Is cybersecurity about more than protection? The better the question. The better the answer. The better the world works. Global Information Security Survey 2018-19 results Internal use only

Post on 22-May-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

Is cybersecurity about more than protection?

The better the question. The better the answer. The better the world works.

Global Information Security Survey 2018-19 results. Internal use only.

Page 2

Contents

Section 1: Strategy, innovation and growth

Section 2: Risk

Section 3: Technology

Section 4: People and organization

Section 5: Finance and legal

Demographics

Overview

Page 3

Overview

EY Global Information Security Survey 2018–19

► The 21st annual edition of the EY Global Information Security Survey captures the responses of over 1,400 C-suite leaders and senior information security and IT executives/managers, representing many of the world's largest and most recognized global organizations.

► The research was conducted between April and July 2018.

► Responses were collected from over 60 countries representing all industry sectors.

Page 4

Demographics

Page 5

Demographics: Respondents by sector

Automotive & Transportation: 8%
Banking & Capital Markets: 18%
Consumer Products & Retail: 19%
Government & Public Sector: 9%
Health: 3%
Insurance: 6%
Life Sciences: 2%
Media & Entertainment: 4%
Mining & Metals: 2%
Oil & Gas: 3%
Power & Utilities: 5%
Professional Firms & Services: 3%
Real Estate, Hospitality & Construction: 4%
Technology: 8%
Telecommunications: 4%
Wealth & Asset Management: 2%

Page 6

Demographics: Respondents by EY industry cluster

Consumer and Mobility: 32%
Energy: 10%
Financial Services: 27%
Government and Public Services and Health: 14%
TMT: 16%

Page 7

Demographics: Respondents by revenue (from the last 12 months, in US$)

Less than $10 million: 19%
$10 million to $100 million: 21%
$100 million to $1 billion: 25%
$1 billion to $10 billion: 24%
$10 billion or more: 11%

Page 8

Demographics: Respondents by company size (number of employees)

Less than 500: 29%
501-1000: 12%
1001-5000: 28%
5001-10000: 10%
10001-15000: 5%
15001-20000: 3%
20001-25000: 2%
More than 25000: 11%

Page 9

Demographics: Respondents by rank

CISO: 32%
CIO/IT Director: 27%
C-suite: 4%
Internal audit director: 1%
CRO: 1%
Global Head of Cybersecurity Governance, Risk & Compliance: 0%
Other: 35%

Page 10

Demographics: Respondents by country

United States: 16%
India: 14%
Brazil: 6%
China: 6%
Japan: 4%
Switzerland: 4%
Philippines: 4%
Canada: 3%
Italy: 3%
France: 2%
United Kingdom: 2%
Oman: 2%
Colombia: 2%
Hong Kong: 2%
Netherlands: 1%
Sweden: 1%
South Korea: 1%
Austria: 1%
Norway: 1%
Kuwait: 1%
Russia: 1%
Others: 19%

Page 11

Section 1: Strategy, innovation and growth

Page 12

Question 1 (Strategy, innovation and growth): What is your total annual spend on information security (in US$)?

Nothing: 7%
Less than or equal to US$100,000: 25%
Between US$100,000 and US$1 million: 32%
Between US$1 million and US$10 million: 24%
Between US$10 million and US$50 million: 7%
More than US$50 million: 5%

Page 13

Question 2 (Strategy, innovation and growth): In percentage terms, what is your total spend on information security in relation to your overall IT budget?

Percentage of total information security spend:
Less than 2%: 22%
2-5%: 32%
5-10%: 24%
10-15%: 9%
15-20%: 7%
More than 20%: 6%

Page 14

Question 3 (Strategy, innovation and growth): How has your organization's total information security budget changed in the last 12 months?

Increased by more than 25%: 12%
Increased between 15% and 25%: 16%
Increased between 5% and 15%: 25%
Stayed approximately the same (between +5% and -5%): 40%
Decreased between 5% and 15%: 4%
Decreased between 15% and 25%: 1%
Decreased by more than 25%: 1%

Page 15

Question 4 (Strategy, innovation and growth): What change to your organization's total information security budget do you expect to see in the next 12 months?

Will increase by more than 25%: 15%
Will increase between 15% and 25%: 22%
Will increase between 5% and 15%: 28%
Will stay approximately the same (between +5% and -5%): 31%
Will decrease between 5% and 15%: 2%
Will decrease between 15% and 25%: 1%
Will decrease by more than 25%: 1%

Page 16

Question 5 (Strategy, innovation and growth): How much additional funding is needed to protect the organization? (Select one)

Percentage of budget needed:
None: 13%
Less than 25%: 46%
26-50%: 23%
51-75%: 6%
76-100%: 7%
Over 100%: 4%

Page 17

Question 6 (Strategy, innovation and growth): In percentage terms, how many full time employees work solely in cybersecurity, in comparison to the total number of employees in your organization's IT department?

Percentage of employees:
Less than 2%: 39%
2–5%: 34%
5–10%: 17%
10–15%: 5%
15–20%: 3%
More than 20%: 2%

Page 18

Question 7 (Strategy, innovation and growth): How likely is it that any of the following events would encourage your organization to increase your information security budget in the coming 12 months?

Each row lists Highly unlikely / Unlikely / Likely / Highly likely.

Discovery of a breach with, apparently, no harm done: 21% / 42% / 29% / 7%
Discovery of a breach that resulted in the attackers impacting the organization: 5% / 19% / 39% / 37%
A Distributed Denial of Service (DDoS) attack: 13% / 35% / 32% / 20%
A cyber attack on a major competitor: 15% / 42% / 36% / 7%
A cyber attack on a supplier: 17% / 52% / 26% / 5%
M&A activity: 25% / 43% / 26% / 6%
A physical loss of confidential corporate information on a mobile device: 19% / 34% / 36% / 12%
A physical loss of customer information on a mobile device: 17% / 35% / 33% / 15%

Page 19

Question 8 (Strategy, innovation and growth): How does information security influence your business strategy and plans?

Fully and on a regular basis: 18%
Fully and on a yearly basis: 28%
Not at all: 7%
Somewhat: 48%

Page 20

Section 2: Risk

Page 21

Question 9 (Risk): What information in your organization is the most valuable to cyber criminals?

Customers' personal, identifiable information: 17%
Customers' passwords: 11%
Research and development (R&D) information: 9%
Information exchanged during mergers and acquisition (M&A) activities: 8%
Patented Intellectual Property (IP): 6%
Non-patented IP: 5%
Senior executive and board member personal information (including email accounts): 11%
Financial information of the organization: 12%
Supplier and vendor identifiable information: 5%
Supplier and vendor passwords: 3%
Corporate strategic plans: 12%

Page 22

Question 10.a (Risk): Which threats have most increased your risk exposure over the last 12 months?

Cyber attacks to disrupt or deface the organization: 13%
Cyber attacks to steal financial information (credit card numbers, bank information, etc.): 12%
Cyber attacks to steal intellectual property or data: 8%
Espionage (e.g., by competitors): 2%
Fraud: 10%
Internal attacks (e.g., by disgruntled employees): 5%
Malware (e.g., viruses, worms and Trojan horses): 20%
Natural disasters (storms, flooding, etc.): 2%
Phishing: 22%
Spam: 6%

Page 23

Question 10.b (Risk): Which vulnerabilities have most increased your risk exposure over the last 12 months?

Outdated information security controls or architecture: 26%
Careless or unaware employees: 34%
Related to cloud-computing use: 10%
Related to smartphones, tablets, etc.: 8%
Related to Internet of Things: 4%
Related to social media use: 5%
Unauthorized access (e.g., due to location of data): 13%

Page 24

Question 11 (Risk): Who do you consider to be the most likely source of a cyber attack?

Malicious employee: 14%
Careless employee: 22%
External contractor working on our site: 8%
Customer: 2%
Supplier: 5%
Other business partner: 3%
Criminal syndicates: 15%
State sponsored attacker: 8%
Hacktivists: 12%
Lone Wolf hacker: 9%
Other: 1%

Page 25

Question 12 (Risk): How do you ensure that your external partners, vendors, or contractors are protecting your organization's information?

Accurate inventories of all third party providers, network connections and data are kept: 17%
All third parties are risk-rated and appropriate diligence is applied: 15%
Only critical or high-risk third parties are assessed: 12%
Self-assessments or other certifications are performed by partners, vendors or contractors: 18%
Assessments are performed by your organization's information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing): 22%
Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402) are performed: 14%
Other: 3%

Page 26

Question 13 (Risk): Which risks related to smartphones and tablets apply to your organization?

The loss of a smart device: 27%
Devices do not have the same software running on them: 10%
Hardware interoperability issues of devices: 5%
Network engineers cannot patch vulnerabilities fast enough: 10%
Organized cyber criminals sell hardware with Trojans or backdoors already installed: 6%
Hijacking of devices: 11%
Poor user awareness and behavior: 29%
Other: 3%

Page 27

Question 14 (Risk): Which challenges related to Internet of Things (IoT) apply to your organization?

Keeping the high number of IoT connected devices updated with the latest version of software: 11%
Identifying suspicious traffic over the network: 12%
Finding hidden or unknown zero-day attacks: 10%
Ensuring that the implemented security controls are meeting the requirements of today: 11%
Knowing all your assets: 14%
Managing the growth in access points to your organization: 8%
Tracking the access to data in your organization: 9%
Defining and monitoring the perimeters of your business's ecosystem: 7%
Lack of skilled resources: 10%
Lack of executive awareness or support: 5%
Other: 4%

Page 28

Section 3: Technology

Page 29

Question 15.a (Technology): Which of the following technologies would you define as high, medium or low for your cybersecurity this year?

Each row lists Low / Medium / High.

Cloud computing: 11% / 37% / 52%
Mobile computing: 16% / 52% / 33%
Artificial intelligence: 39% / 45% / 15%
Robotic process automation: 37% / 45% / 18%
Machine learning: 36% / 48% / 16%
Cybersecurity analytics: 11% / 50% / 38%
Blockchain: 49% / 37% / 14%
Biometrics: 41% / 44% / 15%
Internet of Things: 27% / 48% / 25%

Page 30

Question 15.b (Technology): Compared with last year, are you spending more, less or relatively the same amount on protecting those technologies this year?

Each row lists Less / Same / More.

Cloud computing: 6% / 37% / 57%
Mobile computing: 7% / 58% / 35%
Artificial intelligence: 11% / 63% / 26%
Robotic process automation: 11% / 58% / 31%
Machine learning: 11% / 61% / 27%
Cybersecurity analytics: 5% / 43% / 52%
Blockchain: 15% / 69% / 15%
Biometrics: 13% / 72% / 15%
Internet of Things: 9% / 61% / 29%

Page 31

Question 16 (Technology): Which of the following security functions are you performing in-house or are you outsourcing?

Each row lists Outsourced / In-house.

Security monitoring: 35% / 65%
Vulnerability assessment: 48% / 52%
Self-phishing: 39% / 61%
Vendor risk management: 16% / 84%
Identity and access management: 13% / 87%
Data protection/DLP: 18% / 82%
One-time exercises (e.g., setting up ISMS): 39% / 61%
Consultancy-specific information security activities: 71% / 29%

Page 32

Question 17 (Technology): How would you rate the following information security management processes in your organization in terms of maturity?

Processes rated (on a five-point scale from Non-existent to Very mature):
Architecture
Asset management
Awareness
BCP and DR
Data infrastructure
Data protection
Governance and organization
Host security
Identity and access management
Incident management
Metrics and reporting
Network security
Operations
Policy and standards framework
Privacy
Security monitoring
Software security
Strategy
Third-party management
Threat and vulnerability management

[Stacked bar chart: the per-process maturity percentages and the legend labels for the three middle ratings could not be recovered from the extraction.]

Page 33

Question 18.a (Technology): Does your company have a Security Operations Center (SOC), whether in-house, outsourced, or a combination of both?

Yes: 51%
No: 49%

Page 34

Question 18.b (Technology): What functions of your security operations center are outsourced?

Each row lists In-house / Outsourced.

Real-time network security monitoring: 52% / 48%
Incident investigation: 75% / 25%
Digital and malware forensics: 49% / 51%
Threat intelligence collection and feeds: 46% / 54%
Threat intelligence analysis: 54% / 46%
Cybersecurity exercise creation and delivery: 60% / 40%
Vulnerability scanning and management: 61% / 39%
Penetration testing: 25% / 75%

Page 35

Question 19 (Technology): Thinking about the most recent significant cybersecurity incident, how was it discovered?

Discovered by the SOC: 16%
Discovered internally by a business function: 24%
Discovered externally by a third party: 8%
Other: 6%
We have not had a significant incident: 46%

Page 36

Question 20 (Technology): Which statement best describes the maturity of your threat intelligence program?

We do not have a program: 27%
We have a formal and up-to-date program: 28%
We have a formal but obsolete program: 5%
We have an informal program: 40%

Page 37

Question 21 (Technology): Which statement best describes the maturity of your vulnerability identification capability program?

We do not have a program: 18%
We have a formal and up-to-date program: 41%
We have a formal but obsolete program: 10%
We have an informal program: 30%

Page 38

Question 22 (Technology): Which statement best describes the maturity of your breach detection program?

We do not have a program: 20%
We have a formal and up-to-date program: 36%
We have a formal but obsolete program: 10%
We have an informal program: 35%

Page 39

Question 23 (Technology): Which statement best describes the maturity of your incident response capability program?

We do not have a program: 13%
We have a formal and up-to-date program: 47%
We have a formal but obsolete program: 14%
We have an informal program: 26%

Page 40

Question 24 (Technology): Which statement best describes the maturity of your data protection program?

We do not have a program: 15%
We have a formal and up-to-date program: 39%
We have a formal but obsolete program: 14%
We have an informal program: 32%

Page 41

Question 25 (Technology): Which statement best describes the maturity of your identity and access management program?

We do not have a program: 13%
We have a formal and up-to-date program: 44%
We have a formal but obsolete program: 19%
We have an informal program: 24%

Page 42

Section 4: People and organization

Page 43

Question 26 (People and organization): How effective are your organization's information security reports?

I do not receive reports: 21%
The reports do not meet my expectations: 13%
The reports meet some of my expectations: 52%
The reports meet all my expectations: 14%

Page 44

Question 27 (People and organization): What information is provided in your organization's information security reports?

The number of cyber attacks: 20%
The number of cyber attacks successfully defended against: 16%
List of breaches: 17%
The financial impact of every significant breach: 5%
Indication that the regulator needs to be notified of a particular breach: 8%
Areas for improvement: 17%
The overall threat level for the organization: 14%
Other: 3%

Page 45

Question 28 (People and organization): Does the board/executive management team of your organization have a comprehensive understanding of information security to fully evaluate the cyber risks the organization is facing and the measures that it is taking?

Yes: 39%
Limited: 31%
No, and no plans to improve: 3%
No, but they are taking positive steps to improve their understanding: 25%
Other: 2%

Page 46

Question 29 (People and organization): Who is directly responsible for information security in your organization?

CIO/head of IT: 40%
CISO/IT Risk/Network Security Officer: 48%
We do not have anyone who is directly responsible: 4%
Other: 7%

Page 47

Question 30 (People and organization): Is the person with direct responsibility for information security a member of your organization's board or executive management team?

No, they are not on the board of our organization: 60%
Yes, they are on the board of our organization: 40%

Page 48

Question 31 (People and organization): What is the likelihood of your organization being able to detect a sophisticated cyber attack?

Very likely: 18%
Likely: 41%
Unlikely: 28%
Very unlikely: 10%
Don't know: 3%

Page 49

Question 32 (People and organization): How would you characterize the extent to which your information security function is meeting the needs of your organization?

Fully meets needs: 8%
Partially, and plans to improve: 59%
Partially, but no plans to improve: 11%
To be improved: 18%
Does not meet needs: 4%

Page 50

Question 33 (People and organization): What challenges limit the value that your information security function adds to your organization?

Lack of skilled resources: 30%
Budget constraints: 25%
Lack of executive awareness or support: 11%
Management and governance issues: 13%
Lack of quality tools for managing information security: 16%
Other: 4%

Page 51

Question 34 (People and organization): In case of a significant cybersecurity breach, how does your organization perform in the following areas?

Each row lists Poor / Fair / Good / Very good / Excellent.

Identification of the breach: 12% / 27% / 33% / 22% / 6%
Crisis management: 10% / 23% / 36% / 23% / 8%
Communication internally: 5% / 22% / 38% / 25% / 9%
Communication externally: 10% / 26% / 36% / 21% / 7%
Forensics: 21% / 28% / 28% / 16% / 7%
Returning to business as usual: 5% / 19% / 40% / 27% / 9%

Page 52

Question 35 (People and organization): What was the root cause of the latest significant breach at your organization?

Complex access permissions: 1%
Improper configuration: 6%
Known vulnerability/back door: 5%
Malware: 12%
Other: 5%
Phishing attacks: 11%
Stolen passwords/credentials: 3%
Unsecured IoT devices: 1%
We did not have a significant breach: 54%
Weak passwords/credentials: 2%

Page 53

Section 5: Finance and legal


At what point would your organization be most likely to communicate that a significant cyber attack has taken place and that data in your organization has definitely been compromised?

Stacked bar chart (0-100% per row) showing, for each notification action, when the organization would communicate:

Notification actions (rows):
Notify regulators and compliance organizations
If customer information affected, notify all customers
If no customer information affected, notify all customers anyway
Individually notify only those customers impacted
Issue a press release and public statement to the media
If supplier information affected, notify all suppliers
If no supplier information affected, notify all suppliers anyway
Individually notify only those suppliers impacted

Response options (series):
On day one
Within the first week while investigations continue
Within the first month while investigations continue
Only after all investigations are complete and the issue is closed
Don't know
Never

Question: 36

Finance and legal


What is the estimated total financial damage related to information security incidents over the past year at your organization? (This includes loss of productivity, regulatory fines, etc.; the estimate excludes costs or missed revenue due to brand damage.)

Share of respondents (bar chart, 0-70%):

Above US$2.5m: 1%
Between US$1 and US$100,000: 24%
Between US$100,000 and US$250,000: 6%
Between US$1m and US$2.5m: 1%
Between US$250,000 and US$500,000: 3%
Between US$500,000 and US$1m: 3%
No financial loss: 62%

Question: 37

Finance and legal


What is your current level of interest in cyber insurance?

Share of respondents (bar chart, 0-40%):

We currently have cyber insurance that meets our organization's needs: 35%
We currently have cyber insurance, but it does not meet our organization's needs: 5%
We do not have cyber insurance and are actively looking for appropriate cover: 20%
We do not have cyber insurance and we have no plans to adopt it: 18%
We have never considered cyber insurance: 16%
Other: 5%

Question: 38

Finance and legal


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 EYGM Limited. All Rights Reserved.

EYG no. XXXXXX

BMC AdvisoryTI 0000_00583

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com