Closing the Cloud Security Business Gap

Ponemon Institute© Research Report

Sponsored by Salesforce
Independently conducted by Ponemon Institute LLC
Publication Date: January 2018


Part 1. Introduction

The use of software as a service (SaaS) and platform as a service (PaaS) to meet IT and data processing objectives is expected to accelerate dramatically over the next two years, but will the necessary security safeguards be in place to prevent a data breach? According to the study, sponsored by Salesforce and conducted by Ponemon Institute, many companies suffer from a lack of alignment between the IT security function and the lines of business, which may prevent them from having a cohesive strategy for security in the cloud. This may have a negative impact on a company’s ability to allocate the resources necessary to secure sensitive and confidential data in the cloud. Part 3 of this report analyzes the most significant differences between these two groups.

This research study examines the expert perceptions about the state of cloud security for a sample of 1,670 information security practitioners who are familiar with their organization’s approach to cloud security and have responsibility for directing cloud security control activities. Also surveyed are 1,122 non-IT business leaders. The study was conducted in North America (Canada and U.S. combined), the UK, France, Germany and the Netherlands.

Approximately half of IT security respondents (49 percent) say their organizations’ cloud services provide a more secure data processing environment than on-premises computing. However, the importance of SaaS and PaaS seems to outweigh security concerns. As shown in Figure 1, 67 percent and 63 percent of IT security respondents say SaaS and PaaS, respectively, will be essential or very important to meeting IT and data processing objectives in the next two years, a significant increase from today (46 percent and 32 percent, respectively).

Figure 1. The importance of SaaS & PaaS in meeting IT & data processing objectives (Essential and Very important responses combined)

Based on the findings, following are eight recommendations on how to close the cloud security business gap to prevent or mitigate threats to sensitive data in the cloud.

1. The priority of cloud security should match the growing importance and use of SaaS and PaaS. Eighty percent of IT security respondents say lines of business are not concerned about the security of cloud resources and 62 percent say IT leaders are not concerned about cloud security.

2. Organizations need to have 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud. Seventy-seven percent of respondents say their organizations do not have such visibility and 59 percent of respondents say such visibility is an important feature from a cloud provider.

3. Organizations need to have clear accountability and centralized control to ensure the necessary security protocols are in place. Currently, accountability for the security of cloud services is dispersed throughout the organization. Sixty-two percent of IT security respondents do not believe they are most accountable for securing the safe use of cloud resources.

4. The IT and IT security functions need to ensure lines of business are getting approval to select and use cloud applications. Forty-seven percent of lines of business respondents say they do not seek permission from IT or IT security before using these applications.

5. Avoid the risk of “rush to deployment” and evaluate the security of SaaS applications and PaaS resources prior to use. Fifty-two percent of IT security practitioners say SaaS applications are evaluated for security in advance of deployment and 47 percent say PaaS resources are evaluated.

6. Reduce the risk of noncompliance with the General Data Protection Regulation (GDPR) by understanding the resources needed to secure sensitive data in the cloud. Seventy-eight percent of respondents recognize that compliance and audit activities will increase in order to be in compliance and 42 percent of respondents say GDPR is accelerating their migration to the cloud.

7. Certain features from cloud providers are considered important or essential to cloud security. These include: one interface to identify and authenticate users in both the on-premises and cloud environments, an encryption platform to secure sensitive and confidential data in motion and at rest, multifactor authentication before allowing access to data and applications in the cloud, and event monitoring of suspicious and/or anomalous traffic in the cloud.

8. Companies should take the following steps to secure the cloud: assess the impact of cloud services on the ability to protect and secure confidential information, assess what information might be considered too sensitive to be in the cloud, and conduct audits or assessments of cloud resources before deployment.


Part 2. Key findings

In this section, we analyze the findings from the IT security practitioners participating in this research (1,670 respondents). In Part 3, we compare the findings of the IT security practitioners to those of leaders from lines of business (1,122 respondents). The complete audited findings are presented in the Appendix of this report. We have organized the research according to the following topics:

- How secure is the cloud?
- The growing importance of SaaS & PaaS
- How to secure the cloud
- Security posture in the cloud

How secure is the cloud?

A lack of concern about the security of cloud resources could increase the risk to sensitive data. As presented in Figure 2, only 20 percent of respondents say lines of business are concerned and only 38 percent say IT leaders are concerned about the security of cloud resources, which indicates either that cloud security is not a top priority or that they are confident their cloud provider offers adequate security. Further, 23 percent of respondents say their organizations have 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud, and 49 percent say cloud services provide a more secure data processing environment than on-premises computing. Thirty-three percent of these IT security respondents say they are most responsible for securing their organizations’ safe use of cloud resources.

Figure 2. Reasons sensitive data in the cloud is at risk (Strongly agree and Agree responses combined)
- Line of business (LOB) leaders are concerned about the security of cloud resources: 20%
- My organization has 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud: 23%
- Information security department is most responsible for securing our organization’s safe use of cloud resources: 33%
- IT leaders are concerned about the security of cloud resources: 38%
- Cloud services provide a more secure data processing environment than on-premises computing: 49%


Not knowing all the cloud applications and platforms in use puts organizations at risk. As discussed previously, 77 percent of respondents say their organizations do not have full visibility into sensitive data collected, processed and/or stored in the cloud, and 50 percent of respondents are not confident that their IT organization knows all cloud applications in use today. According to Figure 3, 69 percent rate the level of risk associated with not knowing all the cloud applications and platforms in use today as very high (33 percent of respondents) or high (36 percent of respondents).

Figure 3. What is the level of risk associated with not knowing all the cloud applications in use?
- Very high: 33%
- High: 36%
- Moderate: 16%
- Low: 9%
- Very low: 6%


IT security is underestimating the use of unapproved cloud applications. As shown in Figure 4, only 29 percent of respondents say the lines of business are selecting and using cloud applications without the approval of IT or IT security. However, as discussed later in this report, 47 percent of lines of business respondents say they do select and use cloud applications without permission from IT. In addition, most respondents say their organizations are not conducting rigorous security auditing and testing practices to verify the security of cloud applications prior to deployment. Only 30 percent of respondents say this step is taken always or most of the time.

Figure 4. The risks of insecure cloud apps (Always and Most of the time responses combined)
- Does your organization’s lines of business (LOB) select and use cloud applications without obtaining the approval of IT or IT security? 29%
- Does IT or IT security verify the security of cloud applications prior to deployment? 30%

Personal data, not business data, is considered to provide the greatest exposure to potential risk or liability. As shown in Figure 5, 61 percent of respondents say health information and 52 percent of respondents say employee records are most at risk in the cloud.

Figure 5. Confidential data too risky to be stored in the cloud (More than one choice allowed)
- Research data: 39%
- Non-financial confidential business information: 39%
- Intellectual property such as source code, design plans, architectural renderings: 41%
- Employee records: 52%
- Health information: 61%


Respondents seem to be more confident about applications processed and housed in the cloud. According to Figure 6, less than half of respondents say ERP applications, human resource and payroll applications, and financial and accounting applications are too risky to be processed and housed in the cloud (49 percent, 45 percent and 43 percent, respectively). Only 26 percent of respondents say scheduling and time management applications are too risky for the cloud.

Figure 6. Business applications too risky to be processed and housed in the cloud (More than one choice allowed)
- Scheduling and time management applications: 26%
- Communication applications: 32%
- Financial and accounting applications: 43%
- Human resource and payroll applications: 45%
- ERP applications: 49%


The growing use of SaaS and PaaS

Cost savings and greater efficiencies are the main drivers to use SaaS and PaaS. As shown in Figure 7, the primary reasons companies use cloud services and platforms are to reduce cost and increase efficiency.

Figure 7. What are the primary reasons to use cloud services and/or platforms? (Two responses allowed)
- Other: 1%
- Comply with contractual agreements or policies: 10%
- Improve customer service: 11%
- Increase flexibility and choice: 18%
- Improve security: 24%
- Faster deployment time: 30%
- Increase efficiency: 52%
- Reduce cost: 54%

As shown in Figure 8, 80 percent of respondents say their organizations use SaaS resources from cloud service providers versus 60 percent of respondents who say their organizations use PaaS resources from cloud providers. According to these respondents, an average of 50 percent of their organization’s business-critical applications use SaaS rather than on-premises software applications. An average of only 37 percent of business-critical resources use PaaS rather than on-premises infrastructure services.

Figure 8. Does your organization use SaaS or PaaS from cloud service providers? (Heavy user and Moderate user combined)
- Use of SaaS resources from cloud service providers: 80%
- Use of PaaS resources from cloud providers: 60%


As discussed previously, IT security respondents do not feel they are most responsible for security in the cloud. As shown in Figure 9, only 20 percent of these IT security respondents say they are responsible for ensuring the security of both SaaS and PaaS. Twenty-nine percent of respondents say the cloud service provider is most responsible for ensuring the security of SaaS and 28 percent of respondents say the IT function is responsible for PaaS security.

Figure 9. Who is responsible for ensuring the security of SaaS and PaaS? (Responsible for security of SaaS applications / Responsible for PaaS resources used)
- Responsibility is shared between the company and cloud service provider: SaaS 13%, PaaS 25%
- End-users (e.g., LOB): SaaS 15%, PaaS 11%
- IT security function: SaaS 20%, PaaS 20%
- IT function: SaaS 23%, PaaS 28%
- The cloud service provider: SaaS 29%, PaaS 17%

Confidence in SaaS and PaaS could be higher if their security were evaluated prior to deployment. Fifty-six percent of respondents are either very confident or confident in the security of SaaS and 55 percent of respondents are very confident or confident in the security of PaaS resources used within their organization. Fifty-two percent of respondents say SaaS applications are evaluated for security prior to deployment. However, only 47 percent of respondents say PaaS resources are evaluated for security prior to deployment.

Figure 10. How confident are you that SaaS and PaaS are secure? (Very confident and Confident responses combined)
- SaaS applications are secure: 56%
- PaaS resources are secure: 55%


Compliance with the General Data Protection Regulation (GDPR) is a financial burden and a time-consuming process. For many companies it is a reason to accelerate migration to the cloud. According to Figure 11, cybersecurity activities will be affected by an increase in compliance and audit activities, changes in workflows, reduced access to personal information and increased costs.

Figure 11. How does GDPR affect cybersecurity activities? (More than one choice allowed)
- Other: 1%
- Require hiring of security experts: 44%
- Require new investments in enabling security technologies: 45%
- Increase costs: 60%
- Reduce access to personal information: 62%
- Change workflows: 69%
- Increase compliance and audit activities: 78%

As shown in Figure 12, 42 percent of respondents say the GDPR will accelerate cloud migration and 39 percent say it will have no impact on cloud migration.

Figure 12. How will GDPR compliance requirements influence migration to the cloud?
- Accelerate cloud migration: 42%
- No impact on cloud migration: 39%
- Slow down cloud migration: 19%


How to secure the cloud

Aggressive migration to the cloud is not gated by demands for enhanced security. More than half of respondents (53 percent) say their organizations have not stopped or slowed down the adoption of cloud services because of security concerns. Despite the increase in the use of cloud services, companies are not taking critical security steps, as shown in Figure 13. Specifically, less than half (47 percent of respondents) say their organizations assess the impact cloud services may have on the ability to protect and secure confidential or sensitive information, and only 44 percent of respondents say they use cloud-based software and/or platforms that are thoroughly vetted for security risks. They are also not proactive in determining which data should not be stored in the cloud or in conducting an audit or assessment of cloud resources before deployment (40 percent and 39 percent of respondents, respectively).

Figure 13. Steps that should be taken to secure the cloud (Strongly agree and Agree responses combined)
- My organization is vigilant in conducting audits or assessments of cloud resources before deployment: 39%
- My organization is proactive in assessing information that is too sensitive to be stored in the cloud: 40%
- My organization uses cloud-based software and/or platforms that are thoroughly vetted for security risks: 44%
- My organization assesses the impact cloud services may have on the ability to protect and secure confidential or sensitive information: 47%


Accountability for ensuring the security of cloud services is dispersed throughout the organization. As discussed previously, 62 percent of the IT security practitioners in this study do not believe that IT leaders are concerned about the security of cloud services. However, as shown in Figure 14, 60 percent of respondents say corporate IT is most responsible for ensuring cloud services and platforms are safe and secure. The findings also reveal that in many cases accountability is dispersed throughout the organization.

Figure 14. Who is responsible for ensuring cloud services and platforms are safe and secure? (Three choices allowed)
- Data center management: 6%
- Internal audit: 8%
- Legal: 15%
- Compliance: 19%
- Procurement: 24%
- LOB management: 39%
- No one person is responsible: 41%
- Information security: 43%
- End-users: 44%
- Corporate IT: 60%

As presented in Figure 15, very few third parties are in control of encryption keys when data is encrypted in the cloud. Either the organization or the cloud service provider controls the encryption keys. BYOK is considered by respondents to be an important feature offered by cloud providers, according to 66 percent of respondents (see Figure 21).

Figure 15. Who is in control of encryption keys when data is encrypted in the cloud?
- Other: 1%
- A third party (i.e. neither you nor your cloud service provider): 12%
- A combination of my organization and the cloud service provider: 21%
- The cloud service provider: 31%
- Your organization: 34%


Most organizations have implemented single sign-on (SSO). Forty-four percent of respondents say their organizations have SSO today. In the next six months, 21 percent of respondents say they will have SSO and 14 percent of respondents say their organization plans to implement SSO in the next year.

Figure 16. Has your organization adopted Single Sign-on (SSO)?
- We have SSO now: 44%
- We plan to in the next six months: 21%
- We plan to in the next year: 14%
- We have no plans to implement SSO: 22%

Companies are adopting 2FA to secure apps and data. Most organizations represented in this study require two-factor authentication for all cloud-based apps (31 percent), for some apps (35 percent) or plan to in the next year (10 percent).

Figure 17. Has your organization deployed two-factor authentication (2FA) to secure apps and data?
- 2FA on all cloud-based apps: 31%
- 2FA only for some apps: 35%
- 2FA within the next year: 10%
- No plans to enforce 2FA: 24%


Security posture in the cloud

Fifty percent of respondents say their organizations experienced a data breach caused by one of their cloud providers (39 percent) or are unsure (11 percent). More than one-third of respondents say that as a result of the data breach their organizations terminated the relationship with the cloud service provider. As shown in Figure 18, almost half of respondents say the cause of the cloud providers’ data breach was human error and 43 percent say it was the result of a cyber attack.

Figure 18. What was the root cause of the data breach? (More than one choice allowed)
- Other: 1%
- Do not know: 9%
- Criminal or malicious insider: 10%
- System glitch: 36%
- Cyber attack: 43%
- Human error: 48%

According to Figure 19, system downtime and leakage of PII or PHI were the most negative consequences. Thirty-seven percent of respondents say the data breach had no impact on their business.

Figure 19. What was the negative impact of the cloud providers’ data breach? (More than one choice allowed)
- No impact: 37%
- Other: 2%
- Litigation or regulatory action: 6%
- Customer churn: 9%
- Diminished reputation and brand loss: 15%
- Leakage of trade secrets: 18%
- Lost transactions: 19%
- Revenue loss: 21%
- Productivity loss: 30%
- Leakage of PII or PHI: 39%
- System downtime: 47%


According to Figure 20, only 36 percent of respondents (15 percent + 21 percent) are confident that if one of their cloud service providers had a data breach that resulted in the loss, theft or misuse of their company’s sensitive or confidential information, the provider would inform them. Forty-six percent of respondents say that if they did find out their cloud provider had a data breach, they would with certainty (23 percent of respondents) or most likely (23 percent of respondents) terminate the relationship with the cloud provider.

Figure 20. Would your cloud service provider let you know if they had a data breach and would you fire them?
- Would your cloud service provider inform you if they had a breach? With certainty 15%, Most likely 21%, Likely 24%, Unlikely 31%, No chance 9%
- If your cloud service provider had a breach would you terminate the relationship? With certainty 23%, Most likely 23%, Likely 29%, Unlikely 19%, No chance 7%


Respondents say certain security protocols perform better on-premises or better in the cloud. Table 1 lists 25 security requirements that could be accomplished on-premises or in the cloud. As shown in Table 1, limiting physical access and enforcing security policies are better done on-premises, whereas respondents are more confident that avoiding business disruptions and monitoring traffic intelligence improve in the cloud. The percentage defines the level of confidence that each security requirement can be accomplished successfully (based on a 5-point confidence scale). A positive Diff means respondents attached a higher level of confidence to the on-premises environment; a negative Diff means respondents attached a higher level of confidence to the cloud environment.

Security protocols that are better on-premises:
- Limit physical access to IT infrastructure: +33 percent
- Enforce security policies: +24 percent
- Know where information assets are physically located: +20 percent
- Control all live data used in development and testing: +14 percent
- Ensure security program is adequately managed: +13 percent
- Conduct training and awareness for all system users: +12 percent
- Encrypt sensitive or confidential information assets wherever feasible: +11 percent

Security protocols that are better in the cloud:
- Prevent or curtail system downtime and business interruption: +11 percent
- Monitor traffic intelligence: +10 percent
- Prevent or curtail data loss or theft: +7 percent
- Prevent or curtail external attacks: +7 percent

Table 1. Level of confidence in being able to accomplish the stated security requirement on-premises or in the cloud.

Security requirement  |  On-premises  |  Cloud  |  Diff
Limit physical access to IT infrastructure  |  69%  |  36%  |  33%
Enforce security policies  |  67%  |  43%  |  24%
Know where information assets are physically located  |  25%  |  5%  |  19%
Control all live data used in development and testing  |  83%  |  69%  |  14%
Ensure security program is adequately managed  |  57%  |  44%  |  13%
Conduct training and awareness for all system users  |  28%  |  16%  |  12%
Encrypt sensitive or confidential information assets  |  49%  |  38%  |  11%
Secure sensitive or confidential information in motion  |  49%  |  41%  |  9%
Ensure security governance processes are effective  |  53%  |  45%  |  8%
Secure endpoints to the network  |  54%  |  48%  |  6%
Conduct independent audits  |  49%  |  42%  |  6%
Secure vendor relationships before sharing information assets  |  48%  |  44%  |  4%
Secure sensitive or confidential information at rest  |  39%  |  35%  |  4%
Prevent or curtail system-level connections from insecure endpoints  |  66%  |  64%  |  1%
Determine the root cause of cyber attacks  |  37%  |  35%  |  1%
Prevent or curtail viruses and malware infection  |  68%  |  68%  |  0%
Achieve compliance with leading regulatory frameworks  |  54%  |  56%  |  -1%
Identify and authenticate users before granting access  |  62%  |  65%  |  -3%
Access to highly qualified IT security personnel  |  55%  |  60%  |  -5%
Comply with all legal requirements  |  53%  |  57%  |  -5%
Perform patches to software promptly  |  50%  |  55%  |  -5%
Prevent or curtail external attacks  |  43%  |  50%  |  -6%
Prevent or curtail data loss or theft  |  55%  |  62%  |  -6%
Monitor traffic intelligence  |  46%  |  56%  |  -9%
Prevent or curtail system downtime and business interruption  |  67%  |  78%  |  -11%


Companies do not want to stop migration to the cloud and say certain features would improve security. According to Figure 21, the most critical features from cloud providers are having control over the use and management of their own encryption keys (BYOK) and one interface to identify and authenticate users in both the on-premises and cloud environments, each cited by 66 percent of respondents. The majority of respondents say all the features listed in the figure are essential or very important.

Figure 21. Cloud providers’ features considered most important (Essential and Very important responses combined)
- The cloud provider offers event monitoring of suspicious and/or anomalous traffic in the cloud environment: 58%
- The cloud provider offers 360 degree visibility of your organization’s sensitive or confidential data collected, processed and stored in the cloud environment: 59%
- The cloud provider requires multifactor authentication before allowing access to your organization’s data and applications in the cloud environment: 60%
- The cloud provider offers an encryption platform to secure sensitive and confidential data in motion and at rest: 63%
- The cloud provider offers one interface to identify and authenticate users in both the on-premises and cloud environments: 66%
- The cloud provider allows your organization to use and manage its own encryption keys (BYOK): 66%


Part 3. The IT security and lines of business cloud security gap

In this section of the report, we present an analysis of the key differences between the perceptions of IT security and lines of business about cloud security. Respondents in both groups are familiar with their organizations’ approach to cloud security and have some level of responsibility for directing cloud security control activities. While the pattern of results across country samples is generally consistent, there are significant differences between the information security (ITS) and lines of business (LOB) samples. Specifically, non-IT business leaders tend to hold a more favorable perception about the security of services (SaaS) and platforms (PaaS) than IT security practitioners. IT security practitioners believe on-premises computing is easier to secure and, hence, less prone to data breach and other cybersecurity exploits.

Cloud service providers are seen as reducing costs, increasing efficiencies and enabling faster deployment. Figure 22 shows very different perceptions between IT security and lines of business about the value received from cloud providers. Respondents in lines of business say faster deployment is why cloud services are used. Both groups see increased efficiency as a driver to use cloud services.

Figure 22. Primary reasons why cloud services and/or platforms are used (Two choices allowed; IT/ITS vs. LOB)
- Other: IT/ITS 1%, LOB 0%
- Comply with contractual agreements or policies: IT/ITS 10%, LOB 8%
- Improve customer service: IT/ITS 11%, LOB 15%
- Increase flexibility and choice: IT/ITS 18%, LOB 22%
- Improve security: IT/ITS 24%, LOB 12%
- Faster deployment time: IT/ITS 30%, LOB 40%
- Increase efficiency: IT/ITS 52%, LOB 63%
- Reduce cost: IT/ITS 54%, LOB 40%


Lines of business are more likely than IT security to consider SaaS and PaaS important to their businesses. According to Figure 23, 80 percent of lines of business respondents say SaaS will be important in the next two years, in contrast to 66 percent of IT security respondents. Similarly, 73 percent of lines of business respondents believe PaaS will be very important in two years, while 63 percent of IT security respondents say it will be important.

Figure 23. The importance of SaaS and PaaS in meeting IT and data processing objectives
                                    IT/ITS    LOB
Importance of SaaS today              46%    67%
Importance of SaaS in two years       66%    80%
Importance of PaaS today              32%    55%
Importance of PaaS in two years       63%    73%

Lines of business are much more confident in the security of both SaaS and PaaS. According to Figure 24, there are significant differences between IT security and lines of business confidence in these cloud services.

Figure 24. Confidence in the security of SaaS applications and PaaS (very confident and confident responses combined)
                                IT/ITS    LOB
SaaS applications are secure      56%    75%
PaaS resources are secure         55%    66%


Lines of business are much more likely than IT security to believe sensitive or confidential data is more secure in the cloud environment than on-premises. According to Figure 25, 46 percent of lines of business respondents say their organizations’ sensitive or confidential data is more secure in the cloud environment than on-premises, versus 28 percent of IT security respondents. Thirty-three percent of IT security respondents say their function is most responsible for securing their organizations’ safe use of cloud resources, versus 25 percent of lines of business. Less than half of both groups believe their cloud services provide a more secure data processing environment than on-premises computing (49 percent of IT security respondents and 45 percent of lines of business respondents).

Figure 25. Differences in perceptions about cloud security (strongly agree and agree responses combined)
IT/ITS LOB
My organization has 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud 23% 18%
My organization’s sensitive or confidential data is more secure in the cloud environment than on-premises 28% 46%
My organization’s information security department is most responsible for securing our organization’s safe use of cloud resources 33% 25%
My organization is proactive in assessing information that is too sensitive to be stored in the cloud 40% 37%
My organization uses cloud-based software and/or platforms that are thoroughly vetted for security risks 44% 40%
In my organization, cloud services provide a more secure data processing environment than on-premises computing 49% 45%


Fifty percent of IT security respondents and 65 percent of lines of business respondents are very confident or confident that the IT organization knows all cloud applications and platforms in use today. As a result, as shown in Figure 26, IT security is significantly more concerned about the risk associated with not knowing all the cloud applications used within their organization (69 percent of IT security respondents versus 40 percent of lines of business respondents).

Figure 26. What is the level of risk associated with not knowing all the cloud applications used within the organization? (very high and high responses combined)
IT/ITS    69%
LOB       40%

As discussed previously, IT security respondents are in the dark about how lines of business are using cloud applications without the IT or IT security function’s approval, according to Figure 27. IT security respondents are slightly more likely to say their function verifies the security of cloud applications before deployment (30 percent of IT respondents versus 21 percent of lines of business respondents).

Figure 27. Is the security of cloud applications verified before deployment and are cloud applications used without approval from IT? (always and most of the time responses combined)
IT/ITS LOB
IT or IT security verifies the security of cloud applications prior to deployment 30% 21%
Lines of business select and use cloud applications without obtaining the approval of IT or IT security 29% 47%


Part 4. IT Security Sample Characteristics

A sampling frame of 51,633 experienced IT and IT security practitioners located in North America (United States and Canada), the United Kingdom, France, Germany and the Netherlands was selected as participants in the research. Table 2 shows 1,830 total returns. Reliability checks required the removal of 160 surveys. The final sample consisted of 1,670 surveys, or a 3.2 percent response rate.

Table 2. Sample response
                    IT Security
Sampling frame           51,633
Total returns             1,830
Rejected surveys            160
Final sample              1,670
Response rate              3.2%

Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, 60 percent of respondents are at or above the supervisory levels.

Pie Chart 1. Current position within the organization
Senior Executive/VP     6%
Director               15%
Manager                22%
Supervisor             17%
Technician             32%
Staff or Analyst        6%
Other                   1%

As shown in Pie Chart 2, 55 percent of respondents report to the CIO and 20 percent of respondents report to the CISO.

Pie Chart 2. Primary person reported to within the organization
CIO                           55%
CISO                          20%
CTO                            8%
Chief Risk Officer             6%
Compliance Officer             5%
Office of General Counsel      2%
CEO/Executive Committee        2%
Line of Business Leader        2%
COO                            1%


Pie Chart 3 reports the industry classification of respondents’ organizations. This chart identifies financial services (18 percent) as the largest segment, followed by manufacturing/industrial (13 percent), health and life science (12 percent) and retail (11 percent).

Pie Chart 3. Primary industry focus
Financial services          18%
Manufacturing/industrial    13%
Health & life science       12%
Retail                      11%
Services                    10%
Public sector                9%
Technology & software        8%
Consumer products            6%
Energy & utilities           4%
Communications               2%
Hospitality                  2%
Other                        4%

Pie Chart 4 reveals 73 percent of respondents are from organizations with a global headcount of more than 1,000 employees.

Pie Chart 4. Global employee headcount
Less than 500          11%
500 to 1,000           16%
1,001 to 5,000         26%
5,001 to 10,000        23%
10,001 to 25,000       14%
25,001 to 75,000        4%
More than 75,000        5%


Part 5. Line of Business Sample Characteristics

A sampling frame of 36,301 non-IT business practitioners located in North America (United States and Canada), the United Kingdom, France, Germany and the Netherlands was selected as participants in the research. Table 3 shows 1,334 total returns. Reliability checks required the removal of 212 surveys. The final sample consisted of 1,122 surveys, or a 3.1 percent response rate.

Table 3. Survey response
                        Line of business
Total sampling frame              36,301
Total returns                      1,334
Rejected surveys                     212
Final sample                       1,122
Response rate                       3.1%

Pie Chart 5 reports the respondent’s organizational level within participating organizations. As shown, 64 percent of respondents are at or above the supervisory levels.

Pie Chart 5. Current position within the organization
Senior Executive/VP     7%
Director               21%
Manager                23%
Supervisor             13%
Technician              9%
Staff or Analyst       27%

As shown in Pie Chart 6, 25 percent of respondents report to the line of business leader and 19 percent of respondents report to the sales management leader.

Pie Chart 6. Primary person reported to within the organization
Line of Business Leader       25%
Sales Management Leader       19%
CFO                            8%
Compliance Officer             8%
CMO                            8%
Human Resources Leader         7%
Chief Risk Officer             6%
COO                            5%
Office of General Counsel      5%
Communications Leader          5%
CEO/Executive Committee        4%


Pie Chart 7 reports the industry classification of respondents’ organizations. This chart identifies financial services (19 percent) as the largest segment, followed by manufacturing/industrial (15 percent), retail (11 percent) and health and life science (10 percent).

Pie Chart 7. Primary industry focus
Financial services            19%
Manufacturing/industrial      15%
Retail                        11%
Health & life science         10%
Public sector                 10%
Services                       9%
Technology & software          7%
Consumer products              5%
Energy & utilities             4%
Communications                 2%
Hospitality                    2%
Education & research           2%
Transportation                 2%
Agriculture & food services    1%
Aerospace & defense            1%

Pie Chart 8 reveals 71 percent of respondents are from organizations with a global headcount of more than 1,000 employees.

Pie Chart 8. Global employee headcount
Less than 500          12%
500 to 1,000           17%
1,001 to 5,000         23%
5,001 to 10,000        21%
10,001 to 25,000       16%
25,001 to 75,000        7%
More than 75,000        4%


Part 6. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT practitioners or non-IT business personnel. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.


Appendix 1: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study for two samples: IT security practitioners and non-IT business personnel. All survey responses were captured between September 26 and October 16, 2017.

Survey response
                          ITS       LOB
Total sampling frame   51,633    36,301
Total returns           1,830     1,334
Rejected surveys          160       212
Final sample            1,670     1,122
Response rate            3.2%      3.1%

Screening questions

S1. How familiar are you with your organization’s approach to cloud security?
                         ITS     LOB
Very familiar            38%     23%
Familiar                 39%     45%
Somewhat familiar        23%     32%
No knowledge (Stop)       0%      0%
Total                   100%    100%

S2. Do you have any responsibility for directing cloud security control activities?
                                ITS     LOB
Yes, full responsibility        26%     15%
Yes, some responsibility        56%     45%
Yes, minimum responsibility     18%     40%
No responsibility (Stop)         0%      0%
Total                          100%    100%

Part 1. Attributions about cloud security: Please use the scale provided below each statement to express your opinions about the security of cloud resources used by your organization. Strongly agree and agree responses combined.
ITS LOB
Q1a. My organization assesses the impact cloud services may have on the ability to protect and secure confidential or sensitive information. 47% 35%
Q1b. My organization uses cloud-based software and/or platforms that are thoroughly vetted for security risks. 44% 40%
Q1c. My organization is vigilant in conducting audits or assessments of cloud resources before deployment. 39% 29%
Q1d. My organization is proactive in assessing information that is too sensitive to be stored in the cloud. 40% 37%
Q1e. My organization has 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud. 23% 18%
Q1f. My organization’s information security department is most responsible for securing our organization’s safe use of cloud resources. 33% 25%
Q1g. In my organization, cloud services provide a more secure data processing environment than on-premises computing. 49% 45%
Q1h. My organization’s IT leaders are concerned about the security of cloud resources. 38% 36%
Q1i. My organization’s line of business (LOB) leaders are concerned about the security of cloud resources. 20% 41%
Q1j. Compliance with emerging data protection regulations (such as PCI DSS, HIPAA, NIST, GDPR) is a main driver of my organization’s migration to the cloud ecosystem. 38% 48%
Q1k. My organization’s sensitive or confidential data is more secure in the cloud environment than on-premises. 28% 46%


Part 2. Cloud services experience

Q2a. Does your organization use SaaS resources from cloud service providers?
                         ITS     LOB
Yes, heavy use           47%     40%
Yes, moderate use        33%     31%
Yes, light use            6%     11%
No (skip to Q3a)         14%     18%
Total                   100%    100%

Q2b. If yes, what percent of your organization’s business-critical applications utilizes SaaS versus on-premises software applications?
                         ITS     LOB
Less than 10%             2%     15%
Between 11 to 20%         5%     11%
Between 21 to 30%         9%      8%
Between 31 to 40%        19%     11%
Between 41 to 50%        22%     10%
Between 51 to 75%        22%      7%
Between 76 to 90%         9%      3%
More than 90%             6%      0%
Don’t know                5%     35%
Total                   100%    100%
Extrapolated value       50%     30%

Q2c. In your opinion, who is most responsible for ensuring the security of SaaS applications used within your organization?
                                                                              ITS     LOB
My company’s end-users (e.g., LOB) are most responsible                       15%     31%
My company’s IT function is most responsible                                  23%     15%
My company’s IT security function is most responsible                         20%     12%
The cloud service provider is most responsible                                29%     32%
Responsibility is shared between my company and the cloud service provider    13%     10%
Total                                                                        100%    100%

Q2d. How important is the use of SaaS in meeting your organization’s IT and data processing objectives?

Today                    ITS     LOB
Essential                15%     34%
Very important           31%     33%
Important                31%     18%
Not important            15%     11%
Irrelevant                8%      4%
Total                   100%    100%

Over the next two years  ITS     LOB
Essential                34%     50%
Very important           33%     30%
Important                25%     17%
Not important             7%      3%
Irrelevant                1%      0%
Total                   100%    100%

Q2e. How confident are you that SaaS applications used within your organization are secure?
                         ITS     LOB
Very confident           22%     35%
Confident                34%     40%
Not confident            44%     25%
Total                   100%    100%


Q2f. Are SaaS applications evaluated for security prior to deployment within your organization?
                         ITS     LOB
Yes                      52%     38%
No                       39%     37%
Don’t know                9%     25%
Total                   100%    100%

Q3a. Does your organization use PaaS resources from cloud providers?
                         ITS     LOB
Yes, heavy user          28%     23%
Yes, moderate user       32%     35%
Yes, light user          12%     24%
No (skip to Q4)          28%     18%
Total                   100%    100%

Q3b. If yes, what percent of your organization’s business-critical resources utilizes PaaS versus on-premises infrastructure services?
                         ITS     LOB
Less than 10%             7%     15%
Between 11 to 20%        16%     19%
Between 21 to 30%        13%     10%
Between 31 to 40%        24%      8%
Between 41 to 50%        17%      8%
Between 51 to 75%        10%      4%
Between 76 to 90%         6%      0%
More than 90%             2%      0%
Don’t know                7%     36%
Total                   100%    100%
Extrapolated value       37%     23%

Q3c. In your opinion, who is most responsible for ensuring the security of PaaS resources used within your organization?
                                                                              ITS     LOB
My company’s end-users (e.g., LOB) are most responsible                       11%     19%
My company’s IT function is most responsible                                  28%     19%
My company’s IT security function is most responsible                         20%     13%
The cloud service provider is most responsible                                17%     28%
Responsibility is shared between my company and the cloud service provider    25%     21%
Total                                                                        100%    100%

Q3d. How important is the use of PaaS in meeting your organization’s IT and data processing objectives?

Today                    ITS     LOB
Essential                10%     24%
Very important           22%     31%
Important                39%     26%
Not important            21%     15%
Irrelevant                8%      4%
Total                   100%    100%

Over the next two years  ITS     LOB
Essential                24%     35%
Very important           39%     38%
Important                32%     21%
Not important             5%      6%
Irrelevant                0%      0%
Total                   100%    100%


Q3e. How confident are you that PaaS resources used within your organization are secure?
                         ITS     LOB
Very confident           19%     23%
Confident                36%     43%
Not confident            46%     34%
Total                   100%    100%

Q3f. Are PaaS resources evaluated for security prior to deployment within your organization?
                         ITS     LOB
Yes                      47%     37%
No                       42%     35%
Don’t know               12%     28%
Total                   100%    100%

Q4. What are the primary reasons why cloud services and/or platforms are used within your organization? Please select only two top choices.
                                                  ITS     LOB
Reduce cost                                       54%     40%
Increase efficiency                               52%     63%
Improve security                                  24%     12%
Faster deployment time                            30%     40%
Increase flexibility and choice                   18%     22%
Improve customer service                          11%     15%
Comply with contractual agreements or policies    10%      8%
Other (please specify)                             1%      0%
Total                                            200%    200%

Q5. How confident are you that your IT organization knows all cloud applications and platforms in use today?
                         ITS     LOB
Very confident           17%     22%
Confident                33%     40%
Not confident            50%     38%
Total                   100%    100%

Q6. What is the level of risk associated with not knowing all the cloud applications used within your organization?
                         ITS     LOB
Very high                33%     15%
High                     36%     25%
Moderate                 16%     33%
Low                       9%     19%
Very low                  6%      8%
Total                   100%    100%

Q7. Which functions within your organization are responsible for ensuring cloud services and platforms are safe and secure? Please select no more than three choices.
                                ITS     LOB
End-users                       44%     54%
LOB management                  39%     58%
Corporate IT                    60%     49%
Compliance                      19%     11%
Legal                           15%      7%
Procurement                     24%     28%
Internal audit                   8%      5%
Information security            43%     40%
Data center management           6%      3%
No one person is responsible    41%     45%
Total                          300%    300%


Q8. What types of confidential or sensitive information does your organization consider too risky to be stored in the cloud?
                                                                                   ITS     LOB
Consumer data                                                                      28%     42%
Customer information                                                               36%     50%
Credit card information                                                            32%     29%
Employee records                                                                   52%     44%
Health information                                                                 61%     60%
Non-financial confidential business information                                    39%     23%
Financial business information                                                     39%     33%
Intellectual property such as source code, design plans, architectural renderings  41%     31%
Research data                                                                      39%     28%
Other (please specify)                                                              2%      3%
None of the above                                                                  30%     36%
Total                                                                             399%    379%

Q9. What types of business applications does your organization consider too risky to be processed and housed in the cloud?
                                                 ITS     LOB
Sales and CRM applications                       18%     11%
Marketing applications                           18%     10%
ERP applications                                 49%     55%
Human resource and payroll applications          45%     40%
Financial and accounting applications            43%     53%
Engineering applications                         19%      9%
Manufacturing applications                       16%     15%
Logistics applications                           20%     16%
Scheduling and time management applications      26%     23%
Communication applications                       32%     33%
Other (please specify)                            2%      0%
None of the above                                34%     40%
Total                                           324%    305%

Q10. Does IT or IT security verify the security of cloud applications prior to deployment?
                         ITS     LOB
Always                   13%      9%
Most of the time         17%     12%
Some of the time         33%     29%
Rarely                   22%     31%
Never                    15%     19%
Total                   100%    100%

Q11. Does your organization’s lines of business (LOB) select and use cloud applications without obtaining the approval of IT or IT security?
                         ITS     LOB
Always                   11%     20%
Most of the time         18%     27%
Some of the time         33%     30%
Rarely                   23%     15%
Never                    15%      8%
Total                   100%    100%


Part 3. Security posture (completed by respondents in the IT security sample)

Q12a. A four-point scale is used to define your level of confidence in being able to accomplish the stated security requirement on-premises. Very confident and confident responses combined.
ITS
Determine the root cause of cyber attacks 37%
Know where information assets are physically located 25%
Secure sensitive or confidential information at rest 39%
Secure sensitive or confidential information in motion 49%
Secure endpoints to the network 54%
Identify and authenticate users before granting access to information assets or IT infrastructure 62%
Secure vendor relationships before sharing information assets 48%
Prevent or curtail data loss or theft 55%
Prevent or curtail external attacks 43%
Limit physical access to IT infrastructure 69%
Ensure security governance processes are effective 53%
Prevent or curtail system downtime and business interruption 67%
Prevent or curtail system-level connections from insecure endpoints 66%
Comply with all legal requirements 53%
Achieve compliance with leading regulatory frameworks including GDPR, PCI DSS, ISO, NIST and others 54%
Prevent or curtail viruses and malware infection 68%
Perform patches to software promptly 50%
Control all live data used in development and testing 83%
Enforce security policies 67%
Access to highly qualified IT security personnel 55%
Conduct training and awareness for all system users 28%
Conduct independent audits 49%
Ensure security program is adequately managed 57%
Monitor traffic intelligence 46%
Encrypt sensitive or confidential information assets wherever feasible 49%
Average 53%


Q12b. A four-point scale is used to define your level of confidence in being able to accomplish the stated security requirement in the cloud. Very confident and confident responses combined.
ITS
Determine the root cause of cyber attacks 35%
Know where information assets are physically located 5%
Secure sensitive or confidential information at rest 35%
Secure sensitive or confidential information in motion 41%
Secure endpoints to the network 48%
Identify and authenticate users before granting access to information assets or IT infrastructure 65%
Secure vendor relationships before sharing information assets 44%
Prevent or curtail data loss or theft 62%
Prevent or curtail external attacks 50%
Limit physical access to IT infrastructure 36%
Ensure security governance processes are effective 45%
Prevent or curtail system downtime and business interruption 78%
Prevent or curtail system-level connections from insecure endpoints 64%
Comply with all legal requirements 57%
Achieve compliance with leading regulatory frameworks including GDPR, PCI DSS, ISO, NIST and others 56%
Prevent or curtail viruses and malware infection 68%
Perform patches to software promptly 55%
Control all live data used in development and testing 69%
Enforce security policies 43%
Access to highly qualified IT security personnel 60%
Conduct training and awareness for all system users 16%
Conduct independent audits 42%
Ensure security program is adequately managed 44%
Monitor traffic intelligence 56%
Encrypt sensitive or confidential information assets wherever feasible 38%
Average 48%


Part 4. Security features in the cloud

Q13. Has your organization stopped or slowed down the adoption of cloud services because of security concerns?
                         ITS     LOB
Yes                      39%     15%
No                       53%     65%
Unsure                    9%     20%
Total                   100%    100%

Q14. Who is in control of encryption keys when data is encrypted in the cloud?
                                                                       ITS     LOB
Your organization                                                      34%     33%
The cloud service provider                                             31%     29%
A third party (i.e. neither you nor your cloud service provider)       12%     15%
A combination of my organization and the cloud service provider        21%     23%
Other (please specify)                                                  1%      0%
Total                                                                 100%    100%

Q15. Has your organization adopted BYOK?
                                                         ITS     LOB
Yes, we have BYOK now                                    32%     35%
Yes, we plan to have BYOK within the next six months     19%     21%
Yes, we plan to have BYOK within the next year           15%     16%
No, we have no plans to have BYOK                        34%     28%
Total                                                   100%    100%

Q16. Has your organization deployed two-factor authentication (2FA) to secure apps and data?
                                                     ITS     LOB
Yes, we require 2FA for all cloud-based apps         31%     23%
Yes, we require 2FA only for some apps               35%     38%
Yes, we plan to enforce 2FA within the next year     10%     18%
No, we have no plans to enforce 2FA                  24%     21%
Total                                               100%    100%

Q17. Has your organization implemented Single Sign-on (SSO) across your application infrastructure?
                                             ITS     LOB
Yes, we have SSO now                         44%     39%
Yes, we plan to in the next six months       21%     24%
Yes, we plan to in the next year             14%     16%
No, we have no plans to implement SSO        22%     21%
Total                                       100%    100%

Please rate each feature or capability in terms of importance to your organization using the scale provided below each item. Essential and very important responses combined.
ITS LOB
Q18a. The cloud provider offers one interface to identify and authenticate users in both the on-premises and cloud environments. 66% 59%
Q18b. The cloud provider offers 360 degree visibility of your organization’s sensitive or confidential data collected, processed and stored in the cloud environment. 59% 61%
Q18c. The cloud provider requires multifactor authentication before allowing access to your organization’s data and applications in the cloud environment. 60% 56%
Q18d. The cloud provider offers an encryption platform to secure sensitive and confidential data in motion and at rest. 63% 66%
Q18e. The cloud provider allows your organization to use and manage its own encryption keys (BYOK). 66% 63%
Q18f. The cloud provider offers event monitoring of suspicious and/or anomalous traffic in the cloud environment. 58% 53%


Part 5. General Data Privacy Regulation (GDPR)

Q19. How familiar are you with the GDPR?
                               ITS     LOB
Very familiar                  27%     19%
Familiar                       42%     49%
Not familiar                   22%     16%
No knowledge (skip to D1)      10%     16%
Total                         100%    100%

Q20. How confident are you that your organization will be compliant with GDPR on or before May 25, 2018 (effective date)?
                         ITS     LOB
Very confident           16%     21%
Confident                19%     28%
Not confident            41%     35%
No confidence            24%     16%
Total                   100%    100%

Q21. How does GDPR affect your organization’s cybersecurity activities?
                                                              ITS     LOB
Increase costs                                                60%     56%
Require new investments in enabling security technologies     45%     43%
Require hiring of security experts                            44%     38%
Change workflows                                              69%     73%
Reduce access to personal information                         62%     65%
Increase compliance and audit activities                      78%     63%
Other (please specify)                                         1%      0%
Total                                                        361%    338%

Q22. Will your organization have to change the way it collects, uses and protects sensitive or confidential data in the cloud environment as a result of GDPR?
                         ITS     LOB
Significant change       30%     31%
Some change              56%     60%
Insignificant change     10%      7%
No change                 5%      2%
Total                   100%    100%

Q23. How will GDPR compliance requirements influence your organization’s migration to the cloud environment?
                                   ITS     LOB
Slow down cloud migration          19%     10%
Accelerate cloud migration         42%     46%
No impact on cloud migration       39%     44%
Total                             100%    100%


Part 6. Data breach experience

Q24. If one of your cloud service providers had a data breach that resulted in the loss, theft or misuse of your company’s sensitive or confidential information, would they inform you?
                         ITS     LOB
Yes, with certainty      15%     22%
Yes, most likely         21%     35%
Yes, likely              24%     20%
No, unlikely             31%     20%
No chance                 9%      3%
Total                   100%    100%

Q25. If one of your cloud service providers had a data breach that resulted in the loss, theft or misuse of your company’s sensitive or confidential information, would you terminate the relationship?
                         ITS     LOB
Yes, with certainty      23%     26%
Yes, most likely         23%     30%
Yes, likely              29%     31%
No, unlikely             19%     11%
No chance                 7%      2%
Total                   100%    100%

Q26a. Has your organization ever experienced a data breach caused by one of your cloud service providers that resulted in the loss, theft or misuse of your company’s sensitive or confidential information?
                         ITS     LOB
Yes                      39%     30%
No                       50%     45%
Unsure                   11%     25%
Total                   100%    100%

Q26b. If yes, what best describes the root cause(s) of the data breach experienced by your cloud service provider? Please select all that apply.
                                  ITS     LOB
Cyber attack                      43%     40%
Human error                       48%     42%
System glitch                     36%     29%
Criminal or malicious insider     10%      5%
Other (please specify)             1%      0%
Do not know                        9%     32%
Total                            146%    148%

Q26c. If yes, what was the negative impact to your organization as a result of the data breach experienced by your cloud service provider? Please select all that apply.
                                         ITS     LOB
Lost transactions                        19%     22%
System downtime                          47%     56%
Revenue loss                             21%     26%
Productivity loss                        30%     28%
Customer churn                            9%      7%
Diminished reputation and brand loss     15%     21%
Leakage of PII or PHI                    39%     40%
Leakage of trade secrets                 18%     15%
Litigation or regulatory action           6%      3%
Other (please specify)                    2%      0%
No impact                                37%     39%
Total                                   244%    257%


Q26d. If yes, did you terminate your relationship with the cloud service provider as a result of their data breach?

Response                 ITS     LOB
Yes                      34%     23%
No                       60%     52%
Unsure                    6%     25%
Total                   100%    100%

Part 7. Organizational characteristics

D1. What organizational level best describes your current position?

Response                   ITS     LOB
Senior Executive/VP         6%      7%
Director                   15%     21%
Manager                    22%     23%
Supervisor                 17%     13%
Technician                 32%      9%
Staff or Analyst            6%     27%
Other (please specify)      1%      0%
Total                     100%    100%

D2. Check the primary person you or your direct manager reports to within your organization.

Response                             ITS     LOB
CEO/Executive Committee               2%      4%
Chief Operating Officer               1%      5%
Chief Financial Officer               0%      8%
Chief Information Officer            55%      0%
Chief Information Security Officer   20%      0%
Compliance Officer                    5%      8%
Office of General Counsel (GC)        2%      5%
Chief Marketing Officer               0%      8%
Line of Business Leader               2%     25%
Sales Management Leader               0%     19%
Communications and PR Leader          0%      5%
Chief Technology Officer              8%      0%
Human Resources Leader                0%      7%
Chief Risk Officer                    6%      6%
Other (please specify)                0%      0%
Total                               100%    100%

D3. What industry best describes your organization’s industry concentration or focus?

Response                        ITS     LOB
Financial services              18%     19%
Manufacturing/industrial        13%     15%
Health & life science           12%     10%
Retail                          11%     11%
Services                        10%      9%
Public sector                    9%     10%
Technology & software            8%      7%
Consumer products                6%      5%
Energy & utilities               4%      4%
Communications                   2%      2%
Education & research             1%      2%
Transportation                   1%      2%
Hospitality                      2%      2%
Agriculture & food services      1%      1%
Aerospace & defense              1%      1%
Other (please specify)           0%      0%
Total                          100%    100%


D4. What is the worldwide headcount of your organization?

Response                 ITS     LOB
Less than 500            11%     12%
500 to 1,000             16%     17%
1,001 to 5,000           26%     23%
5,001 to 10,000          23%     21%
10,001 to 25,000         14%     16%
25,001 to 75,000          4%      7%
More than 75,000          5%      4%
Total                   100%    100%


Appendix 2: Expanded scale response for Q1a to Q1k

IT security sample

Each statement is followed by three percentages: Strongly agree and Agree / Strongly disagree and Disagree / Unsure.

Q1a. My organization assesses the impact that cloud services may have on the ability to protect and secure confidential or sensitive information.
    Agree: 47%   Disagree: 40%   Unsure: 13%

Q1b. My organization uses cloud-based software and/or platforms that are thoroughly vetted for security risks.
    Agree: 44%   Disagree: 41%   Unsure: 15%

Q1c. My organization is vigilant in conducting audits or assessments of cloud resources before deployment.
    Agree: 39%   Disagree: 44%   Unsure: 17%

Q1d. My organization is proactive in assessing information that is too sensitive to be stored in the cloud.
    Agree: 40%   Disagree: 41%   Unsure: 19%

Q1e. My organization has 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud.
    Agree: 23%   Disagree: 42%   Unsure: 35%

Q1f. My organization’s information security department is most responsible for securing our organization’s safe use of cloud resources.
    Agree: 33%   Disagree: 31%   Unsure: 36%

Q1g. In my organization, cloud services provide a more secure data processing environment than on-premises.
    Agree: 49%   Disagree: 32%   Unsure: 19%

Q1h. My organization’s IT leaders are concerned about the security of cloud resources.
    Agree: 38%   Disagree: 34%   Unsure: 28%

Q1i. My organization’s line of business (LOB) leaders are concerned about the security of cloud resources.
    Agree: 20%   Disagree: 44%   Unsure: 36%

Q1j. Compliance with emerging data protection regulations (such as PCI DSS, HIPAA, NIST, GDPR) is a main driver to my organization’s migration to the cloud ecosystem.
    Agree: 38%   Disagree: 31%   Unsure: 31%

Q1k. My organization’s sensitive or confidential data is more secure in the cloud environment than on-premises.
    Agree: 28%   Disagree: 43%   Unsure: 29%


Line of business sample

Each statement is followed by three percentages: Strongly agree and Agree / Strongly disagree and Disagree / Unsure.

Q1a. My organization assesses the impact that cloud services may have on the ability to protect and secure confidential or sensitive information.
    Agree: 35%   Disagree: 39%   Unsure: 26%

Q1b. My organization uses cloud-based software and/or platforms that are thoroughly vetted for security risks.
    Agree: 40%   Disagree: 43%   Unsure: 17%

Q1c. My organization is vigilant in conducting audits or assessments of cloud resources before deployment.
    Agree: 29%   Disagree: 43%   Unsure: 28%

Q1d. My organization is proactive in assessing information that is too sensitive to be stored in the cloud.
    Agree: 37%   Disagree: 44%   Unsure: 19%

Q1e. My organization has 360 degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud.
    Agree: 18%   Disagree: 44%   Unsure: 38%

Q1f. My organization’s information security department is most responsible for securing our organization’s safe use of cloud resources.
    Agree: 25%   Disagree: 39%   Unsure: 36%

Q1g. In my organization, cloud services provide a more secure data processing environment than on-premises.
    Agree: 45%   Disagree: 34%   Unsure: 21%

Q1h. My organization’s IT leaders are concerned about the security of cloud resources.
    Agree: 36%   Disagree: 38%   Unsure: 26%

Q1i. My organization’s line of business (LOB) leaders are concerned about the security of cloud resources.
    Agree: 41%   Disagree: 35%   Unsure: 24%

Q1j. Compliance with emerging data protection regulations (such as PCI DSS, HIPAA, NIST, GDPR) is a main driver to my organization’s migration to the cloud ecosystem.
    Agree: 48%   Disagree: 23%   Unsure: 29%

Q1k. My organization’s sensitive or confidential data is more secure in the cloud environment than on-premises.
    Agree: 46%   Disagree: 27%   Unsure: 27%


Please contact [email protected] or call us at 800.887.3118 if you have any questions.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.