(ISC)2 2015 Global Workforce Study Results
Overview
Regional Report:
Europe, Middle East & Africa
March 23, 2015
Project Background and Objectives
2
Research Background and Objectives
Background
The information security profession continues to undergo shifts as a
result of constantly changing regulatory environment and increasingly
sophisticated and emerging new threats. (ISC)2 has committed itself to
maintaining its leadership role and growing its membership base in key
geographic regions in which it is currently under represented.
Study Objectives
• To obtain feedback from the (ISC)2 members regarding certification,
training and educational requirements for their organizations and
their professional development.
• To identify trends and issues related to information security from
both members and non-member security professionals.
• To understand potential gaps in organizational security.
• To forecast what positions will be most highly sought after in the
next 3 to 5 years.
3
Methods
4
Methods: (ISC)2 Members Survey
• Conducted using an on-line web based survey using the (ISC)2 membership
list.
• Email invitations to complete the survey were sent out to (ISC)2 members
between October 2014 and January 2015.
• Respondents are currently employed directly by a company or organization,
employed as a contractor or work as an independent security consultant.
• A total of 11,208 (ISC)2 members were surveyed between October 2014 and
January 2015.
5
Methods: (ISC)2 Members Survey (Continued)
Sample Size
Care was taken to ensure that the sample taken from the (ISC)2
membership is representative of the current (ISC)2 membership.
An analysis of the (ISC)2 membership list by country population
proportions was undertaken and compared to country level sample
sizes for the (ISC)2 membership survey. The sample sizes by country
are representative of the total population proportions by country.
Technical Note
The sample in this study is not designed to reflect the universe of all
public and private organizations for security professionals, and the
results should not be projected across the entire population.
Note: Due to rounding errors, percentages in charts and tables, may not sum to 100.
6
Methods: (ISC)2 Members Survey (Continued)
A total of 11,208 (ISC)2 members were surveyed between October 2014 and January 2015 by Frost &
Sullivan. The table below shows the sample size by region.
Region
(Horizontal %)
Sub-Region
Worldwide
Americas
EMEA
APAC
Number of Respondents
11,208
6,793
2,736
1,679
Percentage
100%
61%
24%
12%
Americas
Latin America
282
3%
4%
-
-
North America
6,511
58%
96%
-
-
139
1%
-
5%
-
2,365
21%
-
86%
-
232
2%
-
9%
-
1,431
13%
-
-
85%
248
2%
-
-
15%
EMEA
Africa
Europe
Middle East
APAC
Asia
Oceania
7
Methods: Non-Members Survey
Respondents had the following roles and responsibilities related to IT security:
• Hire or manage IT security professionals and look for security related
credentials in their candidates
• Provide input to IT security-related policies and procedures, or execute their
companies IT security related policies and procedures
• Hold security related credentials or a member of a security-related
organization excluding (ISC)2
A total of 2,722 non-members were surveyed between October 2014 and
January 2015 by Frost & Sullivan.
8
Methods: Non-Members Survey (Continued)
A total of 2,722 non-members were surveyed between October 2014 and January 2015 by Frost &
Sullivan. The table below shows the sample size by region.
Region
(Horizontal %)
Sub-Region
Worldwide
Americas
EMEA
APAC
Number of Respondents
2,722
1536
701
485
Percentage
100%
56%
26%
18%
7%
50%
12%
-
-
88%
-
-
6%
17%
4%
-
22%
-
-
65%
-
-
14%
-
16%
2%
-
-
90%
-
-
10%
Americas
Latin America
178
North America
1,358
EMEA
Africa
152
Europe
453
Middle East
96
Asia
435
Oceania
50
APAC
9
Respondent Profile
10
South Africa
Data privacy
professional
Information
security
practitioner
United Kingdom
Software
development
professional
Information
technology
auditor
Germany
Information
assurance
professional
France
Cyber
security or
risk
professional
EMEA
Information
security
engineer
17%
13%
11%
9%
11%
16%
18%
13%
19%
16%
32%
17%
14%
17%
9%
7%
10%
5%
5%
5%
7%
9%
7%
9%
6%
9%
5%
8%
4%
2%
0
2%
5%
1%
3%
3%
4%
7%
2%
2%
3%
7%
3%
2%
1%
1%
2%
3%
1%
2%
1%
1%
1%
2%
2%
2%
1%
1%
1%
1%
1%
0
0%
40%
44%
46%
41%
47%
51%
37%
Worldwide
Security/IT
consultant
Information
technology
professional
Information
security
professional
Job Function
Information security professional is the most common job function globally, and the largest proportion
from across EMEA identify this role as their primary job function.
Job Function
Middle East
Base: All 2015 worldwide respondents (n=13,930). `
Q1a. Which of the following most closely represents your present job function?
Source: Frost & Sullivan
11
Job Title
While globally security analysts and security consultants are equally common, in EMEA the security
consultant job title is most common. This trend is driven by the UK, where this title is more than twice
as common than any others.
Job Title
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Network
administrator
Security
advisor
Security
architect
(products,
solution)
Security
engineer
(planning,
design)
Security
architect
(consulting)
Information
Assurance
Manager
Security
auditor
CSO/CISO/C
IAO
Security
consultant
(managemen
t)
Security
analyst
10%
6%
3%
8%
8%
7%
4%
9%
13%
11%
10%
18%
15%
13%
6%
8%
13%
9%
5%
7%
9%
5%
5%
7%
2%
3%
4%
8%
4%
3%
1%
6%
5%
1%
4%
4%
7%
5%
7%
9%
3%
5%
4%
3%
1%
3%
2%
5%
5%
4%
5%
11%
3%
3%
5%
4%
4%
6%
7%
9%
6%
3%
2%
3%
3%
3%
2%
1%
1%
5%
Worldwide
Base: All 2015 worldwide respondents (n=13,930).
Q7c. Which one of the following job titles or categories best describes your current position?
Source: Frost & Sullivan
12
Satisfaction With Current Position
Overall, satisfaction levels are relatively consistent throughout EMEA, with France more likely to report
that they are somewhat satisfied and less likely to be very satisfied compared with other countries in
the region.
Satisfaction With Current Position
Very satisfied
United Kingdom
11%
11%
14%
10%
11%
16%
11%
Germany
Somewhat satisfied
South Africa
Neither satisfied nor Somewhat dissatisfied
dissatisfied
Middle East
3%
2%
4%
1%
3%
3%
2%
France
9%
9%
8%
10%
11%
6%
9%
EMEA
46%
47%
56%
43%
47%
47%
46%
30%
28%
18%
33%
26%
25%
29%
Worldwide
Very dissatisfied
Base: All 2015 worldwide respondents (n=13,930).
Q10c. Overall, how satisfied are you in your current position?
Source: Frost & Sullivan
13
Professional Area
Globally, information security is the most commonly reported professional area. The trend is slightly
less common in Germany, where professionals are less likely to report that they work in information
security.
Professional Area
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Marketing
Finance
Sales/busine
ss
development
Software
development
Security
solutions and
product sales
Business
operations
Telecommun
ications
Engineering
IT auditor
Systems
administratio
n
IT consultant
IT
management
IT operations
Information
security
46%
43%
33%
46%
38%
54%
50%
41%
39%
19%
38%
33%
46%
49%
35%
42%
38%
46%
38%
36%
44%
35%
30%
25%
31%
27%
41%
32%
27%
30%
39%
25%
23%
24%
36%
19%
17%
33%
22%
13%
8%
17%
18%
22%
28%
31%
17%
19%
20%
17%
17%
9%
16%
14%
22%
22%
16%
22%
25%
20%
17%
32%
26%
14%
12%
12%
12%
11%
14%
8%
5%
6%
4%
7%
5%
9%
6%
4%
5%
3%
2%
5%
7%
6%
2%
2%
2%
1%
1%
3%
3%
82%
82%
92%
70%
85%
89%
80%
Worldwide
Base: All 2015 worldwide respondents (n=13,930). `
Q8. Would you consider yourself to be a professional in any of the following areas? Please select all that apply to you.
Source: Frost & Sullivan
14
South Africa
Sales
consulting
Software
development
United Kingdom
Security
solutions/sal
es
Incident
response
Germany
Vulnerability
assessment
and
penetratio…
Security
leadership
France
Researching
new
technologies
EMEA
Provide
advice on
security to
customers
Worldwide
Security
operations
Security
management
GRC
50%
50%
54%
43%
59%
60%
50%
45%
50%
49%
58%
52%
49%
55%
42%
38%
29%
34%
39%
45%
47%
39%
43%
44%
50%
50%
44%
30%
32%
29%
21%
29%
31%
43%
30%
29%
28%
25%
28%
35%
25%
32%
27%
25%
19%
23%
28%
26%
28%
26%
26%
20%
23%
25%
28%
30%
12%
16%
13%
17%
14%
22%
18%
10%
8%
4%
8%
7%
11%
6%
5%
7%
6%
5%
5%
11%
5%
Professional Activities
EMEA professionals are equally likely to engage in GRC and security management activities, while
GRC activities are more common globally.
Professional Activities
Middle East
Base: All 2015 worldwide respondents (n=13,930). `
Q9a. Which of the following activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
15
Meeting
regulatory
compliance
United Kingdom
55%
53%
43%
44%
60%
53%
49%
Germany
Developing
internal security
policies,
standards and
procedures
67%
70%
71%
72%
72%
72%
65%
France
Certifying and
monitoring
systems for
compliance
EMEA
43%
32%
23%
31%
39%
39%
39%
57%
61%
64%
66%
57%
60%
69%
47%
36%
44%
51%
24%
Worldwide
Auditing IT
security
compliance
Auditing IT
governance
compliance
37%
37%
GRC Activities
GRC Activities
South Africa
Middle East
Base: Filtered respondents (n=6,975).
Q9b. Which of the following GRC activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
16
Security Leadership Activities
Security Leadership Activities
EMEA
France
Germany
United Kingdom
South Africa
Middle East
46%
33%
Law, ethics, and
incident
management
29%
29%
28%
12%
29%
22%
20%
10%
10%
19%
25%
27%
Contingency
management
Security
compliance
management
40%
65%
62%
40%
63%
Security
lifecycle
management
41%
41%
35%
41%
41%
Security
leadership and
management
59%
66%
67%
65%
83%
85%
83%
87%
83%
92%
84%
Worldwide
Base: Respondents involved in security leadership activities (n=4,074).
Q9c. Which of the following security leadership activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
17
Selling security
to upper
management
57%
56%
41%
46%
South Africa
37%
41%
43%
31%
45%
47%
40%
23%
47%
43%
United Kingdom
Managing
information
security staff
16%
15%
11%
11%
15%
17%
23%
Germany
Managing
external
information
security
awareness
programs
57%
49%
48%
42%
42%
51%
60%
53%
38%
41%
33%
France
Managing
internal
information
security
awareness
programs
Managing
internal or
political issues
EMEA
48%
48%
47%
62%
62%
65%
63%
63%
55%
54%
Worldwide
Participating in
interdepartmental
activities and
cooperation
Gathering
metrics to justify
security
spending
39%
38%
34%
38%
40%
43%
46%
Security Management Activities
Security Management Activities
Middle East
Base: Filtered respondent (n=6,334).
Q9d. Which of the following security management activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
18
Security Operations Activities
Security Operations Activities
Resetting
passwords
12%
9%
6%
3%
6%
9%
16%
Middle East
Physical
security
Patching
systems
South Africa
21%
23%
13%
13%
26%
21%
35%
United Kingdom
41%
40%
30%
36%
42%
51%
45%
Monitoring the
network
Germany
64%
60%
55%
63%
59%
67%
79%
France
Event
management
EMEA
62%
61%
74%
59%
52%
70%
61%
Desktop or
mobile device
management
35%
35%
30%
24%
33%
47%
44%
Worldwide
Base: Respondents involved in security operations activities (n=5,895).
Q9e. Which of the following security operations activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
19
Incident Response Activities
Incident Response Activities
88%
74%
52%
52%
Middle East
34%
35%
50%
40%
41%
South Africa
92%
United Kingdom
93%
Germany
72%
France
86%
EMEA
85%
Worldwide
Forensics
Remediating attacks and malware
Base: Respondents involved in incident response activities (n=5,895).
Q9f. Which of the following incident response activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
20
New Research Technology Activities
New Research Technology Activities
France
Germany
United Kingdom
South Africa
Middle East
Researching new technologies
Security testing new
technologies
Implementing new security
technologies
58%
49%
58%
42%
41%
52%
50%
55%
41%
52%
62%
62%
54%
55%
45%
34%
37%
51%
35%
40%
44%
85%
88%
EMEA
84%
70%
74%
81%
85%
Worldwide
Securing the use of emerging
technologies adopted by your
organization (e.g., BYOD, social
media)
Base: Respondents involved in new technology research activities (n=4,474).
Q9g. Which of the following new technology research activities consume a significant amount of your time? Please select all that apply to you.
Source: Frost & Sullivan
21
South Africa
Mostly
security for
virtualized or
cloud…
Mostly
regulatory
compliance
United Kingdom
Mostly
software
development
Mostly data
security
Germany
Mostly threat
detection
and
remediation
Mostly
auditing
process and
procedures
France
Mostly
network
security
architecture
EMEA
Mostly GRC
(Governance
, Risk and
Compliance)
18%
18%
14%
14%
17%
15%
22%
18%
25%
24%
29%
31%
20%
18%
17%
14%
10%
11%
14%
19%
18%
12%
13%
21%
13%
13%
14%
12%
10%
10%
13%
13%
8%
11%
10%
5%
5%
4%
5%
4%
6%
8%
5%
4%
2%
6%
3%
3%
4%
5%
4%
6%
2%
4%
3%
4%
4%
3%
1%
3%
2%
7%
2%
3%
2%
2%
2%
2%
1%
1%
2%
1%
3%
1%
2%
02%
Worldwide
Mostly
operational
Mostly
security
consulting
Mostly
managerial
Current Primary Responsibility
Globally, professionals are equally likely to be primarily responsible for managerial, consulting or
operational duties, however professionals in EMEA lean more heavily toward security consulting.
Current Primary Responsibility
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q7a. Which one of the following best describes your current primary functional responsibility?
Source: Frost & Sullivan
22
Mostly
maintaining
physical
appliances
South Africa
Mostly
regulatory
compliance
United Kingdom
Mostly
software
development
Germany
Mostly
auditing
process and
procedures
Mostly
security for
virtualized or
cloud…
France
Mostly data
security
Mostly
network
security
architecture
Mostly threat
detection
and
remediation
EMEA
Mostly
operational
27%
28%
22%
20%
23%
34%
39%
18%
25%
23%
27%
31%
23%
16%
14%
14%
22%
16%
14%
19%
14%
10%
7%
3%
8%
9%
3%
7%
8%
7%
6%
8%
6%
6%
8%
5%
4%
4%
6%
3%
3%
3%
4%
3%
8%
2%
4%
1%
3%
4%
4%
4%
4%
3%
4%
4%
3%
3%
6%
4%
2%
1%
2%
3%
2%
1%
1%
2%
3%
1%
3%
2%
2%
1%
2%
1%
2%
0%
0%
0
1%
0%
1%
0%
Worldwide
Mostly GRC
(Governance
, Risk and
Compliance)
Mostly
security
consulting
Mostly
managerial
Future Primary Responsibility
Professionals in EMEA expect to transition into managerial roles or stay in their security consulting
roles.
Future Primary Responsibility
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q7b. Which one of the following best describes what you expect your primary functional responsibility to be in the next two to three years?
Source: Frost & Sullivan
23
South Africa
Internal
auditing
Sales
management
United Kingdom
Governance
or
compliance
Germany
Risk
management
Board of
directors
France
Consulting
EMEA
Operations
or
administratio
n
Worldwide
Security
department
(information
assurance)
Executive
management
(C-level or
equivalent)
IT
department
25%
23%
26%
23%
20%
22%
30%
24%
25%
18%
26%
23%
33%
27%
17%
15%
13%
17%
18%
13%
12%
7%
5%
7%
3%
5%
3%
5%
6%
7%
9%
12%
8%
5%
4%
4%
7%
3%
3%
8%
8%
6%
4%
4%
7%
2%
4%
6%
4%
3%
3%
4%
4%
4%
2%
0%
2%
3%
5%
5%
3%
2%
4%
2%
2%
2%
1%
2%
2%
5%
Reporting Structure
Across EMEA, most report to the IT department or executive management.
Reporting Structure
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q10a. Which one functional area of your organization do you primarily report to?
Source: Frost & Sullivan
24
C-Level Reporting
Among those who report to a C-level manager, most report to a CIO. This is particularly common in
South Africa.
Reporting Structure
EMEA
France
Germany
United Kingdom
South Africa
Middle East
CIO
CEO
COO
CFO
Base: Filtered respondents (n=3,102).
Q10b. Which C-level executive do you primarily report to?
Source: Frost & Sullivan
25
4%
7%
4%
4%
11%
3%
4%
13%
7%
13%
6%
19%
11%
12%
4%
12%
30%
38%
44%
28%
22%
35%
41%
43%
19%
39%
40%
68%
Worldwide
Years of Experience
The largest proportion indicate that they have between 11 and 15 years of experience.
Years of Experience
Germany
Four to six years
South Africa
Middle East
9%
5%
6%
5%
8%
1%
2%
25%
28%
28%
22%
26%
23%
11%
12%
9%
10%
10%
17%
12%
5%
5%
1%
3%
5%
6%
5%
Three years or less
United Kingdom
22%
21%
20%
26%
26%
22%
14%
France
28%
29%
35%
33%
25%
31%
31%
EMEA
36%
Worldwide
Seven to ten years
Eleven to fifteen
years
Sixteen to twenty-five More than 25 years
years
Base: All 2015 worldwide respondents (n=13,930).
Q6. How many years have you been actively involved with information or IT security?
Source: Frost & Sullivan
26
Industry
Information technology and professional services are the most common industries in EMEA.
Industry
Middle East
Healthcare
5%
2%
3%
1%
2%
2%
3%
8%
5%
6%
6%
8%
7%
14%
South Africa
Telecommunicatio
ns
Military services,
armed forces, or
defense
Banking
Government
(excluding military
services, armed
forces, or defense)
United Kingdom
10%
4%
2%
8%
4%
1%
5%
Germany
10%
14%
18%
10%
12%
15%
13%
France
10%
8%
5%
4%
8%
5%
9%
EMEA
15%
17%
23%
15%
20%
17%
10%
Professional
services
Information
technology
19%
21%
19%
26%
17%
21%
16%
Worldwide
Base: All 2015 worldwide respondents (n=13,930).
Q4a. Which one of the following industry sectors best describes your company?
Source: Frost & Sullivan
27
Government Professional Services
The prevalence of respondents who provide professional services exclusively to the government is the
highest in the Middle East.
Government Professional Services
82%
18%
100%
Middle East
0
6%
2%
0
5%
12%
South Africa
94%
United Kingdom
98%
Germany
100%
France
95%
EMEA
88%
Worldwide
Yes
No
Base: Filtered respondents (n=2,067).
Q4b. Are you providing professional services exclusively to government?
Source: Frost & Sullivan
28
Government Contractor
The numbers reporting that they are a government contractor are considerably lower in EMEA
compared to global levels.
Government Contractor
Middle East
55%
100%
75%
73%
91%
South Africa
0
9%
74%
United Kingdom
60%
Germany
45%
France
25%
28%
EMEA
26%
40%
Worldwide
Yes
No
Base: Filtered respondents (n=3,047).
Q5a. Are you currently employed as a government contractor?
Source: Frost & Sullivan
29
18%
17%
20%
South Africa
2%
8%
International/Regional
18%
/Supranational
(Excluding military
3%
services, armed
3%
forces, and defense) 0
11%
United Kingdom
4%
10%
International/Regional
0
/Supranational
(Military services,
13%
armed forces, and
8%
defense only)
0
13%
0
Germany
State/local/provincial/
district (Excluding
military services,
armed forces, and
defense)
France
14%
14%
9%
EMEA
1%
State/local/provincial/ 2%
0
district (Military
services, armed
0
forces, and defense
4%
only)
17%
0
35%
39%
45%
15%
39%
50%
27%
28%
17%
29%
70%
Worldwide
Central, federal, or
national (Excluding
military services,
armed forces, and
defense)
Central, federal, or
national (Military
services, armed
forces, and defense
only)
43%
27%
27%
Government Organization
In Germany, those who work for the government are most commonly involved in national defense. This
trend does not apply in other EMEA regions.
Government Organization
Middle East
Base: Filtered respondents (n=3,047).
Q5b. Which of the following best describes the government organization for which you currently work?
Source: Frost & Sullivan
30
Employment Status
Most in EMEA are employed directly by a company or organization.
Employment Status
Germany
United Kingdom
South Africa
Middle East
Employed directly by a company
or organization
Employed as a contractor
6%
8%
8%
6%
6%
7%
6%
12%
6%
8%
5%
9%
7%
9%
82%
France
84%
84%
EMEA
88%
85%
86%
85%
Worldwide
An independent security/IT
consultant
Base: All 2015 worldwide respondents (n=13,930)
Q2. Which of the following best describes your employment status?
Source: Frost & Sullivan
31
Organizational Revenue
Overall, the largest proportion are unable to provide their organizational revenues.
Employment Status
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Less than $50
million
3%
9%
15%
15%
18%
21%
20%
15%
14%
18%
15%
16%
22%
16%
11%
10%
9%
8%
11%
11%
12%
16%
19%
16%
16%
15%
26%
19%
43%
41%
39%
38%
38%
38%
44%
Worldwide
$50 to less than $500 million to less $10 billion or more Unable to provide
$500 million
than $10 billion
Base: All 2015 worldwide respondents (n=13,930)
Q62. What is your organization's global annual revenue? As best you can, please provide the total annual revenues for your organization in U.S.
dollars.
Source: Frost & Sullivan
32
Total Employees
The largest proportion of respondents work for large organizations with 10,000 or more employees.
Total Employees
2,500 to 9,999
employees
26%
20%
18%
16%
16%
11%
15%
16%
25%
9%
13%
12%
11%
16%
16%
30%
28%
20%
22%
24%
27%
25%
One to 499 employees 500 to 2,499 employees
Middle East
44%
South Africa
51%
United Kingdom
50%
Germany
54%
France
42%
EMEA
43%
Worldwide
10,000 employees or
more
Base: All 2015 worldwide respondents (n=13,930)
Q17. What is the total number of employees across your entire organization worldwide, including all of its branches, divisions, and subsidiaries?
Source: Frost & Sullivan
33
Age
The numbers reporting that they are a government contractor are considerably lower in EMEA
compared to global levels.
Age
Under 30 years of age
30 to 39 years of age
11%
8%
29%
17%
Middle East
16%
19%
25%
27%
South Africa
38%
49%
32%
39%
42%
United Kingdom
35%
43%
26%
30%
46%
5%
11%
3%
3%
6%
5%
6%
Germany
58%
France
37%
EMEA
33%
Worldwide
40 to 49 years of age 50 years of age or older
Base: All 2015 worldwide respondents (n=13,930)
Q64. Which of the following categories contains your age?
Source: Frost & Sullivan
34
Gender
Across the EMEA region, the profession is overwhelmingly male-dominated.
Age
United Kingdom
Middle East
4%
8%
6%
6%
5%
6%
10%
Male
South Africa
96%
Germany
92%
France
94%
94%
EMEA
95%
94%
90%
Worldwide
Female
Base: All 2015 worldwide respondents (n=13,930)
Q63. What is your gender?
Source: Frost & Sullivan
35
Salary Change
The majority received a salary increase in 2014, including 47% of South Africans whose salary
increase exceeded 5%.
Salary Change
France
Germany
United Kingdom
37%
Middle East
Yes, an increase of up Yes, an increase of Yes, an increase of
to 5%
between 5% and 10%
over 10%
3%
3%
1%
1%
2%
1%
2%
23%
9%
8%
7%
5%
10%
7%
13%
20%
40%
12%
11%
11%
10%
9%
South Africa
35%
43%
45%
42%
36%
EMEA
40%
35%
37%
41%
42%
28%
29%
Worldwide
No change in salary Received a salary or
or benefits
benefit reduction
Base: All 2015 worldwide respondents (n=13,930)
Q67. Did you receive a salary increase, including benefits and incentives, in 2014?
Source: Frost & Sullivan
36
Change in Employment Status
Change in Employment Status
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Yes, changed
employer due to a
layoff or termination
Yes, became selfemployed
1%
1%
0
3%
2%
1%
0%
2%
3%
2%
2%
5%
3%
3%
Yes, changed
employer while still
employed
3%
3%
0
3%
3%
3%
3%
14%
12%
13%
9%
16%
22%
13%
79%
81%
86%
84%
75%
71%
80%
Worldwide
Yes, became an
No change in
employee from being
employer or
self-employed
employment status in
2014
Base: All 2015 worldwide respondents (n=13,930)
Q68. Did you change your employer or employment status in 2014?
Source: Frost & Sullivan
37
Education
Education
United Kingdom
Bachelors (or equivalent
post-secondary)
Middle East
39%
2%
0
3%
8%
18%
3%
Master's (or equivalent first
stage of tertiary education)
4%
47%
42%
54%
56%
43%
11%
23%
36%
44%
5%
18%
22%
13%
3%
13%
10%
High school (or equivalent
upper secondary)
South Africa
26%
Germany
32%
France
57%
EMEA
69%
Worldwide
Doctorate (or equivalent
second stage of tertiary
education)
Base: All 2015 worldwide respondents (n=13,930)
Q65a. What is your highest level of education completed?
Source: Frost & Sullivan
38
Undergraduate Major
Education
France
Germany
United Kingdom
South Africa
Middle East
Computer and information
sciences
Engineering and
engineering technologies
Business
2%
0
4%
1%
1%
2%
4%
10%
8%
8%
7%
3%
7%
10%
29%
12%
18%
26%
25%
23%
20%
41%
49%
50%
71%
EMEA
63%
53%
49%
Worldwide
Social sciences and history
Base: Filtered respondents (n=12,512).
Q65b. What was your undergraduate major?
Source: Frost & Sullivan
39
Hiring and Workforce Issues
40
Hiring
More Middle Eastern respondents are responsible for hiring than their regional counters counterparts.
Hiring
65%
72%
Middle East
35%
28%
27%
16%
22%
23%
25%
South Africa
73%
United Kingdom
84%
Germany
78%
France
77%
EMEA
75%
Worldwide
Yes
No
Base: All 2015 worldwide respondents (n=13,930)
Q19a. Are you responsible for hiring your organization's information security staff?
Source: Frost & Sullivan
41
Important Skills
Across the EMEA region, relevant experience is the most important skill sought in new hires, however
security certifications take on special importance in South Africa and the Middle East.
Important Skills
(Very/Somewhat Important)
The candidate has
information security
certifications
The candidate has
knowledge of relevant
regulatory policies
61%
44%
26%
37%
44%
46%
54%
Middle East
66%
South Africa
48%
61%
56%
46%
61%
89%
64%
67%
66%
67%
70%
The candidate has relevant
information security
experience
United Kingdom
65%
Germany
79%
France
92%
96%
EMEA
93%
95%
91%
94%
94%
Worldwide
The candidate has an
information security or
related degree
Base: Filtered respondents (n=12,512).
Q19b. When making hiring decisions for information security staff how important is each of the following? - Top two box scores
Source: Frost & Sullivan
42
Require Security Certifications Among Staff
French firms are by far the least likely to require a security certification among their staff, and the EMEA
region generally is less likely to require them.
Require Security Certifications Among Staff
South Africa
Yes
No
Middle East
8%
5%
9%
11%
9%
9%
9%
40%
54%
48%
45%
55%
38%
34%
24%
37%
43%
United Kingdom
47%
Germany
53%
France
55%
EMEA
67%
Worldwide
Don't know
Base: All 2015 worldwide respondents (n=13,930)
Q20a. Does your organization require its IT staff to have information security certifications?
Source: Frost & Sullivan
43
Reasons For Requiring Staff to Hold Security
Certifications
Among those who require a security certification, employee competence is the most commonly cited
reason in most areas of the EMEA region, however Middle Eastern professionals are more likely to cite
quality of work.
Require Security Certifications Among Staff
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Base: Filtered respondents (n=5,946):
Q20b. What are all the reasons your organization requires staff to have information security certifications? Select as many as apply.
Legal/due
diligence
Ethical conduct
Continuing
education
requirement
Customer
requirement
Company image
or reputation
Company policy
Regulatory
requirements
(governance)
Quality of work
Employee
competence
67%
75%
69%
74%
76%
90%
66%
52%
63%
44%
59%
53%
69%
72%
51%
38%
36%
47%
40%
40%
37%
41%
44%
54%
45%
41%
38%
49%
39%
45%
49%
38%
45%
46%
39%
38%
38%
46%
43%
34%
38%
30%
36%
39%
31%
42%
39%
54%
33%
26%
27%
18%
22%
30%
54%
28%
25%
26%
8%
28%
32%
31%
24%
Worldwide
Possession of an
information security
degree
South Africa
Legal knowledge
United Kingdom
Business management
skills
Project management
skills
Germany
Possession of an
information security
certification
Leadership skills
France
Security policy
formulation and
application
EMEA
Knowledge of relevant
regulatory policy
Technical knowledge
Worldwide
Awareness and
understanding of the
latest security threats
Broad understanding of
the security field
Communication skills
90%
88%
88%
91%
90%
91%
88%
90%
91%
89%
91%
92%
98%
90%
89%
87%
84%
86%
88%
96%
88%
87%
80%
74%
80%
78%
86%
86%
71%
68%
65%
68%
71%
75%
73%
70%
70%
74%
69%
67%
81%
80%
69%
62%
66%
50%
66%
75%
74%
63%
58%
55%
50%
56%
79%
72%
59%
52%
50%
52%
43%
54%
67%
53%
50%
29%
44%
53%
62%
59%
40%
39%
41%
39%
31%
34%
49%
35%
35%
39%
31%
19%
39%
55%
Factors Contributing to Success
Consistently in all countries, communication skills, a broad understanding of the security field and an
awareness of the latest security threats are the most important skills.
Factors Contributing to Success
(Very/Somewhat Important)
Middle East
Base: All 2015 worldwide respondents (n=13,930)
Q21. How would you rate the importance of each of the following in contributing to being a successful information security professional? - Top two
box scores
Source: Frost & Sullivan
45
Employment Gaps
Across the EMEA region, entry level positions are in highest demand.
Future Employment Gaps
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Executive
management
C-level
Executive
2%
3%
1%
3%
1%
3%
5%
Director/Middle
manager
2%
3%
13%
2%
1%
0
4%
6%
6%
3%
5%
5%
5%
8%
Manager
Individual
Contributor/Entr
y Level
12%
16%
19%
18%
17%
19%
17%
78%
72%
64%
71%
77%
73%
67%
Worldwide
Base: All 2015 worldwide respondents (n=13,930)
Q22. Thinking of your organization, at what experience level is there the most demand for new hires?
Source: Frost & Sullivan
46
Demand for Training and Education
In most regions in the EMEA region, cloud computing is the area requiring the most training and
education, however in the UK, South Africa and the Middle East, training on BYOD is ranked a close
second.
Demand for Training and Education
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Security
management
End-user
security
awareness
Access control
systems and
methodology
Applications
and system
development
security
Forensics
Mobile device
management
Information risk
management
Incidence
response
Bring-your-owndevice (BYOD)
Cloud
computing
57%
55%
52%
55%
58%
61%
51%
47%
45%
31%
35%
52%
56%
45%
47%
41%
33%
35%
45%
49%
48%
47%
44%
44%
43%
46%
57%
50%
41%
38%
33%
34%
41%
44%
37%
41%
38%
30%
38%
36%
54%
45%
35%
32%
28%
32%
32%
33%
34%
33%
32%
20%
22%
33%
37%
38%
32%
33%
26%
29%
36%
43%
35%
32%
31%
19%
31%
34%
29%
35%
Worldwide
Base: Filtered respondents (n=7,985).
Q23. In which areas of information security do you see growing demand for training and education within the next three years? Select as many as
apply.
Source: Frost & Sullivan
47
Acquisition/Procureme
nt (supply chain)
South Africa
Software system
development
Virtualization
United Kingdom
Business and business
development skills
Engineering
Germany
Data administration
and management
Incident investigation
and response
France
Platform or technology
specific skills
Architecture
EMEA
Governance, risk
management, and
compliance (GRC)
Worldwide
InfoSystems and
security operations
management
Risk assessment and
management
Analytical skills
Communications skills
98%
98%
99%
99%
98%
100%
99%
97%
97%
90%
97%
96%
97%
98%
94%
93%
91%
94%
94%
95%
94%
90%
88%
79%
85%
88%
95%
94%
89%
88%
96%
83%
88%
95%
96%
86%
87%
88%
90%
81%
95%
89%
86%
84%
69%
86%
82%
86%
87%
85%
84%
71%
79%
83%
93%
95%
80%
75%
68%
72%
72%
78%
82%
80%
76%
88%
72%
67%
71%
83%
76%
74%
57%
66%
75%
84%
78%
66%
61%
56%
63%
52%
69%
70%
60%
55%
46%
50%
52%
57%
58%
48%
46%
36%
38%
40%
41% 63%
Significant Skills for Achieving Success
Communication skills are the most important for achieving success in all regions, followed by analytical
skills and risk assessment and management skills.
Significant Skills for Achieving Success
(Very/Somewhat Significant)
Middle East
Base: Filtered respondents (n=7,985).
Q24. How significant were each of the following skills and competencies in information security in achieving your current position or level? - Top two
box scores
Source: Frost & Sullivan
48
Software system
development
South Africa
Data administration
and management
Engineering
United Kingdom
Business and business
development skills
Platform or technology
specific skills
Germany
Virtualization
InfoSystems and
security operations
management
France
Communications skills
EMEA
Architecture
Analytical skills
55%
52%
46%
51%
54%
64%
64%
52%
48%
41%
40%
50%
64%
60%
48%
47%
52%
43%
51%
64%
53%
42%
38%
19%
42%
29%
55%
49%
38%
41%
33%
35%
43%
55%
46%
37%
36%
31%
41%
34%
41%
34%
36%
31%
15%
24%
35%
45%
40%
33%
30%
26%
35%
27%
31%
41%
30%
28%
20%
26%
29%
33%
31%
20%
20%
14%
15%
20%
21%
21%
19%
14%
9%
15%
13%
22%
18%
18%
16%
10%
13%
14%
21%
21%
17%
14%
10%
9%
13%
22%
16%
Worldwide
Governance, risk
management, and
compliance (GRC)
Incident investigation
and response
Risk assessment and
management
Future Skills and Competencies
Risk assessment and management ranks as the top overall future skill among professionals in the
EMEA. Generally, professionals in the Middle East and South Africa are more likely to place emphasis
on any given skill or competency.
Future Skills and Competencies
Middle East
Base: Filtered respondents (n=7,985).
Q25. What are the skills and competencies that you will need to acquire or strengthen to be in position to respond to the threat landscape over the
next three years? Select all that apply.
Source: Frost & Sullivan
49
Acquisition/Procureme
nt (supply chain)
South Africa
Software system
development
Business and business
development skills
United Kingdom
Virtualization
Data administration
and management
Engineering
Germany
Governance, risk
management, and
compliance (GRC)
France
Architecture
Incident investigation
and response
EMEA
InfoSystems and
security operations
management
Worldwide
Platform or technology
specific skills
Risk assessment and
management
Analytical skills
Communications skills
98%
97%
93%
99%
98%
95%
99%
97%
96%
81%
97%
96%
96%
96%
92%
92%
92%
89%
94%
93%
95%
90%
88%
84%
91%
88%
91%
93%
89%
89%
82%
87%
91%
95%
87%
89%
88%
86%
83%
90%
89%
92%
86%
88%
87%
89%
87%
89%
90%
86%
86%
85%
82%
90%
85%
90%
80%
75%
85%
68%
68%
78%
78%
79%
76%
65%
76%
76%
82%
81%
75%
73%
72%
78%
65%
73%
77%
68%
68%
55%
57%
74%
69%
70%
67%
64%
55%
63%
60%
51%
62%
43%
43%
29%
37%
36%
42%
54%
Future Skills and Competencies in New Recruits
Communication skills and analytical skills are nearly unanimously seen as important skills in new
recruits.
Future Skills and Competencies in New Recruits
(Very/Somewhat Important)
Middle East
Base: Filtered respondents (n=7,534)
Q26. How important are each of the following skills and competencies when recruiting new entry to mid-level information security professionals to
your organization? - Top two box scores
Source: Frost & Sullivan
50
Software system
development
South Africa
Business and business
development skills
Sponsoring executive
leadership programs
United Kingdom
Virtualization
Sponsoring mentorship
programs
Germany
Active participation in
company-wide
recognition programs
and events
Encouraging and
paying for attendance
at industry events
France
Encouraging role
diversity
EMEA
Supporting remote or
flexible working
arrangements
Offering flexible work
schedules
94%
93%
86%
93%
94%
96%
96%
93%
91%
92%
93%
92%
98%
90%
92%
90%
87%
92%
91%
98%
96%
92%
89%
84%
96%
89%
89%
89%
90%
88%
81%
92%
93%
87%
85%
87%
88%
86%
86%
88%
91%
89%
87%
83%
72%
78%
85%
95%
89%
82%
82%
75%
76%
85%
91%
87%
76%
74%
69%
72%
73%
84%
85%
75%
73%
72%
78%
65%
73%
77%
71%
71%
66%
74%
66%
84%
86%
68%
68%
55%
57%
74%
69%
70%
67%
64%
55%
63%
60%
51%
62%
Worldwide
Improving
compensation
packages
Paying for professional
security certification
expenses
Offering training
programs
Employee Retention Activities
Training programs, paying for professional development and offering flexible work schedules are
among the most important employee retention activities in each country.
Employee Retention Activities
(Very/Somewhat Important)
Middle East
Base: Filtered respondents (n=7,985).
Q27. How important are each of the following initiatives for the retention of information security professionals at your organization? - Top two box
scores
Source: Frost & Sullivan
51
Number of Security Workers
A majority from each country indicate that there are too few security workers in their organization.
Number of Security Workers
Too many
Too few
9%
10%
6%
8%
14%
8%
9%
The right number
Middle East
61%
64%
South Africa
25%
24%
27%
27%
32%
29%
26%
4%
2%
2%
2%
0
2%
2%
63%
United Kingdom
64%
Germany
54%
France
61%
EMEA
62%
Worldwide
Don't know
Base: Filtered respondents (n=7,985).
Q28a. Would you say that your organization currently has the right number of information security workers, too few, or too many?
Source: Frost & Sullivan
52
Number of Security Workers Increase
A third indicate that they would like to see a 15% or greater increase in the security workforce in their
organization.
Number of Security Workers Increase
34%
32%
37%
Middle East
One to five percent
Six to 10 percent
11 to 15 percent
More than 15 percent
Don't know
Base: Filtered respondents (n=4,969).
Q28b. How many MORE information security staff should there be?
Source: Frost & Sullivan
53
3%
5%
8%
6%
8%
6%
6%
16%
11%
17%
17%
18%
16%
15%
25%
22%
26%
22%
24%
26%
23%
19%
11%
16%
18%
18%
18%
South Africa
40%
United Kingdom
33%
Germany
37%
France
35%
EMEA
32%
Worldwide
Number of Security Workers Decrease
Of the small number who would like to see a decrease in the number of security workers, the largest
proportion indicate that 6 to 10% cut would suffice. That said, 63% of UK professionals would prefer a
15% or more cut to their workforce.
Number of Security Workers Decrease
EMEA
France
Germany
United Kingdom
South Africa
Middle East
One to five percent
Six to 10 percent
11 to 15 percent
More than 15 percent
13%
0
13%
0
9%
10%
0
0
0
13%
29%
25%
0
0
13%
0
13%
40%
20%
18%
25%
0
0
13%
22%
27%
0
0
0
20%
20%
38%
60%
63%
100%
Worldwide
Don't know
Base: Filtered respondents (n=154).
Q28b. How many LESS information security staff should there be?
Source: Frost & Sullivan
54
Organizational Gaps
Security analysts are in shortest supply in most countries, however South African firms report a
shortage of forensic analysts in greater numbers than the rest of the region.
Organizational Gaps
(Top 10)
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Security
systems
administrator
Security
tester
Web security
Security
engineer
(planning,
design)
Security
engineer
(application)
Incident
handler
(organization)
Forensic
analyst
Security
architect
(products,
solution)
Security
auditor
Security
analyst
46%
40%
31%
31%
51%
41%
40%
32%
32%
37%
23%
28%
32%
41%
32%
34%
20%
31%
39%
32%
28%
30%
32%
18%
36%
27%
57%
34%
28%
25%
12%
21%
22%
30%
38%
27%
23%
31%
23%
22%
24%
22%
26%
21%
16%
25%
20%
32%
19%
25%
23%
27%
22%
24%
16%
25%
25%
26%
12%
26%
20%
32%
34%
24%
21%
18%
18%
20%
16%
22%
Worldwide
Base: Filtered respondents (n=7,985).
Q28c. Of which of the following job titles or categories are there currently not enough of within your organization?
Source: Frost & Sullivan
55
Reasons for Worker Shortage
Most often, businesses cannot support additional personnel, or report that it is difficult to find qualified
personnel. Businesses in France are the most likely to report that they cannot find the qualified personnel
that they require.
Reasons for Worker Shortage
Business conditions It is difficult to find the Leadership in our
can't support
qualified personnel we organization has
additional personnel
require
insufficient
at this time
understanding of the
requirement for
information security
There is no clear
career path for
information security
workers
26%
19%
26%
23%
37%
21%
Middle East
24%
31%
27%
28%
33%
South Africa
43%
33%
31%
48%
51%
40%
United Kingdom
41%
33%
43%
43%
Germany
50%
54%
41%
55%
61%
France
44%
44%
39%
EMEA
49%
44%
39%
37%
44%
45%
Worldwide
It is difficult to retain
security workers
Base: Filtered respondents (n=4,969).
Q28d. What are the reasons that your organization has too few information security workers? Select as many as apply.
Source: Frost & Sullivan
56
Impact of Worker Shortage
In most cases, workers in the Middle East are more likely to report that the worker shortage they
experience has an impact on multiple facets of their jobs.
Impact of Worker Shortage
(Very Great/Great Impact)
France
Germany
United Kingdom
South Africa
Middle East
On the existing information
security workforce
On the organization as a
whole
On security breaches
50%
51%
44%
52%
43%
45%
48%
60%
51%
43%
48%
45%
48%
50%
61%
54%
54%
55%
43%
54%
59%
62%
77%
EMEA
73%
66%
55%
66%
71%
Worldwide
On customers
Base: Filtered respondents (n=4,969).
Q28e. What is the impact of your organization's shortage of information security workers on each of the following? - Top two box scores
Source: Frost & Sullivan
57
Certification and Training
58
4%
15%
12%
5%
10%
18%
9%
8%
12%
6%
6%
7%
3%
4%
2%
9%
3%
7%
5%
3%
3%
South Africa
BS 7799/ISO 27001
ISMS Auditor
CRISC - Certified in
Risk and Information
Systems Control
12%
6%
20%
United Kingdom
PMP - Project
Management
Professional
CEH - Certified Ethical
Hacker
Germany
11%
11%
5%
11%
18%
21%
13%
11%
15%
13%
13%
18%
24%
12%
France
CISM - Certified
Information Security
Manager
CISA - Certified
Information Systems
Auditor
15%
18%
11%
12%
EMEA
18%
12%
7%
15%
7%
2%
9%
28%
32%
22%
19%
25%
23%
27%
79%
69%
68%
Worldwide
Security+
ITIL
CISSP - Certified
Information Systems
Security Professional
76%
76%
88%
84%
Vendor Neutral Certifications
Vendor Neutral Certifications
Middle East
Base: All 2015 worldwide respondents (n=13,930). :
Q11a. Which of the following vendor-neutral certifications and designations have you acquired and maintain? Please read carefully and select all
that apply to you.
Source: Frost & Sullivan
59
2%
2%
1%
ITIL 2%
3%
6%
2%
2%
1%
1%
Security+ 1%
1%
0
0%
1%
1%
CEH - Certified Ethical 1%
1%
2%
Hacker
2%
2%
1%
0%
GSEC - GIAC Security 1%
0%
Essentials Certification 1%
1%
0
1%
CISA - Certified
1%
1%
Information Systems 0
1%
2%
Auditor
2%
1%
CISSP - ISSAP,
1%
2%
Information Systems 1%
1%
Security Architecture… 01%
1%
CISSP - Certified
1%
1%
Information Systems 1%
1%
Security Professional 1%
2%
1%
PMP - Project 1%
1%
Management 1%
0%
Professional 02%
1%
CISM - Certified
1%
1%
Information Security 0
1%
1%
Manager
2%
1%
0%
GCIH - GIAC Certified 0
1%
0
Incident Handler
0
1%
1%
1%
BS 7799/ISO 27001 4%
1%
1%
ISMS Auditor
1%
2%
None
79%
81%
82%
85%
79%
78%
73%
Lapsed Vendor Neutral Certifications
Lapsed Vendor Neutral Certifications
Worldwide
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q11b. Which of the following vendor-neutral certifications and designations have you acquired but have allowed to lapse or expire? Please read
carefully and select all that apply to you.
Source: Frost & Sullivan
60
6%
CSIDS - Cisco Secure
Intrusion Detection
Systems (CSIDS)
South Africa
EnCE - EnCase
Certified Examiner
CCSK
United Kingdom
CSPFA - Cisco Secure
PIX Firewall Advanced
(CSPFA)
Sun Certified Security
Administrator for
Solaris
Germany
CSVPN - Cisco Secure
Virtual Private
Networks (CSVPN)
France
CCSE - Check Point
Certified Security
Expert
CCSA - Check Point
Certified Security
Administrator
EMEA
CCSP - Cisco Certified
Security Professional
5%
5%
2%
4%
4%
6%
12%
2%
3%
1%
3%
3%
5%
8%
2%
3%
1%
5%
3%
5%
6%
2%
3%
1%
5%
3%
0
4%
1%
1%
1%
0%
1%
1%
3%
1%
1%
0
1%
1%
0
2%
1%
1%
1%
0%
1%
2%
3%
1%
1%
1%
1%
1%
0
1%
1%
0%
0
1%
0%
2%
0
1%
1%
1%
0
0%
0
3%
Worldwide
MCSA: Security Microsoft Certified
Systems…
MCSE: Security 7%
2%
6%
Microsoft Certified
7%
Systems Engineer:… 8%
13%
None
79%
76%
89%
74%
81%
66%
62%
Vendor Specific Certifications
Vendor Specific Certifications
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q12a. To date, which of the following vendor-specific certifications and designations have you acquired and maintain? Please read carefully and
select all that apply to you.
Source: Frost & Sullivan
61
4%
RSA/CA - RSA
SecurID Certified
Administrator
South Africa
CSVPN - Cisco Secure
Virtual Private
Networks (CSVPN)
CCSE Plus - Check
Point Certified Security
Expert Plus
United Kingdom
CSIDS - Cisco Secure
Intrusion Detection
Systems (CSIDS)
CSPFA - Cisco Secure
PIX Firewall Advanced
(CSPFA)
Germany
Sun Certified Security
Administrator for
Solaris
France
CCSP - Cisco Certified
Security Professional
CCSE - Check Point
Certified Security
Expert
EMEA
MCSA: Security Microsoft Certified
Systems…
3%
4%
10%
5%
4%
3%
2%
2%
2%
0
1%
2%
6%
4%
2%
3%
8%
5%
4%
0
2%
2%
2%
2%
2%
2%
1%
5%
1%
1%
0
1%
1%
3%
2%
1%
1%
1%
2%
1%
0
2%
1%
1%
0
1%
1%
1%
2%
1%
1%
4%
2%
1%
0
2%
1%
1%
0
1%
1%
0
2%
1%
1%
1%
1%
1%
1%
0%
Worldwide
CCSA - Check Point
Certified Security
Administrator
MCSE: Security 4%
1%
Microsoft Certified 4%
6%
9%
Systems Engineer:… 6%
None
83%
81%
83%
83%
82%
75%
71%
Lapsed Vendor Specific Certifications
Lapsed Vendor Specific Certifications
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q12b. Which of the following vendor-specific certifications and designations have you acquired but have allowed to lapse? Please read carefully and
select all that apply to you.
Source: Frost & Sullivan
62
Additional Security Certifications
Professionals in South Africa and the Middle East are the most likely to seek out additional
certifications in the next year.
Additional Security Certifications
Germany
South Africa
Middle East
Yes
26%
18%
40%
39%
43%
41%
60%
61%
58%
63%
59%
United Kingdom
37%
France
74%
EMEA
82%
Worldwide
No
Base: All 2015 worldwide respondents (n=13,930).
Q13a. Are you planning to acquire additional security certifications in the next 12 months?
Source: Frost & Sullivan
63
BS 7799/ISO 27001 ISMS
Auditor
South Africa
CCSP - Cisco Certified Security
Professional
HCISPP - Healthcare Information
Security and Privacy Practitioner
United Kingdom
CCSK - Certificate of Cloud
Security Knowledge
CISSP - ISSEP, Information
Systems Security Engineering
Professional
CRISC - Certified in Risk and
Information Systems Control
Germany
CISSP - ISSMP, Information
Systems Security Management
Professional
PMP - Project Management
Professional
France
ITIL
CISSP - ISSAP, Information
Systems Security Architecture
Professional
EMEA
CISA - Certified Information
Systems Auditor
Worldwide
CISM - Certified Information
Security Manager
CEH - Certified Ethical Hacker
CISSP - Certified Information
Systems Security Professional
Not sure at this time
18%
19%
20%
27%
23%
14%
11%
15%
15%
10%
5%
13%
13%
20%
14%
12%
8%
12%
9%
18%
10%
12%
15%
11%
10%
13%
24%
20%
10%
10%
9%
10%
5%
12%
11%
6%
6%
11%
7%
6%
8%
7%
6%
6%
4%
4%
4%
10%
12%
5%
3%
1%
1%
1%
0
11%
5%
5%
5%
5%
6%
8%
7%
5%
6%
5%
6%
8%
10%
6%
3%
1%
1%
1%
2%
8%
1%
3%
3%
2%
2%
4%
3%
5%
3%
1%
0
0
0
1%
2%
3%
2%
0
1%
2%
1%
3%
3%
4%
10%
4%
6%
0
9%
Additional Security Certifications
Additional Certifications
Middle East
Base: Filtered Respondent (n=8,285)
Q13b. Which of the following certifications are you planning to acquire in the next 12 months? Please read carefully and select all that apply to you.
Source: Frost & Sullivan
64
Current Certifications
Current Certifications
EMEA
France
Germany
United Kingdom
South Africa
Middle East
3%
3%
3%
4%
3%
0
3%
CSA Cloud Security
Alliance
IEEE
OWASP
5%
4%
1%
4%
4%
4%
7%
ISSA
4%
3%
4%
3%
2%
1%
3%
6%
2%
2%
1%
4%
0
3%
12%
12%
6%
12%
15%
6%
20%
EC Council
SANS
14%
9%
9%
7%
7%
4%
12%
20%
10%
4%
10%
11%
28%
16%
CompTIA
ISACA
(ISC)2
26%
30%
20%
23%
25%
40%
40%
78%
78%
90%
90%
80%
68%
70%
Worldwide
Base: All 2015 worldwide respondents (n=13,930).
Q14a. From which of the following security organizations have you received certification or hold a membership? Please select all that apply to you.
Source: Frost & Sullivan
65
Critical Security Organizations
In each country and throughout the region as a whole, (ISC)2 is considered to be the most critical for
career development.
Critical Security Organizations
(Very/Somewhat Critical)
EMEA
France
Germany
United Kingdom
South Africa
Middle East
BCI (Business
Continuity
Institute)
ISF Information
Security Forum
ISSA
CompTIA
CSA Cloud
Security Alliance
EC Council
IEEE
OWASP
ISACA
41%
32%
36%
26%
27%
49%
50%
36%
40%
33%
33%
31%
66%
62%
27%
26%
33%
23%
23%
29%
36%
18%
14%
12%
16%
12%
22%
19%
17%
16%
14%
9%
13%
24%
28%
17%
15%
21%
15%
14%
20%
22%
14%
7%
5%
9%
6%
14%
14%
12%
7%
5%
3%
6%
8%
16%
10%
14%
9%
13%
16%
25%
12%
10%
11%
10%
5%
8%
24%
22%
SANS
(ISC)2
77%
72%
72%
74%
75%
80%
81%
Worldwide
Base: Filtered sample (n=12,568)
Q14b. Thinking about your own career and role within your organization, how critical is each of the following security organizations to your career
development? - Top two box scores
Source: Frost & Sullivan
66
Training and Education (Past 12 Months)
European professionals are the least likely to have seen an increase in training in 2014, while African
and Middle Eastern professionals are the most likely to have seen an increase.
Training and Education (Past 12 Months)
United Kingdom
South Africa
Remained the same
Decreased
2%
2%
1%
1%
3%
1%
1%
16%
12%
21%
16%
21%
17%
36%
16%
Increased
Middle East
46%
47%
Germany
54%
46%
47%
France
46%
47%
40%
EMEA
30%
28%
30%
35%
37%
Worldwide
Don't know
Base: Filtered sample (n=12,568)
Q15a. In the past 12 months has the amount of information security training and education you received increased, decreased, or remained the
same? Please include both internal and external training and education.
Source: Frost & Sullivan
67
Training and Education (Next 12 Months)
South African and Middle Eastern professionals are the most likely to expect an increase in training in
2015.
Training and Education (Next 12 Months)
United Kingdom
Middle East
Remain the same
Decrease
3%
3%
3%
2%
9%
3%
3%
6%
8%
10%
9%
7%
8%
33%
27%
7%
Increase
South Africa
50%
Germany
53%
42%
46%
45%
37%
36%
42%
43%
45%
France
58%
EMEA
61%
Worldwide
Don't know
Base: Filtered sample (n=12,568)
Q15b. Over the next 12 months do you expect the amount of information security training and education you receive to increase, decrease, or
remain the same? Please include both internal and external training and education.
Source: Frost & Sullivan
68
Training and Education (Increase)
In every country, the largest proportion of professionals expect a 6 to 10% increase in training.
Training and Education (Increase)
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Five percent or
less
21 to 25 percent
8%
17%
14%
15%
17%
18%
19%
16 to 20 percent
10%
9%
4%
4%
9%
10%
12%
15%
15%
16%
13%
19%
19%
15%
Six to 10 percent 11 to 15 percent
9%
9%
10%
10%
9%
14%
7%
15%
15%
19%
17%
11%
16%
17%
31%
24%
28%
29%
29%
25%
41%
Worldwide
More than 25
percent
Base: Filtered respondents (n=6,252).
Q15c. What percentage [INCREASE] are you expecting in the amount of information security training and education that you will receive in the next
12 months? Please provide your best estimate below.
Source: Frost & Sullivan
69
Training and Education (Decrease)
Of the few who expect a decrease in training, most expect it will drop dramatically by 25% or more.
Training and Education (Decrease)
10%
11%
12%
9%
19%
11%
25%
10%
12%
10%
18%
3%
7%
24%
0
7%
11%
10%
0
10%
11%
13%
16 to 20 percent
10%
10%
9%
13%
11%
Six to 10 percent 11 to 15 percent
0
0
4%
5%
27%
5%
5%
Five percent or
less
Middle East
38%
South Africa
25%
United Kingdom
45%
54%
Germany
18%
France
46%
44%
EMEA
38%
Worldwide
21 to 25 percent
More than 25
percent
Base: Filtered respondents(n=975).
Q15c. What percentage [DECREASE] are you expecting in the amount of information security training and education that you will receive in the next
12 months? Please provide your best estimate below.
Source: Frost & Sullivan
70
Training and Education Resources
Professionals are split as to whether their organization offers sufficient training and professional
development opportunities. Generally, a majority or close to a majority believes that the resources are
sufficient.
Adequate Training and Resources
Yes
No
Middle East
8%
5%
6%
9%
11%
7%
7%
38%
29%
28%
36%
37%
South Africa
42%
United Kingdom
46%
Germany
50%
France
48%
56%
EMEA
62%
61%
57%
56%
Worldwide
Don't know
Base: All 2015 worldwide respondents (n=13,930).
Q15d. Does your organization provide adequate resources for training and professional development opportunities for your information security
workforce?
Source: Frost & Sullivan
71
Payment for Training
Overall, Middle Eastern professionals are the most likely to pay for their training entirely themselves.
European countries fare better, with more than half reporting that their employer paid for their training.
Payment for Training
Middle East
1%
0
0
1%
2%
1%
2%
29%
29%
27%
14%
29%
South Africa
39%
United Kingdom
32%
35%
35%
51%
45%
35%
26%
21%
11%
15%
19%
22%
Germany
50%
France
61%
EMEA
69%
Worldwide
Paid for completely myself Paid for completely by my Paid partially by me and my Completely or partially paid
employer
employer
by government grants
Base: All 2015 worldwide respondents (n=13,930).
Q15e. How is your information security training and education currently paid?
Source: Frost & Sullivan
72
Preferred Training Channel
Where European and Middle Eastern countries prefer face-to face training, South Africa reports the
highest approval of online training.
Preferred Training Channel
Middle East
34%
36%
47%
32%
33%
39%
46%
Study guide
Web conferencing
review (textbooks)
(live online)
South Africa
41%
36%
34%
33%
31%
47%
47%
Internet-based
learning (elearning, selfpaced)
United Kingdom
54%
49%
44%
50%
51%
57%
57%
Face-to-face (in
classroom)
Germany
57%
57%
44%
53%
56%
67%
64%
France
72%
68%
59%
67%
66%
82%
74%
EMEA
74%
74%
82%
69%
76%
66%
81%
Worldwide
Cyber-range
based training
(simulated cyber
war games)
Study group
Base: All 2015 worldwide respondents (n=13,930).
Q15f. How would you rate the relevance of each of the following methods of receiving information security training and education? - Top two box
scores
Source: Frost & Sullivan
73
Success of Cyber-Range Based Training
In each country, reviews of cyber-range based training are positive, with a large majority in each region
rating it at least somewhat successful.
Success of Cyber-Range Based Training
(Very/Somewhat Successful)
South Africa
Middle East
Somewhat successful Neither successful nor Not very successful
unsuccessful
0
0
0%
0
0
0%
0%
1%
2%
2%
1%
2%
2%
1%
3%
7%
8%
6%
16%
6%
7%
Very successful
United Kingdom
62%
53%
63%
51%
53%
Germany
26%
29%
France
16%
28%
20%
24%
26%
60%
EMEA
58%
Worldwide
Not at all successful
Base: Filtered respondents (n=5,658).
Q15g. You indicated that you think cyber-range based training is at least somewhat relevant. Please rate how successful you believe that cyberrange training has been in developing skills and techniques to meet ever-evolving security threats?
Source: Frost & Sullivan
74
Security Importance and Incident Response
75
South Africa
Internet
delivered
security services
Virtualized or
cloud security
services
United Kingdom
Hardware
appliance
solutions
Software
solutions
Germany
Secure software
development
Having access
to executive
management
France
Budget allocated
for security
EMEA
Training of staff
on security
policy
Worldwide
Adherence to
security policy
Management
support of
security policies
Qualified
security staff
88%
87%
79%
89%
82%
98%
90%
85%
84%
81%
78%
89%
90%
89%
85%
83%
76%
85%
88%
93%
89%
81%
81%
78%
80%
87%
86%
86%
81%
79%
75%
75%
81%
86%
83%
68%
71%
75%
65%
70%
83%
79%
66%
65%
56%
68%
65%
74%
70%
53%
49%
33%
41%
48%
67%
59%
49%
43%
31%
36%
46%
57%
55%
48%
45%
38%
41%
44%
55%
55%
43%
41%
48%
32%
39%
64%
53%
Factors Driving Effective Security
The top three factors driving effective security are qualified staff, adherence to policy and support from
management.
Factors Driving Effective Security
(Very/Somewhat Important)
Middle East
Base: All 2015 worldwide respondents (n=13,930).
Q29. How would you rate the importance of each of the following in effectively securing your organization? - Top two box scores
Source: Frost & Sullivan
76
Organized crime
South Africa
Hacktivists
State sponsored acts
United Kingdom
Contractors
Corporate espionage
Trusted third parties
Germany
Cyber terrorism
Cloud-based services
France
Internal employees
Hackers
EMEA
Faulty network/system
configuration
72%
70%
74%
68%
70%
74%
74%
71%
66%
49%
55%
68%
79%
80%
65%
63%
48%
58%
67%
78%
73%
60%
60%
56%
57%
58%
76%
66%
59%
58%
54%
50%
58%
67%
64%
59%
56%
49%
53%
51%
76%
71%
54%
52%
45%
41%
53%
72%
65%
49%
46%
47%
42%
48%
48%
49%
48%
42%
35%
41%
46%
53%
58%
42%
41%
27%
37%
42%
64%
54%
42%
43%
42%
47%
37%
64%
56%
41%
40%
43%
34%
38%
62%
54%
41%
34%
25%
41%
38%
29%
50%
40%
37%
23%
32%
42%
53%
55%
38%
42%
34%
45%
45%
49% 69%
Worldwide
Mobile devices
Configuration
mistakes/oversights
Malware
Application
vulnerabilities
Top Security Threats
Overall, application vulnerabilities and malware are the top security threats identified by professionals
in the EMEA region. Surprisingly, South African and Middle Eastern professionals identify internal
employees as a top threat.
Top Security Threats
(Top/High Concern)
Middle East
Base: Filtered respondents (n=7,985).
Q30. Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each. - Top
two box scores
Source: Frost & Sullivan
77
Organizational Priorities
Consistently, protecting the organization’s reputation is an important priority in each country. Typically,
South African and Middle Eastern professionals place greater emphasis on each priority.
Organizational Priorities
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Reduced
shareholder
value
Lawsuits
Competitive
intelligence
Theft of
intellectual
property
Health and
safety
Customer
identity theft
or fraud
Customer
privacy
violations
Breach of
laws and
regulations
Service
downtime
Damage to
the
organization'
s reputation
82%
84%
75%
81%
90%
95%
83%
75%
75%
62%
74%
77%
81%
78%
75%
73%
70%
70%
80%
81%
72%
72%
72%
62%
74%
76%
83%
68%
65%
66%
64%
64%
69%
83%
67%
58%
58%
52%
58%
58%
60%
67%
58%
56%
52%
52%
56%
76%
69%
50%
50%
46%
37%
51%
69%
63%
48%
46%
47%
36%
44%
57%
61%
47%
51%
44%
48%
53%
67%
58%
Worldwide
Base: Filtered respondents (n=7,985).
Q31. Please rate the following in terms of their priority to your organization. - Top two box scores
Source: Frost & Sullivan
78
Assessment of Performance Under Attack Scenarios
(Perform Better)
In each scenario, South Africans and Middle Eastern firms believe they would perform better in greater
numbers than their European counterparts.
Preferred Training Channel
Discovering a security breach
55%
55%
42%
Middle East
40%
62%
44%
47%
52%
48%
50%
56%
45%
42%
45%
46%
48%
Having systems in place to prepare
for a security incident
South Africa
45%
United Kingdom
44%
Germany
46%
France
57%
EMEA
69%
Worldwide
Recovering from a security breach
Base: All 2015 worldwide respondents (n=13,930).
Q32. Compared to a year ago, please indicate how your organization would perform if its systems or data were compromised by a targeted attack? Perform better
Source: Frost & Sullivan
79
Threat Response Time
The largest proportion in each country indicate that they would be able to remediate a threat within a
week.
Threat Response Time
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Within one day
Two to seven
days
Eight to twenty
days
Three to five
weeks
Six weeks or more
16%
17%
24%
17%
19%
12%
14%
4%
3%
8%
1%
4%
5%
2%
4%
4%
4%
3%
4%
5%
4%
5%
9%
11%
11%
12%
16%
12%
20%
19%
14%
16%
15%
22%
27%
44%
46%
37%
47%
47%
50%
44%
Worldwide
Don't know
Base: Filtered respondents (n=7,985).
Q33a. If your organization's systems or data were compromised by a targeted attack, how quickly do you predict it would take to remediate the
damage?
Source: Frost & Sullivan
80
Factors Improving Security Activities
In most countries in the region, network monitoring and intelligence coupled with improved intrusion
detection are highlighted as technologies that will improve security activities.
Factors Improving Security Activities
Network monitoring
and intelligence
Improved intrusion
detection and
prevention
technologies
Policy management
and audit tools
Web security
applications
52%
45%
41%
45%
69%
Middle East
45%
44%
54%
57%
45%
38%
South Africa
45%
47%
49%
53%
41%
54%
50%
52%
57%
United Kingdom
59%
Germany
72%
74%
73%
69%
France
58%
70%
72%
81%
81%
80%
EMEA
62%
49%
71%
75%
Worldwide
Automated identity
management software
Base: Filtered respondents (n=7,985).
Q33b. What security technologies do you believe will provide significant improvements to the security of your organization? Select as many as you
feel apply.
Source: Frost & Sullivan
81
Security Threats
Across all regions, phishing is the most common security threat.
Top 10 Security Threats
(Very/Somewhat Common)
France
Germany
United Kingdom
South Africa
Middle East
Brute force
Backdoor
Command
and control
Downloader
SQL Injection
Denial of
service and
distributed
denial of…
Privilege
abuse
Web
application
attacks
36%
34%
32%
39%
30%
50%
41%
35%
36%
41%
47%
31%
36%
41%
34%
35%
30%
32%
32%
59%
48%
33%
36%
31%
40%
35%
41%
41%
31%
30%
32%
44%
23%
31%
38%
29%
27%
20%
32%
25%
38%
38%
27%
26%
29%
29%
22%
33%
37%
26%
24%
20%
30%
18%
34%
36%
25%
23%
21%
31%
19%
29%
29%
EMEA
Scan network
Phishing
54%
51%
49%
53%
53%
64%
61%
Worldwide
Base: Filtered respondents (n=7,985).
Q33c. Please indicate how common each of the security threats listed below are for your organization. - Top two box scores
Source: Frost & Sullivan
82
Security Breaches Attributable to Known Vulnerabilities
Known vulnerabilities account for less than 25% of breaches in the largest proportion of nations in the
EMEA region.
Security Breaches Attributable to Known Vulnerabilities
25 to less than 50%
50 to less than 75%
75 to 100%
21%
31%
15%
10%
11%
11%
18%
12%
10%
15%
12%
10%
19%
9%
13%
11%
15%
21%
15%
19%
13%
15%
14%
26%
24%
24%
22%
27%
28%
Less than 25%
Middle East
40%
South Africa
27%
United Kingdom
38%
Germany
32%
France
36%
EMEA
34%
Worldwide
Don't know
Base: Filtered respondents (n=7,985).
Q33d. Approximately what percentage of all detected security breaches in your organization over the past year can you attribute to known
vulnerabilities?
Source: Frost & Sullivan
83
Security Breaches Attributable to Insecure Software
Insecure software accounts for less than 25% of breaches in the largest proportion of nations in the
EMEA region.
Security Breaches Attributable to Insecure Software
France
Germany
United Kingdom
South Africa
Middle East
75 to 100%
42%
29%
8%
6%
7%
7%
6%
10%
22%
50 to less than 75%
12%
14%
9%
10%
16%
13%
13%
34%
38%
25 to less than 50%
11%
21%
14%
14%
22%
12%
17%
17%
36%
34%
29%
18%
26%
29%
29%
Less than 25%
33%
EMEA
45%
Worldwide
Don't know
Base: Filtered respondents (n=7,985).
Q33e. Approximately what percentage of all detected security breaches in your organization over the past year can you attribute to insecure
software applications?
Source: Frost & Sullivan
84
Effectiveness of Global Government Initiatives
Global government initiatives garner much more favorable reviews among South African and Middle
Eastern professionals than they do among other EMEA countries.
Effectiveness of Global Government Initiatives
South Africa
Middle East
32%
26%
8%
3%
9%
12%
14%
24%
9%
8%
15%
12%
28%
10%
11%
9%
15%
15%
26%
12%
12%
13%
17%
17%
United Kingdom
34%
Germany
14%
France
31%
EMEA
34%
Worldwide
Internet Governance Forum World Economic Forum
Cyber Resilience Initiative
Impact-ITU Global Cyber
Security Agenda
Commonwealth Internet
Governance Forum
Base: Filtered respondents (n=7,985).
Q33f. Please rate the effectiveness of each of the following government initiatives in providing security guidance and standards.
Source: Frost & Sullivan
85
Adoption of Framework for Improving Infrastructure
Cybersecurity
No more than one tenth of organizations in EMEA countries have adopted FIIC.
Adoption of FIIC
EMEA
France
Germany
United Kingdom
South Africa
Middle East
35%
26%
46%
55%
51%
44%
46%
56%
48%
37%
47%
52%
9%
0
7%
8%
2%
5%
12%
43%
74%
Worldwide
Yes
No
Don't know
Base: Filtered Respondents (n=7,985)
Q33h. In 2014, the United States government released the Framework for Improving Infrastructure Cybersecurity. Has your company adopted any of
the measured outlined in this framework?
Source: Frost & Sullivan
86
Internet Governance
The majority of South African, French and UK professionals favor internet governance, while their
counterparts in Germany do not.
Internet Governance
South Africa
Middle East
No
17%
7%
17%
21%
15%
17%
18%
28%
26%
35%
40%
54%
United Kingdom
25%
26%
Yes
Germany
40%
49%
59%
43%
42%
France
55%
EMEA
67%
Worldwide
Don't know
Base: Filtered Respondents (n=7,985)
Q33j. Do you believe there is a need to implement a form of governance on the Internet?
Source: Frost & Sullivan
87
Approaches to Internet Governance
Among those who favor internet governance, the largest proportion from each country save France
advocate a collaborative approach among global governments. France, on the other hand, endorse a
proscribed approach from an international organization such as the UN.
Approaches to Internet Governance
EMEA
France
United Kingdom
South Africa
Middle East
Based on a collaborative The responsibility of an
approach amongst
organization specifically
governments globally
established for such a
task
Proscribed top down by
an organization such as
the United Nations
The responsibility of a
private sector
organization such as
ICANN
2%
2%
2%
2%
2%
3%
0
14%
10%
17%
11%
8%
8%
9%
26%
22%
14%
16%
43%
Germany
14%
21%
30%
31%
23%
29%
15%
27%
27%
24%
42%
40%
43%
42%
41%
40%
Worldwide
Other
Base: Filtered Respondents (n=3,385)
Q33k. In your opinion, which of the following is the best approach to Internet governance?
Source: Frost & Sullivan
88
Confidence in Legislators
Professionals in the EMEA region are divided regarding their confidence in legislators' understanding of
information security. Notably, more than half of professionals in South Africa are not confident in their
legislators.
Confidence in Legislators
Very confident
Germany
United Kingdom
South Africa
Middle East
Somewhat
unconfident
22%
14%
9%
7%
11%
18%
14%
38%
20%
20%
24%
16%
16%
20%
20%
13%
18%
22%
15%
21%
23%
31%
Somewhat confident Neither confident nor
unconfident
12%
France
44%
41%
43%
EMEA
29%
34%
9%
12%
9%
18%
8%
5%
22%
Worldwide
Not confident at all
Base: Filtered Respondents (n=3,385)
Q33l. How confident are you that your country's legislators understand the importance of security enough to provide sufficient funding to support
your key information security initiatives?
Source: Frost & Sullivan
89
Government Information Security
Overall in the EMEA region, slightly more believe that government information security is better off now
than it was a year ago, however one in five believe that it is worse off. This trend is reversed in France,
however, where three in ten believe government security is worse off.
Government Information Security
Better off
United Kingdom
South Africa
Middle East
About the same
Worse off
13%
8%
4%
25%
29%
9%
9%
13%
25%
8%
12%
13%
17%
29%
33%
25%
45%
Germany
52%
29%
45%
47%
40%
France
25%
40%
32%
EMEA
14%
32%
27%
Worldwide
Don't know
Base: Filtered Respondents (n=1,615).
QG5a. Overall, is the government's information security better or worse off than a year ago?
Source: Frost & Sullivan
90
Government Information Security (Better)
The largest proportion who believe that government security is better than it was a year ago indicate
that awareness has improved and that risk management has improved.
Government Information Security (Better)
58%
25%
43%
0
24%
34%
19%
25%
50%
38%
31%
0
0
50%
63%
57%
Improved security
Improved
Improving ability Effective security
awareness
understanding of to keep pace with
guidance or
risk management
threats
standards
100%
Middle East
100%
South Africa
100%
45%
49%
58%
38%
51%
46%
United Kingdom
100%
Germany
0
42%
50%
43%
50%
0
58%
45%
86%
0
63%
76%
70%
France
100%
88%
EMEA
100%
Worldwide
Better or more
qualified
professionals
available
Adequate funding
for security
initiatives
Base: Filtered respondents (n=441).
QG5b. Why do you say that government security is better off than a year ago?
Source: Frost & Sullivan
91
Government Information Security (Worse)
Those who believe that government security is worse than it was a year ago most commonly cite an
inability to keep pace with threats.
Government Information Security (Worse)
100%
50%
0
33%
25%
58%
45%
75%
33%
75%
100%
72%
77%
50%
25%
Middle East
100%
South Africa
100%
100%
66%
55%
50%
50%
49%
55%
50%
33%
50%
75%
33%
25%
United Kingdom
100%
Germany
100%
France
100%
66%
55%
75%
100%
EMEA
50%
77%
71%
100%
100%
Worldwide
Inability to keep
pace with threats
Inadequate
Ineffective security
funding for
guidance or
security initiatives
standards
Not enough
qualified
professionals
available
Poor
Security
understanding of awareness is still
risk management
too low
within government
Base: Filtered respondents (n=271).
QG5c. Why do you say that government security is worse off than a year ago?
Source: Frost & Sullivan
92
Important Factors in Securing Organizational
Infrastructure
Professionals in EMEA agree that hiring and retaining qualified information security professionals is the
most important influencer in securing organizational infrastructure.
Important Factors in Securing Organizational Infrastructure
(Very/Somewhat Important)
United Kingdom
South Africa
Middle East
Hiring and
Improved agency Public awareness Develop a national Expand cyber
retaining qualified funding for and
cyber incident
coordination
information
enforcement of
response
capabilities to
security
security mandates
capability
states and the
professionals
private sector
40%
52%
29%
40%
49%
25%
53%
54%
61%
43%
52%
53%
50%
57%
70%
100%
Germany
61%
70%
57%
60%
72%
France
63%
69%
43%
76%
60%
75%
77%
EMEA
70%
63%
71%
56%
53%
75%
80%
85%
82%
57%
84%
79%
100%
93%
Worldwide
International
outreach,
collaboration and
deterrence
strategy
Base: Filtered respondents (n=1,615).
QG6. How would you rate the importance of each of the following in effectively securing your organization's infrastructure? - Top two box scores
Source: Frost & Sullivan
93
Attitudes Toward Strict Government Requirements
The majority of information security professionals in the EMEA region agree that there should be
specific, mandatory security requirements in every major IT procurement. Nowhere is the belief held
more firmly than in France and the UK, where three quarters strongly agree with this sentiment.
Attitudes Toward Strict Government Requirements
France
Germany
United Kingdom
South Africa
Middle East
Agree somewhat
Neither agree nor
disagree
Disagree somewhat
0
0
7%
8%
3%
3%
0
0
0
3%
4%
0
3%
1%
0
6%
0
Agree completely
10%
16%
10%
11%
30%
25%
34%
24%
29%
28%
32%
50%
48%
60%
71%
58%
51%
EMEA
75%
Worldwide
Disagree completely
Base: Filtered Sample (n=1,615)
QG7. How much do you agree that the government should include specific, mandatory security requirements in every major IT procurement?
Source: Frost & Sullivan
94
Impact of Security Posture
In each country, the majority report having an impact on security posture.
Impact of Security Posture
EMEA
France
Germany
United Kingdom
South Africa
Middle East
People listen to what I say I have a significant impact. People sometimes ask for
about security and follow People frequently ask for my advice, but generally
my suggestions most of the my advice and implement implement security controls
time
my recommendations
they have determined to be
appropriate and
3%
0
2%
12%
0
8%
4%
0
13%
15%
8%
29%
14%
18%
53%
25%
47%
28%
43%
38%
33%
30%
36%
52%
29%
44%
41%
75%
Worldwide
I am somewhat
marginalized within my
department
Base: Filtered Sample (n=1,615)
QG9. How would you rate your own impact on the security posture of your department or agency?
Source: Frost & Sullivan
95
Outsourcing
Source: Frost & Sullivan
96
Outsourcing Security Operations
Overall, firms in the EMEA are the least likely to outsource risk and compliance management. As a
proportion, the French outsource the most threat intelligence, research, detection, forensics and
remediation.
Security Operations Outsourced
(Average %)
EMEA
France
Germany
United Kingdom
South Africa
Middle East
26
20
14
20
21
8
6
9
13
10
11
Security asset management and
monitoring (e.g., firewall, IPS)
19
19
21
25
23
18
21
19
24
28
Worldwide
Risk and compliance management
Threat intelligence, research,
detection, forensics, and remediation
Base: Filtered respondents (n=7,985)
Q34a. Which areas of your security operations do you outsource today? Please select the percent outsourced for each operation
Source: Frost & Sullivan
97
Future Outsourcing of Security Asset Management
Future Outsourcing of Security Asset Management
Germany
United Kingdom
South Africa
Middle East
Decrease more Decrease 11 to Decrease 1 to
than 20%
20%
10%
4%
6%
3%
5%
6%
5%
7%
8%
0
7%
8%
5%
3%
16%
20%
12%
15%
13%
14%
15%
16%
8%
5%
5%
6%
5%
3%
4%
5%
5%
0
5%
5%
3%
9%
4%
4%
4%
3%
3%
1%
10%
47%
64%
France
61%
EMEA
61%
59%
67%
59%
Worldwide
No change
Increase 1 to
10%
Increase 11 to Increase more
20%
than 20%
Base: Filtered respondents (n=2,925)
Q34b_1. How will your outsourcing change over the next 12 months? - Security asset management and monitoring (e.g., firewall, IPS)
Source: Frost & Sullivan
98
Future Outsourcing of Risk and Compliance
Management
Future Outsourcing of Risk and Compliance
Germany
United Kingdom
South Africa
Middle East
Decrease more Decrease 11 to Decrease 1 to
than 20%
20%
10%
No change
Increase 1 to
10%
6%
5%
4%
3%
3%
6%
12%
3%
0
2%
0
5%
5%
3%
4%
12%
14%
20%
14%
12%
13%
6%
7%
5%
7%
7%
7%
8%
6%
7%
3%
5%
4%
3%
4%
6%
8%
3%
4%
4%
10%
2%
47%
59%
63%
63%
67%
France
59%
EMEA
76%
Worldwide
Increase 11 to Increase more
20%
than 20%
Base: Filtered respondents (n=2,274)
Q34b_2. How will your outsourcing change over the next 12 months? - Risk and compliance management
Source: Frost & Sullivan
99
Future Outsourcing of Threat Intelligence, Research,
Detection and Remediation
Future Outsourcing of Risk and Compliance
Germany
United Kingdom
South Africa
Middle East
5%
4%
5%
5%
2%
3%
13%
13%
7%
4%
7%
9%
9%
7%
14%
13%
11%
14%
13%
18%
17%
9%
8%
0
6%
6%
2%
2%
10%
4%
3%
4%
5%
2%
5%
5%
4%
4%
3%
4%
7%
3%
49%
63%
France
58%
EMEA
60%
59%
60%
62%
Worldwide
Decrease more Decrease 11 to Decrease 1 to
than 20%
20%
10%
No change
Increase 1 to
10%
Increase 11 to Increase more
20%
than 20%
Base: Filtered respondents (n=3,268)
Q34b_3. How will your outsourcing change over the next 12 months? - Threat intelligence, research, detection and remediation
Source: Frost & Sullivan
100
Outsourcing Professional Services
In each case, France and firms in the Middle East are the most likely to outsource professional
services.
Outsourcing Professional Services
31%
31%
45%
38%
Middle East
41%
36%
South Africa
34%
38%
33%
30%
United Kingdom
38%
44%
36%
29%
29%
Germany
33%
France
39%
EMEA
29%
37%
30%
26%
Worldwide
Security advisory (security strategy, Technical services (security audit, Implementation services (integration,
security governance and compliance, breach management, residency)
security product installation and
training)
migration, security product life cycle
Base: Filtered respondents (n=7,985)
Q35a. Please indicate whether you or your organization outsources any of the following professional services
Source: Frost & Sullivan
101
Future Outsourcing of Security Advisory
Future Outsourcing of Security Advisory
Germany
United Kingdom
South Africa
Middle East
Decrease more Decrease 11 to Decrease 1 to
than 20%
20%
10%
No change
Increase 1 to
10%
4%
4%
0
8%
6%
11%
4%
4%
9%
2%
0
6%
7%
6%
24%
24%
23%
19%
23%
24%
23%
12%
7%
3%
0
3%
4%
5%
3%
3%
0
3%
4%
3%
6%
4%
2%
3%
4%
3%
5%
18%
41%
49%
France
58%
EMEA
60%
54%
62%
55%
Worldwide
Increase 11 to Increase more
20%
than 20%
Base: Filtered respondents (n=2,083)
Q35b_1. How will your outsourcing change over the next 12 months? - Security advisory
Source: Frost & Sullivan
102
Future Outsourcing of Technical Services
Future Outsourcing of Technical Services
Decrease more Decrease 11 to Decrease 1 to
than 20%
20%
10%
Middle East
No change
Increase 1 to
10%
3%
0
4%
5%
10%
2%
3%
18%
11%
0
0
8%
8%
10%
21%
16%
18%
17%
17%
15%
24%
11%
8%
4%
5%
5%
10%
2%
4%
2%
South Africa
0
3%
3%
5%
4%
5%
1%
4%
3%
3%
3%
4%
United Kingdom
49%
Germany
63%
France
58%
EMEA
60%
57%
58%
55%
Worldwide
Increase 11 to Increase more
20%
than 20%
Base: Filtered respondents (n=2,668)
Q35b_2. How will your outsourcing change over the next 12 months? - Technical services
Source: Frost & Sullivan
103
Future Outsourcing of Implementation Services
Future Outsourcing of Implementation Services
Germany
United Kingdom
13%
5%
4%
0
5%
7%
11%
7%
16%
13%
3%
10%
10%
9%
23%
19%
18%
13%
18%
19%
1%
Decrease more Decrease 11 to Decrease 1 to
than 20%
20%
10%
Middle East
32%
36%
14%
7%
0
1%
5%
4%
9%
3%
2%
3%
3%
3%
6%
14%
5%
3%
3%
3%
3%
4%
South Africa
43%
France
57%
EMEA
56%
54%
49%
54%
Worldwide
No change
Increase 1 to
10%
Increase 11 to Increase more
20%
than 20%
Base: Filtered respondents (n=2,687)
Q35b_3. How will your outsourcing change over the next 12 months? - Implementation services
Source: Frost & Sullivan
104
Reasons for Outsourcing
Lack of in-house skills is the most common reason for outsourcing services.
Reasons for Outsourcing
It is less
expensive
Recruiting
limitations
South Africa
Middle East
18%
16%
9%
15%
16%
12%
26%
Lack of in-house Temporary need
skills
for flex force
capacity
United Kingdom
23%
19%
14%
18%
22%
27%
20%
Germany
26%
32%
40%
40%
27%
44%
46%
France
30%
29%
32%
31%
33%
22%
29%
EMEA
30%
31%
40%
45%
28%
22%
18%
49%
51%
57%
59%
47%
61%
56%
Worldwide
Alleviating the
burden of tedious
tasks
Difficulty in
retaining staff
Base: Filtered respondents (n=5,070)
Q36. What are all of your reasons for outsourcing?
Source: Frost & Sullivan
105
Criteria for Service Provider Selection
Price is among the most important criteria for selecting a service provider, particularly in South Africa.
Service level agreements are also highly important in South Africa and the Middle East.
Criteria for Service Provider Selection
Pricing
17%
20%
27%
25%
17%
24%
28%
Middle East
19%
25%
25%
24%
18%
34%
33%
South Africa
20%
26%
25%
33%
22%
40%
37%
22%
24%
18%
16%
21%
24%
39%
United Kingdom
30%
25%
18%
28%
30%
40%
28%
Germany
33%
37%
38%
43%
27%
45%
54%
France
49%
54%
54%
61%
51%
62%
58%
EMEA
50%
50%
48%
49%
49%
66%
59%
55%
59%
52%
57%
60%
72%
62%
Worldwide
Service Quality and Number of Breadth of Brand name Location of Geographic Size of the
Level
number of years in
service
the
proximity organization
Agreement security
business
provider's
people
base of
operations
Base: Filtered respondents (n=7,985)
Q37. What criteria do you use in selecting a managed or professional security services provider? Please select all that apply.
Source: Frost & Sullivan
106
Single Most Important Criterion for Service Provider
Selection
When forced to choose the most important criterion influencing service provider selection, most agree
that quality is the single most important determinant.
Most Important Criterion for Service Provider Selection
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Quality and Service
number of
Level
security Agreement
people
Pricing
1%
1%
2%
1%
1%
0
1%
1%
2%
2%
1%
2%
2%
2%
1%
3%
2%
5%
2%
3%
3%
3%
3%
5%
3%
2%
2%
5%
3%
4%
3%
3%
3%
7%
5%
5%
4%
2%
5%
4%
5%
4%
13%
13%
11%
11%
17%
19%
11%
17%
16%
16%
17%
12%
16%
19%
29%
33%
34%
35%
29%
29%
37%
Worldwide
Breadth of Brand name Number of Location of Geographic Size of the
service
years in
the
proximity organization
business provider's
base of
operations
Base: Filtered respondents (7,985)
Q38. Please select the single most important criterion that you use when selecting a managed or professional security services provider?
Source: Frost & Sullivan
107
Permanency of Service Provider
The largest proportion describe their relationship with their service provider as somewhat permanent.
Permanency of Service Provider
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Completely permanent
Somewhat permanent
Somewhat temporary
14%
10%
5%
9%
11%
9%
9%
29%
19%
21%
18%
22%
22%
15%
10%
7%
11%
16%
8%
10%
10%
25%
41%
34%
34%
36%
35%
56%
Worldwide
Completely temporary
Base: Filtered respondents (n=5,070)
Q39. Would you describe your use of a managed security service provider as temporary or permanent? Please indicate the level of permanence
using the scale below.
Source: Frost & Sullivan
108
Secure Software Development
109
Frequency of Security Scans on Applications (Always)
In each case, French firms are less likely to always perform scans on applications.
Frequency of Security Scans on Applications (Always)
33%
35%
45%
38%
Middle East
28%
38%
39%
45%
South Africa
46%
46%
41%
34%
41%
United Kingdom
45%
40%
34%
29%
40%
48%
Germany
42%
France
42%
48%
48%
EMEA
50%
43%
36%
44%
49%
Worldwide
Internally developed
Internally developed
Externally developed
Externally developed
applications that are hosted applications that are hosted applications that are hosted applications that are hosted
in your private data centers
in a public cloud
in private data centers
in a public cloud
environment
environment
Base: Filtered respondents (n=8,849)
Q40. Please indicate the frequency with which security scans are conducted on the following applications. - Always
Source: Frost & Sullivan
110
Frequency of Security Scans on Applications (Never)
In each case, firms in France and South Africa are among the most likely to never perform scans on
applications.
Frequency of Security Scans on Applications (Never)
24%
27%
16%
17%
22%
11%
9%
10%
16%
16%
11%
21%
15%
16%
24%
Middle East
24%
South Africa
21%
United Kingdom
11%
9%
9%
6%
13%
14%
11%
10%
Germany
27%
France
20%
EMEA
21%
Worldwide
Internally developed
Internally developed
Externally developed
Externally developed
applications that are hosted applications that are hosted applications that are hosted applications that are hosted
in your private data centers
in a public cloud
in private data centers
in a public cloud
environment
environment
Base: Filtered respondents (n=8,849)
Q40. Please indicate the frequency with which security scans are conducted on the following applications. - Never
Source: Frost & Sullivan
111
Frequency of Security Scans by Organizational Group
Generally, the security operations group is the most likely to perform security scans in each country.
Frequency of Security Scans By Organizational Group
(% Always/Sometimes)
A professional
security
services
provider
The security
architecture
group
Middle East
53%
53%
49%
55%
51%
60%
55%
An external
consultant
South Africa
65%
64%
64%
66%
65%
65%
62%
United Kingdom
66%
64%
68%
66%
60%
69%
71%
Germany
69%
74%
75%
76%
79%
82%
74%
The security The compliance
operations
auditing group
group
France
71%
75%
75%
68%
75%
82%
80%
EMEA
72%
70%
73%
72%
69%
85%
78%
88%
86%
85%
79%
88%
91%
88%
Worldwide
The software A committee of
development personnel from
group
some or all of
these groups
Base: Filtered respondents (n=8,849)
Q41. Please indicate the frequency with which the following groups within your organization conduct application security scans? - Top two box
scores
Source: Frost & Sullivan
112
Security Scans on Internally Developed Applications
Professionals in each country are the least likely to perform a scan during code development, and the
most likely to perform a scan after a breach has been detected.
Security Scans on Internally Developed Applications
(% Always/Sometimes)
During code
development
During application
testing
80%
86%
82%
85%
77%
82%
Middle East
81%
88%
84%
92%
90%
South Africa
88%
88%
89%
87%
86%
91%
United Kingdom
91%
87%
88%
88%
Germany
83%
75%
86%
87%
88%
85%
France
63%
84%
EMEA
67%
74%
74%
67%
69%
70%
Worldwide
After the application After a data breach or We use externallyhas been placed into intrusion has been
developed
production
discovered
applications
Base: Filtered respondents (n=8,849):
Q42. How frequently are security scans conducted on internally developed applications? - Top two box scores
Source: Frost & Sullivan
113
We view the risk of insecure
software code as immaterial
South Africa
We usually don't know or are
unsure how to correct the
software code
We have sufficient secondary
means to reduce the risks
attributable to insecure software
code
United Kingdom
The scans are incomplete
The scanning produces
irrelevant results
On externally-developed
applications, we trust the
vendors to thoroughly scan and
correct their applications for…
Germany
Our internal software
developers practice secure
software coding practices
It is usually too late in the
development or testing
processes to modify the code
prior to implementation
France
We don't have the expertise to
interpret the scanning results
effectively
EMEA
Scanning products are too
expensive
Scanning takes too much time
38%
36%
36%
45%
25%
35%
22%
22%
28%
24%
20%
25%
21%
19%
19%
24%
19%
18%
22%
15%
18%
19%
38%
15%
16%
19%
17%
17%
19%
32%
22%
14%
22%
23%
16%
16%
18%
17%
13%
38%
17%
15%
15%
28%
11%
14%
14%
15%
12%
12%
7%
13%
15%
17%
10%
11%
12%
7%
12%
9%
21%
13%
11%
10%
4%
15%
9%
8%
10%
11%
10%
11%
15%
7%
6%
11%
10%
12%
10%
6%
11%
16%
15%
7%
5%
1%
4%
4%
8%
11%
4%
4%
5%
4%
1%
3%
6%
17%
Worldwide
Scanning interferes with the
application development and
implementation process
On externally-developed
applications, we have little
influence on vendors to modify
their software code
None of the above reasons
explain why application security
scans are not conducted
Reasons for Not Conducting Application Security Scans
Reasons for Not Conducting Application Security Scans
Middle East
Base: Filtered respondents (n=8,849)
Q43. Which of the following reasons explains why application security scans are NOT conducted in your organization? Select all that apply
Source: Frost & Sullivan
114
Sowtware Development Concerns
Overall, concern among professionals in the EMEA region is highest for changes introduced by illinformed or careless developers or with the adoption of out of date third-part libraries that contain
vulnerabilities. In each case, South Africa and Middle Eastern professionals are more likely to express
concern over these software development issues than their European counterparts.
Software Development Concerns
(% Top/High Concern)
60%
58%
53%
60%
59%
73%
69%
59%
58%
49%
50%
61%
73%
66%
57%
55%
51%
49%
53%
70%
67%
54%
50%
48%
51%
51%
56%
61%
Addition of
unannounced
features that pose
security risks
IT-driven products
shipping without
adequate
information security
applications
A lack of knowledge
of information
security features
and procedures
among end-market
customers
Budgeting for
features without the
security training or
services to secure
them
Middle East
62%
61%
58%
61%
63%
68%
68%
South Africa
Software for which
secure configuration
is not supported by
the developer or
distributor
United Kingdom
Addition of out of
date third-party
libraries that contain
vulnerabilities
Germany
63%
62%
54%
61%
66%
79%
70%
France
65%
62%
64%
57%
68%
78%
67%
EMEA
Vulnerable changes
introduced by illinformed, careless
or malicious
developers
Worldwide
Base: Filtered respondents (n=8,849)
Q44. Please indicate your level of concern for each secure software development issue. - Top two box scores
Source: Frost & Sullivan
115
Procedures for Screening External Applications
Firms in the UK have procedures in place to screen external applications in greater numbers than firms
outside of the UK.
Procedures for Screening External Applications
Worldwide
EMEA
France
Germany
United Kingdom
South Africa
Middle East
64%
58%
57%
54%
56%
56%
49%
44%
42%
46%
51%
44%
43%
36%
Yes
No
Base: Filtered respondents (n=8,849)
Q45. Does your organization have a procedure in place to screen external appliances and applications for flawed programming or malicious
software?
Source: Frost & Sullivan
116
Protocols for Screening External Applications
Most often, organizations ensure that they purchase only from trusted vendors in order to avoid
vulnerabilities in applications. The notable exception in this trend is France, where purchasing from
trusted vendors is less prevalent.
Protocols for Screening External Applications
Rely on the
vendor's assertion
of their
development
practices
Assess previous
code reviews
18%
17%
4%
19%
18%
13%
26%
Middle East
19%
16%
15%
13%
14%
35%
19%
52%
28%
Rely on third-party
audits of the
solution
26%
28%
28%
22%
27%
28%
29%
35%
21%
31%
29%
29%
Perform Dynamic
Code analysis
South Africa
Rely on third-party
audits of the
development
practices
30%
25%
24%
19%
24%
32%
34%
United Kingdom
Perform Static
Code analysis
Internally audit the
solution
Germany
30%
26%
26%
23%
27%
16%
27%
61%
64%
61%
69%
60%
74%
65%
France
Conduct
penetration testing
of the solution
EMEA
64%
69%
70%
55%
79%
65%
66%
Purchase only
from trusted
vendors
71%
69%
46%
64%
76%
77%
69%
Worldwide
Base: Filtered respondents (n=5,115)
Q46. Please indicate the procedures or protocols that your organization follows to ensure that external appliances and applications do not contain
flawed programming or malicious code.
Source: Frost & Sullivan
117
Sprawl
118
Information Security Architecture
The majority in each country have an information security architecture.
Information Security Architecture
United Kingdom
South Africa
Middle East
Yes
27%
27%
17%
12%
18%
20%
19%
63%
Germany
62%
72%
France
73%
EMEA
62%
67%
67%
Worldwide
No
Base: Filtered respondents (n=8,849)
Q47a. Does your organization have an information security architecture?
Source: Frost & Sullivan
119
Frequency of Information Security Architecture Update
UK organizations are the most vigilant in updating their security architecture; nearly half update their
systems every year.
Frequency of Information Security Architecture Update
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Every year
1%
1%
2%
1%
0%
0
2%
0%
0%
0
0
1%
0
0
1%
1%
0
1%
1%
3%
0
0
8%
8%
9%
15%
11%
7%
27%
28%
20%
34%
26%
23%
29%
39%
47%
29%
32%
42%
41%
59%
Worldwide
Every two to three Every four to five Every six to seven Every eight to nine We update less
years
years
years
years
once than every
10 years
Base: Filtered respondents (n=5,911).
Q47b. How often is your security architecture updated?
Source: Frost & Sullivan
120
Concern About Architecture Sprawl
Middle Eastern firms have the greatest concern regarding infrastructure sprawl, with nearly two in five
reporting they are very concerned, and two thirds indicating they are at least somewhat concerned.
Concern About Architecture Sprawl
Very concerned
United Kingdom
South Africa
Middle East
39%
40%
47%
41%
39%
Germany
Somewhat concerned Neither concerned nor
unconcerned
Somewhat
unconcerned
2%
5%
5%
6%
7%
5%
5%
4%
10%
7%
7%
10%
7%
7%
11%
14%
15%
13%
14%
15%
23%
29%
43%
France
18%
12%
15%
22%
23%
42%
EMEA
37%
Worldwide
Not at all concerned
Base: Filtered respondents (n=8,849)
Q48. Overall, how concerned are you about ineffective architecture or sprawl?
Source: Frost & Sullivan
121
Rely on third-party
audits of the solution
35%
19%
18%
13%
26%
4%
18%
17%
19%
South Africa
Rely on the vendor's
assertion of their
development practices
Assess previous code
reviews
19%
16%
15%
13%
14%
52%
United Kingdom
28%
Germany
Rely on third-party
audits of the
development practices
28%
29%
35%
21%
31%
29%
29%
Perform Dynamic Code
analysis
France
26%
28%
28%
22%
27%
30%
25%
24%
19%
24%
32%
34%
Perform Static Code
analysis
61%
64%
61%
69%
60%
74%
65%
EMEA
30%
26%
26%
23%
27%
16%
27%
64%
76%
77%
69%
64%
69%
70%
55%
79%
65%
66%
46%
Worldwide
Internally audit the
solution
Conduct penetration
testing of the solution
Purchase only from
trusted vendors
71%
69%
Implications of Sprawl
Implications of Sprawl
Middle East
Base: Filtered respondents (n=6,999)
Q49. Please indicate your level of concern for each of the following implications of technology sprawl. - Top two box scores
Source: Frost & Sullivan
122
Reasons For Sprawl
In all countries in the region save for the UK, professionals cite the ever evolving nature of security
threats as the primary reason for sprawl, however in the UK professionals indicate that their
organization has undertaken mergers and acquisitions that has resulted in architecture sprawl.
Reasons for Sprawl
France
Germany
United Kingdom
South Africa
Middle East
16%
16%
15%
12%
17%
16%
20%
My organization
inherited the
situation
Vendors prefer to
create standalone
products rather
than add new
functionality to
existing products
6%
6%
5%
7%
5%
5%
5%
17%
16%
19%
14%
20%
13%
19%
We are following
a best-of-breed
approach
We have adopted
Infrastructure as a
Service (IaaS)
and our
equipment does
not have a cloudfriendly option
17%
18%
10%
14%
17%
17%
21%
22%
20%
13%
19%
19%
24%
25%
There is
decentralized
purchasing of
security
technologies
21%
18%
24%
26%
23%
26%
36%
EMEA
My organization
has undertaken
mergers and
acquisitions
Security threats
are evolving
faster than
vendors can
evolve their
existing products
32%
29%
22%
32%
34%
32%
32%
Worldwide
Base: Filtered respondents (n=8,849).
Q50. Please indicate which, if any, of the reasons below explain why your organization has security architecture sprawl? Select all that apply.
Source: Frost & Sullivan
123
Start or increase
outsourcing the
management of
our security
technologies
South Africa
39%
41%
United Kingdom
26%
26%
21%
23%
24%
Germany
Place a
moratorium on
purchasing
security
technologies from
a new vendor
France
26%
26%
25%
13%
28%
27%
35%
29%
32%
39%
23%
30%
36%
40%
Retire on-premise
security
technologies and
enhance in-house
staff
EMEA
Retire our security
technologies and
replace with
Security as a
Service
alternatives
32%
30%
25%
27%
29%
36%
45%
Avoid new security
vendors' products
unless we retire an
existing product
Worldwide
37%
39%
33%
37%
38%
48%
40%
Reduce the
number of security
vendors over next
12 months
39%
42%
37%
41%
45%
50%
51%
Strategies to Combat Sprawl
In most cases, South Africa and Middle Eastern countries are more likely to adopt measures to combat
sprawl.
Strategies to Combat Sprawl
(Very/Somewhat Likely)
Middle East
Base: Filtered respondents (n=5,630).
Q51. Please indicate how likely you or your organization is to use the following strategies to combat security technology sprawl? - Top two box
scores
Source: Frost & Sullivan
124
Active Security Contracts
Active Security Contracts
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Six to 10
11 to 20
21 to 30
41 to 50
0
1%
31 to 40
4%
4%
6%
8%
5%
1%
1%
0
1%
1%
0
1%
One to five
security product
vendors under
contract
1%
1%
0
2%
1%
0
1%
0
4%
4%
3%
6%
2%
4%
10%
11%
10%
12%
11%
13%
13%
20%
20%
23%
17%
19%
25%
26%
21%
17%
22%
25%
26%
33%
33%
Worldwide
More than 50
security product
vendors under
contract
Base: Filtered respondents (n=8,849)
Q52. With how many security product vendors do you or your organization have an active contract?
Source: Frost & Sullivan
125
Active Security Consoles
Active Security Consoles
EMEA
France
Germany
United Kingdom
Middle East
11 to 20
21 to 30
41 to 50
0
0%
31 to 40
3%
3%
5%
4%
3%
0%
1%
0
0
1%
0
1%
Six to 10
1%
1%
0
1%
1%
2%
0%
4%
2%
2%
3%
4%
2%
7%
7%
7%
9%
7%
11%
8%
18%
19%
14%
16%
18%
0
One to five
security
management
consoles in use
South Africa
29%
27%
35%
33%
21%
23%
28%
30%
29%
Worldwide
More than 50
security
management
consoles in use
Base: Filtered respondents (n=8,849)
Q53. How many security management consoles does your security organization use?
Source: Frost & Sullivan
126
Proactive Security Analytics
127
Implementation of Advanced Analytics Solutions
Advanced analytics solution adoption is highest in Germany, while Middle Eastern and British
professionals are the most likely to have no plans to implement these solutions.
Implementation of Advanced Analytics Solutions
Currently implementing
16%
19%
23%
Middle East
11%
9%
14%
11%
South Africa
2%
2%
4%
6%
6%
Already implemented
United Kingdom
18%
18%
Germany
17%
18%
14%
22%
17%
17%
19%
France
14%
14%
18%
14%
12%
16%
16%
EMEA
21%
22%
21%
21%
23%
26%
19%
Worldwide
Selecting a solution(s)
Evaluating options
No plans for
implementation
Base: Filtered respondents (n=7,985)
Q54. What is your organization's status on implementing advanced analytics solutions for the detection of advanced malware?
Source: Frost & Sullivan
128
Approaches for Advanced Analytics Implementation
In each country, respondents are most likely to prefer a solution using internal staff, relying on the
provider for technical assistance when needed.
Approaches for Advanced Analytics Solutions Implementation
Middle East
Engage a managed securities Engage a professional security
Implement and operate a
provider to implement and
services provider to implement a solution using internal staff,
operate
solution to be operated by
relying only on the solution
internal staff
provider's team for technical use
assistance
19%
17%
17%
22%
14%
18%
17%
54%
South Africa
53%
47%
56%
42%
52%
United Kingdom
52%
61%
53%
43%
Germany
40%
41%
47%
France
43%
46%
43%
EMEA
32%
34%
36%
36%
32%
Worldwide
Evaluating options
Base: Filtered respondents (n=7,985)
Q55. In implementing an advanced analytics solutions, how likely is it that your organization will utilize each of the following approaches? - Top two
box scores
Source: Frost & Sullivan
129
Anticipated Change in Required Skills
Additional training is the expected consequence of implementing advanced analytics solutions.
Anticipated Change in Required Skills
Germany
Additional training for existing
security staff
South Africa
Middle East
35%
36%
23%
26%
22%
28%
27%
35%
40%
24%
29%
22%
26%
27%
60%
51%
52%
45%
52%
53%
United Kingdom
67%
France
79%
83%
EMEA
73%
75%
65%
75%
72%
Worldwide
Hiring of security professionals Hiring non-security professionals
Some positions within the
with specialized skills or
with specialized skills such as security staff will be downsized
expertise in advanced analytics
data scientists or other
or eliminated as new positions
specialized skilled professionals are developed for advanced
analytics positions
Base: Filtered respondents (n=7,985)
Q56. How do you anticipate that the skills requirements of security teams will change as advanced analytics solutions are implemented? - Top two
box scores
Source: Frost & Sullivan
130
Cloud Computing
131
Prioritizing Cloud Computing
In each country, prioritization of cloud computing is expected to increase.
Prioritizing Cloud Computing
(Top/High Priority)
Worldwide
EMEA
France
Germany
United Kingdom
South Africa
63%
57%
49%
43%
43%
47%
48%
56%
56%
Middle East
61%
63%
46%
46%
33%
Now (currently)
In the near future (within two years)
Base: Filtered respondents (n=8,849)
Q57. To what extent is cloud computing a priority for your organization now and in the future? - Top two box scores
Source: Frost & Sullivan
132
South Africa
Dealing with demand
surges/spikes
Storage of PII and/or
other sensitive data
United Kingdom
Processing customer
orders
Providing access for
suppliers and providing
organizational data
Germany
Providing security
Application
development
France
Big data
processing/warehousin
g
EMEA
Providing
communications/netwo
rk
38%
38%
45%
34%
41%
39%
25%
35%
32%
41%
24%
34%
31%
22%
30%
33%
25%
40%
32%
32%
23%
26%
24%
30%
29%
25%
27%
22%
26%
24%
27%
18%
28%
15%
13%
22%
20%
19%
15%
21%
22%
22%
18%
21%
17%
21%
21%
19%
17%
15%
18%
19%
23%
17%
12%
14%
15%
12%
11%
12%
16%
10%
9%
15%
12%
19%
11%
16%
8%
10%
Worldwide
Storage of
organizational data
Delivering
applications/services to
remote/mobile users
Application hosting
58%
59%
55%
56%
59%
53%
52%
Cloud Usage
Cloud Usage
Middle East
Base: Filtered respondents (n=7,553)
Q58a. For which of the following services are you using cloud? Select all that apply.
Source: Frost & Sullivan
133
Cloud Usage
Cloud Usage
(Average %)
Worldwide
44
EMEA
47
43
43
44
41
France
Germany
United Kingdom
South Africa
Middle East
43
32
24
25
26
26
26
25
32
31
34
35
31
27
20
Software as a service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Base: Filtered respondents (n=7,553)
Q58b. Considering all of your cloud computing usage, how is this proportioned according to the different approaches shown below? - Mean scores
Source: Frost & Sullivan
134
Cloud Usage
Cloud Usage
(Average %)
Worldwide
EMEA
France
52
Germany
59
56 58 55
United Kingdom
South Africa
Middle East
51
46
22
22 23
19 21 17 20 18 20
10 10
Public cloud computing services
(e.g., Amazon AWS)
Private cloud computing
services (e.g., a dedicated
environment that uses
virtualization)
14
6
7
9
11
16 15 15 14 14
Community cloud computing Hybrid cloud computing services
services
Base: Filtered respondents (n=7,553)
Q58c. Considering all of your cloud computing usage, how is this proportioned according to the different approaches shown below? - Mean scores
Source: Frost & Sullivan
135
49%
47%
43%
44%
48%
58%
57%
49%
46%
42%
40%
46%
51%
57%
Inability to conduct security
assessments due to the
working environment
Inability to support forensic
investigations
Disruptions in the
continuous operation of the
data service (i.e.,
uninterrupted availability)
United Kingdom
South Africa
Inability to quantify risk
50%
48%
39%
41%
54%
58%
59%
Limitations on incident
response
Germany
48%
48%
41%
43%
52%
51%
58%
50%
47%
40%
46%
51%
55%
57%
France
Inability to audit cloud
service provider
Weak system or application
access controls
EMEA
51%
52%
45%
52%
51%
60%
59%
53%
53%
47%
48%
54%
56%
64%
Data leakage due to multitenancy
59%
55%
54%
60%
57%
58%
62%
69%
70%
70%
71%
71%
76%
69%
Worldwide
55%
56%
54%
43%
57%
64%
67%
Susceptibility to cyberattacks
Exposure of confidential or
sensitive information to
unauthorized systems or
personnel
Top Concerns About Cloud Computing
Top 10 Concerns About Cloud Computing
Middle East
Base: Filtered respondents (n=8,305)
Q60a. Thinking about the different security aspects of cloud computing, how much of a security concern is each of the following for your
organization? - Top two box scores
Source: Frost & Sullivan
136
Cloud Service Alliance Threats
In most cases, South African respondents report greater concern with Service Alliance Threats.
Cloud Service Alliance Threats
Malicious
Insiders
Middle East
57%
54%
46%
59%
57%
65%
62%
Denial of
Service
55%
53%
56%
46%
55%
67%
57%
Insecure APIs
South Africa
59%
58%
59%
50%
57%
70%
68%
Account
Hijacking
United Kingdom
56%
56%
53%
53%
56%
62%
63%
Germany
56%
55%
52%
55%
56%
68%
60%
89%
77%
Data loss
France
61%
61%
70%
62%
57%
67%
68%
Data breaches
EMEA
73%
72%
74%
63%
74%
76%
76%
77%
73%
78%
83%
79%
Worldwide
Abuse and Insufficient Due
Nefarious Use
Diligence
Base: Filtered respondents (n=8,849).
Q60b. Thinking of the Cloud Security Alliance's recently identified 'Notorious 9 Security Threats', how much of a concern are each of the following? Top two box scores
Source: Frost & Sullivan
137
Cloud Security Certification
For the majority in the EMEA region, a cloud security certification would be at least somewhat relevant.
Cloud Service Alliance Threats
Germany
Somewhat relevant
Neither relevant nor not
relevant
South Africa
Middle East
Not very relevant
2%
8%
5%
6%
6%
5%
5%
6%
2%
5%
8%
7%
6%
6%
9%
10%
13%
14%
16%
12%
11%
Very relevant
United Kingdom
43%
38%
42%
41%
41%
France
35%
33%
29%
27%
30%
30%
31%
39%
EMEA
38%
Worldwide
Not at all relevant
Base: Filtered respondents (n=8,849)
Q60c. If it were offered by a credible organization, how relevant do you believe that a Cloud Security and Certification program would be to you?
Source: Frost & Sullivan
138
6%
5%
2%
4%
4%
2%
8%
4%
1%
1%
3%
1%
2%
2%
Implementing
identity based
network solutions
Employ Role Based
Access Controls
(RBAC)
Implementing
FedRAMP security
controls
4%
4%
4%
5%
3%
3%
5%
South Africa
Employing security
professionals with
recognized
qualifications/certific
ations
United Kingdom
2%
Germany
0
6%
5%
4%
4%
5%
6%
5%
Adopting security
governance
France
4%
4%
9%
5%
4%
7%
9%
10%
4%
12%
13%
9%
31%
EMEA
Detailing and
sharing (with clients)
information security
policies and
procedures
9%
9%
8%
6%
9%
13%
6%
11%
9%
10%
8%
8%
6%
15%
18%
19%
17%
Worldwide
Incorporating
security into
software design and
implementation
Continuous
monitoring
Strong encryption of
data
18%
21%
22%
Elevating Cloud Assurance
Strong data encryption is the top overall choice for elevating cloud information assurance, particularly in
Germany.
Elevating Cloud Assurance
Middle East
Base: Filtered respondents (n=8,849)
Q60d. Which one of the following offers the greatest chance of elevating information assurance in the cloud?
Source: Frost & Sullivan
139
Cloud Security Concerns in Government Agencies
In each case, South African respondents indicate that they have the most concern about each security
issue.
Cloud Security Concerns in Government Agencies
(Top/High Concern)
Data loss prevention
South Africa
Middle East
57%
60%
42%
42%
50%
46%
39%
60%
47%
58%
67%
59%
100%
United Kingdom
59%
67%
71%
58%
83%
70%
66%
73%
Germany
100%
France
100%
86%
88%
EMEA
50%
79%
74%
Worldwide
Ensuring that existing IT security Ensuring that data and systems Integration of cloud and mobility
policy is replicated in the cloud
meet established COOP
(continuity of operations)
guidelines
Base: Filtered respondents (n=1,783)
QG10. How much of a security concern is each of the following for your government department agency when implementing cloud computing? - Top
two box scores
Source: Frost & Sullivan
140
Elevating Information Assurance
In the greatest proportion of cases in each country, all of the listed information assurance measures are
an important facet of cloud security.
Elevating Information Assurance
EMEA
France
Germany
United Kingdom
South Africa
Middle East
Strong encryption
of data
Continuous
monitoring
37%
38%
23%
2%
2%
3%
2%
1%
3%
3%
3%
3%
1%
3%
1%
0
1%
5%
5%
6%
7%
5%
6%
8%
5%
6%
6%
6%
5%
2%
6%
11%
11%
14%
9%
13%
17%
11%
18%
11%
18%
15%
20%
13%
29%
34%
35%
39%
48%
Worldwide
Employ Role
Implementing
Improved failover
Improved
Based Access
identity based
and service-level performance and
Controls (RBAC) network solutions
performance
availability
All of the above
Base: Filtered respondents (n=8,849)
Q61a. Which one of the following offers the greatest chance of elevating information assurance in the cloud?
Source: Frost & Sullivan
141
New Skill Development for Cloud
The majority of respondents in each country believe that new skills are important for mastering cloud
security.
New Skill Development for Cloud
Worldwide
73%
75%
EMEA
72%
France
78%
71%
Germany
76%
United Kingdom
Middle East
75%
16%
Yes
South Africa
16%
15%
21%
13%
19%
13%
No
Base: Filtered respondents (n=8,849)
Q61b. In your opinion, does cloud computing require information security professionals to develop new skills not previously required?
Source: Frost & Sullivan
142
South Africa
Service level agreement
skills
Security engineering
United Kingdom
Audit
Data/information centric
approaches to security
Germany
Knowledge of compliance
issues
France
Enhanced knowledge of
multi-tenancy architecture
EMEA
Risk management
66%
62%
53%
58%
68%
75%
56%
65%
62%
50%
59%
65%
75%
65%
62%
59%
49%
61%
65%
67%
52%
59%
56%
53%
51%
56%
56%
64%
56%
53%
55%
49%
61%
71%
50%
53%
49%
43%
46%
51%
65%
50%
49%
47%
37%
35%
52%
56%
52%
48%
47%
45%
31%
44%
50%
52%
48%
43%
38%
43%
37%
54%
53%
48%
43%
25%
41%
45%
60%
50%
Worldwide
An enhanced
understanding of cloud
security guidelines and
reference architectures
Knowledge of risks,
vulnerabilities and threats
Application of security
controls to cloud
environments
New Skills Needed for Cloud
New Skill Development for Cloud
(Top 10)
Middle East
Base: Filtered respondents (n=8,849)
Q61c. What skills will be required for dealing with cloud computing? Select as many as apply.
Source: Frost & Sullivan
143
The Frost & Sullivan Story
144
The Frost & Sullivan Story
Pioneered Emerging Market
& Technology Research
Partnership Relationship
with Clients
Visionary Innovation
• Global Footprint Begins
• Growth Partnership Services
• Mega Trends Research
• Country Economic Research
• GIL Global Events
• CEO 360 Visionary Perspective
• Market & Technical Research
• GIL University
• GIL Think Tanks
• Best Practice Career Training
• Growth Team Membership™
• GIL Global Community
• MindXChange Events
• Growth Consulting
• Communities of Practice
145
What Makes Us Unique
Focused on
Growth
All services aligned on growth to help clients develop and implement
innovative growth strategies
Industry
Coverage
Continuous monitoring of industries and their convergence, giving
clients first mover advantage in emerging opportunities
Global
Footprint
More than 40 global offices ensure that clients gain global perspective
to mitigate risk and sustain long term growth
360 Degree
Perspective
Proprietary Team Methodology integrates 7 critical research
perspectives to optimize growth investments
Career Best
Practices
Career research and case studies for the CEOs’ Growth Team to ensure
growth strategy implementation at best practice levels
Visionary
Innovation Partner
Close collaboration with clients in developing their research based
visionary perspective to drive GIL
146
TEAM Methodology
Frost & Sullivan’s proprietary TEAM Methodology ensures that clients have a complete 360 Degree
PerspectiveTM from which to drive decision making. Technical, Econometric, Application, and Market
information ensures that clients have a comprehensive view of industries, markets, and technology.
Technical
Real-time intelligence on technology, including emerging technologies, new
R&D breakthroughs, technology forecasting, impact analysis, groundbreaking
research, and licensing opportunities.
Econometric
In-depth qualitative and quantitative research focused on timely and critical
global, regional, and country-specific trends, including the political,
demographic, and socioeconomic landscapes.
Application
Insightful strategies, networking opportunities, and best practices that can be
applied for enhanced market growth; interactions between the client, peers,
and Frost & Sullivan representatives that result in added value and
effectiveness.
Market
Global and regional market analysis, including drivers and restraints, market
trends, regulatory changes, competitive insights, growth forecasts, industry
challenges, strategic recommendations, and end-user perspectives.
147
Our Global Footprint 40+ Offices
Scanning the Globe for Opportunities and Innovation
148