Managing the Crown Jewels and Other Critical Data

Internal Audit, Risk, Business & Technology Consulting

When tackling cyber risk, board involvement and effective communication continue to drive performance. Learn more in this report on the key findings from Protiviti’s 2017 Security and Privacy Survey.

2017 Security and Privacy Survey · 1 · protiviti.com
Executive Summary
Global cybersecurity risk has never been higher, yet its magnitude is almost certain to intensify in the months and years to come. Cybercriminal activity against global companies surged in the past year, and there are growing signs — including expert analysis [1] — suggesting that a form of global cyberwar has commenced.

[1] Belam, Martin. “We’re living through the first world cyberwar — but just haven’t called it that,” The Guardian, Dec. 30, 2016: www.theguardian.com/commentisfree/2016/dec/30/first-world-cyberwar-historians.
Although these attacks vary in their intent, businesses remain in the crosshairs of these incursions. In addition to being something for which a company requires strong defenses, information security also needs to be planned for as organizations consider and deploy new approaches to generate revenue. Such conditions make cybersecurity a critical organizational priority and a top concern in the boardroom, C-suite, information technology function and every area of the business.

It is imperative that boards and executive leadership keep close tabs on the state of their company’s cybersecurity programs. Protiviti’s latest Security and Privacy Survey delivers insights on the specific policies and qualities that distinguish top-performing companies from other organizations with regard to security and privacy practices. Our survey also identifies prime opportunities companies can leverage to strengthen their security capabilities.

As we detail in the following pages, our survey results show cause for optimism, but there are concerns as well. Positive signs are particularly evident in companies where (1) the board of directors is highly engaged in information security matters; and (2) management has in place a robust set of key information security policies.
Our Key Findings

1. Having an engaged board and a comprehensive set of security policies makes a huge difference — In assessing the results for companies in which the board has a high level of engagement in information security, these organizations perform noticeably better than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all core information security policies in place (which we define in our report). When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack.

2. Most organizations need to enhance their data classification and management — An alarming number of companies appear unable to confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme supported by effective policies that are in place and adhered to throughout the enterprise.

3. Security effectiveness hinges on policies as well as people — Along with board engagement, incorporating a comprehensive set of information security policies is a key differentiator for organizations that have a strong security posture. These policies should be supported with effective training programs and communications throughout the organization, especially given the frequency with which the “human element” is targeted as a path to enable data and security breaches.

4. Vendor risk management must mature — As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures — areas that might stand between an organization’s crown jewels and cyberattackers.
Survey Methodology
Protiviti conducted its 2017 Security and Privacy Survey in the fourth quarter of 2016. More than 700 chief information officers, chief information security officers, chief technology officers, technology vice presidents and directors, and other technology managers and professionals completed an online questionnaire designed to assess security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics. Respondent demographics can be found on page 39.

Since completion of the survey was voluntary, there is some potential for bias if those choosing to respond have significantly different views on matters covered by the survey than those who did not respond. Therefore, our study’s results may be limited to the extent that such a possibility exists. In addition, some respondents answered certain questions while not answering others. Despite these limitations, we believe the results herein provide valuable insights regarding security and privacy standards in place in organizations today.
Board Engagement, Comprehensive Data Policies Distinguish High-Performing Information Security Programs
Based on our analysis, there are two critical success factors present in organizations that adhere to security and privacy best practices:

• High levels of engagement and understanding by the board of directors regarding information security risks
• Having all five “core” information security policies in place

In other Protiviti research, we have observed this correlation between board engagement in information security and the overall security posture of the organization, including in our 2015 IT Security and Privacy Survey report [2]. Similarly, our results this year show a notable difference between organizations that have all “core” information security policies in place — specifically, a records retention/destruction policy, a written information security policy, an acceptable use policy, a data encryption policy, and a social media policy — and those that do not; the former organizations demonstrate stronger information security practices overall.

Throughout our report, we compare the results from these two groups of companies that exhibit the above success factors (which we categorize as “top-performing organizations”) with companies that do not exhibit them, and pinpoint notable gaps.

[2] The Battle Continues — Working to Bridge the Data Security Chasm: Assessing the Results of Protiviti’s 2015 IT Security and Privacy Survey, www.protiviti.com/US-en/insights/it-security-survey.
How engaged is your board of directors with information security risks relating to your business?

                                                            All respondents    Large companies (≥ $1B)    Small companies (< $1B)
                                                            Current   2015     Current   2015             Current   2015
High engagement and level of understanding by the board       33%     28%       37%     32%                26%     24%
Medium engagement and level of understanding by the board     37%     32%       37%     33%                39%     33%
Low engagement and level of understanding by the board        12%     15%        9%     11%                20%     19%
Don't know                                                    18%     25%       17%     24%                15%     24%

Which of the following policies does your organization have in place? (Multiple responses permitted)

                                                            All respondents    Large companies (≥ $1B)    Small companies (< $1B)
                                                            Current   2015     Current   2015             Current   2015
Acceptable use policy                                         80%     77%       82%     82%                77%     72%
Record retention/destruction policy                           78%     74%       81%     80%                72%     71%
Data encryption policy                                        70%     67%       77%     79%                60%     58%
Written information security policy (WISP)                    69%     66%       72%     72%                65%     60%
Social media policy                                           59%     55%       61%     61%                53%     50%
Insights
• One-third of all respondents describe their board’s engagement with and understanding of information security risks as “high.” Thirty-seven percent of all respondents describe their board’s engagement level as “medium.” Each of these figures indicates a promising increase compared to the results of Protiviti’s 2015 IT Security and Privacy Survey. The results reflect an increasing involvement and interest from boards of directors, which we believe is very positive. (Note that in the remainder of our report, we define this group of top-performing organizations as those whose boards have a “high” level of engagement in and level of understanding with regard to information security in the organization.)
• The board’s growing engagement with information security reflects the fact that the issue is not merely about technology, but rather represents a top strategic risk. Other recent research from Protiviti confirms this: Information security capabilities, along with related incident response capabilities, dominate the priority lists for chief information officers, chief information security officers and other technology executives, according to our recent survey of technology leaders [3].

[3] From Cloud, Mobile, Social, IoT and Analytics to Digitization and Cybersecurity: Benchmarking Priorities for Today’s Technology Leaders, Protiviti, November 2016, www.protiviti.com/ITtrends.
• In a positive trend, the adoption of core security and privacy policies is increasing among all companies. The most commonly used formal security and privacy policies include acceptable use (in place among 80 percent of organizations), record retention/destruction (78 percent), data encryption (70 percent), written information security (69 percent), and social media (59 percent). That said, there is significant progress to be made: Only 38 percent of responding companies have all five core information security policies in place today.
Looking Ahead: Trends to Watch

• As the frequency and magnitude of information security breaches grow and present greater long-term risk to organizations, boards of directors are likely to increase their engagement with security in their organizations. They will call on management and technology leaders to provide greater understanding and clarity around the organization’s security posture.

• As organizations increase their reliance on digital assets, information security knowledge and engagement will become significantly more important at every level of the organization. Technology leaders will need to clearly communicate relevant security matters, from policies and practices to incidents, to a growing number of stakeholders while ensuring their messages are effective and relevant for each audience. What we term as “metrics of merit” will need to be adapted to ensure they are providing insight to these various stakeholders.

• Metrics help focus limited security resources on the issues that matter most. Balancing security and costs will continue to be a challenge as the complexity of cyberthreats increases while business pressures force security departments to compete for dollars intended for growth and innovation.
Action Items for Technology Leaders

• If your organization is among those without all core security policies in place, swift action is required to implement these policies.

• Develop and improve communications with the board — either directly or indirectly — regarding key top-line cybersecurity risks, initiatives and metrics.

• In all forms of board communications concerning security, recognize the importance of translating technical matters into plain English and prioritizing issues based on the risks each poses to the organization.

• Ensure that your communications to all levels of management provide a consistent message to the various stakeholders.
News Flash: Confidence in Preventing a Breach Remains Low, Awareness of Security Exposure Rises
During a year in which cybersecurity incursions struck numerous well-known organizations, hackers hijacked connected devices in U.S. homes, and geopolitical cyber breaches materialized during the U.S. presidential election, information security risks dominated media coverage. This coverage is driving high interest in organizational information security capabilities and, perhaps, increasing management’s awareness of information security issues. However, while rising interest and awareness are welcome, this is not directly translating to higher levels of confidence in information security capabilities.
How has recent press coverage on “cyberwarfare” and/or “cybersecurity” affected your interest in, and focus on, the subject of information security?

Comparing top-performing organizations (“Current” and “2015” are all respondents; the remaining columns split current respondents by board engagement and by whether all core information security policies are in place)

                                         Current   2015   High board engagement   No high board engagement   All core policies   Not all core policies
Significantly more interest and focus      31%     23%            41%                      30%                     30%                   32%
Somewhat more interest and focus           41%     36%            35%                      43%                     39%                   42%
No change in interest and focus            27%     38%            24%                      26%                     31%                   25%
Less interest and focus                     1%      3%             0%                       1%                      0%                    1%
On a scale of 1 to 10, where “10” is a high level of awareness and “1” is little or no awareness, please rate senior management’s level of awareness with regard to your organization’s information security exposures:

Companies with high board engagement in information security          8.7
Companies without high board engagement in information security       7.2
Companies with all core information security policies                 8.3
Companies without all core information security policies              7.4

On a scale of 1 to 10, where “10” is a high level of confidence and “1” is little or no confidence, rate your level of confidence that your organization is able to monitor, detect and escalate potential security incidents by a well-funded attacker:

Companies with high board engagement in information security          7.9
Companies without high board engagement in information security       6.6
Companies with all core information security policies                 7.9
Companies without all core information security policies              6.8

Is this level of confidence based on something your organization measures and communicates? (Shown: Percentage of “yes” responses to prior question)

Companies with high board engagement in information security          83%
Companies without high board engagement in information security       62%
Companies with all core information security policies                 75%
Companies without all core information security policies              62%

On a scale of 1 to 10, where “10” is a high level of confidence and “1” is little or no confidence, rate your level of confidence that your organization is able to prevent a targeted external attack by a well-funded attacker:

Companies with high board engagement in information security          7.6
Companies without high board engagement in information security       6.2
Companies with all core information security policies                 7.5
Companies without all core information security policies              6.4
Insights
• Cybersecurity breaches and cyberwarfare incidents achieved a new level of intensity during the past year, a disquieting trend that has been documented extensively in the press. While this attention is driving more awareness of information security matters among boards and senior management teams, most technology leaders lack high confidence in their organization’s ability to prevent, monitor, detect or escalate security breaches by a well-funded external attacker or by a company insider. However, there is a benefit to not being overconfident: It can stave off complacency while helping to sustain a commitment to continually adapt and improve current practices as cyberattacks grow more sophisticated.

• As is the case with other areas examined in this report, there are notable gaps between top-performing organizations (those with high board engagement in information security and those with all core information security policies in place) and other companies. Respondents in top-performing companies are far more likely to express confidence in their organization’s ability to prevent cyberattacks.

• Respondents in top-performing organizations are far more likely to attribute their high confidence levels in monitoring, detecting and escalating cyberattacks to the measures and communication mechanisms their organizations use to manage information security. In addition, the fact that the board has more involvement is likely driving clarity and consistency in reporting. This suggests that the strength of an organization’s information security, at least in part, comes from a comprehensive set of processes, procedures, metrics, relationships and interactions that support it.
On a scale of 1 to 10, where “10” is a high level of confidence and “1” is little or no confidence, rate your level of confidence that your organization is able to prevent an opportunistic breach as a result of actions by a company insider (employee or business partner):

Companies with high board engagement in information security          7.5
Companies without high board engagement in information security       6.2
Companies with all core information security policies                 7.4
Companies without all core information security policies              6.4
Looking Ahead: Trends to Watch
• Security teams should expect cybersecurity incidents to increase and to expand in their sophistication and format. Distributed denial of service (DDoS) attacks, advanced persistent threats (APTs), social engineering, insider threats and malware likely will be joined by new modes of attack, some of which have yet to emerge as mainstream threats. Management teams and boards should also expect increasing media coverage as well as a greater number of regulatory rules related to cybersecurity. All of this should result in boards asking more, and more detailed, questions about organizational security efforts.

• As cybersecurity activity increases, organizations will need to increase their focus on the human side of security exposures in addition to the technological and policy shortcomings of security capabilities.
Action Items for Technology Leaders
• To the extent possible, be proactive in communicating with management on a regular basis regarding cybersecurity measures, including efforts that comply with legal and industry regulations.

• Implement easy-to-understand metrics to show the board and management you are attempting to measure effectiveness and progress. There will be expectations that controls will increase in maturity; therefore, ensure there are measures to support whether these controls are effective.

• Incorporate testing to ensure defenses and controls are operating effectively and to constantly tweak these controls against new attacks. Organizations at higher levels of maturity will move toward increased use of red and blue team activity integrated not only to test defense mechanisms, but also to refine detective controls.

• Ensure the organization has a formal and documented crisis response plan that is tested on at least an annual basis.

• Provide regular training to all personnel on security-related policies and corporate practices, including but not limited to identifying social engineering “red flags.”

• Implement controls that combat the social engineering attack vector: two-factor authentication, which limits what an attacker can do with a password obtained by phishing, and proxy-based controls that might catch malware before it installs or that disrupt command-and-control communications if it does install.
Understanding the “Crown Jewels” of Security: Data Classification, Management and Policies
When it comes to information security, top-performing companies have a comprehensive set of core policies — formal rules that address record retention/destruction, information security, acceptable use, data encryption and social media. Developing, updating and adapting these policies in the face of changing business conditions and fast-changing cyber risks requires ongoing work.

Therefore, it is useful to understand the data classification and management efforts, data leakage prevention mechanisms, and communications among top-performing companies. Data classification and management is particularly vital because it identifies the organization’s most valuable digital assets (i.e., the “crown jewels”). Technology security functions that possess this information are best positioned to ensure that all data assets are protected in the most appropriate and cost-effective manner.
How would you rate your management’s understanding of what comprises its “crown jewels” — in other words, its sensitive data and information?
Current 2015 2014
Excellent understanding 31% 29% 23%
Good understanding 50% 45% 51%
Limited understanding 14% 16% 22%
Little or no understanding 2% 3% 3%
Don’t know 3% 7% 1%
Organizations in which management has an excellent understanding of what comprises its “crown jewels” — in other words, its sensitive data and information:

Companies with high board engagement in information security          49%
Companies without high board engagement in information security       18%
Companies with all core information security policies                 50%
Companies without all core information security policies              19%

Organizations that use a technology tool to assist in identifying where their “crown jewels” exist:

All respondents               43%
Large companies (≥ $1B)       49%
Small companies (< $1B)       38%
Insights
• Interestingly, less than half of organizations use a tool to help them identify the location of their crown jewels, yet more than 80 percent believe they have an excellent or good understanding of what comprises their crown jewels. Organizations should consider investing in tools and technology to help support this area, as it is difficult to protect sensitive data if they are not clear as to where it exists.
Does your company have a clear data classification scheme and policy in place that categorize the organization’s data and information — sensitive, confidential, public, etc.? [4]

                 Scheme                      Policy
                 Current   2015   2014       Current   2015   2014
Yes                58%     50%    58%          70%     65%    71%
No                 23%     22%    33%          16%     15%    24%
Don't know         19%     28%     9%          14%     20%     5%

[4] Data classification scheme: The groups or categories under which data is classified — for example: highly classified/secret, sensitive, internal use only, non-sensitive/public, etc.
Data classification policy: The guidelines dictating how, when and where the organization — including but not limited to all employees, functions and third parties working on behalf of the organization — classifies, manages and secures its data.
Organizations that have a clear data classification scheme in place that categorizes the organization’s data and information — sensitive, confidential, public, etc.:

Companies with high board engagement in information security          74%
Companies without high board engagement in information security       53%
Companies with all core information security policies                 72%
Companies without all core information security policies              49%

Organizations that have a clear data classification policy in place that categorizes the organization’s data and information — sensitive, confidential, public, etc.:

Companies with high board engagement in information security          85%
Companies without high board engagement in information security       66%
Companies with all core information security policies                 85%
Companies without all core information security policies              62%
If you have not done a full data classification, how would you rate your level of awareness with regard to what your “crown jewels” are — in other words, your most valuable assets?

Comparing top-performing organizations (“Current” and “2015” are all respondents; the remaining columns split current respondents by board engagement and by whether all core information security policies are in place)

                      Current   2015   High board engagement   No high board engagement   All core policies   Not all core policies
Very aware              38%     40%            58%                      29%                     57%                   28%
Somewhat aware          49%     45%            37%                      56%                     36%                   56%
Little awareness        10%     10%             4%                      13%                      6%                   12%
No awareness             3%      5%             1%                       2%                      1%                    4%
How does your organization communicate the expectations of its security policies and procedures to employees? (Multiple responses permitted)

Comparing top-performing organizations (“Current” and “2015” are all respondents; the remaining columns split current respondents by board engagement and by whether all core information security policies are in place)

Columns: Current | 2015 | High board engagement | No high board engagement | All core policies | Not all core policies

We include security policies and procedures in our annual training, which is mandatory for all employees
    60% | 53% | 67% | 57% | 77% | 50%
We have internally developed, security-specific training modules that we require all employees to take in addition to our standard annual training
    38% | 34% | 41% | 35% | 48% | 33%
We support participation by our employees in outside education on security policies and procedures
    33% | 23% | 44% | 28% | 35% | 31%
We do not have any formal employee communications or training related to security policies and procedures
    10% | 23% | 4% | 13% | 1% | 15%
Insights
• While a strong majority of companies have a good or excellent understanding of their most sensitive data and information, top performers are far more likely to have an “excellent” understanding of these crown jewels than other organizations.

• A majority (58 percent) of all companies use a data classification scheme to categorize organizational data, but top performers (74 percent) are significantly more likely to have one in place.

• At its foundation, the question that companies need to ask is, “What is it that we are trying to protect?” Companies without a formal data classification approach risk not knowing what, or where, their most valuable data assets are. This lack of clarity can expose crown jewels to much higher risk of loss or theft and/or contribute to highly inefficient, expensive data security programs. In many instances, an organization’s lack of a data classification and management policy has resulted in the exposure of private employee records, pre-release quarterly financial data and loss of intellectual property.

• Organizations that do not currently stratify their information assets should move quickly to establish a basic scheme, rather than become bogged down trying to design a perfect approach. Our experience shows that it is better to develop an initial classification system, bare-bones or otherwise; implement it; and then adjust as necessary.
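The survey reports that fewer than half of organizations use a tool to locate their crown jewels and recommends starting with a basic classification scheme and adjusting later. The following added example (written for this page, not code from the Protiviti report) shows what a minimal discovery-and-classification pass looks like in practice: it scans a constructed set of in-memory files for payment card numbers (validated with the Luhn checksum so that arbitrary digit runs are not flagged), U.S. Social Security numbers, e-mail addresses and confidentiality markers; assigns each file the highest-sensitivity label that fires, falling back to “internal” rather than “public” when nothing is detected; and derives a retention/destruction date from the label, which is the link between a classification scheme and the retention policies discussed later in the report. The four tiers, the retention periods, the detector patterns and the sample file contents are all assumptions for illustration, not values from the survey.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed four-tier scheme, highest sensitivity first. Retention periods are
# illustrative placeholders, not values from the survey; tune them per policy.
SCHEME = {
    "restricted":   {"rank": 3, "retention_days": 365},      # card data, SSNs
    "confidential": {"rank": 2, "retention_days": 7 * 365},  # customer PII, pre-release financials
    "internal":     {"rank": 1, "retention_days": 3 * 365},  # default when nothing fires
    "public":       {"rank": 0, "retention_days": None},     # no destruction date
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects 13-19 digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detector name -> (pattern, label the hit implies). Patterns are deliberately
# simple; a production scanner would add context checks to cut false positives.
DETECTORS = {
    "pan":    (re.compile(r"\b\d{13,19}\b"), "restricted"),
    "ssn":    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "restricted"),
    "email":  (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "confidential"),
    "marker": (re.compile(r"\b(?:confidential|pre-release)\b", re.I), "confidential"),
    "public": (re.compile(r"\bpublic\b", re.I), "public"),
}


def find_sensitive(text: str) -> dict:
    """Count hits per detector; candidate card numbers must also pass Luhn."""
    hits = {}
    for name, (pattern, _label) in DETECTORS.items():
        matches = pattern.findall(text)
        if name == "pan":
            matches = [m for m in matches if luhn_ok(m)]
        if matches:
            hits[name] = len(matches)
    return hits


def classify(hits: dict) -> str:
    """Highest-sensitivity label among the hits. A file is 'public' only when it
    is explicitly marked so and nothing sensitive was found; otherwise the
    default is 'internal', so unmarked data fails closed."""
    labels = {DETECTORS[name][1] for name in hits}
    sensitive = [l for l in labels if SCHEME[l]["rank"] > SCHEME["internal"]["rank"]]
    if sensitive:
        return max(sensitive, key=lambda l: SCHEME[l]["rank"])
    return "public" if labels == {"public"} else "internal"


def destruction_date(label: str, created: date):
    days = SCHEME[label]["retention_days"]
    return None if days is None else created + timedelta(days=days)


@dataclass
class Finding:
    path: str
    label: str
    hits: dict = field(default_factory=dict)
    destroy_on: date = None


def scan(files: dict, created: date) -> dict:
    """files: path -> text. Returns path -> Finding. Only counts and labels are
    kept; the matched values themselves are never stored or printed."""
    results = {}
    for path, text in files.items():
        hits = find_sensitive(text)
        label = classify(hits)
        results[path] = Finding(path, label, hits, destruction_date(label, created))
    return results


def crown_jewels(results: dict) -> list:
    """Paths carrying the top-tier label: the first places to put controls."""
    top = max(SCHEME, key=lambda l: SCHEME[l]["rank"])
    return sorted(p for p, f in results.items() if f.label == top)


# Constructed sample corpus: a well-known test card number, a fake SSN and
# example.com addresses. Nothing here is real data.
SAMPLE_FILES = {
    "finance/q3_draft.txt": "Pre-release quarterly results: revenue 12.4M. CONFIDENTIAL draft.",
    "support/tickets.csv": "id,customer,card\n1,alice@example.com,4111111111111111\n"
                           "2,bob@example.com,4111111111111112\n",
    "hr/payroll.txt": "Jane Doe SSN 123-45-6789 salary 80000",
    "marketing/press.txt": "Public press release: new product launch.",
}


def demo() -> dict:
    """Scan the constructed corpus with an assumed creation date."""
    return scan(SAMPLE_FILES, date(2017, 1, 1))


if __name__ == "__main__":
    for path, f in demo().items():
        print(f"{path:24} {f.label:13} hits={f.hits} destroy_on={f.destroy_on}")
    print("crown jewels:", crown_jewels(demo()))
```

Two design choices carry over to real scanners: the second card-like number in tickets.csv fails Luhn and is ignored, which is what keeps a discovery tool from drowning in order IDs and timestamps, and the scanner records only counts and labels rather than the matched values, so the inventory of where the crown jewels live does not itself become a crown jewel.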
Insights
• A strong majority of organizations have in place some form of formal employee communications or training related to technology and data security. This is good news, given how crucial the human factor is in preventing breaches and cyberattacks. Once again, top-performing organizations are more likely to have implemented annual training, more specific training modules and outside education programs to bolster the security knowledge and skills of their workforces. However, more progress is needed. If an organization has yet to implement internal training programs, it should consider investing in outside training sooner rather than later.
How well do you think management communicates to the organization/all employees the need to differentiate between public and sensitive data and how each is treated?

Comparing top-performing organizations (“Current,” “2015” and “2014” are all respondents; the remaining columns split current respondents by board engagement and by whether all core information security policies are in place)

Columns: Current | 2015 | 2014 | High board engagement | No high board engagement | All core policies | Not all core policies

Management does an excellent job of communicating these differences and how to treat each type of data
    27% | 23% | 20% | 48% | 14% | 39% | 20%
Management does an acceptable job of communicating these differences and how to treat each type of data, but there is room for improvement
    47% | 45% | 50% | 41% | 50% | 44% | 49%
There is substantial room for improvement in how management communicates these differences and how to treat each type of data
    18% | 20% | 22% | 8% | 28% | 13% | 22%
Management has not communicated these differences or how to treat each type of data
    4% | 5% | 7% | 0% | 6% | 1% | 5%
Don’t know
    4% | 7% | 1% | 3% | 2% | 3% | 4%
From the following, please select the statement that best describes your organization’s data retention and storage process:

Columns: Current | 2015 | 2014

We retain all data and records with no defined destruction date: 11% | 12% | 17%
We retain all data and records for a certain period of time, with a defined destruction date: 39% | 45% | 43%
We have a basic classification system to define data, with a few specific retention policies and destruction dates depending on the classification: 22% | 14% | 18%
We have a detailed classification system to define data, with varying retention policies and destruction dates depending on the classification: 19% | 13% | 15%
Our organization does not have a formal data retention and destruction policy: 3% | 4% | 5%
Don’t know: 6% | 12% | 2%

How would you rate your IT department’s support of the lifecycle of the organization’s data, from acquisition to retention/storage to (if applicable) destruction?

                               Current   2015   2014
Excellent understanding          23%     27%    27%
Good understanding               51%     47%    52%
Limited understanding            18%     14%    16%
Little or no understanding        2%      4%     3%
Don’t know                        6%      8%     2%
Organizations in which the IT department has an excellent understanding of the data lifecycle:

Companies with high board engagement in information security          40%
Companies without high board engagement in information security       14%
Companies with all core information security policies                 34%
Companies without all core information security policies              17%
How well do your C-suite executives (CEO, CFO, etc.) know and understand your organization’s data retention and destruction policy?

Columns: Current | 2015 | 2014

They know and understand the policy very well: 33% | 34% | 26%
They have some knowledge and understanding of the policy’s general concepts: 43% | 40% | 48%
They have limited knowledge about the policy: 17% | 16% | 16%
They have little or no knowledge about the policy: 4% | 5% | 4%
Our organization does not have a formal data retention and destruction policy: 3% | 5% | 6%
Percentage of organizations in which C-suite executives know and understand the organization’s data retention and destruction policy very well:

Companies with high board engagement in information security          53%
Companies without high board engagement in information security       18%
Companies with all core information security policies                 48%
Companies without all core information security policies              24%
Which of the following sensitive data types does your organization specifically prioritize? (Multiple responses permitted)

Comparing top-performing organizations (“Current” and “2015” are all respondents; the remaining columns split current respondents by board engagement and by whether all core information security policies are in place)

                                         Current   2015   High board engagement   No high board engagement   All core policies   Not all core policies
Payment Card Industry (PCI) data           53%     47%            60%                      49%                     60%                   49%
Private client/customer data               80%     80%            86%                      76%                     87%                   76%
Healthcare data                            42%     51%            45%                      39%                     51%                   37%
Organization’s intellectual property       61%     63%            69%                      56%                     76%                   52%
Insights
• A closer look at how organizations classify and manage data — by understanding and managing the complete data lifecycle, prioritizing certain assets over others, and keeping the C-suite informed of the current data retention and destruction policy — reveals that top-performing organizations likely embrace a more sophisticated and nuanced approach to data classification. For example, 29 percent of organizations with all core security policies in place maintain a “detailed classification system to define data, with varying retention policies and destruction dates,” while only 13 percent of organizations without all core policies in place maintain a similarly detailed classification system.

• The technology department’s understanding of the data lifecycle — from acquisition to retention/storage to destruction — marks an important component of a sound data classification and management system. Top-performing organizations are more than twice as likely as other companies to rate as excellent their technology department’s understanding of the data lifecycle. In fact, the numbers for other organizations are quite low.

• Similarly, respondents from top-performing organizations are two to three times more likely than other organizations to report that C-suite executives know and understand the data retention and destruction policy very well.
What types of policies does your organization have in place to prevent data leakage? (Multiple responses permitted)
Policy | Current | 2015 | 2014
Password policy (or standard) | 69% | 67% | 77%
Data protection and privacy policy | 60% | 58% | 67%
Network and network devices security policy | 55% | 56% | 59%
Users (privileged) access policy | 54% | 56% | 59%
Workstation/laptop security policy | 55% | 56% | 59%
Encryption policy (or standard) | 63% | 55% | NA
Information security policy | 60% | 54% | 67%
Data classification policy | 52% | 46% | 53%
Incident response policy | 51% | 45% | 46%
Third-party access control policy | 44% | 43% | 49%
Removable media policy | 42% | 38% | 44%
Information exchange policy | 37% | 31% | 30%
Cloud acceptable usage policy | 24% | 20% | 24%
What types of policies does your organization have in place to prevent data leakage? (Multiple responses permitted)
Comparing Top-Performing Organizations
Columns: companies with high board engagement in information security; companies without high board engagement in information security; companies with all core information security policies; companies without all core information security policies.
Policy | High board engagement | Without high board engagement | All core policies | Without all core policies
Password policy (or standard) | 73% | 67% | 86% | 60%
Data protection and privacy policy | 75% | 52% | 83% | 47%
Information security policy | 70% | 53% | 81% | 47%
Network and network devices security policy | 66% | 50% | 77% | 42%
Users (privileged) access policy | 62% | 47% | 75% | 41%
Workstation/laptop security policy | 65% | 47% | 82% | 39%
Encryption policy (or standard) | 74% | 56% | 86% | 50%
Data classification policy | 66% | 44% | 77% | 37%
Third-party access control policy | 53% | 38% | 71% | 29%
Incident response policy | 61% | 45% | 75% | 37%
Removable media policy | 52% | 34% | 71% | 24%
Information exchange policy | 45% | 32% | 57% | 25%
Cloud acceptable usage policy | 36% | 18% | 46% | 12%
Has the recent European Union announcement of the General Data Protection Regulation (GDPR) caused your organization to have to rework existing Safe Harbor or binding corporate rules?
Comparing Top-Performing Organizations
Columns: all respondents; companies with high board engagement in information security; companies without high board engagement in information security; companies with all core information security policies; companies without all core information security policies.
Response | All respondents | High board engagement | Without high board engagement | All core policies | Without all core policies
Yes, we have done a significant amount of rework of our existing rules | 14% | 22% | 11% | 13% | 14%
Yes, we have done some rework of our existing rules | 25% | 26% | 30% | 24% | 26%
No, there has been no impact | 35% | 32% | 40% | 35% | 35%
I am not familiar with the GDPR | 26% | 20% | 19% | 28% | 25%
Insights
• When it comes to addressing data leakage, security groups deploy a wide range of specific policies related to password selection, network access, device protection, encryption, third-party access and much more. Given that most of these individual policies are required or strongly recommended by government regulators and industry groups, they should be more prevalent in organizations.
• By not having these policies in place, organizations face potential legal liability along with significant security risks. This is especially the case concerning the low use of privileged access and cloud acceptable usage policies, considering the high security risks these areas pose.
• It is interesting to see a significant year-over-year increase in the use of encryption. Paired with the earlier observation that organizations lack high confidence that they can prevent a breach from happening, encrypting sensitive data and having good incident response practices are excellent parallel activities.
• While top-performing organizations are more likely to have each of these policies in place, a surprising number have yet to implement these types of guidelines.
Looking Ahead: Trends to Watch
• Increasing, and increasingly sophisticated, cyberattacks will likely result in more regulations and oversight, as governments and regulatory authorities seek to bolster protections of consumer and organizational data. Many of these new rules will impose greater pressure, including but not limited to monetary fines, on organizations whose data classification and management capabilities prove ineffective in preventing high-risk breaches.
• More attention, and possibly increased regulatory attention, will focus on security training, communications and related “human” mechanisms as social engineering efforts by bad actors result in more cyberattacks.
• Organizations should review the potential impact on them of the recent General Data Protection Regulation requirements.5
Action Items for Technology Leaders
There is a proven logic path that organizations should follow as they work to understand and classify their data:
• Determine what your crown jewels are, then identify where they are via self-assessment and confirm with the use of appropriate tools.
• Identify the threats to these crown jewels.
• Conduct a thorough threat and risk analysis.
• Identify the inherent risks — including the probability and impact of these threats — and the processes and systems that are in place to minimize them.
• Determine the residual risk after considering all current processes and systems to minimize the inherent risks.
• Based on residual risk, evaluate the organization’s program, frameworks and implementation to continually test and reduce residual risk, seek trends, and monitor metrics.
• Develop an incident response plan that includes periodic and comprehensive testing, because in all likelihood the organization will experience a security event of some kind.
• Assess year-over-year trends in this process to identify where risks are receding and growing.
– Leverage outside resources who are security experts — recognize that you may not have the knowledge in-house to conduct effective trainings, nor the resources to keep up-to-date with industry regulations, current approaches to cyberattacks, emerging security trends and more.
– Set the right tone for the organization by establishing strong data leakage policies and communicating them. Even basic messages to staff are important, such as reminders to not open email attachments from people you don’t know.
5 For additional information, read Protiviti’s Flash Report, “Preparing for the General Data Protection Regulation — The Clock Starts Ticking Now,” May 31, 2016, available at www.protiviti.com.
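The logic path above (crown jewels, threats, inherent risk, current controls, residual risk, year-over-year trend) carried through as a small risk register. This is an added example, not Protiviti’s method or any survey tooling; the 1-to-5 scoring scales, the "probability x impact" inherent-risk formula, the way each control strips a stated fraction of the remaining risk, and every asset, threat, control and prior-year figure are assumptions constructed for the illustration.

```python
"""Crown-jewel risk register: a worked example of the logic path above.

Added illustration, not Protiviti's own method or tooling. The scoring model is
an assumption chosen for the example: probability and impact are rated 1 (low)
to 5 (high), inherent risk = probability x impact, and each control in place is
assumed to remove a stated fraction of whatever risk remains. All assets,
threats, controls and prior-year figures below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A process or system already in place to reduce one threat."""
    name: str
    effectiveness: float  # assumed fraction of remaining risk removed, 0.0 to 1.0


@dataclass
class Threat:
    name: str
    probability: int  # 1 (rare) .. 5 (expected)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any control is considered."""
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: probability and impact must be 1..5")
        return self.probability * self.impact

    def residual_risk(self) -> float:
        """Risk left after every current control has taken its share
        (controls are assumed independent of each other)."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be 0..1")
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent_risk() * remaining, 2)


@dataclass
class CrownJewel:
    name: str
    location: str  # where the self-assessment (confirmed by tooling) found it
    threats: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        return max(t.inherent_risk() for t in self.threats)  # worst-case threat

    def residual_risk(self) -> float:
        return max(t.residual_risk() for t in self.threats)


def prioritize(jewels):
    """Rank assets by residual risk (highest first); inherent risk breaks ties."""
    return sorted(jewels, key=lambda j: (j.residual_risk(), j.inherent_risk()),
                  reverse=True)


def current_residuals(jewels):
    return {j.name: j.residual_risk() for j in jewels}


def year_over_year(previous, current):
    """Residual-risk delta per asset: positive = growing, negative = receding."""
    names = set(previous) | set(current)
    return {n: round(current.get(n, 0.0) - previous.get(n, 0.0), 2) for n in names}


# Constructed sample register covering two of the data types the survey asks about.
CUSTOMER_DATA = CrownJewel("Private client/customer data", "on-site servers", [
    Threat("Credential theft via phishing", probability=4, impact=5, controls=[
        Control("Multi-factor authentication for external access", 0.6),
        Control("Security awareness training", 0.3)]),
    Threat("Lost or stolen laptop", probability=3, impact=4, controls=[
        Control("Full-disk encryption", 0.9)]),
])
INTELLECTUAL_PROPERTY = CrownJewel("Organization's intellectual property",
                                   "cloud-based vendor", [
    Threat("Breach at the vendor", probability=2, impact=5, controls=[
        Control("Vendor security assessment", 0.4)]),
])
REGISTER = [CUSTOMER_DATA, INTELLECTUAL_PROPERTY]
# Constructed prior-year residual scores for the trend comparison.
PREVIOUS_YEAR = {CUSTOMER_DATA.name: 8.0, INTELLECTUAL_PROPERTY.name: 6.0}

if __name__ == "__main__":
    for j in prioritize(REGISTER):
        print(f"{j.name} ({j.location}): inherent {j.inherent_risk()}, "
              f"residual {j.residual_risk()}")
    print("Year-over-year:", year_over_year(PREVIOUS_YEAR, current_residuals(REGISTER)))
```

With this sample data the intellectual property ranks above the customer data once controls are considered, even though its inherent risk is lower, which is why the action items base the evaluation on residual rather than inherent risk.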
A Look at the IT Security Organization: Structures, Budgets and Reporting Relationships
To whom does the IT security organization report in your company?
Chief Information Officer 61%
Chief Executive Officer 11%
Chief Financial Officer 6%
Chief Compliance Officer 6%
Board of Directors 2%
Other 5%
Don’t know 9%
To whom does the chief information security officer (CISO) report in your company?
Base: Organizations that have a CISO
Chief Information Officer 55%
Chief Executive Officer 20%
Chief Financial Officer 5%
Board of Directors 4%
Chief Compliance Officer 4%
Other 5%
Don’t know 7%
Percentage of organizations that have a CISO:
Companies with high board engagement in information security | 69%
Companies without high board engagement in information security | 50%
Companies with all core information security policies | 69%
Companies without all core information security policies | 47%
Approximately how many full-time professionals are employed in your IT security organization?
Number of professionals | Large Companies (≥ $1B) | Small Companies (< $1B)
More than 50 | 50% | 17%
31 to 50 | 6% | 9%
16 to 30 | 14% | 15%
5 to 15 | 15% | 23%
Less than 5 | 6% | 29%
Don’t know | 9% | 7%
Approximately what percentage of your organization’s overall IT budget is dedicated to security?
Base: C-suite respondents
1% to 4% 16%
5% to 9% 29%
10% to 20% 29%
21% to 30% 8%
31% to 40% 8%
41% to 50% 2%
More than 50% 1%
Don’t know 7%
Insights
• Top-performing organizations are significantly more likely to have a CISO. Not surprisingly, large organizations also are more likely to have a CISO compared to small and midsize companies. In all organizations with CISOs, these individuals most commonly report directly to the CIO and CEO.
• Although a majority of security organizations report to the CIO, keep in mind that technology and data security is an enterprisewide issue — and one that requires training, communications, relationships and supporting processes in all areas of the company.
Who is responsible for creating and overseeing data governance in your organization?
Role | Current | 2015 | 2014
Chief Information Officer | 37% | 33% | 41%
Chief Security Officer | 29% | 25% | 20%
Individual department leaders (HR, Legal, Marketing, etc.) | 12% | 9% | 14%
Chief Privacy Officer | 4% | 5% | 4%
Chief Financial Officer | 3% | 4% | 5%
Other | 5% | 7% | 8%
Don’t know | 10% | 17% | 8%
Who is responsible for executing the data governance strategy/policy in your organization?
Role | Current | 2015 | 2014
Chief Information Officer | 39% | 37% | 41%
Chief Security Officer | 22% | 19% | 17%
Individual department leaders (HR, Legal, Marketing, etc.) | 16% | 14% | 20%
Chief Privacy Officer | 5% | 5% | 3%
Chief Financial Officer | 4% | 3% | 2%
Other | 4% | 6% | 8%
Don’t know | 10% | 16% | 9%
Of the following security certifications, please note those that your organization has achieved:
Comparing Top-Performing Organizations
Columns: companies with high board engagement in information security; companies without high board engagement in information security; companies with all core information security policies; companies without all core information security policies.
Certification | High board engagement | Without high board engagement | All core policies | Without all core policies
ISO 27001-2 | 65% | 52% | 66% | 48%
NIST 800-53 | 53% | 38% | 53% | 37%
BITS-AUP | 45% | 34% | 49% | 29%
SSAE-16 | 57% | 40% | 64% | 35%
HITRUST | 44% | 30% | 44% | 28%
SOC 2 | 54% | 38% | 57% | 34%
Views From the C-Suite on Vendor Risk and Data Management6
Vendor risk management has become a “front burner”
issue for technology functions and management teams
as external vendors and partners become more involved
with an organization’s data management and storage.
Note that 44 percent of all organizations store at least a
portion of their most sensitive data in the cloud.
6 The data reported in this section, unless otherwise noted, is based on responses from C-suite participants (chief information officers, chief technology officers, chief security officers, chief information security officers).
Where is your company’s sensitive data stored? (Multiple responses permitted)
Location | All respondents | Large Companies (≥ $1B) | Small Companies (< $1B)
On-site servers | 62% | 67% | 60%
Off-site servers | 47% | 50% | 44%
Cloud-based vendor | 44% | 43% | 48%
On users’ computers | 18% | 15% | 23%
Don’t know | 11% | 7% | 11%
Not stored in any centralized location | 7% | 8% | 7%
Compared to two years ago, is your organization working more today with large databases (“big data”) for business intelligence purposes?
Yes, significantly more 36%
Yes, somewhat more 43%
No, we are working with large databases for BI purposes, but at the same level as 2 years ago 11%
No, we are not working with large databases for BI purposes 8%
Don’t know 2%
From what source is that information being accessed or pulled?
Base: C-suite respondents in organizations that are working more with large databases for business intelligence purposes
Existing, company-owned data 58%
Third-party data 13%
Combination of company-owned and third-party data 29%
KEY FACTS
Organizations that have ensured they have all proper contracts and policies in place (including breach notification processes): 83%
Organizations whose vendors are aware of the sensitivity of data being shared, and they are managing and securing that data in a manner consistent with data classification requirements: 84%
How comfortable is your organization with processing and storing sensitive data in the cloud?
Base: C-suite respondents in organizations that are working more with large databases for business intelligence purposes
Our organization is comfortable doing this in either a public or private cloud environment 31%
Our organization is comfortable doing this in a private cloud environment only 45%
We have reservations about doing this in a public cloud environment, but still do so 15%
We have reservations about doing this in a private cloud environment, but still do so 2%
We do not allow this kind of data to be stored or processed in any cloud environment 7%
On a scale of 1 to 10, where “10” is highly knowledgeable and “1” is not at all knowledgeable, how would you rate your organization’s level of knowledge about the data security management programs and procedures of its third-party vendors?
Base: All respondents
Companies with high board engagement in information security | 8.0
Companies without high board engagement in information security | 6.7
Companies with all core information security policies | 7.8
Companies without all core information security policies | 6.8
Insights
• Despite great strides in cloud adoption and a large movement of sensitive data to the cloud, many organizations remain concerned with security over this relatively new area.
• The growing use of business partners to support business processes (especially those providing cloud storage) elevates the importance of vendor risk management policies and practices in the context of security. Although this survey and other research indicate that strides are being made with regard to mitigating third-party data risks, significant progress is needed. For example, while 44 percent of organizations store sensitive data with cloud vendors, 45 percent of organizations are only comfortable storing sensitive data in a private cloud environment.
• Board engagement is a key element of high-performing security programs; it also marks a key component of effective vendor risk management, according to the findings of the 2016 Vendor Risk Management Benchmark Study conducted by the Shared Assessments Program and Protiviti. That research indicates that boards are less engaged with vendor risks than they are regarding the organization’s own information security risks.7
Looking Ahead: Trends to Watch
• Vendor risk management will become a more important priority, and a growing board-level concern, due to two related factors: growing reliance on data and data-management vendors (e.g., cloud storage and software providers), and the increasing number and magnitude of data breaches targeting organizations and their vendors.
• This growing focus on vendor risk management will drive more organizations to deploy increasingly sophisticated measures to assess their vendors, including but not limited to calculating and distributing vendor assessment metrics, and implementing metrics and reporting for compliance with required training and awareness of vendor risk policies.
Action Items for Technology Leaders
• Given the increasing use of cloud-based vendors for storing sensitive data, assess how to adapt the organization’s security strategy for cloud or hybrid security models.
• Consider whether your organization’s approach to vendor risk management is commensurate with the quantity and sensitivity of data stored with vendors and/or in the cloud.
• While assessing improvement opportunities related to vendor risk management processes, focus on two areas that tend to be less mature than other vendor risk management components, according to the 2016 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti: skills and expertise; and tools, measurement and analysis.8
7 2016 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management, Shared Assessments Program and Protiviti, December 2016, www.protiviti.com/vendor-risk.
8 Ibid.
Does your organization embrace and enforce secure application development practices?
Base: C-suite respondents in organizations that are working more with large databases for business intelligence purposes
Yes, through policy only 19%
Yes, through policy and training 44%
Yes, through policy, training and technical solutions to ensure applications are secure 29%
No, secure application development is ad hoc in our organization 8%
Assessing Application Development and Security
What is your company’s policy on provisioning accounts for external access?
Create accounts within an internal active directory 28%
Create accounts within an active directory for external users only 19%
Never create such accounts and do not permit access 10%
Company has custom in-house solution 10%
Federate with external parties 7%
Federate with third-party providers 4%
Do not have such a policy 5%
Don’t know 17%
What is your company’s policy on granting external access to sensitive data?
Unique credentials accessible over a secured VPN 29%
Multi-factor authentication 17%
Grant access on the premises only 15%
Never grant access 15%
SSL access over Internet 7%
Do not have such a policy 4%
Don’t know 13%
Insights
• Application development can be a major source of vulnerability for organizations. It is somewhat alarming that few companies are taking actions beyond just policy and training to ensure they have secure application development practices in place. This suggests that applications will continue to be an area on which attackers focus.
• It also is surprising to see that just 17 percent of organizations use multi-factor authentication for external access. This is a problem in today’s sophisticated technology environments, where relying solely on passwords is a very weak control.
Getting Incident Response in Gear
If your organization experienced a data breach or hacking incident, does it have a formal and documented crisis response plan that would be activated and executed?
Response | Current | 2015 | 2014
Yes | 67% | 56% | 56%
No | 20% | 24% | 34%
Don’t know | 13% | 20% | 10%
Incident response should be a mainstay of an effective security program. While organizations are making some strides with regard to their incident response capabilities, most still have a long way to go, particularly with regard to having a formal crisis response plan and performing periodic fire drills.
Organizations that have a formal and documented crisis response plan:
Companies with high board engagement in information security | 80%
Companies without high board engagement in information security | 62%
Companies with all core information security policies | 85%
Companies without all core information security policies | 56%
As defined in your organization’s documented crisis response plan, who needs to be involved in addressing a data breach or hacking incident? (Multiple responses permitted)
Role | Current | 2015 | 2014
Chief Information Officer | 73% | 71% | 75%
Chief Security Officer | 60% | 63% | 56%
General Counsel/Chief Legal Officer | 53% | 47% | 46%
Chief Executive Officer | 44% | 43% | 43%
Chief Privacy Officer | 27% | 25% | 26%
Corporate Communications | 40% | 40% | 41%
Commentary
• Two-thirds of all organizations have a formal, documented crisis response plan in place and ready for activation when a data breach or information security event occurs. Considering the prevalence of cyberattacks and, for most organizations, the growing likelihood that a breach will occur, it is concerning that one-third of all organizations lack a formal crisis response plan.
• As was the case in past security surveys we have conducted, top-performing organizations are far more likely to have formal crisis response plans ready to be executed when a breach occurs.
IF YES: How frequently does your organization perform its fire drills?
Frequency | Current | 2015 | 2014
Monthly | 14% | 9% | 7%
Quarterly | 35% | 38% | 30%
Semi-annually | 30% | 30% | 27%
Annually | 21% | 23% | 36%
When was your organization’s incident response plan most recently updated?
Response | Current | 2015 | 2014
Within the past year | 51% | 48% | 46%
Within the past two years | 27% | 24% | 22%
Within the past five years | 11% | 12% | 9%
Longer than five years | 2% | 3% | 4%
Our plan has not been updated | 9% | 13% | 19%
With regard to IT security, does your organization periodically perform “fire drills” to test your ability to execute the organization’s incident response plan?
Response | Current | 2015 | 2014
Yes | 52% | 40% | 46%
No | 30% | 39% | 49%
Don’t know | 18% | 21% | 5%
Insights
• Compared to our 2015 study, organizations today are more likely to perform periodic fire drills (like tabletop exercises) to test their incident response plans, to run these fire drills on a quarterly or monthly basis, and to have updated their incident response plans within the past year. While this progress is promising, the numbers are still low. A higher percentage of firms needs to perform these drills.
• It is important for boards, senior management teams and technology functions to understand that the effectiveness of incident response plans hinges on their execution, and the only way to gauge how these plans will work in reality is to periodically test them in simulations. The most effective incident response plans are “living documents” that are regularly updated to reflect rapidly changing market conditions, emerging security risks and internal changes. Similar principles governed pre-digital-age business continuity management and disaster recovery planning.
Organizations that have updated their incident response plan within the past year:
Companies with high board engagement in information security | 69%
Companies without high board engagement in information security | 39%
Companies with all core information security policies | 68%
Companies without all core information security policies | 41%
Does your organization have a forensics provider on retainer?*
Yes, we have a forensics provider on a paid retainer 33%
Yes, we have a forensics provider on an unpaid retainer 27%
No, we have in-house forensics capabilities 20%
We have no forensics capabilities either internally or through a provider 15%
Don’t know 5%
* C-suite responses shown
Looking Ahead: Trends to Watch
• Some industry regulations and guidelines already recommend that organizations test their incident response plans at least annually. New industry guidelines and business regulations that will come out in the next 24 months may include requirements for documented crisis response plans along with periodic testing.
• The occurrence of a historically massive (or otherwise unique) cyberattack would likely motivate boards and senior management teams to communicate to their technology leaders and security teams to ensure incident response plans are in place and simulations are being performed.
Action Items for Technology Leaders
• On at least an annual basis, plan and conduct periodic testing and cybersecurity “war games,” which are critical elements of an IT security program. Test the plan via different use cases; otherwise, it is unlikely to be effective.
• Conduct specific tests on social engineering and share the results with management.
• Understand who in the IT department or broader organization has responsibility over the lifecycle of a cybersecurity incident, from identifying it to managing technology remediation issues and communicating to management, among numerous other tasks.
• Establish relationships with federal and local law enforcement agencies to ensure a rapid and effective response to a cyberattack (regulatory authorities are beginning to emphasize this more in their guidance).
Demographics
Position (title/role)
Chief Information Officer 7%
Chief Technology Officer 6%
Chief Security Officer 3%
Chief Information Security Officer 5%
IT VP/Director 26%
IT Audit VP/Director 3%
IT Manager 31%
IT Audit Manager 1%
IT Staff 8%
IT Audit Staff 2%
Other 8%
Size of Organization (by gross annual revenue)
$20 billion or greater 14%
$10 billion - $19.99 billion 10%
$5 billion - $9.99 billion 13%
$1 billion - $4.99 billion 23%
$500 million - $999.99 million 17%
$100 million - $499.99 million 12%
Less than $100 million 11%
Type of Organization
Public 51%
Private 37%
Not-for-profit 7%
Government 5%
Industry
Technology 17%
Financial Services 17%
Manufacturing 11%
Government/Education/Not-for-profit 10%
Retail 6%
Insurance 5%
Healthcare Provider 4%
Communications 4%
Energy 3%
Consumer Products 3%
Distribution 2%
Life Sciences/Biotechnology 2%
Utilities 2%
Real Estate 1%
Healthcare Payer 1%
Hospitality 1%
Other 11%
More than 700 technology executives and professionals (n = 708) participated in the survey. Following are details regarding the respondents and the size of companies represented in the study.9
9 All demographic information was provided voluntarily by respondents. Percentages in the tables correspond to those providing this information rather than the total sample of respondents.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
ABOUT OUR TECHNOLOGY CONSULTING SOLUTIONS
Emerging technologies and changing business models are driving a shift in the role of IT — from leveraging technology in support of the business to the higher, more strategic goal of protecting and enhancing business value. Today, it is critical that you have strong IT processes and practices to ensure the alignment of IT and business strategy and to drive excellence through the IT infrastructure and the operations it supports.
Protiviti’s global Technology Consulting practice helps CIOs and IT leaders design and implement advanced solutions in IT governance, security, data management, applications and compliance. Protiviti works to address IT security and privacy issues and deploy advanced and customized application and data management structures that not only solve problems, but also add value to organizations. Technology will drive your future, and with Protiviti you can be confident it takes you where you want to go.
Kurt Underwood, Managing Director, Global Leader, Technology Consulting, [email protected]
CONTACTS
Scott Laliberte, Managing Director, [email protected]
Cal Slemp, Managing Director, [email protected]
Jeff Sanchez, Managing Director, [email protected]
Mark Lippman, Managing Director, [email protected]
Chris Louden, Managing Director, [email protected]
Michael Porier, Managing Director, [email protected]
Andrew Retrum, Managing Director, [email protected]
Ryan Rubin, Managing Director, [email protected]
David Stanton, Managing Director, [email protected]
David Taylor, Managing Director, [email protected]
Michael Walter, Managing Director, [email protected]
David Adamson, Managing Director, +61.02.8220.9500, [email protected]
Billy Gouveia, Managing Director, +1.212.708.6391, [email protected]
Daniel Hansen, Managing Director, +1.415.402.3697, [email protected]
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0217-101096 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
THE AMERICAS
UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA*: Buenos Aires
BRAZIL*: Rio de Janeiro, Sao Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE*: Santiago
MEXICO*: Mexico City
PERU*: Lima
VENEZUELA*: Caracas
EUROPE, MIDDLE EAST, AFRICA
FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
NETHERLANDS: Amsterdam
UNITED KINGDOM: London
BAHRAIN*: Manama
KUWAIT*: Kuwait City
OMAN*: Muscat
QATAR*: Doha
SAUDI ARABIA*: Riyadh
SOUTH AFRICA*: Johannesburg
UNITED ARAB EMIRATES*: Abu Dhabi, Dubai
ASIA-PACIFIC
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore
INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
*MEMBER FIRM