The Global State of
Information Security
Survey 2015
Cyber risks: a severe & present danger
Cybersecurity is now a persistent business risk
• Businesses are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries
• Sophisticated attackers will continue to stay ahead of the mainstream defensive technologies we deploy
• Disruptive technologies will continue to challenge security efforts
• Demand for expertise - shortage of supply
• Impact has extended to the C-suite and the Boardroom
Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014
And the risks go beyond just devices
• Global security incidents are outpacing even the fastest growing economies and technologies
• New regulations from the SEC and other regulatory bodies are creating new demands upon enterprises
• EU Data Protection Regulation updating in 2015 to include breach notification
• NIST Cybersecurity Framework
More competition for solutions = more confusion for buyers
Incidents & financial impact continue to soar
Continued year-over-year rise is no surprise
Financial losses increase apace
• A Center for Strategic and International Studies report found difficulties in estimating financial impact but estimated that the annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion.
• Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually
• Many losses go unreported or are poorly measured
Cost of incidents
Insight is critical
Small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Medium-size organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before.
Does anyone really believe that losses at small companies fell?
Employees are the most-cited culprits of incidents
Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate
Who are the culprits? Insiders? Outsiders? Both?
Insiders and ecosystem risks
• Businesses with 1,000+ employees view insiders as the greatest risk
• Businesses with fewer than 1,000 employees view outsiders as the greatest risk
Insider profiles pictured on the slide:
• Way, way in debt!
• On a Performance Improvement Plan
• Just got a job offer from your competitor
• Likes to review sales forecasts while waiting for a flight
• Just copied your sales database to a USB drive, just in case
• Prefers to work remotely – from Starbucks
• Lost his company-issued Blackberry – forgot to tell you
• Found out Jay Z is a patient where she works – checking it out
Why do insiders commit crimes?
1. Financial gain
2. Curiosity
3. Revenge
Domestic intelligence: a new source of concern
While the Edward Snowden affair has turned attention to the NSA, it’s also raised interest in the general concerns outside the U.S. about domestic surveillance by non-U.S. government agencies.
Insider threats are not sufficiently addressed
• Awareness training would address the most common insider threats
• But most businesses don’t do awareness training
• Threats include people clicking links, phishing e-mails, lost laptops, lost USB drives, etc.
• It’s important to understand the motivations of insiders: security incidents are most often driven by greed or financial need, and insiders exhibit precursor characteristics that we should be looking for
• Long-standing finding: insiders who exhibit precursor characteristics should be subjected to additional monitoring
As incidents rise, security spending falls
Average security budgets decrease slightly, reversing a three-year trend
But company size matters
Top spending priorities
Declines in fundamental security practices
Security practices must keep pace with constantly evolving threats and security requirements, but many fundamentals remain to be adopted.
Does the Board care? Sometimes
Evolving from security to cyber risk management
Risk Issues Touch Every Aspect of the Business
76% of enterprises have someone in the CSO/CISO role
Risk issues span the executive roles pictured on the slide (CPO, CMO, CIO, HR, CFO, Legal, COO):
• Privacy
• Intellectual Property & Brand Protection
• Business/Competitive Intelligence
• Infosecurity
• Investigations and Background Checks
• Ethics
• Fraud Prevention
• Loss Prevention
• Regulatory Compliance
• Safety/OSHA
• Physical Security
• Business Continuity
Source: 2013 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2012
Pressing issues for CSOs
1. New technologies
2. Finding people
3. Partner security
4. Getting actionable intelligence from your security systems
5. External attacks
The emerging issues
1. Demands from the Board
2. New technologies
3. Shadow IT
4. Demand from business partners
5. Internal threats
Driving this is the 3rd Platform – The SMAC Stack
Social
Mobile
Analytics
Cloud
Source: IDC
3rd Platform – moving to Transformed Experiences
Copyright 2014 IDC
Disruptive Technologies Require Security…yet security is often an afterthought behind urgency to implement
Q. In your opinion, which of the following major trends will have the most profound effect on the role of the security professional in the future?
• Technology-as-a-service (cloud): 27%
• Increasingly mobile workforce: 24%
• Bring Your Own Device (BYOD): 21%
• Social media/Networking: 14%
• Big data: 10%
• None of the above: 5%
Source: State of the CSO Survey, CSO magazine, 2014
What do CSOs expect from vendors?
Importance of Vendor Attributes (rated on a scale of 0 to 6):
• Vendor offers deep expertise in this area
• Products fill a need
• Solutions are scalable
• Vendor is financially stable
• Vendor understands my business
• Vendor has good reference accounts
• Vendor educates about where the market is going
Where security vendors fall down…
• Products don’t live up to their marketing hype: 78%
• Product implementation costs were significantly higher than expected: 70%
• Licensing demands outstripped our resources (money or people): 39%
• Vendor dropped support for the product we purchased: 26%
• Other: 23%
• Product actually exposed the business to additional vulnerabilities: 18%
Verbatims…

"fog of more" -- new tools and technology need to provide actionable results that scale within the organization

product manpower and training requirements were completely misrepresented.

Implementation not done efficiently

expertise in new environments (cloud) is advertised, but not there in the end.

Operational requirements were significantly higher than vendor represented

Implementation architecture is an issue

Too many cold calls and spam e-mails

Missed release dates

Support issues after purchase completed

Too long to implement given some complexity.

Too complex to absorb

Lack of trust in what they say they will deliver

Most vendors are moving to subscription model which is not scalable for most businesses. I believe this will actually hurt their business in the long run

Integration

inadequate in house or channel technical expertise

Product failed to work correctly in a complex environment

Incorrectly configured or deployed led to not realizing the full business value

Integration, data feed requirements & configuration complexity significantly understated & estimated

Professional services are not able to execute as expected

Lack of unilateral integration and ability to utilize data from other technology.

demand outpaced vendor support capabilities, they just care to sell. No support.

Vendor acquired and expected support faltered
The 10 Cardinal Rules for Information Security Vendors
1. Understand what your solution does, how it works with everything else, and then sell the hell out of it
2. Understand what your solution does not do
3. Don’t ever over-hype what your product does – there is no magic bullet in security
4. Understand your product roadmap
5. Know your customer & what their unique challenges are
6. If you can’t explain what your solution does in 30 seconds, you have a problem
7. If you can’t explain what your solution does in three sentences on your website, you have a problem
8. Strike while the iron is hot
9. Sell high. They may kick you downstairs but you need leadership’s buy-in
10. Always be partnering with other solutions providers
The 11 Cardinal Rules for Information Security Marketers
1. Understand what your solution does, and does not do
2. Don’t ever over-hype what your solutions do – there is no magic bullet in security
3. Be crystal clear in your messaging
4. Buyers like snarky ads, but make sure there is substance
5. Security professionals are professional cynics and paranoids – back up your claims with proof
6. Engage with your target audience, the way they want to be engaged - and on their schedule
7. Know your customers & what their unique challenges are
8. If you can’t explain what your solution does in 30 seconds, you have a problem
9. If you can’t explain what your solution does in three sentences on your website, you have a problem
10. Leverage what you hear in the media – breaches, etc.
11. Target your message to the audience you’re speaking to: for leadership, security is a business issue, not an IT issue – for technical staff, security is about integration
How long is the window of opportunity open?
Home Depot learned that the hard way. Vendors need to move with urgency and purpose.
Questions?
Bob Bragdon
VP/Publisher, CSO
IDG Enterprise
bbragdon@cxo.com
@Bob_Bragdon
www.CSOonline.com
(M) 508-250-6412