Post on 28-May-2020
The Global State of Information Security Survey 2015
Cyber risks: a severe & present danger
Cybersecurity is now a persistent business risk
• Businesses are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries
• Sophisticated attackers will continue to stay ahead of the mainstream defensive technologies we deploy
• Disruptive technologies will continue to challenge security efforts
• Demand for expertise - shortage of supply
• Impact has extended to the C-suite and the Boardroom
Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014
And the risks go beyond just devices
• Global security incidents are outpacing even the fastest-growing economies and technologies
• New regulations from the SEC and other regulatory bodies are creating new demands upon enterprises
• EU Data Protection Regulation updating in 2015 to include breach notification
• NIST Cybersecurity Framework
More competition for solutions = more confusion for buyers
Incidents & financial impact continue to soar
Continued year-over-year rise is no surprise
Financial losses increase apace
A Center for Strategic and International Studies (CSIS) study found it difficult to estimate financial impact, but put the annual cost of cybercrime to the global economy at between $375 billion and as much as $575 billion.
Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP. Using the World Bank’s world GDP estimate of $74.9 trillion for 2013, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.
Many losses go unreported or are poorly measured
Insight is critical
Cost of incidents: small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Medium-size organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before.
Does anyone really believe that losses at small companies fell?
Employees are the most-cited culprits of incidents
Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate
Who are the culprits? Insiders? Outsiders? Both?
Insiders and ecosystem risks
Persona callouts from the slide:
• On a Performance Improvement Plan
• Just got a job offer from your competitor
• Likes to review sales forecasts while waiting for a flight
• Just copied your sales database to a USB drive, just in case
• Prefers to work remotely – from Starbucks
• Lost his company-issued Blackberry – forgot to tell you
• Found out Jay Z is a patient where she works – checking it out
• Way, way in debt!
• Businesses with 1,000+ employees view insiders as the greatest risk
• Businesses with fewer than 1,000 employees view outsiders as the greatest risk
Why do insiders commit crimes?
1. Financial gain
2. Curiosity
3. Revenge
Domestic intelligence: a new source of concern
While the Edward Snowden affair has turned attention to the NSA, it has also raised interest in the general concerns outside the U.S. about domestic surveillance by non-U.S. government agencies.
Insider threats are not sufficiently addressed
• Awareness training would address the most common insider threats
• But, most businesses don’t do awareness training
• Threats include people clicking links, phishing e-mails, lost laptops, lost USB drive, etc.
• It’s important to understand the motivations of insiders: security incidents are most often driven by greed or financial need, and insiders exhibit precursor characteristics that we should be looking for
• Long-standing finding: insiders who exhibit precursor characteristics should be subjected to additional monitoring
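The insider bullets above describe a correlation rule rather than a product: weigh a user's data-movement events more heavily when HR has recorded a precursor (a performance improvement plan, a resignation notice) shortly before. The following Python is an added example and is not code from the original deck or from the survey; the log format, the event weights, the 30-day window and the review threshold are assumptions chosen for illustration, and the HR records and log lines are constructed.

```python
"""Correlate HR precursor signals with data-movement events (added example).

Event format, weights, window and threshold are assumptions for this
example; the HR records and log lines below are constructed, not survey data.
"""
from datetime import datetime, timedelta

LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # 100 MiB: treat as a bulk copy
BULK_EXPORT_ROWS = 10_000                  # rows: treat as a bulk database export
PRECURSOR_WINDOW = timedelta(days=30)      # how long a precursor stays "active"
REVIEW_THRESHOLD = 8                       # score at which to recommend extra monitoring

# Constructed HR precursor records: user -> [(date, precursor)]
HR_PRECURSORS = {
    "jdoe": [("2014-09-01", "performance_improvement_plan")],
    "asmith": [("2014-09-10", "resignation_notice")],
}

# Constructed endpoint/DLP log lines: "<timestamp> <user> <action> key=value ..."
LOG_LINES = """\
2014-09-03T14:02:11Z jdoe usb_write file=sales_db_export.csv bytes=524288000
2014-09-03T14:05:40Z jdoe cloud_upload file=sales_db_export.csv bytes=524288000
2014-09-12T09:15:00Z asmith usb_write file=notes.txt bytes=2048
2014-09-12T09:16:00Z asmith db_export table=customers rows=180000
2014-09-12T09:30:00Z bwong usb_write file=holiday_photos.zip bytes=734003200
""".splitlines()


def parse_event(line):
    """Split one log line into timestamp, user, action and key=value fields."""
    ts, user, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "fields": fields,
    }


def event_weight(event):
    """Base risk weight of an event, before any HR context is applied."""
    f = event["fields"]
    if event["action"] in ("usb_write", "cloud_upload"):
        return 3 if int(f.get("bytes", 0)) >= LARGE_TRANSFER_BYTES else 1
    if event["action"] == "db_export":
        return 4 if int(f.get("rows", 0)) >= BULK_EXPORT_ROWS else 2
    return 0  # actions this example does not score


def has_active_precursor(user, when, precursors):
    """True if HR recorded a precursor for `user` within PRECURSOR_WINDOW before `when`."""
    for date_str, _kind in precursors.get(user, []):
        start = datetime.strptime(date_str, "%Y-%m-%d")
        if start <= when <= start + PRECURSOR_WINDOW:
            return True
    return False


def score_users(lines, precursors):
    """Sum event weights per user, doubling events that follow an active precursor."""
    scores = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        weight = event_weight(ev)
        if weight == 0:
            continue
        if has_active_precursor(ev["user"], ev["ts"], precursors):
            weight *= 2
        scores[ev["user"]] = scores.get(ev["user"], 0) + weight
    return scores


def users_for_enhanced_monitoring(scores, threshold=REVIEW_THRESHOLD):
    """Users whose combined score warrants a human review, sorted for stable output."""
    return sorted(user for user, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    totals = score_users(LOG_LINES, HR_PRECURSORS)
    for user, score in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{user:8} score={score}")
    print("recommend enhanced monitoring:", users_for_enhanced_monitoring(totals))
```

With the constructed data, a 700 MB USB copy by a user with no precursor scores 3 and stays below the threshold, while a 2 KB USB write plus a bulk export two days after a resignation notice scores 10: the rule surfaces the combination of HR context and data movement, not raw volume. Precursor-triggered monitoring of named individuals needs HR and legal sign-off before it is switched on, and the weights and window should be tuned against an organization's own false-positive tolerance rather than taken from this example.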
As incidents rise, security spending falls
Average security budgets decrease slightly, reversing a three-year trend
But company size matters
Top spending priorities
Declines in fundamental security practices
Security practices must keep pace with constantly evolving threats and security requirements, but many fundamentals remain to be adopted.
Does the Board care? Sometimes
Evolving from security to cyber risk management
Risk Issues Touch Every Aspect of the Business
76% of enterprises have someone in the CSO/CISO role
Risk issues, and the executives the slide places them beside:
• CMO: Intellectual Property & Brand Protection; Business/Competitive Intelligence
• HR: Investigations and Background Checks; Ethics
• Legal: Regulatory Compliance; Safety/OSHA
• COO: Physical Security; Business Continuity
• CFO: Fraud Prevention; Loss Prevention
• CIO: Infosecurity
• CPO: Privacy
Source: 2013 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2012
Pressing issues for CSOs
1. New technologies
2. Finding people
3. Partner security
4. Getting actionable intelligence from your security systems
5. External attacks
The emerging issues
1. Demands from the Board
2. New technologies
3. Shadow IT
4. Demand from business partners
5. Internal threats
Driving this is the 3rd Platform – The SMAC Stack
Social
Mobile
Analytics
Cloud
Source: IDC
3rd Platform – moving to Transformed Experiences
Copyright 2014 IDC
Disruptive Technologies Require Security…yet security is often an afterthought behind urgency to implement
Q. In your opinion, which of the following major trends will have the most profound effect on the role of the security professional in the future?
Source: State of the CSO Survey, CSO magazine, 2014
Technology-as-a-service (cloud): 27%
Increasingly mobile workforce: 24%
Bring Your Own Device (BYOD): 21%
Social media/Networking: 14%
Big data: 10%
None of the above: 5%
What do CSOs expect from vendors?
Importance of Vendor Attributes (rated on a 0–6 scale; the slide gives no numeric values):
• Vendor educates about where the market is going
• Vendor has good reference accounts
• Vendor understands my business
• Vendor is financially stable
• Solutions are scalable
• Products fill a need
• Vendor offers deep expertise in this area
Where security vendors fall down…
Products don’t live up to their marketing hype: 78%
Product implementation costs were significantly higher than expected: 70%
Licensing demands outstripped our resources (money or people): 39%
Vendor dropped support for the product we purchased: 26%
Other: 23%
Product actually exposed the business to additional vulnerabilities: 18%
Verbatims…
"fog of more" -- new tools and technology need to provide actionable results that scale within the organization
product manpower and training requirements were completely misrepresented.
Implementation not done efficiently
expertise in new environments (cloud) is advertised, but not there in the end.
Operational requirements were significantly higher than vendor represented
Implementation architecture is an issue
Too many cold calls and spam e-mails
Missed release dates
Support issues after purchase completed
Too long to implement given some complexity.
Too complex to absorb
Lack of trust in what they say they will deliver
Most vendors are moving to subscription model which is not scalable for most businesses. I believe this will actually hurt their business in the long run
Integration
inadequate in house or channel technical expertise
Product failed to work correctly in a complex environment
Incorrectly configured or deployed led to not realizing the full business value
Integration, data feed requirements & configuration complexity significantly under stated & estimated
Professional services are not able to execute as expected
Lack of unilateral integration and ability to utilize data from other technology.
demand outpaced vendor support capabilities, they just care to sell. No support.
Vendor acquired and expected support faltered
The 10 Cardinal Rules for Information Security Vendors
1. Understand what your solution does, how it works with everything else, and then sell the hell out of it
2. Understand what your solution does not do
3. Don’t ever over-hype what your product does – there is no magic bullet in security
4. Understand your product roadmap
5. Know your customer & what their unique challenges are
6. If you can’t explain what your solution does in 30 seconds, you have a problem
7. If you can’t explain what your solution does in three sentences on your website, you have a problem
8. Strike while the iron is hot
9. Sell high. They may kick you downstairs but you need leadership’s buy-in
10. Always be partnering with other solutions providers
The 11 Cardinal Rules for Information Security Marketers
1. Understand what your solution does, and what it does not do
2. Don’t ever over-hype what your solutions do – there is no magic bullet in security
3. Be crystal clear in your messaging
4. Buyers like snarky ads, but make sure there is substance
5. Security professionals are professional cynics and paranoids – back up your claims with proof
6. Engage with your target audience the way they want to be engaged - and on their schedule
7. Know your customers & what their unique challenges are
8. If you can’t explain what your solution does in 30 seconds, you have a problem
9. If you can’t explain what your solution does in three sentences on your website, you have a problem
10. Leverage what you hear in the media – breaches, etc.
11. Target your message to the audience you’re speaking to: for leadership, security is a business issue, not an IT issue – for technical staff, security is about integration
How long is the window of opportunity open? Home Depot learned that the hard way. Vendors need to move with urgency and purpose.
Bob Bragdon
VP/Publisher, CSO
IDG Enterprise
bbragdon@cxo.com
@Bob_Bragdon
www.CSOonline.com
(M) 508-250-6412
Questions?