The Global State of Information Security Survey 2015
Cyber risks: a severe & present danger
Cybersecurity is now a persistent business risk
• Businesses are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries
• Sophisticated attackers will continue to stay ahead of the mainstream defensive technologies we deploy
• Disruptive technologies will continue to challenge security efforts
• Demand for expertise - shortage of supply
• Impact has extended to the C-suite and the Boardroom
Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014
And the risks go beyond just devices
• Global security incidents are outpacing even the fastest growing economies and technologies
• New regulations from the SEC and other regulatory bodies are creating new demands upon enterprises
• EU Data Protection Regulation updating in 2015 to include breach notification
• NIST Cybersecurity Framework
More competition for solutions = more confusion for buyers
Incidents & financial impact continue to soar
Continued year-over-year rise is no surprise
66% CAGR growth of security incidents since 2004
Financial losses increase apace
A Center for Strategic and International Studies (CSIS) report found it difficult to estimate financial impact, but estimated that the annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion.
Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP. Using the World Bank’s GDP estimate of $74.9 trillion in 2003, the loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.
Many losses go unreported or are poorly measured
Insight is critical
Small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Medium-size organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before.
Does anyone really believe that losses at small companies fell?
[Chart: Cost of incidents]
Employees are the most-cited culprits of incidents
Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate
Who are the culprits? Insiders? Outsiders? Both?
Insiders and ecosystem risks
Insider profiles from the slide graphic:
• On a Performance Improvement Plan
• Just got a job offer from your competitor
• Likes to review sales forecasts while waiting for a flight
• Just copied your sales database to a USB drive, just in case
• Prefers to work remotely – from Starbucks
• Lost his company-issued Blackberry – forgot to tell you
• Found out Jay Z is a patient where she works – checking it out
• Way, way in debt!
• Businesses with 1,000+ employees view insiders as the greatest risk
• Businesses with fewer than 1,000 employees view outsiders as the greatest risk
Why do insiders commit crimes?
1. Financial gain
2. Curiosity
3. Revenge
Domestic intelligence: a new source of concern
While the Edward Snowden affair has turned attention to the NSA, it has also raised interest in the general concerns outside the U.S. about domestic surveillance by non-U.S. government agencies.
Insider threats are not sufficiently addressed
• Awareness training would address the most common insider threats
• But, most businesses don’t do awareness training
• Threats include people clicking links, phishing e-mails, lost laptops, lost USB drives, etc.
• It’s important to understand the motivations of insiders: security incidents are most often driven by greed or financial need, and insiders exhibit precursor characteristics that we should be looking for
• Long-standing finding: insiders who exhibit precursor characteristics should be subjected to additional monitoring
As incidents rise, security spending falls
Average security budgets decrease slightly, reversing a three-year trend
But company size matters
Top spending priorities
Declines in fundamental security practices
Security practices must keep pace with constantly evolving threats and security requirements, but many fundamentals remain to be adopted.
Does the Board care? Sometimes
Evolving from security to cyber risk management
Risk Issues Touch Every Aspect of the Business
76% of enterprises have someone in the CSO/CISO role
Risk issues by executive owner:
• CMO: Intellectual Property & Brand Protection; Business/Competitive Intelligence
• HR: Investigations and Background Checks; Ethics
• Legal: Regulatory Compliance; Safety/OSHA
• COO: Physical Security; Business Continuity
• CFO: Fraud Prevention; Loss Prevention
• CIO: Infosecurity
• CPO: Privacy
Source: 2013 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2012
Pressing issues for CSOs
1. New technologies
2. Finding people
3. Partner security
4. Getting actionable intelligence from your security systems
5. External attacks
The emerging issues
1. Demands from the Board
2. New technologies
3. Shadow IT
4. Demand from business partners
5. Internal threats
Driving this is the 3rd Platform – The SMAC Stack
Social
Mobile
Analytics
Cloud
Source: IDC
3rd Platform – moving to Transformed Experiences
Copyright 2014 IDC
Disruptive Technologies Require Security… yet security is often an afterthought behind the urgency to implement
Q. In your opinion, which of the following major trends will have the most profound effect on the role of the security professional in the future?
• Technology-as-a-service (cloud): 27%
• Increasingly mobile workforce: 24%
• Bring Your Own Device (BYOD): 21%
• Social media/Networking: 14%
• Big data: 10%
• None of the above: 5%
Source: State of the CSO Survey, CSO magazine, 2014
What do CSOs expect from vendors?
[Chart: Importance of Vendor Attributes, rated on a 0–6 scale]
• Vendor educates about where the market is going
• Vendor has good reference accounts
• Vendor understands my business
• Vendor is financially stable
• Solutions are scalable
• Products fill a need
• Vendor offers deep expertise in this area
Where security vendors fall down…
• Products don’t live up to their marketing hype: 78%
• Product implementation costs were significantly higher than expected: 70%
• Licensing demands outstripped our resources (money or people): 39%
• Vendor dropped support for the product we purchased: 26%
• Other: 23%
• Product actually exposed the business to additional vulnerabilities: 18%
Verbatims…
• "Fog of more" -- new tools and technology need to provide actionable results that scale within the organization
• Product manpower and training requirements were completely misrepresented.
• Implementation not done efficiently
• Expertise in new environments (cloud) is advertised, but not there in the end.
• Operational requirements were significantly higher than vendor represented
• Implementation architecture is an issue
• Too many cold calls and spam e-mails
• Missed release dates
• Support issues after purchase completed
• Too long to implement given some complexity.
• Too complex to absorb
• Lack of trust in what they say they will deliver
• Most vendors are moving to a subscription model, which is not scalable for most businesses. I believe this will actually hurt their business in the long run
• Integration
• Inadequate in-house or channel technical expertise
• Product failed to work correctly in a complex environment
• Incorrectly configured or deployed, which led to not realizing the full business value
• Integration, data feed requirements & configuration complexity significantly understated & underestimated
• Professional services are not able to execute as expected
• Lack of unilateral integration and ability to utilize data from other technology.
• Demand outpaced vendor support capabilities; they just care to sell. No support.
• Vendor acquired and expected support faltered
The 10 Cardinal Rules for Information Security Vendors
1. Understand what your solution does, how it works with everything else, and then sell the hell out of it
2. Understand what your solution does not do
3. Don’t ever over-hype what your product does – there is no magic bullet in security
4. Understand your product roadmap
5. Know your customer & what their unique challenges are
6. If you can’t explain what your solution does in 30 seconds, you have a problem
7. If you can’t explain what your solution does in three sentences on your website, you have a problem
8. Strike while the iron is hot
9. Sell high. They may kick you downstairs but you need leadership’s buy-in
10. Always be partnering with other solutions providers
The 11 Cardinal Rules for Information Security Marketers
1. Understand what your solution does, and does not do
2. Don’t ever over-hype what your solutions do – there is no magic bullet in security
3. Be crystal clear in your messaging
4. Buyers like snarky ads, but make sure there is substance
5. Security professionals are professional cynics and paranoids – back up your claims with proof
6. Engage with your target audience, the way they want to be engaged - and on their schedule
7. Know your customers & what their unique challenges are
8. If you can’t explain what your solution does in 30 seconds, you have a problem
9. If you can’t explain what your solution does in three sentences on your website, you have a problem
10. Leverage what you hear in the media – breaches, etc.
11. Target your message to the audience you’re speaking to: for leadership, security is a business issue, not an IT issue – for technical staff, security is about integration
How long is the window of opportunity open? Home Depot learned that the hard way. Vendors need to move with urgency and purpose.
Bob Bragdon, VP/Publisher, CSO, IDG
[email protected]
@Bob_Bragdon
www.CSOonline.com
(M) 508-250-6412
Questions?