight committee: 25% / 8% / 17% / 50%
President/CEO/managing director: 15% / 33% / 33% / 19%
Consultant: 12% / 6% / 8% / 74%
CFO/finance director: 6% / 48% / 20% / 26%

FAST FACT: 40% of respondents said their security budgets are between 1% and 10% of their entire IT budget.

While it may be tempting to point to some sort of slowdown in IT spending, we're not ready to make that call just yet. Some 10% of this year's respondents devote more than 25% of their IT budgets to security, up from 7% who checked in at this spending level last year.

Fewer respondents did say their security spending will increase – 36% this year versus 46% for 2015. (See Figure 10.) However, more expect their budgets will stay the same (46%), versus 41% in 2015. Only 2% expect a decrease, a small downtick from last year's 5%.

Lots of respondents checked the "I don't know" box with regard to spending. Twenty-six percent didn't know what portion of their overall IT budget was dedicated to security, and 16% said they didn't know how spending on security compared on a year-to-year basis. (See Figures 9 and 10.) Security spending is growing modestly, and those with the budget data are holding things more closely to the vest.

Security Investments and Auditing Cloud Service Providers

Survey respondents told us how they measure the value of their security investments. The leading metric (as it was in last year's survey) at 37% is better protection of customer records or intellectual property. (See Figure 11.) The decline in the amount of network downtime was next, at 34%, up significantly from last year's 19%, followed by a decline in breaches (33%), also up from 28%. Respondents also cited fewer hours spent on security-related issues (32%) and better risk management strategies (27%). What's also noteworthy is that almost a quarter – 22% – said they don't measure the value of their security investments, a figure in line with last year's 24%.

Figure 9: Security Budget
Approximately what percentage of your organization's annual IT budget is allocated for information security?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are 2016 / 2015:
None: 7% / 6%
Less than 1%: 1% / 1%
1% to 5%: 24% / 28%
6% to 10%: 17% / 23%
11% to 15%: 7% / 8%
16% to 20%: 1% / 5%
21% to 25%: 7% / 8%
More than 25%: 10% / 7%
Don't know: 26% / 14%

Figure 10: Security Spending
How will spending on information security in 2016 compare with 2015?
Base: 435 respondents in April 2015 and 536 respondents in April 2014. Data: InformationWeek Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are 2016 / 2015:
Increase: 36% / 46%
About the same: 46% / 41%
Decrease: 2% / 5%
Don't know: 16% / 9%

When asked whether their organizations perform their own risk assessments of cloud service providers, 36% said yes, a number essentially unchanged from 2015 (37%). (See Figure 12, p. 17.) Another 13% said they'd like to conduct their own audits, "but providers are generally uncooperative," up slightly from 11% in 2015. Some 33% said no, or that they use providers' self-audit reports, a figure also unchanged from 2015.

More than half – 54% – said their organizations have a log-management or security information and event management (SIEM) system, down slightly from last year's 64%. Some 23% said no, and 23% didn't know. (See Figure 16, p. 21.) When asked if their organization has a formal security operations center or team that manages incidents as they are generated, 61% said yes, 12% said they plan to build a team within the next year, and 27% have nothing in place. (See Figure 15, p. 20.)

Figure 11: Measuring the Value of Security Investments
How does your organization measure the value of its security investments?
Note: Multiple responses allowed. Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are 2016 / 2015:
Better protection of customer records or intellectual property: 37% / 37%
Decline in amount of network downtime: 34% / 19%
Decline in breaches: 33% / 28%
Fewer hours spent on security-related issues: 32% / 28%
Better risk management strategies: 27% / 34%
Reduction in incident response time: 27% / 40%
External third-party audit: 27% / 27%
Less time devoted to patching: 14% and 12% (which year is which is not recoverable from the chart text)
Other: 3% and 2% (likewise not recoverable)
We don't measure the value: 22% / 24%

Insurance Protection

With strategic thinking and planning comes the inevitable discussion about insurance – whether to buy, how much, and what exclusions and deductibles are included.

Organizations have endured enough breaches, attacks and losses to make infosec professionals more sensitized to the need for insurance protection. A total of 23% of our respondents said they're covered for breaches under a broader business insurance policy, while 11% have an insurance policy specifically for cybersecurity breaches. An additional 21% reported they have no insurance. (See Figure 17, p. 22.)

The way they determine the amount of coverage they need is more of an evolving art than an exact science. When asked about their methodology, 46% used an internal estimate of reputational impact, while 44% said they used the insurer's recommendation. (See Figure 18, p. 23.) Some 36% worked with a third party; 32% said industry statistics of cost per record guided them; 29% used loss of employee productivity; and 23% used a percent of revenue. Other methods were cited by 5%.

Figure 12: Risk Assessment of Cloud Providers
Does your organization perform its own risk assessments of cloud service providers?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are 2016 / 2015:
Yes; we conduct our own audits: 36% / 37%
We want to conduct our own audits, but providers are generally uncooperative: 13% / 11%
No; we use providers' self-audit reports: 20% / 20%
No: 13% / 13%
Other: 2% / 2%
We do not use cloud services: 16% and 18% (which year is which is not recoverable from the chart text)

FAST FACT: 11% of respondents to this survey have an insurance policy specifically for cybersecurity breaches.

Threat Intelligence Services and Hiring

Exactly half (50%) of our respondents continue to subscribe to threat intelligence services to stay current on the latest risks and vulnerabilities that frequently flourish under the radar. (See Figure 13, p. 18.) Some 27% subscribe to more than one, a slight dip from last year, when 37% reported multiple subscriptions. This can be read a couple of different ways: organizations are looking for ways to save money, and/or they recognize there's significant duplication from service to service.

Despite an ongoing talent shortage among infosec professionals and managers, two-thirds of our respondents said they have enough staff or can easily hire. Fifteen percent strongly agreed with the statement "We have or can easily hire enough skilled people to meet the threats our organization will face this year" (up from 12% last year), and 51% somewhat agree with that statement (also up from 39%). (See Figure 14, p. 19.)

Organizations and IT departments continue to recognize the value of security disciplines, evidenced by their willingness to allocate money to increase headcounts when required.

While infosec professionals operate mostly in triage mode, they remain optimistic, and they are passionate about wanting to contribute at a strategic level. And though threats escalate and proliferate, security and IT departments are getting smarter about how to respond, thanks to new tools, automation, and cloud-based services.

Still, the cornerstone of that strategy is a necessary pragmatism that requires them to make shrewd choices daily. It's all part of thinking strategically for today's infosec professional.


Figure 13: Threat Intelligence Service
Does your organization currently subscribe to a threat intelligence service or feed?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Answers: Yes, one; Yes, two or more; No, but we plan to add at least one in the coming year; No, and no plans.
2016: Yes, one 23%; Yes, two or more 27%; the two "No" answers are 18% and 33%, but which is which is not recoverable from the chart text.
2015: Yes, two or more 37%; the remaining three answers are 15%, 24% and 24%, with the assignment to answers not recoverable from the chart text.

APPENDIX

Figure 14: Sufficient Staffing?
Please rate your agreement with this statement: We have or can easily hire enough skilled people to meet the threats our organization will face this year.
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are 2016 / 2015:
Strongly agree: 15% / 12%
Somewhat agree: 51% / 39%
Somewhat disagree: 23% / 30%
Strongly disagree: 11% / 19%


Figure 15: Formal Security Incident Management Team
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Values are 2016 / 2015:
Yes: 61% / 61%
No, but we are building one within the next year: 12% / 17%
No: 27% / 22%


Figure 16: SIEM System
Does your organization have a log-management or security information and event management (SIEM) system?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
2016: Yes 54%; No 23%; Don't know 23%.
2015: Yes 64%; No and Don't know are 12% and 24%, but which is which is not recoverable from the chart text.


Figure 17: Cyberbreach or Cyberrisk Insurance
Does your organization have a cyberbreach or cyberrisk insurance policy?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Answers: Yes, we are covered for cybersecurity breaches under a broader business insurance policy; Yes, we have an insurance policy specifically for cybersecurity breaches; No; Don't know.
2016: broader business insurance policy 23%; policy specifically for cybersecurity breaches 11%; No 21%; Don't know 45%.
2015: the chart text carries 28%, 14%, 32% and 26% for the four answers, but the assignment to answers is not recoverable.


Figure 18: Insurance Amount
How did your organization determine the amount of insurance needed?
Note: Multiple responses allowed. Base: 102 who determined insurance in 2016; not asked in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Industry stat of cost per record: 32%
Loss of employee productivity: 29%
Internal estimate of reputational impact: 46%
Percent of revenue: 23%
Insurer recommendation: 44%
Consultant/third-party recommendation: 36%
Other: 5%


Figure 19: Mobile Device Threat
Do you believe mobile devices, such as smartphones and tablets, pose a threat to your organization's security?
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Answers: Yes, a significant threat; Yes, a minor threat; Not yet, but they will; No.
2016 values in the chart text: 34%, 44%, 14%, 8%. 2015 values: 45%, 40%, 12%, 3%. The assignment of values to answers is not recoverable from the chart text.