Is cybersecurity about more than protection?
The better the question. The better the answer. The better the world works.
Global Information Security Survey 2018-19 results. Internal use only.
Contents
Section 1: Strategy, innovation and growth
Section 2: Risk
Section 3: Technology
Section 4: People and organization
Section 5: Finance and legal
Demographics
Overview
EY Global Information Security Survey 2018–19
► The 21st annual edition of the EY Global Information Security Survey captures the responses of over 1,400 C-suite leaders and senior information security and IT executives/managers, representing many of the world's largest and most recognized global organizations.
► The research was conducted between April and July 2018.
► Responses were collected from over 60 countries representing all industry sectors.
Demographics
Respondents by sector (industry)
Automotive & Transportation: 8%
Banking & Capital Markets: 18%
Consumer Products & Retail: 19%
Government & Public Sector: 9%
Health: 3%
Insurance: 6%
Life Sciences: 2%
Media & Entertainment: 4%
Mining & Metals: 2%
Oil & Gas: 3%
Power & Utilities: 5%
Professional Firms & Services: 3%
Real Estate, Hospitality & Construction: 4%
Technology: 8%
Telecommunications: 4%
Wealth & Asset Management: 2%
Respondents by EY industry cluster (sector cluster)
Consumer and Mobility: 32%
Energy: 10%
Financial Services: 27%
Government and Public Services and Health: 14%
TMT: 16%
Respondents by revenue (from the last 12 months, in US$)
Less than $10 million: 19%
$10 million to $100 million: 21%
$100 million to $1 billion: 25%
$1 billion to $10 billion: 24%
$10 billion or more: 11%
Respondents by company size (number of employees)
Less than 500: 29%
501-1000: 12%
1001-5000: 28%
5001-10000: 10%
10001-15000: 5%
15001-20000: 3%
20001-25000: 2%
More than 25000: 11%
Respondents by rank
CISO: 32%
CIO/IT Director: 27%
C-suite: 4%
Internal audit director: 1%
CRO: 1%
Global Head of Cybersecurity Governance, Risk & Compliance: 0%
Other: 35%
Respondents by country
United States: 16%
India: 14%
Brazil: 6%
China: 6%
Japan: 4%
Switzerland: 4%
Philippines: 4%
Canada: 3%
Italy: 3%
France: 2%
United Kingdom: 2%
Oman: 2%
Colombia: 2%
Hong Kong: 2%
Netherlands: 1%
Sweden: 1%
South Korea: 1%
Austria: 1%
Norway: 1%
Kuwait: 1%
Russia: 1%
Others: 19%
Section 1: Strategy, innovation and growth
Question 1: What is your total annual spend on information security (in US$)?
Nothing: 7%
Less than or equal to US$100,000: 25%
Between US$100,000 and US$1 million: 32%
Between US$1 million and US$10 million: 24%
Between US$10 million and US$50 million: 7%
More than US$50 million: 5%
Question 2: In percentage terms, what is your total spend on information security in relation to your overall IT budget? (Percentage of total information security spend)
Less than 2%: 22%
2-5%: 32%
5-10%: 24%
10-15%: 9%
15-20%: 7%
More than 20%: 6%
Question 3: How has your organization's total information security budget changed in the last 12 months?
Increased by more than 25%: 12%
Increased between 15% and 25%: 16%
Increased between 5% and 15%: 25%
Stayed approximately the same (between +5% and -5%): 40%
Decreased between 5% and 15%: 4%
Decreased between 15% and 25%: 1%
Decreased by more than 25%: 1%
Question 4: What change to your organization's total information security budget do you expect to see in the next 12 months?
Will increase by more than 25%: 15%
Will increase between 15% and 25%: 22%
Will increase between 5% and 15%: 28%
Will stay approximately the same (between +5% and -5%): 31%
Will decrease between 5% and 15%: 2%
Will decrease between 15% and 25%: 1%
Will decrease by more than 25%: 1%
Question 5: How much additional funding is needed to protect the organization? (Select one; percentage of budget needed)
None: 13%
Less than 25%: 46%
26-50%: 23%
51-75%: 6%
76-100%: 7%
Over 100%: 4%
Question 6: In percentage terms, how many full-time employees work solely in cybersecurity, in comparison to the total number of employees in your organization's IT department? (Percentage of employees)
Less than 2%: 39%
2-5%: 34%
5-10%: 17%
10-15%: 5%
15-20%: 3%
More than 20%: 2%
Question 7: How likely is it that any of the following events would encourage your organization to increase your information security budget in the coming 12 months? (Highly unlikely / Unlikely / Likely / Highly likely)
Discovery of a breach with, apparently, no harm done: 21% / 42% / 29% / 7%
Discovery of a breach that resulted in the attackers impacting the organization: 5% / 19% / 39% / 37%
A Distributed Denial of Service (DDoS) attack: 13% / 35% / 32% / 20%
A cyber attack on a major competitor: 15% / 42% / 36% / 7%
A cyber attack on a supplier: 17% / 52% / 26% / 5%
M&A activity: 25% / 43% / 26% / 6%
A physical loss of confidential corporate information on a mobile device: 19% / 34% / 36% / 12%
A physical loss of customer information on a mobile device: 17% / 35% / 33% / 15%
Question 8: How does information security influence your business strategy and plans?
Fully and on a regular basis: 18%
Fully and on a yearly basis: 28%
Not at all: 7%
Somewhat: 48%
Section 2: Risk
Question 9: What information in your organization is the most valuable to cyber criminals?
Customers' personal, identifiable information: 17%
Customers' passwords: 11%
Research and development (R&D) information: 9%
Information exchanged during mergers and acquisition (M&A) activities: 8%
Patented Intellectual Property (IP): 6%
Non-patented IP: 5%
Senior executive and board member personal information (including email accounts): 11%
Financial information of the organization: 12%
Supplier and vendor identifiable information: 5%
Supplier and vendor passwords: 3%
Corporate strategic plans: 12%
Question 10.a: Which threats have most increased your risk exposure over the last 12 months?
Cyber attacks to disrupt or deface the organization: 13%
Cyber attacks to steal financial information (credit card numbers, bank information, etc.): 12%
Cyber attacks to steal intellectual property or data: 8%
Espionage (e.g., by competitors): 2%
Fraud: 10%
Internal attacks (e.g., by disgruntled employees): 5%
Malware (e.g., viruses, worms and Trojan horses): 20%
Natural disasters (storms, flooding, etc.): 2%
Phishing: 22%
Spam: 6%
Question 10.b: Which vulnerabilities have most increased your risk exposure over the last 12 months?
Outdated information security controls or architecture: 26%
Careless or unaware employees: 34%
Related to cloud-computing use: 10%
Related to smartphones, tablets, etc.: 8%
Related to Internet of Things: 4%
Related to social media use: 5%
Unauthorized access (e.g., due to location of data): 13%
Question 11: Who do you consider to be the most likely source of a cyber attack?
Malicious employee: 14%
Careless employee: 22%
External contractor working on our site: 8%
Customer: 2%
Supplier: 5%
Other business partner: 3%
Criminal syndicates: 15%
State sponsored attacker: 8%
Hacktivists: 12%
Lone wolf hacker: 9%
Other: 1%
Question 12: How do you ensure that your external partners, vendors, or contractors are protecting your organization's information?
Accurate inventories of all third party providers, network connections and data are kept: 17%
All third parties are risk-rated and appropriate diligence is applied: 15%
Only critical or high-risk third parties are assessed: 12%
Self-assessments or other certifications are performed by partners, vendors or contractors: 18%
Assessments are performed by your organization's information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing): 22%
Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402) are performed: 14%
Other: 3%
Question 13: Which risks related to smartphones and tablets apply to your organization?
The loss of a smart device: 27%
Devices do not have the same software running on them: 10%
Hardware interoperability issues of devices: 5%
Network engineers cannot patch vulnerabilities fast enough: 10%
Organized cyber criminals sell hardware with Trojans or backdoors already installed: 6%
Hijacking of devices: 11%
Poor user awareness and behavior: 29%
Other: 3%
Question 14: Which challenges related to the Internet of Things (IoT) apply to your organization?
Keeping the high number of IoT connected devices updated with the latest version of software: 11%
Identifying suspicious traffic over the network: 12%
Finding hidden or unknown zero-day attacks: 10%
Ensuring that the implemented security controls are meeting the requirements of today: 11%
Knowing all your assets: 14%
Managing the growth in access points to your organization: 8%
Tracking the access to data in your organization: 9%
Defining and monitoring the perimeters of your business's ecosystem: 7%
Lack of skilled resources: 10%
Lack of executive awareness or support: 5%
Other: 4%
Section 3: Technology
Question 15.a: Which of the following technologies would you define as high, medium or low for your cybersecurity this year? (Low / Medium / High)
Cloud computing: 11% / 37% / 52%
Mobile computing: 16% / 52% / 33%
Artificial intelligence: 39% / 45% / 15%
Robotic process automation: 37% / 45% / 18%
Machine learning: 36% / 48% / 16%
Cybersecurity analytics: 11% / 50% / 38%
Blockchain: 49% / 37% / 14%
Biometrics: 41% / 44% / 15%
Internet of Things: 27% / 48% / 25%
Question 15.b: Compared with last year, are you spending more, less or relatively the same amount on protecting those technologies this year? (Less / Same / More)
Cloud computing: 6% / 37% / 57%
Mobile computing: 7% / 58% / 35%
Artificial intelligence: 11% / 63% / 26%
Robotic process automation: 11% / 58% / 31%
Machine learning: 11% / 61% / 27%
Cybersecurity analytics: 5% / 43% / 52%
Blockchain: 15% / 69% / 15%
Biometrics: 13% / 72% / 15%
Internet of Things: 9% / 61% / 29%
Question 16: Which of the following security functions are you performing in-house or are you outsourcing? (Outsourced / In-house)
Security monitoring: 35% / 65%
Vulnerability assessment: 48% / 52%
Self-phishing: 39% / 61%
Vendor risk management: 16% / 84%
Identity and access management: 13% / 87%
Data protection/DLP: 18% / 82%
One-time exercises (e.g., setting up ISMS): 39% / 61%
Consultancy-specific information security activities: 71% / 29%
Question 17: How would you rate the following information security management processes in your organization in terms of maturity? (Five-point scale from Non-existent to Very mature)
Processes rated: Architecture; Asset management; Awareness; BCP and DR; Data infrastructure; Data protection; Governance and organization; Host security; Identity and access management; Incident management; Metrics and reporting; Network security; Operations; Policy and standards framework; Privacy; Security monitoring; Software security; Strategy; Third-party management; Threat and vulnerability management.
(Per-process percentages are not recoverable from the extracted chart.)
Question 18.a: Does your company have a Security Operations Center (SOC), whether in-house, outsourced, or a combination of both?
Yes: 51%
No: 49%
Question 18.b: What functions of your security operations center are outsourced? (In-house / Outsourced)
Real-time network security monitoring: 52% / 48%
Incident investigation: 75% / 25%
Digital and malware forensics: 49% / 51%
Threat intelligence collection and feeds: 46% / 54%
Threat intelligence analysis: 54% / 46%
Cybersecurity exercise creation and delivery: 60% / 40%
Vulnerability scanning and management: 61% / 39%
Penetration testing: 25% / 75%
Question 19: Thinking about the most recent significant cybersecurity incident, how was it discovered?
Discovered by the SOC: 16%
Discovered internally by a business function: 24%
Discovered externally by a third party: 8%
Other: 6%
We have not had a significant incident: 46%
Question 20: Which statement best describes the maturity of your threat intelligence program?
We do not have a program: 27%
We have a formal and up-to-date program: 28%
We have a formal but obsolete program: 5%
We have an informal program: 40%
Question 21: Which statement best describes the maturity of your vulnerability identification capability program?
We do not have a program: 18%
We have a formal and up-to-date program: 41%
We have a formal but obsolete program: 10%
We have an informal program: 30%
Question 22: Which statement best describes the maturity of your breach detection program?
We do not have a program: 20%
We have a formal and up-to-date program: 36%
We have a formal but obsolete program: 10%
We have an informal program: 35%
Question 23: Which statement best describes the maturity of your incident response capability program?
We do not have a program: 13%
We have a formal and up-to-date program: 47%
We have a formal but obsolete program: 14%
We have an informal program: 26%
Question 24: Which statement best describes the maturity of your data protection program?
We do not have a program: 15%
We have a formal and up-to-date program: 39%
We have a formal but obsolete program: 14%
We have an informal program: 32%
Question 25: Which statement best describes the maturity of your identity and access management program?
We do not have a program: 13%
We have a formal and up-to-date program: 44%
We have a formal but obsolete program: 19%
We have an informal program: 24%
Section 4: People and organization
Question 26: How effective are your organization's information security reports?
I do not receive reports: 21%
The reports do not meet my expectations: 13%
The reports meet some of my expectations: 52%
The reports meet all my expectations: 14%
Question 27: What information is provided in your organization's information security reports?
The number of cyber attacks: 20%
The number of cyber attacks successfully defended against: 16%
List of breaches: 17%
The financial impact of every significant breach: 5%
Indication that the regulator needs to be notified of a particular breach: 8%
Areas for improvement: 17%
The overall threat level for the organization: 14%
Other: 3%
Question 28: Does the board/executive management team of your organization have a comprehensive understanding of information security to fully evaluate the cyber risks the organization is facing and the measures that it is taking?
Yes: 39%
Limited: 31%
No, and no plans to improve: 3%
No, but they are taking positive steps to improve their understanding: 25%
Other: 2%
Question 29: Who is directly responsible for information security in your organization?
CIO/head of IT: 40%
CISO/IT Risk/Network Security Officer: 48%
We do not have anyone who is directly responsible: 4%
Other: 7%
Question 30: Is the person with direct responsibility for information security a member of your organization's board or executive management team?
No, they are not on the board of our organization: 60%
Yes, they are on the board of our organization: 40%
Question 31: What is the likelihood of your organization being able to detect a sophisticated cyber attack?
Very likely: 18%
Likely: 41%
Unlikely: 28%
Very unlikely: 10%
Don't know: 3%
Question 32: How would you characterize the extent to which your information security function is meeting the needs of your organization?
Fully meets needs: 8%
Partially, and plans to improve: 59%
Partially, but no plans to improve: 11%
To be improved: 18%
Does not meet needs: 4%
Question 33: What challenges limit the value that your information security function adds to your organization?
Lack of skilled resources: 30%
Budget constraints: 25%
Lack of executive awareness or support: 11%
Management and governance issues: 13%
Lack of quality tools for managing information security: 16%
Other: 4%
Question 34: In case of a significant cybersecurity breach, how does your organization perform in the following areas? (Poor / Fair / Good / Very good / Excellent)
Identification of the breach: 12% / 27% / 33% / 22% / 6%
Crisis management: 10% / 23% / 36% / 23% / 8%
Communication internally: 5% / 22% / 38% / 25% / 9%
Communication externally: 10% / 26% / 36% / 21% / 7%
Forensics: 21% / 28% / 28% / 16% / 7%
Returning to business as usual: 5% / 19% / 40% / 27% / 9%
Question 35: What was the root cause of the latest significant breach at your organization?
Complex access permissions: 1%
Improper configuration: 6%
Known vulnerability/back door: 5%
Malware: 12%
Other: 5%
Phishing attacks: 11%
Stolen passwords/credentials: 3%
Unsecured IoT devices: 1%
We did not have a significant breach: 54%
Weak passwords/credentials: 2%
Section 5: Finance and legal
Question 36: At what point would your organization be most likely to communicate that a significant cyber attack has taken place and that data in your organization has definitely been compromised?
Actions rated: Notify regulators and compliance organizations; If customer information affected, notify all customers; If no customer information affected, notify all customers anyway; Individually notify only those customers impacted; Issue a press release and public statement to the media; If supplier information affected, notify all suppliers; If no supplier information affected, notify all suppliers anyway; Individually notify only those suppliers impacted.
Timing options: On day one; Within the first week while investigations continue; Within the first month while investigations continue; Only after all investigations are complete and the issue is closed; Never; Don't know.
(Per-action percentages are not recoverable from the extracted chart.)
Question 37: What is the estimated total financial damage related to information security incidents over the past year at your organization? (This includes loss of productivity, regulatory fines, etc.; the estimate excludes costs or missed revenue due to brand damage.)
Above US$2.5m: 1%
Between US$1 and US$100,000: 24%
Between US$100,000 and US$250,000: 6%
Between US$1m and US$2.5m: 1%
Between US$250,000 and US$500,000: 3%
Between US$500,000 and US$1m: 3%
No financial loss: 62%
Question 38: What is your current level of interest in cyber insurance?
We currently have cyber insurance that meets our organization's needs: 35%
We currently have cyber insurance, but it does not meet our organization's needs: 5%
We do not have cyber insurance and are actively looking for appropriate cover: 20%
We do not have cyber insurance and we have no plans to adopt it: 18%
We have never considered cyber insurance: 16%
Other: 5%
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2018 EYGM Limited. All Rights Reserved.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com