The Global State of Information Security Survey 2015mkting.csoonline.com/pdf/GISS 2015...


Page 1: The Global State of Information Security Survey 2015mkting.csoonline.com/pdf/GISS 2015 results.pdf · And the risks go beyond just devices • Global security incidents are outpacing


Cyber risks: a severe & present danger


Cybersecurity is now a persistent business risk

• Businesses are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries

• Sophisticated attackers will continue to stay ahead of the mainstream defensive technologies we deploy

• Disruptive technologies will continue to challenge security efforts

• Demand for expertise - shortage of supply

• Impact has extended to the C-suite and the Boardroom

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


And the risks go beyond just devices

• Global security incidents are outpacing even the fastest growing economies and technologies

• New regulations from the SEC and other regulatory bodies creating new demands upon enterprises

• EU Data Protection Regulation updating in 2015 to include breach notification

• NIST Cybersecurity Framework

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


More competition for solutions = more confusion for buyers

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Incidents & financial impact continue to soar


Continued year-over-year rise is no surprise

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Financial losses increase apace

The Center for Strategic and International Studies found difficulties in estimating financial impact but estimated that the annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion.

Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually

Many losses go unreported or are poorly measured

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Insight is critical

Small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Medium-size organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before.

Does anyone really believe that losses at small companies fell?

[Chart: Cost of incidents]

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Employees are the most-cited culprits of incidents

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Who are the culprits? Insiders? Outsiders? Both?


Insiders and ecosystem risks

• On a Performance Improvement Plan

• Just got a job offer from your competitor

• Likes to review sales forecasts while waiting for a flight

• Just copied your sales database to a USB drive, just in case

• Prefers to work remotely – from Starbucks

• Lost his company-issued Blackberry – forgot to tell you

• Found out Jay Z is a patient where she works – checking it out

• Way, way in debt!

• Businesses with 1,000+ employees view insiders as the greatest risk

• Businesses with fewer than 1,000 employees view outsiders as the greatest risk

Why do insiders commit crimes?

1. Financial gain

2. Curiosity

3. Revenge

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Domestic intelligence: a new source of concern

While the Edward Snowden affair has turned attention to the NSA, it’s also raised interest in the general concerns outside the U.S. about domestic surveillance by non-U.S. government agencies.

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Insider threats are not sufficiently addressed

• Awareness training would address the most common insider threats

• But, most businesses don’t do awareness training

• Threats include people clicking links, phishing e-mails, lost laptops, lost USB drives, etc.

• It’s important to understand the motivations of insiders: security incidents are most often driven by greed or financial need and they exhibit precursor characteristics that we should be looking for

• Long-standing finding: insiders who exhibit precursor findings should be subjected to additional monitoring

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


As incidents rise, security spending falls


Average security budgets decrease slightly, reversing a three-year trend

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


But company size matters

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Top spending priorities

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Declines in fundamental security practices


Security practices must keep pace with constantly evolving threats and security requirements, but many fundamentals remain to be adopted.

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Does the Board care? Sometimes

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Evolving from security to cyber risk management


Risk Issues Touch Every Aspect of the Business

76% of enterprises have someone in the CSO/CISO role

RISK ISSUES

• CMO: Intellectual Property & Brand Protection; Business/Competitive Intelligence

• HR: Investigations and Background Checks; Ethics

• Legal: Regulatory Compliance; Safety/OSHA

• COO: Physical Security; Business Continuity

• CFO: Fraud Prevention; Loss Prevention

• CIO: Infosecurity

• CPO: Privacy

Source: 2013 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2012


Pressing issues for CSOs

1. New technologies

2. Finding people

3. Partner security

4. Getting actionable intelligence from your security systems

5. External attacks

The emerging issues

1. Demands from the Board

2. New technologies

3. Shadow IT

4. Demand from business partners

5. Internal threats

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Driving this is the 3rd Platform – The SMAC Stack

Social

Mobile

Analytics

Cloud

Source: IDC


3rd Platform – moving to Transformed Experiences

Copyright 2014 IDC


Disruptive Technologies Require Security…yet security is often an afterthought behind urgency to implement

Q. In your opinion, which of the following major trends will have the most profound effect on the role of the security professional in the future?

Source: State of the CSO Survey, CSO magazine, 2014

• None of the above: 5%

• Big data: 10%

• Social media/Networking: 14%

• Bring Your Own Device (BYOD): 21%

• Increasingly mobile workforce: 24%

• Technology-as-a-service (cloud): 27%


What do CSOs expect from vendors?

[Chart: Importance of Vendor Attributes, axis 0 to 6]

• Vendor educates about where the market is going

• Vendor has good reference accounts

• Vendor understands my business

• Vendor is financially stable

• Solutions are scalable

• Products fill a need

• Vendor offers deep expertise in this area

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Where security vendors fall down…

• Product actually exposed the business to additional vulnerabilities: 18%

• Other: 23%

• Vendor dropped support for the product we purchased: 26%

• Licensing demands outstripped our resources (money or people): 39%

• Product implementation costs were significantly higher than expected: 70%

• Products don’t live up to their marketing hype: 78%

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


Verbatims…

"fog of more" -- new tools and technology need to provide actionable results that scale within the organization

product manpower and training requirements were completely misrepresented.

Implementation not done efficiently

expertise in new environments (cloud) is advertised, but not there in the end.

Operational requirements were significantly higher than vendor represented

Implementation architecture is an issue

Too many cold calls and spam e-mails

Missed release dates

Support issues after purchase completed

Too long to implement given some complexity.

Too complex to absorb

Lack of trust in what they say they will deliver

Most vendors are moving to subscription model which is not scalable for most businesses. I believe this will actually hurt their business in the long run

Integration

inadequate in house or channel technical expertise

Product failed to work correctly in a complex environment

Incorrectly configured or deployed led to not realizing the full business value

Integration, data feed requirements & configuration complexity significantly understated & estimated

Professional services are not able to execute as expected

Lack of unilateral integration and ability to utilize data from other technology.

demand outpaced vendor support capabilities, they just care to sell. No support.

Vendor acquired and expected support faltered

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


The 10 Cardinal Rules for Information Security Vendors

1. Understand what your solution does, how it works with everything else, and then sell the hell out of it

2. Understand what your solution does not do

3. Don’t ever over-hype what your product does – there is no magic bullet in security

4. Understand your product roadmap

5. Know your customer & what their unique challenges are

6. If you can’t explain what your solution does in 30 seconds, you have a problem

7. If you can’t explain what your solution does in three sentences on your website, you have a problem

8. Strike while the iron is hot

9. Sell high. They may kick you downstairs but you need leadership’s buy-in

10. Always be partnering with other solutions providers

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


The 11 Cardinal Rules for Information Security Marketers

1. Understand what your solution does, and does not do

2. Don’t ever over-hype what your solutions do – there is no magic bullet in security

3. Be crystal clear in your messaging

4. Buyers like snarky ads, but make sure there is substance

5. Security professionals are professional cynics and paranoids – back up your claims with proof

6. Engage with your target audience, the way they want to be engaged - and on their schedule

7. Know your customers & what their unique challenges are

8. If you can’t explain what your solution does in 30 seconds, you have a problem

9. If you can’t explain what your solution does in three sentences on your website, you have a problem

10. Leverage what you hear in the media – breaches, etc.

11. Target your message to the audience you’re speaking to: for leadership, security is a business issue, not an IT issue – for technical staff, security is about integration

Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014


How long is the window of opportunity open? Home Depot learned that the hard way. Vendors need to move with urgency and purpose.


Bob Bragdon

VP/Publisher, CSO

IDG

@Bob_Bragdon

www.CSOonline.com

(M) 508-250-6412

Questions?