Post on 05-Jun-2020
reports.informationweek.com
September 2016
How Enterprises Are Attacking the IT Security Challenge
Infosec professionals have been making hard choices on the fly for some time, but the unrelenting nature of attacks and threats to users have raised the stakes.
TABLE OF CONTENTS
3 Author’s Bio
4 Executive Summary
5 Research Synopsis
6 Triage Becomes Security Strategy’s Dominant Note
7 The Biggest IT Security Challenges
9 Preparedness and Most-Used Security Products and Practices
13 Security Policy and Spending
15 Security Investments and Auditing Cloud Service Providers
16 Insurance Protection
17 Threat Intelligence Services and Hiring
Figures
7 Figure 1: Biggest IT Security Challenges
8 Figure 2: Use of Mobile Device Management Software
9 Figure 3: Preparedness of Organization
10 Figure 4: Security Products in Use
11 Figure 5: Most Valuable Security Products
12 Figure 6: Security Practices and Disciplines
13 Figure 7: Most Valuable Security Practices
14 Figure 8: Security Decision Makers
15 Figure 9: Security Budget
15 Figure 10: Security Spending
16 Figure 11: Measuring the Value of Security Investments
17 Figure 12: Risk Assessment of Cloud Providers
18 Figure 13: Threat Intelligence Service
19 Figure 14: Sufficient Staffing?
20 Figure 15: SIEM System
21 Figure 16: Formal Security Incident Management Team
22 Figure 17: Cyberbreach or Cyberrisk Insurance
23 Figure 18: Insurance Amount
24 Figure 19: Mobile Device Threat
Author’s Bio

Terry Sweeney, InformationWeek Reports
Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 25 years. He was part of the team that started Dark Reading 10 years ago. He has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, Network World, and InformationWeek.
In addition to information security, Sweeney has written extensively about cloud computing, wireless technologies, storage networking, and analytics. While he’s watched successive waves of technological advancement, Sweeney still prefers to chronicle the actual application of these breakthroughs by businesses and public sector organizations.
Sweeney is also the founder and chief jarhead of Paragon Jams, a “micro-artisanal” food business specializing in small-batch jams, preserves, and marmalades for adults.
EXECUTIVE SUMMARY

“Cyber fatigue” has become a fact of life for information security professionals and executives who are constantly barraged by server attacks, attempted breaches, malware outbreaks, and end-users who too quickly forget best practices with their devices and data. Consequently, the triage mentality that has always informed security pros’ outlook has become a dominant and necessary approach to keeping their organizations defended and protected.
Dark Reading’s 2016 Strategic Security Survey drilled into these issues with 300 business technology and security professionals at organizations with 100 or more employees. Among the salient data that emerged:
• Asked about their biggest security challenges, 39% of respondents cited preventing data breaches from outside attackers, a 50% increase from 2015. More than a third (34%) cited controlling user access to systems and data as their biggest challenge (up from 23% in 2015). Meeting regulatory and industry compliance requirements was cited by 33%, up from 18% in 2015.
• Mobile device management remains a top priority for more than half our sample (53%) for enforcing security policy across different device types. While that was down slightly from 2015 (55%), there’s no denying that all the smartphones and tablets out there create a moving target – literally – for infosec professionals.
• Asked which three security technologies they’d retain above all others, 41% said email security and spam filtering, followed by anti-virus/anti-malware software (40%), and VPNs (33%). Falling to the bottom of the list were endpoint protection, log analysis/security event management, and patch management.
• Respondents also reported declines in practices and end-user awareness training, incident response, and multi-factor authentication.
Attacks and threats may escalate and proliferate, but security personnel are getting smarter about how to respond, thanks to new tools, automation, and cloud-based services. Central to that approach is a necessary pragmatism that prompts them to make difficult choices about how to keep users and data best protected.
RESEARCH SYNOPSIS

ABOUT US: InformationWeek Reports’ analysts arm business technology decision-makers with real-world perspective based on qualitative and quantitative research, business and technology assessment and planning tools, and adoption best practices gleaned from experience. Find all of our reports at reports.informationweek.com.
Survey Name: Dark Reading Strategic Security Survey
Survey Date: June 2016
Region: North America
Number of Respondents: 300
Purpose: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Methodology: InformationWeek and Dark Reading surveyed business technology decision-makers at North American companies. The survey was conducted online. Respondents were recruited via an email invitation containing an embedded link to the survey. The email invitation was sent to UBM Tech’s qualified database. The respondents included in this report had job titles that included the word “security” or reported that their primary job responsibilities include IT security.
Triage Becomes Security Strategy’s Dominant Note

The months and years may tell us more than the days and weeks, but don’t try telling that to infosec professionals. Their hours blend seamlessly together on a regular basis as they fend off external attacks, keep users connected, and ensure their organizations don’t run afoul of state and federal security, privacy, and data handling laws.

The situation where infosec professionals face down daily challenges is nothing new. What was striking in the responses to our annual survey on strategic security was a sense that infosec professionals are overwhelmed. They’re no longer trying to cover all the bases, because it’s simply not feasible, due to the finite nature of budgets, even for security. Their servers are constantly under attack, new forms of malware are wreaking untold havoc, and users with their mobile devices add exponential complexity – and risk.

It’s a lot for one person – or department – to juggle.

“We started using the term ‘cyber fatigue’ about 18 months ago and it’s only accelerated,” said Greg Bell, KPMG’s cyber US leader. While more than 80% of companies surveyed by KPMG admitted to being breached in the last two years, less than half invested in any information security product or service as a result.

Why the disconnect? According to Bell, it’s not just the higher volume of attacks and breaches. There’s a whole new set of risks – political, economic, and technological – that require security professionals and executives to constantly recalibrate. Where to spend is less clear than it used to be. Meanwhile, the attacks keep coming and the landscape continues to shift.

That context helps to explain a clear triage mentality that emerged from our respondents’ answers and their comments in follow-up conversations. While making hard choices and setting priorities on the fly isn’t new to security professionals, the stakes have been raised. The ecosystem of malware writers, distributors, and profiteers is one of astonishing sophistication, targeting users and server ports the world over. It is also unrelenting.

First, some insight into our strategy survey sample: We spoke to 300 business technology and security professionals at organizations with 100 or more employees. The four most common job titles were network/system administrator (20%), information security department staff (14%), IT director/head (12%), and IT executive (9%). “Other” comprised 24%, and CSOs were 1%.
Industrial sectors broke down into government (11%); healthcare (10%); education, manufacturing/industrial (non-computer), and IT consulting (all 9%); financial services (8%); telecom/ISPs (6%); consulting, energy, and IT vendors (all 3%); biotech/pharma, media/entertainment, electronics, insurance, and logistics/transportation (all 2%).

Revenues spanned $6 million to $49.9 million (17%), $5 billion or more (17%), $100 million to $499.9 million (11%), $50 million to $99.9 million (8%), and 8% of respondents selected government/nonprofit. Some 21% declined to specify.
The Biggest Security Challenges

When asked about their biggest security challenge, IT and infosec pros reveal that they are constantly on the defensive. Thirty-nine percent said preventing data breaches from outside attackers is their greatest challenge (up from 26% in 2015), and 34% said controlling user access to systems and data (up from 23%). (See Figure 1.) One-third (33%) said meeting regulatory and industry compliance requirements is their biggest challenge (also up from 18%). These top three responses won’t surprise anyone involved in information security, and in fact are interconnected.

Figure 1: Biggest IT Security Challenges
Which of the following are among the biggest information or network security challenges facing your company?
(Partial; values for the remaining response options are not legible in this copy.)

Response                                                 2016   2015
Preventing data breaches from outside attackers           39%    26%
Controlling user access to systems and data               34%    23%
Managing the complexity of security                       33%    44%
Meeting regulatory and industry compliance requirements   33%    18%
Enforcing security policies                               31%    37%
Getting management buy-in or adequate funding             20%    28%

Other response options: Assessing risk; Spreading user awareness; Preventing data theft by employees or other insiders; Getting professional resources and expertise; Other.
Note: Maximum of three responses allowed. Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

FAST FACT: 39% of IT and infosec pros say preventing data breaches from outside attackers is their greatest security challenge.
Given that the volume and persistence of outside attacks has either remained steady or increased in the last year, infosec professionals have had to be extra vigilant about access, not to mention mindful of any potential compliance implications of what’s happening in and around their networks. Reporting criteria have gotten stricter, and nobody wants to be on the hook for noncompliance fines.

There were some significant decreases among our sample’s security challenges; chief among them was the complexity of managing security, reported by 33%, down from 44% in 2015. While cloud-based services and capabilities may be at least partially responsible for reduced complexity, it’s also clear we’re seeing security professionals respond to the demands on their attention and expanded workloads with ruthless pragmatism.

Another security challenge selected by fewer respondents this year was “Getting management buy-in or adequate funding,” which was selected by 20%, down 8% from last year. Maybe it took a breach at a major retailer – and the CEO’s subsequent firing – to sensitize those in the C-suites that better security was something more than nice to have, but rather something essential to protect customers, the brand, and of course, the share price on the stock market.

Finally, “Enforcing security policies” proved less challenging for security professionals this year at 31% (down from 37%), not because they were doing less enforcement, but because they were relying at least in part on more automation and cloud-based functionality.

With the proliferation of smartphones and tablets in the enterprise, we also asked whether respondents used mobile device management software to set and enforce a single security policy across different device types. From our sample, 53% said yes (down slightly from 55% last year), and 19% said not yet, but that they were evaluating or piloting (down from 27%). (See Figure 2, p. 8.) Another 18% said they had no plans to deploy such software (up from 14%); 10% said they didn’t know (also up from 4%).

Figure 2: Use of Mobile Device Management Software
Does your organization use mobile device management software to set and enforce a single security policy across different types of devices?

Response                                     2016   2015
Yes                                           53%    55%
Not yet, but we’re evaluating or piloting     19%    27%
No, and we have no plans to do so             18%    14%
Don’t know                                    10%     4%

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Preparedness and Most-Used Security Products and Practices

When asked about their overall preparedness, respondents were mostly confident, even bullish. Some 62% said they agreed with the statement, “My organization has an effective method for measuring the current state of its security posture,” while 19% were neutral, and 15% disagreed. (See Figure 3.) Some 60% said their organization “has an effective, well-considered strategy and architecture for defending its most critical data.”

About half (51%) agreed that their organization has “an effective method for measuring the effectiveness/performance of its security department” and is “well-prepared to respond to a major data breach in the coming year.”

Only 41% agreed that their “organization will have to respond to a major data breach or compromise in the coming year,” with 38% selecting neutral, the highest neutral rating among the overall preparedness queries. This reflects both realism and a dash of superstition as organizations continue to brace for breaches and attacks with an understanding that no network is invulnerable.

We also asked our survey sample about the security products that they use. The top vote-getters included anti-virus and anti-malware (84%), email and spam filtering (83%), virtual private networking (82%), firewalls (67%), encryption (64%), wireless security (60%), and intrusion prevention/detection (56%). (See Figure 4, p. 10.) No big surprises here, as these tools have been security mainstays for years.
Figure 3: Preparedness of Organization
Do you agree with this statement?

Statement                                                                                                          Agree or strongly agree   Neutral   Disagree or strongly disagree   Don’t know
My organization has an effective method for measuring the current state of its security posture.                   62%                       19%       15%                             4%
My organization has an effective, well-considered strategy and architecture for defending its most critical data.  60%                       20%       17%                             3%
My organization has an effective method for measuring the effectiveness/performance of its security department.    51%                       27%       17%                             5%
I believe my organization is well-prepared to respond to a major data breach in the coming year.                   51%                       25%       20%                             4%
I believe my organization will have to respond to a major data breach or compromise in the coming year.            41%                       38%       16%                             5%

Base: 300 respondents in 2016; not asked in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
FAST FACT: 53% of respondents use mobile device management software to set and enforce a single security policy across devices.
But they also show that users aren’t as susceptible to marketing pushes around the next big thing in security technology. Most of the old standbys continue to work well.

But we took respondents’ answers a step further and asked them which would they keep if they could only have three security products. The same three products floated to the top as last year, though slightly re-ordered: email and spam filtering (41%), anti-virus and anti-malware (40%), and virtual private networking (33%). (See Figure 5, p. 11.)

The next set of most retained security gear included encryption (30%), next-gen firewalls (25%), and intrusion prevention/detection (18%). A half-dozen security technologies that earned the fewest number of “must keep” responses (2% each) were network access control (NAC), tools or services for securing data in the cloud, advanced threat prevention tools, behavioral “zero-day” detection tools, sandboxing tools, and threat intelligence services. This is no reflection of the worth or effectiveness of these individual technologies, but rather a statement on the triage approach of infosec professionals.

Art George, an applications manager for an unnamed services provider, views the responses about security products as evidence of the reactive mindset that still dominates security management and its practitioners. There’s also a fair amount of the “We’ve always done it this way” mentality. “If your car has a dirty air filter, it isn’t going to run very well,” he said. “Do you use something that looks the same, or swap it for a new one to ensure the engine behaves properly?”

Figure 4: Security Products in Use
Which of these security products are currently in use in your organization?
Products listed: Anti-virus and anti-malware; Email security and spam filtering; VPN; Traditional firewalls; Data encryption; Wireless security enforcement; Intrusion prevention or intrusion detection; Patch management; Endpoint protection; Web application firewalls; Log analysis, security event management, or security information management; Application and vulnerability scanning tools; Identity management; Vulnerability assessment or penetration testing; Next-generation firewalls; Network anomaly detection tools; Data loss prevention; Managed security services; Advanced threat prevention tools; Sandboxing tools; Threat intelligence services; Tools or services for securing data in the cloud; Behavioral “zero-day” detection tools; NAC.
Note: Multiple responses allowed. Base: 300 respondents in 2016; unable to trend to 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Our survey also asked about which security practices or disciplines were most widely used by infosec professionals. Strong passwords led the pack (70%) as they did last year (72%), followed by virus and worm detection/analysis (59%) and end-user training (56%), which was down significantly from 2015 (72%). (See Figure 6, p. 12.) The use of incident response teams (43%) and multi-factor authentication (35%) were also down from last year (61% and 51%, respectively). Again, this is no reflection on the effectiveness of these approaches, but rather a difference over time about where infosec professionals are choosing to place their focus.

The practices or disciplines that generated the lowest responses were forensics/advanced threat detection (21%), secure development processes or source-code auditing (20%), DevOps (20%), attacker attribution, and offensive security programs (10% each).

Figure 5: Most Valuable Security Products
You can keep only three security products. Which ones stay? (2016 vs. 2015)
Products listed: Email security and spam filtering; Antivirus/antimalware; VPN; Data encryption; Next-generation firewalls; Intrusion prevention or intrusion detection; Traditional firewalls; Endpoint protection; Log analysis, security event management, or security information management; Data loss prevention; Patch management; Web application firewalls; Identity management; Managed security services; Wireless security enforcement; Application/vulnerability scanning tools; Vulnerability assessment or penetration testing; Network anomaly detection tools; NAC; Tools or services for securing data in the cloud; Advanced threat prevention tools; Behavioral “zero-day” detection tools; Sandboxing tools; Threat intelligence services.
Note: Maximum of three responses allowed. Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
In tandem, we also asked which practices or disciplines they’d retain if they could only keep three. The top two replies this year were strong passwords (47%) and end-user training (36%), trading places from 2015’s results. (See Figure 7, p. 13.) Virus and worm detection/analysis was the third most-selected practice to retain (34%), replacing last year’s third-place finisher, using incident response teams (18%, down from 34% last year). Multi-factor authentication was the fourth most retained practice at 23%, down from last year’s 31%. Once again, attacker attribution finished at the bottom with 1%, a small change from last year (3%).

Those results show infosec professionals working to contain the threats posed by end-users and their many devices, not to mention their seeming inability to retain security hygiene and best practices information. Users themselves can also put lots of demands on security personnel.

“The amount of personal customization that users require is scary … you cannot please everybody,” said Gustavo Caraballo, a security professional for a large international company. Millennials just entering the workforce, he said, “feel entitled” to use computers the way they did in college. “With bigger companies, users can’t behave the way they do at Google or Apple, especially in the financial sector, where you’re working with other people’s money,” Caraballo added.

Figure 6: Security Practices and Disciplines
Which of these practices or disciplines are currently in use in your organization? (2016 vs. 2015)
Practices listed: Strong passwords; Virus and worm detection and analysis; End user security awareness training; Risk analysis and risk assessment; Incident response team; Internal security information and event analysis; Monitoring employee behavior; Malware analysis; Internal penetration testing; Multi-factor authentication; Threat intelligence analysis; Forensics or advanced threat detection; Secure development processes or source-code auditing; DevOps; Attacker attribution; Offensive security program.
Note: Multiple responses allowed. Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

FAST FACT: 47% of IT and infosec pros say they’d keep strong passwords if they could only keep three security practices.
Security Policy and Spending

We asked respondents who in their organization sets security policy and who sets spending. Our survey revealed that policy is typically set by people in security management (42%) and risk management (42%), followed by the manager or department lead of information security/IT (39%), CISO (36%), and internal audit (31%). (See Figure 8, p. 14.) Either the CIO, the VP of IT, or the IT director sets policy among 28% of our respondents. Those results show a more consensus-driven, collaborative approach to setting security policy, as opposed to an autocratic committee handling it in a more top-down fashion.

Still, the person who most often sets spending policy for security, according to our respondents, was the CFO or finance director (48%), followed by the president, CEO or managing director (33%). No surprise here, either, since the CEO and CFO typically retain control of all spending, especially for something as strategic as security. Other spending policy setters include CIO and VP/director of IT/infosec (12%), security management and administrators (also 12%), and the manager or department lead of information security/IT (11%).

Figure 7: Most Valuable Security Practices
You can keep only three of these practices. Which ones stay? (2016 vs. 2015)
Practices listed: Strong passwords; End user security awareness training; Virus and worm detection and analysis; Multifactor authentication; Incident response team; Risk analysis and risk assessment; Internal security information and event analysis; Monitoring employee behavior; Internal penetration testing; Malware analysis; Forensics or advanced threat detection; Secure development processes or source-code auditing; DevOps; Threat intelligence analysis; Offensive security program; Attacker attribution.
Note: Multiple responses allowed. Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
In some cases, it was the same person who handled both policy and spending decisions – typically the CIO, VP, or director of information services (52%), or sometimes the CISO (37%). The president, CEO, or managing director handled both security policy and spending among 33% of our respondents.

Figure 8: Security Decision Makers
Who sets policy for information security in your organization? Who sets spending?

Role                                                                      Sets Policy   Sets Spending   Does both   Neither
Security management/administrators                                        42%           12%             21%         25%
Risk management                                                           42%            7%             10%         41%
Manager/department head information security/IT                           39%           11%             24%         26%
Chief information security officer (CISO)/senior security management      36%            6%             37%         21%
Internal audit                                                            31%            6%             10%         53%
CIO/VP/director of information services/IT                                28%           12%             52%          8%
Cross-functional committee                                                28%            5%             13%         54%
Oversight committee                                                       25%            8%             17%         50%
President/CEO/managing director                                           15%           33%             33%         19%
Consultant                                                                12%            6%              8%         74%
CFO/finance director                                                       6%           48%             20%         26%

Base: 300 respondents in 2016; unable to trend to 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

We also asked our sample about security budgets. A little more than 40% of respondents said between 1% and 10% of their IT budgets are devoted to security. Some 24% specified that 1% to 5% of their IT budgets went to security, while 17% said 6%-10%. (See Figure 9, p. 15.) Those numbers are down slightly from last year, when just about half of our respondents said up to 10% of their IT budgets went for security purchases.

While it may be tempting to point to some sort of slowdown in IT spending, we’re not ready to make that call just yet. Some 10% of this year’s respondents devote more than 25% of their IT budgets to security, up from 7% who checked in at this spending level last year.

FAST FACT: 40% of respondents said their security budgets are between 1% and 10% of their entire IT budget.
Fewer respondents did say their security spending will increase – 36% this year versus 46% for 2015. (See Figure 10.) However, more expect their budgets will stay the same (46%), versus 41% in 2015. Only 2% expect a decrease, a small downtick from last year’s 5%.

Lots of respondents checked the “I don’t know” box with regard to spending. Twenty-six percent didn’t know what portion of their overall IT budget was dedicated to security, and 16% said they didn’t know how spending on security compared on a year-to-year basis. (See Figures 9 and 10.) Security spending is growing modestly, and those with the budget data are holding things more closely to the vest.

Figure 9: Security Budget
Approximately what percentage of your organization's annual IT budget is allocated for information security? (2016 vs. 2015)
Response options: None; Less than 1%; 1% to 5%; 6% to 10%; 11% to 15%; 16% to 20%; 21% to 25%; More than 25%; Don't know.
Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Figure 10: Security Spending
How will spending on information security in 2016 compare with 2015?

Response         2016   2015
Increase          36%    46%
About the same    46%    41%
Decrease           2%     5%
Don’t know        16%     9%

Base: 435 respondents in April 2015 and 536 respondents in April 2014. Data: InformationWeek Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Security Investments and Auditing Cloud Service Providers

Survey respondents told us how they measure the value of their security investments. The leading metric (as it was in last year’s survey) at 37% is better protection of customer records or intellectual property. (See Figure 11.) The decline in the amount of network downtime was next, at 34%, up significantly from last year’s 19%, followed by a decline in breaches (33%), also up from 28%. Respondents also cited fewer hours spent on security-related issues (32%) and better risk management strategies (27%). What’s also noteworthy is that almost a quarter – 22% – said they don’t measure the value of their security investments, a figure in line with last year’s 24%.
When asked whether their organizations perform their own risk assessments of cloud service providers, 36% said yes, essentially unchanged from 2015 (37%). (See Figure 12, p. 17.) Another 13% said they would like to conduct their own audits, "but providers are generally uncooperative," up slightly from 11% in 2015. Some 33% said no, or that they rely on providers' self-audit reports, a figure also unchanged from 2015. A provider's self-audit report covers the controls the provider chose to have tested; it says nothing about how the customer's own data, identities and configuration sit on top of them, which is the part only the customer can assess.

More than half (54%) said their organizations have a log-management or security information and event management (SIEM) system, down from 64% last year. Some 23% said no, and 23% didn't know. (See Figure 16, p. 21.) When asked whether their organization has a formal security operations center or team that manages incidents as they are generated, 61% said yes, 12% plan to build a team within the next year, and 27% have nothing in place. (See Figure 15, p. 20.)
Figure 11: Measuring the Value of Security Investments (p. 16)
How does your organization measure the value of its security investments?

                                                                2016    2015
Better protection of customer records or intellectual property   37%     37%
Decline in amount of network downtime                            34%     19%
Decline in breaches                                              33%     28%
Fewer hours spent on security-related issues                     32%     28%
Better risk management strategies                                27%     34%
Reduction in incident response time                              27%     40%
External third-party audit                                       27%     27%
Less time devoted to patching                                    12% and 14% (which year is which is not recoverable)
Other                                                             2% and 3% (which year is which is not recoverable)
We don't measure the value                                       22%     24%

Note: Multiple responses allowed. Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

Insurance Protection
With strategic thinking and planning comes the inevitable discussion about insurance: whether to buy, how much, and what exclusions and deductibles are included.

Organizations have endured enough breaches, attacks and losses to make infosec professionals more sensitized to the need for insurance protection. A total of 23% of our respondents said they're covered for breaches under a broader business insurance policy, while 11% have an insurance policy specifically for cybersecurity breaches. An additional 21% reported they have no insurance. (See Figure 17, p. 22.)
The way they determine how much coverage they need is more an evolving art than an exact science. When asked about their methodology, 46% used an internal estimate of reputational impact, while 44% said they used the insurer's recommendation. (See Figure 18, p. 23.) Some 36% worked with a third party; 32% said industry statistics of cost per record guided them; 29% used loss of employee productivity; and 23% used a percent of revenue. Other methods were cited by 5%.
Figure 12: Risk Assessment of Cloud Providers (p. 17)
Does your organization perform its own risk assessments of cloud service providers?

                                                                              2016    2015
Yes; we conduct our own audits                                                 36%     37%
We want to conduct our own audits, but providers are generally uncooperative   13%     11%
No; we use providers' self-audit reports                                       20%     20%
No                                                                             13%     13%
Other                                                                           2%      2%
We do not use cloud services                                                   16% and 18% (which year is which is not recoverable)

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.

FAST FACT: 11% of respondents to this survey have an insurance policy specifically for cybersecurity breaches.

Threat Intelligence Services and Hiring
Exactly half (50%) of our respondents continue to subscribe to threat intelligence services to stay current on the latest risks and vulnerabilities, which often flourish under the radar. (See Figure 13, p. 18.) Some 27% subscribe to more than one, a dip from last year, when 37% reported multiple subscriptions. This can be read a couple of different ways: organizations are looking for ways to save money, and/or they recognize there's significant duplication from service to service.

Despite an ongoing talent shortage among infosec professionals and managers, two-thirds of our respondents said they have enough staff or can easily hire. Fifteen percent strongly agreed with the statement "We have or can easily hire enough skilled people to meet the threats our organization will face this year" (up from 12% last year), and 51% somewhat agree with that statement (up from 39%). (See Figure 14, p. 19.)
Organizations and IT departments continue to recognize the value of security disciplines, evidenced by their willingness to allocate money to increase headcounts when required.
While infosec professionals operate mostly in triage mode, they remain optimistic, and they are passionate about wanting to contribute at a strategic level. And though threats escalate and proliferate, security and IT departments are getting smarter about how to respond, thanks to new tools, automation, and cloud-based services.
Still, the cornerstone of that strategy is a necessary pragmatism that requires them to make shrewd choices daily. It's all part of thinking strategically for today's infosec professional.
Figure 13: Threat Intelligence Service (p. 18)
Does your organization currently subscribe to a threat intelligence service or feed?

2016: Yes, two or more 27%; Yes, one 23%; the two "No" answers (No, but we plan to add at least one in the coming year; No, and no plans) are 18% and 33%, order not recoverable.
2015: Yes, two or more 37%; the remaining answers (Yes, one; No, but we plan to add at least one in the coming year; No, and no plans) are 15%, 24% and 24%, order not recoverable.

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
APPENDIX

Figure 14: Sufficient Staffing? (p. 19)
Please rate your agreement with this statement: We have or can easily hire enough skilled people to meet the threats our organization will face this year.

                     2016    2015
Strongly agree        15%     12%
Somewhat agree        51%     39%
Somewhat disagree     23%     30%
Strongly disagree     11%     19%

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Figure 15: Formal Security Incident Management Team (p. 20)
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?

2016: Yes 61%; No, but we are building one within the next year 12%; No 27%.
2015: Yes 61%; the other two answers (No, but we are building one within the next year; No) are 17% and 22%, order not recoverable.

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Figure 16: SIEM System (p. 21)
Does your organization have a log-management or security information and event management (SIEM) system?

2016: Yes 54%; No 23%; Don't know 23%.
2015: Yes 64%; No and Don't know are 12% and 24%, order not recoverable.

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Figure 17: Cyberbreach or Cyberrisk Insurance (p. 22)
Does your organization have a cyberbreach or cyberrisk insurance policy?

2016: Yes, we are covered for cybersecurity breaches under a broader business insurance policy 23%; Yes, we have an insurance policy specifically for cybersecurity breaches 11%; No 21%; Don't know 45%.
2015: the four answers (broader business policy; policy specifically for cybersecurity breaches; No; Don't know) are 28%, 14%, 32% and 26%, order not recoverable.

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Figure 18: Insurance Amount (p. 23)
How did your organization determine the amount of insurance needed?

Internal estimate of reputational impact      46%
Insurer recommendation                        44%
Consultant/third-party recommendation         36%
Industry stat of cost per record              32%
Loss of employee productivity                 29%
Percent of revenue                            23%
Other                                          5%

Note: Multiple responses allowed. Base: 102 who determined insurance in 2016; not asked in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.
Figure 19: Mobile Device Threat (p. 24)
Do you believe mobile devices, such as smartphones and tablets, pose a threat to your organization's security?

Answers: Yes, a significant threat; Yes, a minor threat; Not yet, but they will; No.
2016 values: 34%, 44%, 14% and 8%; 2015 values: 45%, 40%, 12% and 3%. The mapping of values to answers is not recoverable.

Base: 300 respondents in 2016 and 435 respondents in 2015. Data: Dark Reading Strategic Security Survey of business technology and security professionals at organizations with 100 or more employees.