IANS NESCO Survey
Joint benchmark IT security survey with IANS and NESCO.
Presentation Transcript

  • IANS/EnergySec Benchmark Survey: Results Overview
    Ed Moyle, IANS Faculty Member
    Copyright © 2010-2011 IANS. The contents of this presentation are confidential. All rights reserved.

  • Agenda
    – About the survey
    – Results overview: Staffing, Spending
    – Conclusions

  • About the Survey
    – 33 data points
    – 84 respondents
    – Largest response from energy/utilities
    [Chart: Industry Sector – categories Aerospace/Defense, Consulting/Business Services, Education, Energy/Utilities, Government/Military, Healthcare/Hospital; slice values shown: 82%, 6%, 4%, 3%, 2%, 2%, 1%]
    [Chart: Organization Size – categories 1–99, 100–499, 500–999, 1,000 or more; values shown: 48%, 25%, 20%, 7%]
    [Chart: Industry Segment – categories Distribution, Generation, Transmission, Other, Unspecified; values shown: 37%, 23%, 18%, 18%, 4%]

  • Results: Security Staffing
    – Security staffing levels on the increase
    – Largely due to CIP
    – Interesting conclusion: overall levels slightly up, CIP trending sharply up
    – Conclusion: not new staff, current staff reallocated to CIP
    [Chart: Staffing Levels (FTEs) – Security FTE vs. CIP FTE, bins 0-10, 11-20, 21-30, 30+]
    [Chart: CIP Staffing / Security Staffing (18 months) – Increased, No change, Decreased]

  • Results: Spending
    – Security spending overall staying low
    – CIP spending on average around 25%
    – Majority of spending going to product purchases
    [Chart: Security Spending (as a % of IT) – 0-25%: 96%, 26-50%: 4%]
    [Chart: CIP Spending Categories – Staffing, Products, Services, Other]
    [Chart: % of Security Budget Spent on CIP – bins 0-25, 26-50, 51-75, 76-100; axis labels 0-25%, 26-50%, 51-75%, 75%+]

  • Results: Spending, continued
    – Average cost of spending on Technical Feasibility Exceptions – USD $123,384/year
    – Average spending per year on incidents – USD $119,037
    – 3x multiple compared to non-energy (mean $43,000 per McAfee)*
    [Chart: CIP Spending, Levels – Staffing, Products, Services, Other; bins <= 10, 11-25, 26-49, 50-74, 75-89, 90+]
    [Chart: Spending by Segment – Distribution, Generation, Transmission; categories Staffing, Products, Services, Other]
    *McAfee report, “The Security Paradox” (http://www.mcafee.com/us/resources/reports/rp-security-paradox.pdf)

  • Results, Selected Technical Controls
    – 97% estimated < 25% of personnel with remote access to control network
    – Most (67%) respondents require two-factor for all remote access
    – Majority (71%) using hard tokens (e.g. hardware-based OTP)
    [Chart: Two-Factor for Remote Access – Don’t know, Sometimes used, Used for control networks, Always used; values shown: 67%, 19%, 11%, 3%]
    [Chart: Two-Factor Implementation – Don’t know, Hard tokens, Soft tokens, Other]

  • Some Interesting Conclusions
    – Research bears out a few assumptions: security staff increasing (but slowly); CIP staff increasing sharply; suggests conversion vs. hiring
    – Leading CIP spend in staffing and product deployment
    – 3x incident spend multiplier vs. non-energy – suggests higher rate/impact of attack
    – Data suggests control networks with insufficient auth: 97% remote access to control network; 78% know of two-factor for that remote access; potential gap of up to 20%