2014 data protection maturity survey: results and analysis


PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

2014 Data Protection Maturity Survey

Results and Analysis

January 28, 2014

Chris Merritt | Solution Marketing

source: http://ec.europa.eu/justice/data-protection/minisite/images/cartoon-users.jpg


Data Privacy Day 2014

National Cyber Security Alliance
http://www.staysafeonline.org/data-privacy-day/

Data Protection Maturity Survey

• What is the purpose of this survey?
• Why should organizations be concerned?
• How was it constructed?
  » Technical Controls contribute 40% of the score
    • Considers not just controls in place but their effectiveness
  » Administrative Controls contribute 25% of the score
    • Quantifies the impact of policies and non-technical controls
  » Organizational Motivation contributes 35% of the score
    • Assesses internal and external factors driving data protection
• Maturity classifications
  » Optimal – Organizations that are characterized by best-of-breed data security
  » Operational – Organizations that demonstrate adequate or "good" security
  » Standardizing – Organizations that show some commitment and have some technical controls in place but are still working on data protection maturity
  » Ad Hoc – Organizations that merely react to security events as they occur


2014 Survey Results


Incidents (Compare)


Have you experienced any of the following incidents in the past year (even if your security systems prevented compromise)? (Select all that apply).


Access Policies (Compare)


Which of the following best describes your firm's policy for network access for personal devices such as smart phones and tablets?


Technologies (2014 Only)


Which of the following technologies does your organization currently use, or plan to deploy within the next 24 months?


Technologies (Ranking)


Which of the following technologies does your organization currently use, or plan to deploy within the next 24 months?

                                              Currently deployed   Plan to deploy   No plans
                                              2014 2013 2012       2014 2013 2012   2014 2013 2012
DRM (Digital Rights Management)                 9    9    9          7    6    8      1    1    1
Full DLP (Data Loss/Leak Prevention)            8    8    7          3    1    9      2    3    2
DLP Lite (limited keyword / regex filtering)    7    7    8          1    3    2      3    2    3
Application data encryption (e.g. database)     6    6    6          6    3    4      4    4    4
Email encryption                                5    4    5          4    8    5      5    5    5
Whole disk encryption                           4    3    3          5    6    6      6    6    6
Port / Device control                           2    2    2          9    3    3      7    7    8
Mobile device management                        3    5    4          2    2    1      8    9    9
Removable media or file encryption              1    1    1          7    9    6      9    8    7

Key: 1 = highest ranked, 9 = lowest ranked


Data Security is Strategic (Compare)


How much do you agree with this statement? "Data security is a strategic initiative across the enterprise."


Data Security is Strategic (Trend)


How much do you agree with this statement? "Data security is a strategic initiative across the enterprise."


IT Security Budget (Compare)


How much of your IT budget is spent on IT security? Use your best estimate.

Average percentages:
2014 = 6.09%
2013 = 5.63%
2012 = 6.13%

Resource Availability (Compare)


How much do you agree with this statement? "My organization has sufficient resources to achieve compliance with data security policies and best practices."


Resource Adequacy (Trend)


How much do you agree with this statement? "My organization has sufficient resources to achieve compliance with data security policies and best practices."


Organizational Motivation Trends

               2012   2013   2014   Trend
Strategic Avg  1.32   1.31   1.39   ↑
Budget Avg     6.13   5.63   6.09   ≈
Resource Avg   0.77   0.68   0.57   ↓

Regulatory Impact (2014 Only)


Is your organization compliant with the following regulations, or do you plan to be compliant within the next 24 months?


Data Protection Guidelines (Compare)


Which of the following organizational guidelines are included in your employee agreements? (Select all that apply)


Mobile Programs (Compare)


How are personal mobile devices, such as phones (and tablets), financially and administratively managed within your enterprise? (Select all that apply)


Mobile Programs (Trend)


How are personal mobile devices, such as phones (and tablets), financially and administratively managed within your enterprise? (Select all that apply)


Training (Compare)


What type of data protection training is offered at your organization?


Data Protection Policies (Compare)


What type of IT data protection policies exist?


Cloud Storage (2014 Only)


Do your employees use personal cloud storage (e.g., Dropbox, iCloud, SkyDrive, etc.)?

2014 Maturity Model

A Model for Data Protection Maturity


Rising to the Challenge

Creating Policies
• Ad Hoc: Minimal or No Security Policies
• Optimal: Comprehensive & Exhaustive

Educating Staff
• Ad Hoc: One-Time or No Training
• Optimal: On-Going, Formal Training

Enforcing Policies
• Ad Hoc: Limited Technical Controls
• Optimal: Robust Technical Controls

Additional Information


DPD 2014 Resource Center
https://www.lumension.com/2014-Data-Privacy-Day.aspx

Free Security Scanner Tools
» Application Scanner – discover all the apps being used in your network
» Device Scanner – discover all the devices being used in your network
https://www.lumension.com/resources/premium-security-tools.aspx

Reports
» 2014 Data Protection Maturity Report
  https://www.lumension.com/resources/free-content/Lumension-2014-Data-Protection-Maturity-Report.aspx
» SC Magazine Security Brief - Under the Radar
  https://www.lumension.com/resources/free-content/SC-Magazine-Security-Brief--Under-the-Radar.aspx

Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828