The Global State of Information Security Survey 2015 Cyber risks: a severe & present danger 2 Cybersecurity is now a persistent business risk • Businesses are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries • Sophisticated attackers will continue to stay ahead of the mainstream defensive technologies we deploy • Disruptive technologies will continue to challenge security efforts • Demand for expertise - shortage of supply • Impact has extended to the C-suite and the Boardroom Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 3 And the risks go beyond just devices • Global security incidents are outpacing even the fastest growing economies and technologies • New regulations from the SEC and other regulatory bodies creating new demands upon enterprises • EU Data Protection Regulation updating in 2015 to include breach notification • NIST Cybersecurity Framework Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 4 More competition for solutions = more confusion for buyers Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 5 Incidents & financial impact continue to soar 6 Continued year-over-year rise is no surprise Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 7 Financial losses increase apace A Center for Strategic and International Studies found difficulties in estimating financial impact but estimated that the annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion. Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually Many losses go unreported or are poorly measured Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 8 C O S T O F I N C I D E N T S Insight is critical Small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Mediumsize organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before. Does anyone really believe that losses at small companies fell? Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 9 Employees are the most-cited culprits of incidents Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 10 Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 11 Who are the culprits? Insiders? Outsiders? Both? 12 Insiders and ecosystem risks Way, way in debt! On a Performance Improvement Plan Just got a job offer from your competitor Likes to review sales forecasts while waiting for a flight • • Businesses with 1,000+ employees view Insiders as the great risk Businesses with fewer than 1,000 employees view outsiders as the greatest risk Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 Just copied your sales database to a USB drive, just in case Prefers to work remotely – from Starbucks Lost his companyissued Blackberry – forgot to tell you Found out Jay Z is a patient where she works – checking it out Why do insiders commit crimes? 1. Financial gain 2. Curiosity 3. Revenge 13 Domestic intelligence: a new source of concern While the Edward Snowden affair has turned attention to the NSA, it’s also raised interest on the general concerns outside the U.S. about domestic surveillance by non-U.S. government agencies. Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 14 Insider threats are not sufficiently addressed • Awareness training would address the most common insider threats • But, most businesses don’t do awareness training • Threats include people clicking links, phishing e-mails, lost laptops, lost USB drive, etc. • It’s important to understand the motivations of insiders: security incidents are most often driven by greed or financial need and they exhibit precursor characteristics that we should be looking for • Long standing finding: insiders who exhibit precursor findings should be subjected to additional monitoring Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 15 As incidents rise, security spending falls 16 Average security budgets decrease slightly, reversing a three-year trend Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 17 But company size matters Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 18 Top spending priorities Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 19 Declines in fundamental security practices 20 Security practices must keep pace with constantly evolving threats and security requirements, but many fundamentals remain to be adopted. Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 21 Does the Board care? Sometimes Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 22 Evolving from security to cyber risk management 23 Risk Issues Touch Every Aspect of the Business 76% of enterprises have someone in the CSO/CISO role CPO Privacy CMO Intellectual Property & Brand Protection Business/Competitive Intelligence CIO HR Infosecurity RISK ISSUES CFO Investigations and Background Checks Ethics Legal Fraud Prevention Loss Prevention Regulatory Compliance Safety/OSHA COO Physical Security Business Continuity Source: 2013 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2012 24 Pressing issues for CSOs 1. 2. 3. 4. New technologies Finding people Partner security Getting actionable intelligence from your security systems 5. External attacks The emerging issues 1. 2. 3. 4. 5. Demands from the Board New technologies Shadow IT Demand from business partners Internal threats Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 25 Driving this is the 3rd Platform – The SMAC Stack Social Mobile Analytics Cloud Source: IDC 26 3rd Platform – moving to Transformed Experiences Copyright 2014 IDC 27 Disruptive Technologies Require Security…yet security is often an afterthought behind urgency to implement 27% Technology-as-a-service (cloud) 24% Increasingly mobile workforce 21% Bring Your Own Device (BYOD) 14% Social media/Networking 10% Big data None of the above 5% Q. In your opinion, which of the following major trends will have the most profound effect on the role of the security professional in the future? Source: State of the CSO Survey, CSO magazine, 2014 28 What do CSO’s expect from vendors? Importance of Vendor Attributes Vendor offers deep expertise in this area Products fill a need Solutions are scalable Vendor is financially stable Vendor understands my business Vendor has good reference accounts Vendor educates about where the market is going 0 1 2 Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 3 4 5 6 29 Where security vendors fall down… Products don’t live up to their marketing hype 78% Product implementation costs were significantly higher than expected 70% Licensing demands outstripped our resources (money or people) Vendor dropped support for the product we purchased Other Product actually exposed the business to additional vulnerabilities 39% 26% 23% 18% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 30 Verbatims… "fog of more" -- new tools and technology need to provide actionable results that scale within the organization product manpower and training requirements were completely misrepresented. Implementation not done efficently expertise in new environments (cloud) is advertised, but not there in the end. Operational requirements were significantly higher than vendor represented Implementation architecture is an issue Too many cold calls and spam e-mails Missed release dates Support issues after purchase completed Too long to implement given some complexity. Too complex to absorb Lack of trust in what they say they will deliver Most vendors are moving to subscription model which is not scalable for most businesses. I believe this will actually hurt their business in the long run Integration inadequate in house or channel technical expertise Product failed to work correctly in a complex environment Incorrectly configured or deployed led to not realizing the full business value Integration, data feed requirements & configuration complexity significantly under stated & estimated Professional services are not able to execute as expected Lack of unilateral integration and ability to utilize data from other technology. demand outpaced vendor support capabilities, they just care to sell. No support. Vendor acquired and expected support faltered Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 31 The 10 Cardinal Rules for Information Security Vendors 1. Understand what your solution does, how it works with everything else, and then sell the hell out of it 2. Understand what your solution does not do 3. Don’t ever over-hype what your product does – there is no magic bullet in security 4. Understand your product roadmap 5. Know your customer & what their unique challenges are 6. If you can’t explain what your solution does in 30 seconds, you have a problem 7. If you can’t explain what your solution does in three sentences on your website, you have a problem 8. Strike while the iron is hot 9. Sell high. They may kick you downstairs but you need leadership’s buy-in 10. Always be partnering with other solutions providers Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 32 The 11 Cardinal Rules for Information Security Marketers 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Understand what your solution does, and does not do not do Don’t ever over-hype what your solutions do – there is no magic bullet in security Be crystal clear in your messaging Buyers like snarky ads, but make sure there is substance Security professionals are professional cynics and paranoids – back up your claims with proof Engage with your target audience, the way they want to be engaged - and on their schedule Know your customers & what their unique challenges are If you can’t explain what your solution does in 30 seconds, you have a problem If you can’t explain what your solution does in three sentences on your website, you have a problem Leverage what you hear in the media – breaches, etc. Target your message to the audience your speaking to: for leadership, security is a business issue, not an IT issue – for technical staff, security is about integration Source: Global State of Information Security Survey 2015, PwC, CIO magazine, CSO, September 2014 33 How long is the window of opportunity open? Home Depot learned that the hard way. Vendors need to move with urgency and purpose. 34 Questions? Bob Bragdon VP/Publisher, CSO IDG Enterprise bbragdon@cxo.com @Bob_Bragdon www.CSOonline.com (M) 508-250-6412 35