The Need for a New IT Security Architecture: Global Study

Ponemon Institute© Research Report

Sponsored by Citrix Independently conducted by Ponemon Institute LLC Publication Date: January 2017

Ponemon Institute© Research Report Page 1

The Need for a New IT Security Architecture: Global Study Ponemon Institute, January 2017

Part 1. Introduction The Need for a New IT Security Architecture: Global Study sponsored by Citrix and conducted by Ponemon Institute reveals global trends in IT security risks and reasons why security practices and policies need to evolve in order to deal with threats from disruptive technologies, cyber crime and compliance. Changes in the workplace and problems managing IT security are also increasing risks to the organization. We surveyed 4,268 IT and IT security practitioners in Australia/New Zealand, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, Netherlands, United Arab Emirates, United Kingdom and the United States. The consolidated findings are presented in this report. This is the first of three reports that present the findings of this global study. In this report, we discuss the findings that concern risks created by cyber crime, employee negligence and organizational dysfunction and the technologies respondents believe are most effective at dealing with these risks. Organizations are concerned they will not be able to manage emerging risks because of outdated security solutions. As shown in Figure 1, 69 percent of respondents say their organization’s existing security solutions are outdated and inadequate. What is needed, according to 74 percent of respondents, is a new IT security framework to improve their security posture and reduce risk. A new strategy is especially important in order to manage such potential risks from the Internet of Things (75 percent of respondents). Figure 1. Why companies are at risk Strongly agree and Agree responses combined

69%

74%

75%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Some of our organization’s existing security solutions are outdated and inadequate

A new IT security framework is needed to improve our security posture and reduce risk

My organization is not fully prepared to deal with potential security risks resulting from the

“Internet of Things”

Ponemon Institute© Research Report Page 2

Trends in IT security risk We asked respondents to rate the potential negative impact of eight cyber crime risks, 10 human factor risks and seven organizational factor risks on a scale from 1 = no negative impact to 10 = significant negative impact. Shown in the figures below are the most significant risks (7+ responses) rated by participants in this research. The findings reveal that most risks, with the exception of globalization of the workforce, are very significant. The top cyber crime risks are nation state attackers (80 percent of respondents), breaches involving high-value information such intellectual property and trade secrets (79 percent of respondents), malicious or criminal insiders (76 percent of respondents) and cyber warfare or cyber terrorism (76 percent of respondents). Figure 2. Trends in cyber crime risk 7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

62%

71%

72%

72%

76%

76%

79%

80%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Emergence of cyber syndicates

Emergence of hacktivism (i.e., activist-motivated hacking attempts)

Stealth and sophistication of cyber attackers

Breaches involving large volumes of data

Cyber warfare or cyber terrorism

Malicious or criminal insiders

Breaches involving high-value information

Nation state attackers

Ponemon Institute© Research Report Page 3

The workplace is changing and so are the human factor risks. While 81 percent of respondents are concerned about the inability to hire and retain security staff with knowledge and credential, employee behaviors are creating risks that pose a significant risk. These are employee complacency about security (74 percent of respondents), lack of employee awareness of security practices (72 percent of respondents) and the inability to control employees’ devices and apps (71 percent of respondents). Figure 3. Trends in the human factor risk 7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

42%

62%

62%

66%

67%

71%

71%

72%

74%

81%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Globalization of workforce

Inability to enforce employees' compliance with policies

Contract workers

More employees working outside the office

More millenials in the workplace

Automation replaces employees

Inability to control employees' devices and apps

Lack of employee awareness of security practices

Employee complacency about security

Insufficient security staff with knowledge and credentials

Ponemon Institute© Research Report Page 4

Complexity of business and IT operations is a significant security risk. According to 83 percent of respondents, too much complexity is making organizations more vulnerable to security threats. Other trends are the growth of data assets (78 percent of respondents) and the process of integrating third parties into internal networks and applications. Figure 4. Trends in the organizational factor risk 7+ responses on a scale of 1 = no negative impact to 10 = significant negative impact

67%

67%

74%

76%

76%

78%

83%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Lack of funding to support cyber defense

Inability to integrate disparate technologies

Inability to secure access rights

Silos and the lack of collaboration between IT security and lines of business

Integration of third parties into internal networks and applications

Growth of data assets

Complexity of business and IT operations

Ponemon Institute© Research Report Page 5

Certain technologies are needed for a new IT security infrastructure. As discussed above, respondents believe their organizations’ IT security solutions are outdated and failing to mitigate the risks of cyber crime, employee behavior and organizational problems. We asked respondents to rate the importance of technologies on a scale from 1 = low importance to 10 = high importance. Shown in Figure 5 are the 7+ responses. The most important technologies are identity & access management (78 percent of respondents), machine learning (77 percent of respondents) and configuration & log management (76 percent of respondents). Figure 5. The most important technologies for a new IT security infrastructure 1 = low importance to 10 = high importance, 7 + responses reported

70%

72%

72%

73%

73%

76%

77%

78%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Big data analytics

Application management

Anti-virus & anti-malware

SIEM and security intelligence

Data management

Configuration & log management

Machine learning

Identity & access management

Ponemon Institute© Research Report Page 6

Part 2. Methods A sampling frame composed of 119,088 IT and IT security practitioners in Australia/New Zealand, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, Netherlands, United Arab Emirates, United Kingdom and the United States were selected for participation in this survey. As shown in Table 1, 4,917 respondents completed the survey. Screening removed 649 respondent surveys. The final sample was 4,268 respondent surveys (or a 3.6 percent response rate). Table 1. Sample response Freq Pct% Total sampling frame 119,088 100.0% Total returns 4,917 4.1% Rejected surveys 649 0.5% Final sample 4,268 3.6%

Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, more than half of the respondents (56 percent) are at or above the supervisory levels. Pie Chart 1. Position level within the organization

As shown in Pie Chart 2, 54 percent of respondents report directly to the CIO, 18 percent report to the CISO and 7 percent report to the CTO. Pie Chart 2. The primary person reported to within the organization

2% 2%

15%

22%

15%

32%

8% 3% 1%

Senior Executive Vice President Director Manager Supervisor Technician Associate/Staff Consultant Other

54%

18%

7%

5%

4% 3%

3% 2% 2% 2% Chief Information Officer

Chief Information Security Officer

Chief Technology Officer

Chief Risk Officer

Chief Security Officer

Director of Internal Audit

Compliance Officer

Chief Financial Officer

General Counsel

Other

Ponemon Institute© Research Report Page 7

Pie Chart 3 reports the primary industry focus of respondents’ organizations. This chart identifies financial services (16 percent of respondents) as the largest segment, followed by health and pharmaceuticals (10 percent of respondents) and public sector (10 percent of respondents). Pie Chart 3. Primary industry focus

According to Pie Chart 4, 47 percent of the respondents are from organizations with a global headcount of more than 5,000 employees. Pie Chart 4. Worldwide headcount of the organization

16%

10%

10%

9% 9%

8%

8%

7%

6%

5%

4% 2% 2% 3%

Financial services Health & pharmaceutical Public sector Industrial & manufacturing Retail Technology & software Services Energy & utilities Consumer products Hospitality & leisure Communications Entertainment & media Transportation Education & research Other

13%

16%

23%

23%

15%

6% 3%

Less than 100

100 to 500

501 to 5,000

5,001 to 10,000

10,001 to 25,000

25,001 to 75,000

More than 75,000

Ponemon Institute© Research Report Page 8

Please write to research@ponemon.org or call 800.877.3118 if you have any questions.

Ponemon Institute

Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advance responsible information and privacy-management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.