Accenture-Global-Security-Research-2011

Technology

Traditional approaches to information security are no longer sufficient

Contents

Foreword 4

Part 1. The information security model needs urgent attention 6

Part 2. Detailed study findings 16

The threats to information 17

Companies’ security posture 19

Security strategy 20

Operational challenges in security 24

Enabling security technologies 27

The security talent question 30

Part 3. Study methodology and participant demographics 32

Foreword

In a speech at a conference on cyberwarfare, Army Gen. Keith Alexander, commander of the U.S. Cyber Command and director of the U.S. National Security Agency, expressed a sentiment that increasingly has become a chorus at enterprises all over the world. “What’s been going on over the last few years in the [digital] networks…is the greatest theft that we’ve seen in history,” he said. “What we’re losing in intellectual property is astounding. [The problem is] on a massive scale that affects every industry and every sector of the economy and government, and it’s one that we have to get out in front of.”1


Alexander went on to say that the threats will only get worse. He indicated there is growing evidence that the principal mission of cyber-attacks has moved beyond stealing sensitive and valuable information, or disrupting computer operations, to actually destroying large-scale systems and other physical equipment.

The general’s sobering remarks—which are echoed by executives not only in the United States, but around the world—are a reminder of the dangers cyber-threats pose to commercial and government organizations (and, by extension, society itself). And they are reinforced by the findings of a comprehensive Accenture research effort on the state of information security among global enterprises.

This report makes it clear that in the past five years, the security threats against enterprises’ critical digital assets have grown substantially—in number, scope, and sophistication. As many enterprises have discovered, countering these threats can be difficult, time consuming and expensive. But the fact the threats are growing is not the only cause for concern. There is also ample evidence the attacks are increasingly successful and can be extremely damaging to an enterprise’s finances and reputation, possibly threatening its very survival.

So what has gone wrong with information security? The study highlights many issues, but overall, suggests business leaders lack confidence in the effectiveness of security. They see the risks getting bigger and more likely to arise, yet are less certain the measures they have taken will work. They do not see a good plan in place to keep pace with the threats. And in some cases, they believe their security function is overwhelmed and falling further behind. The conclusion we have drawn from our findings: The current approach to information security management is insufficient to protect organizations. They place too much emphasis on compliance with government regulations and dated industry-mandated security standards, and fail to move past such basic building blocks to keep pace with evolving threats.

Our study also highlights the need to address several underlying problems. Organizations should change the basis of their perception and sponsorship of security. Security should not be left solely to the IT function, but rather, should be a board-level, mission-critical concern. Security standards and compliance requirements must change to keep pace with business innovations and the evolving sophistication and nature of threats. New, more effective security solutions must emerge, which in turn, will mandate new security skills. Security today has to be different from what it was in the past. It is not about constructing layers of imperfect controls to discourage casual access. It is about hardening assets from professional attack—something compliance standards and audits do not always address.

A final point about security involves money. Security is not a temporary requirement, like a one-off reaction to a major incident. Rather, it is a long-term investment that has become a corporate obligation to protect the enterprise’s reputation and intellectual property; mitigate and, if possible, avoid legal liability; and meet the expectations of customers, shareholders and regulators. It is the security managers’ responsibility to ensure their boards understand that information security is essential and requires a forward-looking approach, a reasonable level of funding, and a degree of freedom and power to take decisions. In short, to address the security threats of today, enterprises should build upon and move beyond business cases and compliance processes, and encourage innovation, personal judgment and empowerment among their security professionals.

As companies continue to innovate, others will seek to exploit the vulnerabilities those innovations create—and enterprises must prepare accordingly. Through our continuing research and client work, Accenture remains committed to helping organizations identify, develop and implement the practices and capabilities used to combat these threats as they continue on their journey to high performance.

Dr. Alastair MacWillson, Global Managing Director, Security Practice


Part 1. The information security model needs urgent attention

In the past five years, the threats against enterprises’ critical digital assets have grown substantially—in number, scope, and sophistication. In particular, malicious attacks by external perpetrators are on the rise. In 2008, only 12 percent of data breaches were caused by malicious attacks. That figure rose to 24 percent in 2009 and 31 percent in 2010.2 Some of the most recent high-profile events illustrate the magnitude of the problem companies face.

For example, Sony suffered a massive breach in its video game online network that led to the theft of personal data, including credit and debit card information belonging to more than 100 million user accounts. This could, in fact, be one of the most expensive breaches ever: Experts estimate the attack could cost Sony and credit card issuers $1 to $2 billion.3

Perhaps a more insidious breach was of Epsilon’s email database, which exposed personal information on consumers who shop with some of the 2,500 companies for which Epsilon conducts digital marketing campaigns. This theft could enable hackers to conduct ongoing phishing and other scams against millions of consumers of these well-known brands.4

Another high-profile incident involved EMC Corporation’s RSA business unit, in which an external party launched “an extremely sophisticated cyber attack”5 on RSA’s infrastructure, resulting in the theft of data relating to the company’s authentication products. The number of people who possibly could be affected by the theft is undetermined, but the product involved has been deployed to approximately 40 million hardware environments and 250 types of mobile devices.6

Even more damaging to companies are attacks on intellectual property (IP) and other confidential information that, if stolen, could jeopardize an organization’s competitive positioning and viability in its chosen markets. According to some estimates, the value of corporate and government information that has been stolen or lost tops $1 trillion.7 One company has lost “to adversaries” $1 billion worth of technology that took more than 20 years to develop.8 And the recently discovered five-year cyber attacks on a broad range of high-profile companies across industries, which resulted in the theft of valuable IP, served as yet another vivid warning to enterprises.9

But external parties are not the only threats companies must worry about. As a previous Accenture research study10 found, breaches are more likely to be caused by systems failure or employees—either accidentally or intentionally—than by someone from the outside. Wikileaks is by now a well-known example of such a malicious “inside job.” However, other cases of intentional disregard of corporate security policies by insiders are also common, such as employees stealing and selling information to competitors or laid-off workers downloading and taking sensitive data to new employers. And there are myriad cases in which sensitive enterprise data was compromised by employee neglect or lapses in judgment—for example, leaving a laptop unsecured in a public place, losing a jump drive, introducing malware or viruses into the corporate system by downloading infected files, or sharing information with unauthorized parties.

As many enterprises have discovered, combating these threats can be difficult. Not only is the data generated by companies multiplying rapidly, but the use of new technologies, such as cloud computing and mobile devices, can increase a company’s vulnerabilities. The perceived costs of implementing the necessary security measures and maintaining a secure infrastructure can be overwhelming.

In short, the threat companies face today is enormous. But failure to provide adequate protections against this threat could be disastrous to a business and its customers. Are companies up to the challenge?

Accenture, in collaboration with the Ponemon Institute, recently conducted a comprehensive global study to find out. The study was designed to determine the current state of information security strategy and posture (which we define as an enterprise’s ability to solve and resolve vulnerabilities) among mid and large-sized companies in 12 countries, and included a survey of 1,894 IT and non-IT practitioners around the world. Approximately half of participating respondents (48 percent) are at the director level or higher and 47 percent of represented organizations have global revenues in excess of $5 billion. (See section 3 for more details on participant demographics and research methodology.)

The study explored a number of topics, including:

• How perceptions of an organization’s information security posture differ between IT and non-IT executives

• The expansion of organizations’ IT function to solve issues affecting intellectual property, product development and the consumerization of IT

• How the IT security function and strategy have changed in the past 12 to 24 months

• How the threat landscape alters an organization’s approach to IT security

• How organizations are addressing the issue of complexity

• The most promising technologies to address security threats

Findings reveal the security model needs urgent attention

The results of our study paint a potentially troubling picture of the state of security among global enterprises. In fact, considering the findings of our study as a whole, we concluded that while companies are aware of the increasing threat to their digital assets, the current information security model in the vast majority of enterprises does not sufficiently protect sensitive information from existing and emerging threats. For the purposes of our study, “information security model” refers to the strategy, methods, approach, standards, processes and technology an enterprise uses to safeguard its digital assets. We found organizations’ approaches to security lacking in numerous critical respects across all of these areas. Our study provides ample supporting evidence:

Information security, in many organizations, is flying blind—with either no strategy, or with one that does not effectively defend the organization against possible threats

Twenty-nine percent of respondents said their process for establishing an information security strategy is haphazard. When asked how often they update their security strategy, 25 percent said they have no strategy, and 25 percent said they update the strategy every three years or less often than every three years (Figure 1). Furthermore, the effectiveness of the security strategy is not measured by 35 percent, and only informally measured by 39 percent.

Information security often is not integrated with IT operations and business strategy

Only 21 percent said their security operations are fully integrated with IT operations, while 45 percent said their security operations are not integrated (15 percent) or only partially integrated (30 percent) (Figure 2). This lack of integration may result in conflicting priorities for IT and IT security.

Information security strategies and business goals are often at odds

According to more than half (54 percent) of respondents, the organization’s security strategy is not aligned (29 percent) or only partially aligned (25 percent) with their overall business strategies. However, it is not clear how organizations determine alignment, because 35 percent said they do not measure alignment, while 32 percent said such measurement is not part of the organization’s strategic planning process. Perhaps such lack of alignment helps explain why 60 percent of respondents said security objectives hinder business objectives such as innovation, revenue generation and productivity frequently (46 percent) or all the time (14 percent). Only 17 percent said IT security is never a barrier to achieving business goals (Figure 3).

Figure 1. Frequency with which enterprises update their security strategy

More than three years: 11%
Every three years: 14%
Every two years: 16%
No set schedule (updates only as needed): 17%
Every year (annual): 17%
No strategy: 25%


Figure 2. Extent to which security operations are integrated with IT operations

Not integrated: 15%
Partially integrated: 30%
Mostly integrated: 34%
Fully integrated: 21%

Figure 3. Extent to which security objectives hinder business objectives

Never: 17%
Sometimes: 22%
Frequently: 46%
All the time: 14%

Figure 4. Ways in which enterprises measure the information security organization’s effectiveness

Not measured: 4%
Control self assessment: 7%
External audit: 17%
Internal audit: 20%
Key performance indicators (metrics): 21%
Informal procedures (gut check): 31%

Many organizations don’t understand their risk profile

Almost half (48 percent) approach determining their organization’s level of risk tolerance using informal or no analysis. Only 16 percent use formal analysis and assessment to determine their risk profile. This finding is consistent with the fact that almost one-third of respondents (31 percent) said they measure or assess the effectiveness of the security function by gut feel or informal procedures (Figure 4).

Preventing malicious or criminal attacks is not the top priority for the information security function

Despite well-publicized attacks targeting organizations’ confidential information, including intellectual property and trade secrets, the highest percentage of respondents (20 percent) said minimizing costs is the top priority, followed by compliance with internal policies and procedures. Only 16 percent said it is to prevent malicious or criminal attacks, and just 11 percent said it is to prevent employee mistakes.


Figure 5. Steps enterprises are taking to reduce security organization complexity

Engage consultants: 1%
Change leadership: 2%
Establish or enhance accountability: 3%
Establish or enhance governance practices: 8%
Combine physical, logical and virtual security functions: 10%
Nothing: 13%
Increase platform-based rather than point security solutions wherever feasible: 13%
Outsource (shed) IT security activities that are not considered essential: 20%
Reduce the number of IT security solution vendors: 31%

As the threat landscape continually evolves, companies find themselves overwhelmed by determining how to defend themselves

Eighty percent of respondents said their security function has become more complex in the past 12 to 24 months, primarily because of cloud computing, the use of mobile technologies and the consumerization of IT. To reduce complexity, 31 percent are reducing the number of IT security solution vendors, followed by outsourcing security activities that are not considered essential (20 percent). Thirteen percent are doing nothing to reduce complexity (Figure 5).

Many respondents said their organizations do not have the budget and the expertise to meet their IT security mission

Forty-four percent said their budget is inadequate and 42 percent said they do not have enough skilled staff to achieve their IT security objectives. Sixty-one percent said that their IT security budget is 10 percent or less of the overall IT budget. Furthermore, four in 10 respondents said their security function lacks sufficient skills or expertise to fulfill its mission.

An information security strategy based on compliance does not definitively improve a company’s information security posture

Thirty-six percent said compliance improves their organization’s security posture, and the same percentage said it diminishes it, because over-emphasis on compliance can lead to allocating resources to lower-priority security activities. Sixteen percent said compliance significantly improves their organization’s security posture and 8 percent said compliance significantly diminishes their organization’s security posture. Many organizations (61 percent) do not believe compliance with standards and regulations is sufficient to protect their organization.

New technologies are changing the threat landscape, but many companies are not actively addressing the impact

The most severe security threats facing organizations three years ago and today are the theft of information assets, followed by system downtime. However, 30 percent of respondents said there is little or no oversight or review by the security function to manage these changing threats. In response to new threats, 68 percent of respondents said their security strategy is shifting from more traditional perimeter security to more data-level or endpoint security and controls.

Some companies emerged as information security leaders

As the preceding discussion clearly illustrates, companies on average are struggling to put in place the right strategies and capabilities to protect their digital assets. Those struggles occur regardless of a company’s size, geographic location or industry.

However, further Accenture analysis has found that not all companies are experiencing the same level of difficulty. In fact, we identified 218 companies—12 percent of the overall survey sample—that appear to be doing a much better job than their peers in protecting critical enterprise information. We classified these companies as information security “leaders.”

What distinguishes leaders in security from other companies?

The key differentiating factor is that leaders employ a number of what Accenture has identified as industry-leading practices in information security. Using a set of key questions from our survey instrument, we created a diagnostic that would help us effectively evaluate the sophistication or strength of all participating companies’ information security capabilities. Among the important dimensions on which we rated companies were how companies determined their information security risk profile, how they measured the effectiveness of their security organization, whether their security organization had sufficient budget and talent to meet its objectives, how integrated their security organization is with the IT organization and the larger enterprise, and how frequently companies update their security strategy.

Using this diagnostic—which encompassed a company’s security posture, security strategy and proactivity of its security approach—we characterized as leaders companies that collectively:

• Have a superior information security posture. Leaders on average rated their security posture an 8.11 on a 10-point scale, with 10 denoting “highly effective.” In comparison, companies in our survey that weren’t leaders in security rated their posture a 4.99.

• Are far more likely to characterize their security posture as proactive and to say they are taking appropriate steps to improve their security posture.

• Align their security and business strategies. Leaders are more than twice as likely to say their security strategy is mostly or fully aligned with their overall business strategy. Just under two-thirds of non-leaders indicated only partial or no alignment.

• Use formal methods to assess or evaluate various aspects of their security posture, including their information security risk profile (non-leaders are more than twice as likely to use no analysis but, instead, go on instinct or “gut feel”) and the effectiveness of their security function (leaders are more likely to use either an internal or external audit to measure, while the rest are about twice as likely to use informal procedures).

• Devote sufficient resources to their security function. Leaders are twice as likely as the others to say they have adequate budget to achieve their security mission and objectives. However, that doesn’t necessarily mean they spend more on security. In fact, leaders are more likely than non-leaders to spend less on security as a percentage of their overall IT budget. But because they are more likely to structure the security function as either a cost or revenue center, they are better able to track how their security budget is spent and, subsequently, make sure they are allocating money intelligently and where it can have a positive return. Conversely, non-leaders are more apt to treat security as an overhead function, which makes it difficult for them to evaluate how effectively they are allocating that money. Leaders also overwhelmingly agree that their security function has the skills it needs to carry out its mission, while a majority of non-leaders—56 percent—said they do not.

• Coordinate their security operations with other areas of the business. Leaders are much more likely to say their security operations are mostly or fully integrated with their IT operations, and that they coordinate their security operations with other risk management functions outside of the IT organization. A majority (55 percent) of non-leaders said their security operations are only partially or not at all integrated with IT, and nearly two-thirds of non-leaders (63 percent) do not coordinate security with other risk management functions.

• Have an effective security strategy that they update frequently. Nearly nine in 10 leaders, versus just four in 10 non-leaders, said their current security strategy supports the mission and purpose of their security function. Furthermore, leaders are about twice as likely as non-leaders to update their security strategy at least every two years.


Perhaps these two characteristics help explain the fact that leaders were nearly twice as likely as non-leaders to rate their organization’s strategy for addressing security risks, threats and vulnerabilities as very good (i.e., 8.31 versus 4.97 on a 10-point scale, where 10=excellent).

Of course, building strong security capabilities is not the end goal. The true measure of leadership or effectiveness is whether those capabilities succeeded in keeping information safe. And on that count, the leaders in our study shone.

Overall, we found that leaders experienced not only a lower incidence of serious attacks on their digital infrastructure in the past year, but also a lower incidence of breaches in the same time period than other companies in our study.

For instance, 49 percent of leaders experienced only one serious attack in the past year, compared with 15 percent of all other companies in our study (Figure 6). Similarly, only 9 percent of leaders reported experiencing more than five serious attacks in the past year, compared with 32 percent of all other companies.

In terms of actual breaches, we observed a similar pattern (Figure 7). Sixty percent of leaders experienced only one data breach in the past two-year period, compared with 16 percent of other companies. Similarly, only 2 percent of leaders, versus 17 percent of other companies, had more than five data breaches in the past two years.

What these two findings show is that the use of security industry-leading practices strongly correlates with lower frequencies of attacks and breaches—and, thus, more effective protection of a company’s critical information assets.

Figure 6. Security leaders were less likely than other enterprises to have experienced serious attacks (number of serious attacks in the past year)

Only 1: Leaders 49%, Other companies 15%
2 to 3: Leaders 27%, Other companies 24%
4 to 5: Leaders 15%, Other companies 28%
More than 5: Leaders 9%, Other companies 32%

Figure 7. Security leaders were much less likely than other companies to have experienced breaches (number of data breaches in the past two years)

Only 1: Leaders 60%, Other companies 16%
2 to 3: Leaders 24%, Other companies 34%
4 to 5: Leaders 14%, Other companies 34%
More than 5: Leaders 2%, Other companies 17%

Five principles for achieving high performance in security

Based on our study findings—and particularly on what security leaders are doing—we have identified five key principles that can help companies achieve high performance in information security.

Principle 1: Security is not an IT issue, but an organization-wide concern

While an enterprise’s Chief Information Security Officer (CISO) is technically responsible for information security, safeguarding critical and sensitive information is, in reality, the job of everyone, and it should be one of the top three or four business issues an enterprise deals with on a daily basis. As noted in a recent Wall Street Journal report, “Employees have more opportunities than ever to compromise company information…clicking on emails from hackers that download viruses, letting them bypass corporate firewalls[,]…circumventing company tech-support rules and doing work with personal gadgets and consumer-grade online services like Web email and cloud storage services.”11 To make awareness of and appreciation for information security a key element of an enterprise’s business agenda and corporate culture—and to mitigate the chances the aforementioned transgressions can occur—the right stakeholders must be actively engaged.

Those stakeholders include board members, C-level executives and heads of key corporate functions (including IT and risk management) who actively spread the word among employees that maintaining vigilance in keeping the enterprise’s infrastructure and information safe is absolutely critical.

Principle 2: A formal security strategy, tightly aligned with the overall business strategy and updated regularly, is the foundation of a strong security posture

As our study found, nearly half of participating companies said their security strategy does not support the organization’s strategy, and many companies struggle to tie their security strategy to what the business is trying to accomplish. This is a major reason that business innovations typically outpace a company’s ability to mitigate the security risks those innovations introduce. Even worse, by updating their security strategy only every few years, companies fall further behind the hackers and criminals whose own capabilities are evolving at a much faster pace. The fact is that a security strategy can become outdated rapidly, so regular review and refinement is critical. When developing a security strategy, companies should be sure it provides the appropriate level of security for the business—striking a balance between maintaining adequate controls and providing the access to information employees need to drive the business forward.

Principle 3: The primary focus of the security organization should not be meeting compliance obligations

Although complying with relevant industry and governmental regulations is important, our study and related Accenture experience have found that compliance alone does not equal protection. The reason is that the security standards with which organizations are expected to comply have not kept pace with the evolution of business practices and innovations, nor with the advancements made by hackers and other such parties. In other words, compliance is only the most fundamental level of security, and enterprises that stop with compliance are still dangerously exposed. While a company must remain compliant at all times with regulatory or industry standards, the security organization’s goal should be to protect the enterprise’s infrastructure, information, and ability to effectively conduct business in the face of increasingly sophisticated threats.


Principle 4: Effective security requires sufficient resources

According to our study, many companies are not comfortable with the effectiveness of their security environment. In fact, 37 percent of executives rated the effectiveness of their security posture as a 4 or lower on a 10-point scale, where 10=highly effective—meaning in nearly four in 10 companies, security posture effectiveness is perceived as worse than average. Our study also found companies have difficulty attracting and retaining the skills that are critical to effective security, largely because the demand for those skills far outstrips the current supply. To meet their security objectives, especially given the ongoing evolution of security threats, companies must invest appropriately to shore up these critical areas of the security organization—as the security leaders in our study do. Leaders are twice as likely as non-leaders to say they have adequate budget to achieve their security mission and objectives, which helps explain why leaders also overwhelmingly agree their security function has the skills it needs to carry out its mission (compared with a majority of non-leaders that said they do not). If they do not have the resources to build all the necessary capabilities in house, companies should consider selectively using third parties to “fill in the gaps.”

Principle 5: The best defense is a good offense

Given how quickly businesses innovate and security threats evolve, companies cannot afford to be passive. For instance, 81 percent of companies in our study said they do not address potential security threats resulting from IT innovation before such innovations are deployed, which can be a recipe for disaster. More than ever, companies must be proactive when it comes to security, and that means building on and moving beyond reliance on compliance with outdated standards and more traditional approaches to security. It means developing the ability to deliver the right insights to the right people to make the right decisions about possible threats before the threats become reality and inflict damage.

One of the keys to being proactive is devising and using formal methods and metrics to continually assess—and improve, when necessary—the security organization’s performance and the enterprise’s overall security posture. Another key, as mentioned earlier, is to regularly review and update one’s security strategy to ensure it is relevant and appropriate, and that it accurately reflects the company’s mission and the markets in which the company operates.

When it comes to information security in the next several years, we can be reasonably sure two things will be true: companies will continue to innovate as they seek to stay one step ahead of competitors and satisfy the growing needs of their customers with new, compelling offers and experiences; and hackers, criminals and thieves will continue to identify the vulnerabilities these business innovations create and try to exploit them with more pervasive and sophisticated attacks.

The threats to information are massive and growing exponentially every year, and represent a very real challenge to an enterprise’s growth and viability. Both business and security leaders must recognize this and take the steps necessary to significantly strengthen their security posture and, thus, restore their confidence in their enterprise’s ability to keep their most vital information safe from harm.

There is no question that the cost of committing to information security in the right way can be substantial. However, the cost of not doing so can be even more significant if critical information is compromised, stolen or otherwise misappropriated to cause harm to the enterprise.

In the remainder of this report, we discuss our study’s findings in greater detail—exploring threats companies are experiencing and how they are responding; the state of companies’ security posture; and the strategic, operational, technological and talent aspects of security.

Part 2. Detailed study findings

The threats to information

For virtually every company, information security has become an increasingly significant concern. A cursory glance at the daily news is likely to reveal a new incident in which an enterprise has experienced some sort of concerted attack on its digital assets or an actual breach of its infrastructure. The reality is that enterprises of all types must be ever-more vigilant in building and maintaining effective defenses against such invasions—as our study clearly has found.

When asked to indicate the most severe security threats their company faces today, study participants were most likely to cite theft of information assets, followed by system downtime, attacks against critical infrastructure and compliance infractions (Figure 8). Furthermore, 93 percent of executives in our study indicated their organization has experienced a cyber attack in the past two years. Such attacks were about equally likely to have involved a virus or malware, a malicious insider, a Web-based attack, malicious code, phishing, social engineering or denial of service.

Enterprises face a wide range of security threats today that have resulted in actual breaches in an overwhelming majority of companies. A variety of IT innovations have helped increase the prevalence of such threats.

Figure 8. Most severe security threats to enterprises

Theft of information assets: 38%
System downtime (shutdown): 30%
Attacks against critical infrastructure: 18%
Compliance infractions: 14%

Figure 9. IT innovations seen as increasing security threats

Cloud computing: 7.79
Mobile devices (smartphones): 7.53
Social media: 7.22
Virtualization: 5.29

Average rating on scale: 1=Has not changed security threat; 10=Has very significantly changed security threat

Figure 10. Obstacles preventing enterprises from taking steps to improve their security posture

Insufficient resources: 12%
Lack of clear leadership: 5%
Not a priority issue: 5%
Lack of in-house expertise: 4%
Turf issues with other functions: 3%
Other: 2%

Even worse, the vast majority of companies represented in our study (82 percent) have not only experienced threats and attacks, but also have had actual breaches. Just about one-third said these breaches were a result of a malicious criminal attack (34 percent) or negligence by an insider (33 percent). Sixteen percent reported their breaches stemmed from a system or business process glitch.

The attacks and breaches companies have experienced are not coincidental. In fact, many executives in our study believe IT innovations such as cloud computing, mobile devices and social media—and, to a lesser extent, virtualization—have increased the prevalence of security threats (Figure 9).

The preceding findings are sobering and reinforce a common refrain being heard across security and IT organizations everywhere: from an information security standpoint, the world has become a much more dangerous place, and enterprises must continually monitor potential threats and minimize or eliminate shortcomings in infrastructure, tools, processes or policies that can make their information more vulnerable to attack and compromise.

Companies’ security posture

Executives do not view their company’s information security posture as effective in mitigating risk, vulnerabilities and attacks. This could, in part, stem from the fact that a “reactive” mentality toward security, as well as obstacles such as lack of resources and security expertise, prevent companies from determining what their information risk profile should be and from taking proactive measures to improve their overall security posture.

Although executives appear to understand that cloud computing, mobile devices and social media are making their information more vulnerable, many companies seem to lack a proactive approach to managing the threats that emerge from these innovations. A majority of respondents said they conduct either an informal (28 percent) or formal (23 percent) review or assessment by IT security professionals only after innovations are deployed. Even more troubling is the fact that 30 percent of respondents said their company’s IT security function has little to no oversight or review of the potential threats these IT innovations pose to the enterprise. Only 19 percent said their IT security organization is engaged, either indirectly (11 percent) or directly (7 percent), on the issue before the innovations are deployed.

Further evidence that most companies are not being as proactive as they should be regarding security is this: On average, executives in our study described their security posture as neither proactive nor reactive—a 5.53 rating on a 10-point scale, where 1=reactive and 10=proactive.

One important—and troubling—outcome of companies’ lack of proactivity is a security posture that is only moderately effective at mitigating risks, vulnerabilities and attacks across the enterprise. Indeed, when asked to describe their security posture’s effectiveness, executives globally gave an average rating of just 5.8 on a 10-point scale, where 1=not at all effective and 10=highly effective.

Companies also appear to be struggling with the issue of compliance and its impact on their security posture. Just over half of participating executives believe compliance with generally accepted security standards and regulations improves (36 percent) or significantly improves (16 percent) their organization’s security posture. Conversely, four in 10 respondents believe compliance diminishes (36 percent) or significantly diminishes (8 percent) their posture. Four percent said compliance has no effect.

The good news is that 71 percent of executives said their companies are taking appropriate steps to improve their information security posture. Those whose companies are not said they are limited by a number of obstacles, the most prevalent of which is a lack of resources (Figure 10). Less-common obstacles include lack of clear leadership, lack of priority in the business, and lack of in-house expertise.

As the preceding data show, many companies—while understanding the threats—are substantially and, perhaps, dangerously unprepared to address them.

Security strategy

Companies’ security challenges often begin at the highest level: Executives said they have difficulty understanding what the mission, priorities and strategy of the security organization should be. In many companies participating in our study, security strategy is not seen as especially effective or aligned with the business, is developed in a haphazard fashion, and is not updated frequently enough.

While companies’ largely reactive approach to security has compromised their information security posture, it is not the only factor. Challenges related to security strategy, and how that strategy relates to the enterprise at large, also appear to impede companies’ ability to forge a strong security posture.

For instance, executives participating in our study did not achieve consensus on the basic purpose of their information security function. The majority described this function’s mission as mitigating cyber-attacks, threats and vulnerabilities, or ensuring compliance with high standards and policies (Figure 11). Less-prevalent missions include preventing information loss or theft, limiting system downtime, securing the critical infrastructure, and educating and raising awareness of security throughout the organization.

Companies also appear uncertain of what the priorities of their information security function should be, and were most likely to focus on the cost of security rather than on keeping information safe. Other less-prevalent priorities were compliance with internal policies and procedures, preventing malicious or criminal attacks, limiting system downtime, compliance with laws and regulations, and reducing the likelihood of employee mistakes or negligence (Figure 12). Perhaps the focus on cost rather than positive outcomes is due to the fact that in a plurality of companies (31 percent), the head of corporate IT (for instance, the CIO or CTO) sets the priorities for the security function, while in only 15 percent of companies, priorities are set at the top of the organization—the CEO or executive committee (7 percent) or the board of directors (8 percent).

When it comes to the actual security strategies their companies employ, many executives in our study believe their companies could do better. For instance, just under half of executives surveyed (47 percent) do not believe their current security strategy supports the mission and purpose of the security function, and executives globally gave their organization’s security strategy an average rating of just 5.85 (on a 10-point scale in which 10 equals excellent) on its ability to address security risks, threats and vulnerabilities. Why the lack of perceived effectiveness? One reason could be that in nearly 30 percent of participating companies, the approach to security strategy development is described as haphazard. Another possible reason is that many security strategies could be out of date: Only 17 percent of companies update their security strategy on an annual basis, with the remainder updating far less frequently (Figure 13).

Figure 11. Primary mission of enterprises’ information security function

Minimize cyber attacks, threats and vulnerabilities: 32%
Ensure compliance with high standards and policies: 28%
Prevent information loss or theft: 14%
Limit system downtime: 13%
Secure the critical infrastructure: 8%
Educate and raise awareness throughout the organization: 5%

Figure 12. Priorities of enterprises’ information security function

Minimizing costs: 20%
Compliance with internal policies and procedures: 18%
Preventing malicious or criminal attacks: 16%
Compliance with laws and regulations: 14%
Limiting system downtime: 14%
Preventing employee mistakes (negligence): 11%
Maximizing return on investment: 6%
Other: 1%

Figure 13. Frequency with which enterprises update their security strategy

No strategy: 25%
Every year (annual): 17%
No set schedule (updates only as needed): 17%
Every two years: 16%
Every three years: 14%
More than three years: 11%

Most executives also indicated their security strategy lacked sufficient alignment with their enterprise’s overall business strategy—whether alignment was only partial or non-existent (Figure 14). Only one-fourth reported full alignment and 23 percent indicated partial alignment. Perhaps part of the reason why such alignment is lacking in so many companies is that a large majority of companies measure alignment through an informal process only (32 percent) or do not measure alignment at all (35 percent). Just 32 percent of companies indicated they have a formal process for measuring alignment, and that that process is part of the organization’s larger strategic planning process.

Lack of alignment between security and business strategies is not simply an academic problem. To the contrary, it can have tangible business implications that include security measures that constrain the business—which appears to be the case with many of our study participants. Sixty percent indicated their IT security objectives hinder business objectives such as innovation, revenue generation and productivity either frequently (46 percent) or all the time (14 percent).

With companies experiencing so many challenges in laying the basic groundwork for security, it is little wonder so many executives believe their overall security posture is less than effective. And these strategy shortcomings, as we discuss in the following sections, have a trickle-down effect on companies’ security operations, technologies and talent.

Figure 14. Extent to which enterprises’ security strategy is aligned with the overall business strategy

Not aligned: 29%
Partially aligned: 25%
Fully aligned: 24%
Mostly aligned: 23%

Operational challenges in security

Companies’ security challenges extend to their operations, as many enterprises do not formally evaluate their security function’s performance, adequately fund the security function, or link their security operations with other areas of the business.

While having an effective security strategy is critical to setting the tone and tenor of a company’s approach to security, security operations is really where an enterprise faces the moment of truth: Can an organization effectively defend itself against an attack or will its vulnerabilities be exploited? According to our research, many companies’ security operations appear to not be up to the challenge.

Executives acknowledged that their security functions face a number of serious operational challenges that could impede their ability to create a stronger security posture. For instance, most companies do not employ formal metrics to help them evaluate the function’s performance (Figure 15). Just 21 percent of executives said they use key performance indicators to assess their security function’s effectiveness, while 31 percent said they use informal procedures and 4 percent said they do not measure effectiveness at all.

Similarly, most companies are not as rigorous as they should be about determining their risk profile (Figure 16). Only 16 percent of executives said they conduct a formal analysis and assessment to determine their company’s information risk profile or tolerance level, while 32 percent conduct only informal analysis and 36 percent do no analysis whatsoever, relying instead on “gut feel.”

Money is also an obstacle to better security, at least in the minds of participants. In fact, 44 percent of executives indicated their budget is not adequate for their security organization to achieve its mission, thus putting companies in a potentially vulnerable position when it comes to security. In more than 60 percent of companies, the security budget represented either less than 5 percent (35 percent) or between 6 percent and 10 percent (26 percent) of their total IT budget. Perhaps one of the reasons executives believe their security organization is not adequately funded is because in nearly six in 10 companies the function is viewed as pure overhead—i.e., there is no allocation of costs or service billings to other areas of the business. This can make it difficult for security professionals to adequately track how security investments are being used and how those investments perform.

Figure 15. Ways in which enterprises measure the information security organization’s effectiveness

Informal procedures (gut check): 31%
Key performance indicators (metrics): 21%
Internal audit: 20%
External audit: 17%
Control self-assessment: 7%
Not measured: 4%

Figure 16. Ways in which enterprises determine their risk profile

No analysis (gut feel): 36%
Informal analysis and assessment: 32%
Formal analysis and assessment: 16%
Other: 16%

Figure 17. Factors driving increased complexity of the security organization

Expansive use of mobile technologies: 21%
Expansive use of cloud computing resources: 19%
Consumerization of IT: 14%
Change in the nature or scope of cyber attacks: 11%
Change in the nature or scope of vulnerabilities and threats: 10%
Emerging regulations and compliance requirements: 8%
Expansive use of virtualization technologies: 6%
Change in leadership: 3%
Structural changes to the organization: 3%
Availability of enabling security technologies: 3%
Availability of resources and staffing: 2%

Complexity is a challenge as well. A large majority—80 percent—of executives acknowledged that their security function has become more complex in the past 24 months. The largest percentage of executives said this increased complexity was due to the more expansive use of mobile technologies or cloud computing, followed by the consumerization of IT, a change in the nature or scope of cyber attacks, and a change in the nature or scope of vulnerabilities and threats (Figure 17).

In addition to becoming more complex, companies’ security functions face the challenge of forging tighter linkages with the rest of the business—and are struggling in that regard. Fifty-three percent of participants reported their security operations are not integrated with other risk management functions outside of the IT organization, and only 21 percent said their security operations are fully integrated with their IT operations.

Companies are responding to these challenges in a variety of ways. When asked which changes they had made to their security function in the past two years, the largest percentage of executives, 33 percent, said they had altered the priorities of the function’s leadership, while three in 10 indicated they had changed the enabling technologies that the function uses. In 15 percent of the companies, changes centered on either an increase or decrease in the function’s staffing, while in 11 percent of companies, there were changes to either the function’s reporting structure or available resources.

The driving forces behind these changes were manifold (Figure 18). The majority of companies cited three factors: the nature of threats and vulnerabilities, improvements in technologies, or initiatives mandated in their industry. About one in 10 executives said they made these changes because of either actual cyber attacks their company experienced or legal and compliance requirements.

Figure 18. Factors driving enterprises to make changes to their security organization

Nature of threats and vulnerabilities: 27%
Improvements in technologies: 21%
Industry-mandated initiatives: 20%
Actual cyber attacks experienced: 11%
Legal and compliance requirements: 10%
Change in leadership priorities: 5%
Improvements in financial climate: 4%
Organizational restructuring: 2%

Figure 20. Most promising security technologies

Technologies that monitor internal attacks and fraud: 24%
Technologies that provide intelligence about networks and traffic: 21%
Technologies that simplify the reporting of threats (including APTs): 16%
Technologies that mitigate insider threats (including negligence): 14%
Technologies that secure endpoints including mobile-connected devices: 13%
Technologies that secure the perimeter: 9%
Technologies that secure information assets: 5%

We also found that most companies are changing the overall focus of their security efforts. Sixty-eight percent of executives said they are shifting attention away from traditional perimeter security in favor of data-level or endpoint security and controls, and 73 percent indicated their security function is moving outside of traditional IT to solve issues affecting intellectual property, product development and the consumerization of IT to respond to a changing risk landscape.

To combat complexity, the largest percentage of companies are either reducing the number of IT security solution vendors they use or outsourcing IT security activities they do not consider essential or core to their business (Figure 19). A smaller percentage are increasing the use of platform-based rather than point security solutions wherever feasible or doing nothing at all to reduce complexity.

Outsourcing, in fact, is popular among some companies, and not just as a solution to increasing complexity. According to our study, 42 percent of companies use outsourcing or managed services as part of their IT security strategy, and a large majority of these companies (72 percent) do not believe the use of third parties puts their organization at any greater risk. Those that do perceive increased potential risk cited a number of ways to mitigate that risk, including getting proof from vendors that they comply with security standards (33 percent), creating legal agreements with indemnification by the vendor (33 percent), or conducting a thorough vetting of the vendors (20 percent). A small percentage of companies indicated they do random independent testing of managed security solutions (9 percent) or conduct audits or assessments of vendors (5 percent).

From an operational standpoint, our study reveals a number of troubling challenges—from the basic (limited to no metrics to gauge the security function’s performance) to the more advanced (achieving tighter linkage between the security function and other areas of the business). Companies will need to address these problem spots, and do so quickly, to mitigate vulnerabilities that others are eager to exploit.

Figure 19. Steps enterprises are taking to reduce security organization complexity

Reduce the number of IT security solution vendors: 31%
Outsource (shed) IT security activities that are not considered essential: 20%
Increase platform-based rather than point security solutions wherever feasible: 13%
Nothing: 13%
Combine physical, logical and virtual security functions: 10%
Establish or enhance governance practices: 8%
Establish or enhance accountability: 3%
Change leadership: 2%
Engage consultants: 1%

Enabling security technologies

Executives in general viewed most security technologies as no more than moderately effective, and only a small percentage of executives considered their company to be an industry leader in terms of the use of IT security technologies.

When people think of information security, they generally focus on security technologies. And for good reason. While processes, practices, policies and people contribute heavily to a company’s security posture, security technologies provide the first level of defense against attacks, system glitches and other disruptions that can compromise the safety of a company’s information.

For a plurality of executives in our study, technologies that monitor internal attacks and fraud and those that provide intelligence about networks and traffic were seen as the most promising security technologies (Figure 20). Other promising technologies include those that simplify the reporting of threats (including APTs), mitigate insider threats, and secure endpoints (including mobile-connected devices).

In terms of specific tools, respondents reported using a wide range of technologies to help secure and protect information. However, based on executives’ input, these technologies appear to have varying degrees of effectiveness (Figure 21). The technologies rated most effective on average by executives are security information and event management, network/traffic intelligence, anti-virus/anti-malware, and endpoint security.

Figure 21. Overall effectiveness of security technologies

SIEM: 7.40
Network/traffic intelligence: 7.31
Anti-virus/anti-malware: 6.97
Endpoint security: 6.87
Encryption, data in motion: 6.49
Web application firewalls: 6.41
Mobile device security: 6.40
Data loss prevention: 6.36
Anti-theft technologies: 6.14
Other crypto technologies: 6.03
Firewalls: 5.92
Encryption, data at rest: 5.90
Access governance: 5.45
Identity and access management: 5.44
Virtual private network: 4.96
Intrusion detection and prevention: 4.10
ID credentialing: 3.55

Average rating on scale: 1=Not at all effective; 10=Completely effective

Figure 22. Factors influencing decision to purchase security technologies

Cost relative to competitive solutions: 24%
Best of breed: 19%
Compliance requirement: 16%
Simplification: 15%
Potential time saving (productivity): 10%
Security risk level or need: 10%
Post mortem (recent incident or attack): 7%

Figure 23. How participants describe their companies in the use of security technologies

Fast follower: 40%
Follower: 28%
Leader: 17%
Laggard: 14%

At the opposite end of the spectrum were virtual private networks, intrusion detection and prevention, and ID credentialing, which were viewed as least effective by executives overall. A large number of tools were seen as being moderately effective in mitigating or reducing security risks.

One would presume that the effectiveness of a particular security technology would be the most important factor influencing a company’s investment in it. But according to executives in our study, the cost of the technology compared with competitive solutions, not the efficacy of the tool, drove the purchase decision (Figure 22). Comparatively less-prevalent factors influencing solution purchase decisions were a “best of breed” approach, compliance requirements, the solution’s potential to increase the security organization’s productivity, and the enterprise’s security risk level or need.

As might be expected, a relatively small percentage (17 percent) of companies see themselves as being at the leading edge in their adoption of security technologies (Figure 23). However, 40 percent believe they are fast followers, while about three in 10 think they are followers. Fourteen percent consider themselves laggards.

When deciding how to invest their scarce resources in security technologies, companies understandably must be concerned with the cost of the solution. However, there is little point in opting for the low-cost solution if it is only moderately effective in meeting an enterprise’s security needs. The risk is too great and the potential consequences are too significant for an organization to compromise on this key element of its security posture.

The security talent question

Compounding the strategic, operational, and technological challenges companies face, enterprises also reported shortcomings in how their security leaders are evaluated and the skill sets they have in their security function.

Like most aspects of a company’s business, people are the key to information security. They are the ones who set the strategy, develop the appropriate processes and capabilities, and ensure that the enterprise’s security operations are in place and running effectively. Yet in too many companies, key security skills and talent practices are lacking—both at the leadership level as well as among those who do the daily work of keeping the enterprise’s information safe.

For example, just as companies generally do not have formal metrics for assessing the performance of their security organization, most lack formal objectives against which CISOs and other security leaders are evaluated (Figure 24). In fact, only 20 percent of executives said they measured their CISO on the achievement of formal objectives. The largest percentage of companies (30 percent) evaluate security leaders via observation and feedback from other C-level executives, while 14 percent use a 360-degree performance appraisal.

Twelve percent of companies measure security leaders on how well they manage the security budget and discretionary costs, while 10 percent judge leaders’ performance on whether they have been able to prevent attacks against corporate systems and data loss. And while security leaders are responsible for protecting information assets, their power apparently only extends so far. A majority of executives (62 percent) said their IT security leader does not have the authority to deny the use of an IT innovation if it poses a risk to the larger enterprise.

Figure 24. How enterprises evaluate the performance of their security leaders

Observation and feedback by C-level executive: 30%
Achievement of specific formal objectives: 20%
360-degree performance appraisal: 14%
Management of budget and discretionary costs: 12%
Prevention of attacks against systems and data loss: 10%
Achievement of informal objectives: 7%
Observation and feedback by board of directors: 5%
Other: 1%

Figure 25. Security skills in demand among participating enterprises

Security architect: 25%
Project manager: 18%
White hat/penetration testing skills: 13%
Intel experience: 12%
Knowledge about IT infrastructure: 11%
Auditing experience: 7%
Compliance knowledge: 6%
Network manager: 4%
Law enforcement experience: 3%
Quality assurance: 1%

Figure 26. Security certifications valued by participating enterprises

CISA: 24%
CISSP: 24%
CPA: 13%
CISM: 11%
CIW Security Analyst: 6%
CPP: 6%
CIPP: 3%
CWP Security Specialist: 2%
GIAC Security Essentials Certification (SANS): 2%
SCNA: 2%
SCNP: 2%
SSCP: 2%
CFE: 1%
GIAC Security Engineer (GSE): 1%

In addition to robust leadership, having the right talent in a security organization is a major factor in a company’s ability to effectively secure its information assets. Yet 42 percent of executives participating in our study said their security function does not have sufficient staff skill or expertise to meet its objectives. The most in-demand skills are security architect, project manager, white hat/penetration testing, Intel experience and IT infrastructure knowledge (Figure 25). Companies also appear to value IT security certifications, with CISA and CISSP being deemed the most important by executives, followed by CPA and CISM certifications (Figure 26).

Going forward, enterprises will need to address security talent issues in general, and the skills challenge in particular, if they hope to continue to develop and implement security capabilities that can stand up to the increasingly sophisticated and prevalent threats their companies face. And this will be no easy task, as a number of recent studies have shown that talented security professionals have become quite scarce,12 and those who are available are priced out of many companies’ budgets (as some professionals are commanding a 20 percent premium13). Thus, for many organizations, developing the skills of employees already in house through comprehensive training programs, or taking greater advantage of outsourcing, may be the best options.

Part 3. Study methodology and participant demographics

The Accenture 2011 Global Information Security Study was conducted in collaboration with the Ponemon Institute. The study involved diagnostic interviews with senior-level IT and non-IT executives that typically lasted one hour, conducted between January and July 2011.

Organizationally, companies represented in our study spanned five high-level industry segments—products, financial services, health and public service, communications, media and technology, and resources (Figure 27)—and 12 countries (Figure 28). The largest percentage of companies generated revenues of more than US $5 billion (Figure 29) and had more than 25,000 employees (Figure 30).

Of the 1,894 professionals participating in the study, 53 percent were IT practitioners and 47 percent were from non-IT disciplines. Approximately half (48 percent) of all participants were at the director level or higher, with the remainder being managers or supervisors (Figure 31).

Figure 27. Industry segments represented in the study (categories: Products; Financial Services; Health and Public Service; Communications, Media and Technology; Resources; chart values as extracted: 28%, 25%, 22%, 13%, 12%; the assignment of values to categories is not recoverable from the extracted text)

Figure 28. Countries represented in the study (countries: United States, United Kingdom, Canada, Australia, Japan, China, Italy, Germany, Spain, France, Brazil, Argentina; chart values as extracted: 20%, 11%, 7%, 6%, 8%, 6%, 5%, 13%, 5%, 6%, 8%, 5%; the assignment of values to countries is not recoverable from the extracted text)

Figure 29. Annual revenue of companies represented in the study (categories: < $1 billion; $1 to $5 billion; > $5 billion; chart values as extracted: 24%, 30%, 47%; the assignment of values to categories is not recoverable from the extracted text)

Figure 30. Number of employees at companies represented in the study (categories: < 1,000; 1,001 to 5,000; 5,001 to 10,000; 10,001 to 25,000; 25,001 to 75,000; > 75,000; chart values as extracted: 5%, 12%, 22%, 20%, 27%, 14%; the assignment of values to categories is not recoverable from the extracted text)

Figure 31. Level of professionals participating in the study (categories: Executive; Vice president; Director; Manager; Supervisor; Other; chart values as extracted: 4%, 9%, 35%, 27%, 18%, 6%; the assignment of values to categories is not recoverable from the extracted text)


Notes

1. http://p.washingtontimes.com/news/2011/sep/13/computer-based-attacks-emerge-as-threat-of-future-/?page=all

2. Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach

3. http://www.csmonitor.com/Business/2011/0503/Sony-data-breach-could-be-most-expensive-ever

4. http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century

5. http://www.rsa.com/node.aspx?id=3872

6. http://news.cnet.com/8301-27080_3-20044775-245.html

7. http://p.washingtontimes.com/news/2011/sep/13/computer-based-attacks-emerge-as-threat-of-future-/?page=all

8. http://p.washingtontimes.com/news/2011/sep/13/computer-based-attacks-emerge-as-threat-of-future-/?page=all

9. http://www.bbc.co.uk/news/technology-14387559

10. "How Global Organizations Approach the Challenge of Protecting Personal Data," Accenture research report, https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf

11. http://online.wsj.com/article/SB10001424053111904836104576556421692299218.html?mod=ITP_thejournalreport_0

12. http://www.informationweek.com/news/government/security/223101596; http://www.globalknowledge.com/training/generic.asp?pageid=2118&country=United+States; http://www.securitymanagement.com/news/study-highlights-it-security-skills-gap-008233?page=0%2C1

13. http://www.eweek.com/c/a/IT-Management/Security-Skills-Are-Sizzling-681219/


ACC11-1575/7-2367

About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with approximately 236,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$25.5 billion for the fiscal year ended Aug. 31, 2011. Its home page is www.accenture.com.

Contact us

Alastair MacWillson, Global Managing Director, Security, +44 20 7844 6131, [email protected]

Bill Phelps, North America Security Lead, +1 703 947 2586, [email protected]

Floris van den Dool, EALA Security Lead, +31 20 4938058, [email protected]

Paul O'Rourke, APAC Security Lead, +61 3 98387488, [email protected]

About Ponemon Institute LLC

Ponemon Institute conducts independent research on consumer trust, privacy, data protection and emerging data-security technologies. Their goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

As a member of the Council of American Survey Research Organizations (CASRO), Ponemon Institute upholds strict data confidentiality, privacy and ethical research standards. They do not collect any personally identifiable information from individuals or company identifiable information in their business research. Furthermore, they have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. For more information, visit www.ponemon.org.

Copyright © 2011 Accenture All rights reserved.

Accenture, its Signature, and High Performance Delivered are trademarks of Accenture.