The Global State of Information Security Survey 2015

Uploaded by nathaniel-cook, 20-Jan-2016

Page 1

The Global State of Information Security Survey 2015

Page 2

Cyber risks: a severe & present danger

Page 3

Cybersecurity is now a persistent business risk

• Businesses are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries

• Sophisticated attackers will continue to stay ahead of the mainstream defensive technologies we deploy

• Disruptive technologies will continue to challenge security efforts

• Demand for expertise exceeds the supply

• Impact has extended to the C-suite and the Boardroom

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014

Page 4

And the risks go beyond just devices

• Global security incidents are outpacing even the fastest growing economies and technologies

• New regulations from the SEC and other regulatory bodies are creating new demands on enterprises

• EU Data Protection Regulation updating in 2015 to include breach notification

• NIST Cybersecurity Framework

Page 5

More competition for solutions = more confusion for buyers

Page 6

Incidents & financial impact continue to soar

Page 7

Continued year-over-year rise is no surprise

66% CAGR: growth of security incidents since 2004

Page 8

Financial losses increase apace

A Center for Strategic and International Studies report found financial impact difficult to estimate, but put the annual cost of cybercrime to the global economy at between $375 billion and as much as $575 billion.

Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP. Using the World Bank’s GDP estimate of $74.9 trillion in 2003, losses from trade secret theft may range from $749 billion to as high as $2.2 trillion annually.

Many losses go unreported or are poorly measured

Page 9

Insight is critical

Small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Medium-size organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before.

Does anyone really believe that losses at small companies fell?

Chart: Cost of incidents (by company size)

Page 10

Employees are the most-cited culprits of incidents

Page 11

Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate

Page 12

Who are the culprits? Insiders? Outsiders? Both?

Page 13

Insiders and ecosystem risks

Insider profiles shown on the slide:

• On a Performance Improvement Plan

• Just got a job offer from your competitor

• Likes to review sales forecasts while waiting for a flight

• Just copied your sales database to a USB drive, just in case

• Prefers to work remotely – from Starbucks

• Lost his company-issued Blackberry – forgot to tell you

• Found out Jay Z is a patient where she works – checking it out

• Way, way in debt!

• Businesses with 1,000+ employees view insiders as the greatest risk

• Businesses with fewer than 1,000 employees view outsiders as the greatest risk

Why do insiders commit crimes?

1. Financial gain

2. Curiosity

3. Revenge

Page 14

Domestic intelligence: a new source of concern

While the Edward Snowden affair has turned attention to the NSA, it has also raised interest in the broader concerns outside the U.S. about domestic surveillance by non-U.S. government agencies.

Page 15

Insider threats are not sufficiently addressed

• Awareness training would address the most common insider threats

• But, most businesses don’t do awareness training

• Threats include people clicking links, phishing e-mails, lost laptops, lost USB drives, etc.

• It’s important to understand the motivations of insiders: insider security incidents are most often driven by greed or financial need, and the people involved exhibit precursor characteristics that we should be looking for

• Long-standing finding: insiders who exhibit precursor indicators should be subjected to additional monitoring

Page 16

As incidents rise, security spending falls

Page 17

Average security budgets decrease slightly, reversing a three-year trend

Page 18

But company size matters

Page 19

Top spending priorities

Page 20

Declines in fundamental security practices

Page 21

Security practices must keep pace with constantly evolving threats and security requirements, but many fundamentals remain to be adopted.

Page 22

Does the Board care? Sometimes

Page 23

Evolving from security to cyber risk management

Page 24

Risk Issues Touch Every Aspect of the Business

76% of enterprises have someone in the CSO/CISO role

Risk issues and the executive who owns each:

• CMO: Intellectual Property & Brand Protection; Business/Competitive Intelligence

• HR: Investigations and Background Checks; Ethics

• Legal: Regulatory Compliance; Safety/OSHA

• COO: Physical Security; Business Continuity

• CFO: Fraud Prevention; Loss Prevention

• CIO: Infosecurity

• CPO: Privacy

Source: 2013 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2012

Page 25

Pressing issues for CSOs

1. New technologies

2. Finding people

3. Partner security

4. Getting actionable intelligence from your security systems

5. External attacks

The emerging issues

1. Demands from the Board

2. New technologies

3. Shadow IT

4. Demand from business partners

5. Internal threats

Page 26

Driving this is the 3rd Platform – The SMAC Stack

Social

Mobile

Analytics

Cloud

Source: IDC

Page 27

3rd Platform – moving to Transformed Experiences

Copyright 2014 IDC

Page 28

Disruptive technologies require security… yet security is often an afterthought behind the urgency to implement

Q. In your opinion, which of the following major trends will have the most profound effect on the role of the security professional in the future?

Chart options, in the order shown: None of the above; Big data; Social media/Networking; Bring Your Own Device (BYOD); Increasingly mobile workforce; Technology-as-a-service (cloud). Response shares shown on the chart: 5%, 10%, 14%, 21%, 24%, 27%.

Source: State of the CSO Survey, CSO magazine, 2014

Page 29

What do CSOs expect from vendors?

Vendor educates about where the market is going

Vendor has good reference accounts

Vendor understands my business

Vendor is financially stable

Solutions are scalable

Products fill a need

Vendor offers deep expertise in this area

Chart: Importance of vendor attributes (rated on a 0–6 scale)

Page 30

Where security vendors fall down…

Product actually exposed the business to additional vulnerabilities

Other

Vendor dropped support for the product we purchased

Licensing demands outstripped our resources (money or people)

Product implementation costs were significantly higher than expected

Products don’t live up to their marketing hype

Chart values shown (0–100% scale): 18%, 23%, 26%, 39%, 70%, 78%

Page 31

Verbatims…

"fog of more" -- new tools and technology need to provide actionable results that scale within the organization

product manpower and training requirements were completely misrepresented.

Implementation not done efficiently

expertise in new environments (cloud) is advertised, but not there in the end.

Operational requirements were significantly higher than vendor represented

Implementation architecture is an issue

Too many cold calls and spam e-mails

Missed release dates

Support issues after purchase completed

Too long to implement given some complexity.

Too complex to absorb

Lack of trust in what they say they will deliver

Most vendors are moving to subscription model which is not scalable for most businesses. I believe this will actually hurt their business in the long run

Integration

inadequate in house or channel technical expertise

Product failed to work correctly in a complex environment

Incorrectly configured or deployed led to not realizing the full business value

Integration, data feed requirements & configuration complexity significantly understated & underestimated

Professional services are not able to execute as expected

Lack of unilateral integration and ability to utilize data from other technology.

demand outpaced vendor support capabilities, they just care to sell. No support.

Vendor acquired and expected support faltered

Page 32

The 10 Cardinal Rules for Information Security Vendors

1. Understand what your solution does, how it works with everything else, and then sell the hell out of it

2. Understand what your solution does not do

3. Don’t ever over-hype what your product does – there is no magic bullet in security

4. Understand your product roadmap

5. Know your customer & what their unique challenges are

6. If you can’t explain what your solution does in 30 seconds, you have a problem

7. If you can’t explain what your solution does in three sentences on your website, you have a problem

8. Strike while the iron is hot

9. Sell high. They may kick you downstairs but you need leadership’s buy-in

10. Always be partnering with other solutions providers

Page 33

The 11 Cardinal Rules for Information Security Marketers

1. Understand what your solution does, and does not do

2. Don’t ever over-hype what your solutions do – there is no magic bullet in security

3. Be crystal clear in your messaging

4. Buyers like snarky ads, but make sure there is substance

5. Security professionals are professional cynics and paranoids – back up your claims with proof

6. Engage with your target audience, the way they want to be engaged - and on their schedule

7. Know your customers & what their unique challenges are

8. If you can’t explain what your solution does in 30 seconds, you have a problem

9. If you can’t explain what your solution does in three sentences on your website, you have a problem

10. Leverage what you hear in the media – breaches, etc.

11. Target your message to the audience you’re speaking to: for leadership, security is a business issue, not an IT issue – for technical staff, security is about integration

Page 34

How long is the window of opportunity open? Home Depot learned that the hard way. Vendors need to move with urgency and purpose.

Page 35

Bob Bragdon, VP/Publisher, CSO, IDG
[email protected]
@Bob_Bragdon
www.CSOonline.com
(M) 508-250-6412

Questions?