ESG Research
Final Sponsor Report
Security Management and Operations
By Jon Oltsik, Senior Principal Analyst
With Kristine Kao and Jennifer Gahm
June 2012
© 2012, The Enterprise Strategy Group, Inc. All Rights Reserved.
Contents

List of Figures
List of Tables
Executive Summary
  Report Conclusions
Introduction
  Research Objectives
Research Findings
  The ESG Security Management and Operations Segmentation Model
  The State of Security Management and Operations
  The Evolving Security Organization
  Security Organization Responsibilities
  Security Services Trends
  Risk Management Strategies
  Security Controls Effectiveness and Testing
  Situational Awareness
  Assessing the State of Security Information and Event Management (SIEM)
  Changing Attitudes Towards Security Management
Research Implications
  Research Implications for Technology Vendors
Research Methodology
Respondent Demographics
  Respondents by Role in Purchasing Decisions
  Respondents by Current Responsibility
  Respondents by Number of Employees
  Respondents by Industry
  Respondents by Annual Revenue
List of Figures

Figure 1. ESG Security Management and Operations Segmentation Model Criteria
Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model
Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012
Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions
Figure 5. How Security is Viewed at Organizations
Figure 6. Perception of CISO within Organization
Figure 7. Level of Engagement of Executive Management Team
Figure 8. Characterization of Executive Management Team
Figure 9. Organizations Increasing Security Headcount
Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model
Figure 11. Areas of Information Security with a Shortage of Existing Skills
Figure 12. Current State of Information Security Professional Recruitment/Hiring
Figure 13. Information Security Organization’s Level of Responsibility
Figure 14. Groups Security Team Works With Most Closely
Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012
Figure 16. How Use of Third-Party Professional/Managed Services has Changed
Figure 17. Reasons for Increasing Use of Third-Party Security Services
Figure 18. Areas of Third-Party Security Services Used
Figure 19. Formal IT Risk Management Programs in Place
Figure 20. How Formal IT Risk Management Program is Implemented
Figure 21. Organization’s Rating on Standard Security Best Practices
Figure 22. Frequency of Security Controls Effectiveness Testing
Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls
Figure 24. Metrics Used to Gauge Effectiveness of Security Management
Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed
Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack
Figure 27. Level of Visibility of Security Status
Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model
Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility
Figure 30. Weakest Aspects of Incident Response
Figure 31. SIEM Deployment
Figure 32. Effectiveness of SIEM
Figure 33. How Security Management has Changed Over Past 24 Months
Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks
Figure 36. Automated Actions Currently Executed
Figure 37. How Security Technology Strategy Decisions Will Change
Figure 38. Biggest Security Management Challenges
Figure 39. Survey Respondents, by Role in Security Management Purchasing Decisions
Figure 40. Survey Respondents, by Current Responsibility
Figure 41. Survey Respondents, by Number of Employees
Figure 42. Survey Respondents, by Industry
Figure 43. Survey Respondents, by Annual Revenue
List of Tables

Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model
Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
Executive Summary

Enterprise Strategy Group (ESG) conducted an in-depth research survey on the subject of security management and operations with 315 U.S.-based security professionals working at enterprise-class (i.e., 1,000 employees or more) organizations. For the purposes of this project, survey respondents were asked a series of questions about their organization’s information security philosophy, staffing, and services, as well as security management and operations technology adoption and purchasing plans. The objectives of this report were as follows:

• Appraise the current state of security management and operations. Strong information security depends upon an integrated mix that includes organizational leadership, formal policies, documented processes, skilled tacticians, and layers of complementary technical defenses. In this report, ESG looked at these areas to gather a comprehensive viewpoint on enterprise security management and operations. ESG also looked into three specific aspects of security management and operations: risk management, incident detection, and incident response. Finally, this report was intended to highlight specific security management and operations challenges and determine what, if anything, large organizations were doing to overcome them.

• Understand security management and operations changes. Driven by technologies such as server virtualization, cloud computing, web-based applications, and mobile devices, enterprise IT is going through numerous simultaneous changes. At the same time, large firms also face an increasingly difficult threat landscape featuring exponential malware growth and damaging targeted attacks. This research report looks at how IT and information security trends are transforming enterprise security management and operations requirements today and in the future.

• Explore the links between information security and business operations. As part of the research conducted for this report, ESG spoke with numerous enterprise security professionals. Many of these individuals indicated that executive managers were much more engaged with information security than in the past. As one CISO put it: “Every time the Wall Street Journal includes an article about a security breach, I can anticipate a call from our CEO asking if we are vulnerable to a similar type of attack.” While there is plenty of anecdotal evidence suggesting that executive managers are paying closer attention to information security, ESG wanted to take the opportunity to collect data in order to validate or refute this thesis.

• Analyze the impact of security skills shortages. ESG’s 2012 IT Spending Intentions Survey found that 23% of organizations believe they have a “problematic shortage” of IT security skills, and that 39% of organizations planned to add information security staff in 2012. This data is indicative of a growing information security skills shortage that ESG continues to track. In this report, ESG pushed further to find out exactly where IT security skills are most needed and whether organizations were busy recruiting help or offloading internal security tasks to third-party service providers.

• Evaluate how large organizations measure their security management and operations effectiveness. As the old adage states, “you can’t manage what you can’t measure.” With this in mind, ESG wanted to understand the methods used to gauge the effectiveness of current security programs and technical controls.

Report Conclusions

Based on the data collected from this survey, ESG concludes:

• Most large organizations have significant security management and operations shortcomings.
Based upon a number of select criteria, ESG segmented the entire survey population into three sub-groups we classified as security management “leaders,” “followers,” and “laggards.” Security management and operations “leaders” comprised just 19% of the total survey population, meaning that 81% were deficient in one or multiple areas. Additionally, ESG found security management and operations “leaders” were not resting on their laurels. For example, these enterprises were most aggressive in terms of hiring additional security staff, engaging third-party security service providers, and investing in new types of technical controls. Even with these steps, the data suggests that most large organizations may be extremely vulnerable to future types of security attacks.

• New technologies make security management and operations more difficult. More than half of security professionals say that cloud computing, mobile devices, and remote worker policies are making security management and operations “much more difficult” or “somewhat more difficult” at their organizations. This is not surprising since new IT initiatives are often based upon immature technology, emerging and/or hard-to-find skill sets, and ill-defined or inadequate controls.

• Information security is becoming an enterprise-class function. The data points to an ongoing intellectual shift in which information security is increasingly perceived as a core responsibility of the organization rather than a series of IT tasks and compliance oversight. For example, 44% of organizations say that information security is aligned with corporate culture and 55% say that information security is aligned with business processes. In spite of these trends, however, information security still has a long way to go in many organizations. When asked to identify the most important factors driving their information security strategy, many companies remain grounded in classic infosec roots: 55% of large organizations say “protecting sensitive data and Intellectual Property (IP)” is driving IT security strategy, while 50% say “regulatory compliance” is driving their information security strategy. Of course, these factors remain the foundation of information security strategy but don’t extend to business processes or incorporate the entire organization beyond IT. Given the preponderance of network-based business processes and Internet/web communications, information security should be more pervasive beyond the IT organization and regulatory compliance domains alone.

• Information security management and operations relies on cooperative responsibilities across the IT organization. Security management and operations tasks like establishing controls for security policy enforcement, developing security policies, and working with business units to define security needs depend upon strong collaboration between information security and other IT and business groups. As a general rule, information security teams work most closely with other functional IT groups like network operations and server administrators, and IT oversight functions like IT and regulatory compliance auditors. ESG sees deeper meaning in these data points. An organization may have world-class security expertise and best-of-breed security technology controls, but the overall effectiveness of its information security programs and strategy depends upon the working relationship, shared processes, and communication between the information security group and a number of other functional IT teams. If these relationships are dysfunctional, information security success will likely be marginal at best.

• Security assessment testing frequency varies widely. Forty percent of organizations test the effectiveness of their security controls constantly, 15% test the effectiveness of their security controls on a weekly basis, 14% do so twice a month, and 14% conduct these tests on a quarterly basis. This data is generally encouraging, as infrequent security controls testing increases vulnerability and overall IT risk.

• Security monitoring and visibility is a mixed bag.
A vast majority (81%) of security professionals say that their organization’s level of visibility about its security status is either “excellent” or “good.” Nevertheless, security status visibility gaps remain. When asked to identify areas that inhibit real-time and comprehensive security visibility, 34% said they need tighter integration between security and IT operations tools, 33% said they need better security analysis/forensic skills at their organization, and 29% said they needed better automated analytics from their security intelligence tools.

• Large organizations have numerous weaknesses with incident response. Twenty-seven percent of large organizations report weaknesses performing security forensics to determine the root cause of a problem, 27% say they have weaknesses determining which assets remain vulnerable to similar attacks, and 24% point to weaknesses gathering the right data for accurate situational awareness. These deficiencies were consistent across all three groups of the ESG security management and operations segmentation model.

• CISOs are increasing their use of automated security remediation. More than half of large organizations (56%) are using their security and IT operations tools in concert to automate security remediation tasks. In terms of common automation chores, 66% employ security/IT operations automation to block URLs or web content, 53% generate firewall or IDS/IPS rules based upon network behavior or event detection, and 51% use risk management “triggers” to launch an immediate network scan.

• Security budgets remain a major obstacle. When asked to identify their most significant security management challenges, 50% of organizations pointed first and foremost to budget constraints. ESG is somewhat concerned that this response was common across security management “leaders,” “followers,” and “laggards”—apparently even the best-prepared organizations still believe they are under-funded in their mission. Beyond budgetary problems, 30% say the security team spends too much of its time reacting to problems (and not enough time with proactive security management or strategic planning), 24% say they are challenged by a lack of appropriate security skills within the security organization, and 23% are challenged by too many security tools. It is also worth noting that 28% of security management and operations “laggards” are challenged by a lack of executive management support. This was much higher than the other segments.

• The security skills shortage is widespread. More than half (55%) of organizations plan to increase security headcount in 2012, yet 83% say that it is “extremely difficult” or “somewhat difficult” to recruit and hire security professionals. When asked to identify the areas of information security where they have a problematic skills shortage, 43% pointed to cloud/server virtualization security. Other areas identified include endpoint/mobile device security (31%), network security (31%), security analysis/forensics (30%), and data security (30%). Clearly, security skills deficits are widespread and will likely get worse in the near future, exacerbating the need for efficient and effective security management and operations technologies and processes.

• Large organizations are increasing their use of security services. Given the shortage of security skills, it is not surprising that 62% of enterprises plan on using third-party professional or managed security services in 2012. Additionally, 16% of large organizations say that their use of third-party professional or managed services has “increased substantially” over the past 24 months, while 42% say that their use of third-party professional or managed services has “increased somewhat” over the same period. Security management and operations “leaders” are most active here: 36% say that their use of third-party providers has “increased substantially” over the past 24 months. The top four security services currently used by organizations are security design (33% of organizations), security/risk management/regulatory compliance assessments (30%), network monitoring (30%), and threat management intelligence (30%).

• New security technology decisions are on the horizon. The evolving threat landscape, along with current security weaknesses, is persuading large organizations to make significant security technology changes. For instance, 44% of large organizations say they will design and build a more integrated security architecture, 39% will include new data sources for security intelligence, and 24% plan to buy more security suites from a single vendor. While 22% of all organizations also say they will actively decrease the number of security vendors they buy from, one-third of organizations classified as security management and operations “leaders” plan to reduce the number of security technology vendors they buy from today. This may be a leading indicator of market consolidation as “followers” and “laggards” adopt similar purchasing tactics.
Introduction

Research Objectives

In order to assess the state of information security management and operations in 2012 and beyond, ESG surveyed 315 security professionals working at enterprise-class (1,000 employees or more) organizations in North America. All respondents were personally responsible for or familiar with their organizations’ 2011 information security strategies as well as their 2012 IT security budget and spending plans at either an organizational or business unit/division/branch level.

To assess current and future information security management and operations strategies, survey respondents were asked to respond to questions in areas such as:

• The role of information security within the organization.
  o How is the CISO (or similar role) perceived within the organization?
  o Is information security considered an integral part of the corporate culture? Is information security well aligned with business processes?
  o Is the executive management team actively engaged in information security issues? If so, how? Does the executive management team have the right level of information security knowledge and skills?

• Information security organization and skills.
  o What are the primary responsibilities of the information security team? Which tasks are shared between information security and other IT groups?
  o Are organizations suffering from information security skills shortages? If so, in what areas?
  o How are organizations consuming third-party security services today? Is the use of third-party security services increasing? Which security services are most popular?

• Security management and operations landscape.
  o Is information security driven solely by regulatory compliance, or are there other motivating factors?
  o Is security management becoming progressively more difficult?
  o What is the impact of new technology initiatives like server virtualization, cloud computing, and mobile device support on security management and operations?
  o What are the security management and operations priorities for 2012 and beyond?

• Risk management.
  o What types of policies and technical controls are in place to address IT risk?
  o Are these policies and technical controls mandatory or discretionary?
  o How effective are risk management programs? Are there particular areas of weakness?
  o Do organizations have real-time visibility into IT risk as business conditions change?

• Incident detection and response.
  o How do organizations detect security attacks?
  o Do they have the right level of visibility to do so effectively? If not, are there particular areas where visibility is lacking?
  o When the organization does detect a security incident, how efficient is its response?

• Security technologies.
  o Which security technologies are most effective at performing the tasks they were designed for?
  o In particular, how effective are security information and event management (SIEM) platforms?

Survey participants represented a wide range of industries including manufacturing, financial services, communications and media, retail, government, and business services. For more details, please see the Research Methodology and Respondent Demographics sections of this report.
Research Findings

The ESG Security Management and Operations Segmentation Model

The information security management and operations discipline contains a multitude of interrelated security policies, processes, technical controls, and monitoring activities. As a result, enterprise-class security management and operations includes a number of organizational, cultural, educational, financial, and technical dependencies. Given the increasingly onerous threat landscape, the rise of Advanced Persistent Threats (APTs), and the alarming frequency of publicly disclosed data breaches, many organizations are far more engaged with their information security strategies than they were a few years ago. While this is a positive step, ESG research indicates that security management and operations effectiveness and efficiency vary widely across enterprise organizations.

To better understand the state of enterprise security management and operations, ESG developed a security management and operations model that segments organizations based on five dimensions that tend to characterize security best practices and commitment. Each dimension is scored from zero to two points. These dimensions are:

• Respondent organization’s perception of information security. A value for this dimension was calculated based upon how information security is viewed within the organization. ESG assigned a value of two (2) where information security was well aligned with corporate culture, and a value of one (1) where information security was aligned with specific business processes. Organizations offering other responses were assigned a value of zero (0) in this category.
• Respondent organization’s perception of the CISO role. A value for this dimension was calculated based upon how the CISO (or similar role) was perceived within the organization. ESG assigned a value of two (2) to organizations that perceived the CISO as a business executive, and a value of one (1) to organizations where the CISO was perceived as an IT executive. Organizations offering other responses were assigned a value of zero (0) in this category.
• Level of executive management involvement with information security. A value for this dimension was calculated based upon whether the executive management team was more engaged with information security strategy and situational awareness than it was in 2010. ESG assigned a value of two (2) to organizations where the executive management team was much more engaged with information security strategy and situational awareness than it was in 2010, and a value of one (1) to organizations where the executive management team was somewhat more engaged. Organizations offering other responses were assigned a value of zero (0) in this category.
• Frequency of security controls testing. A value for this dimension was calculated based upon how often an organization tested the effectiveness of its security controls. ESG assigned a value of two (2) to organizations that tested their security controls “constantly,” and a value of one (1) to organizations that tested the effectiveness of their security controls at least twice a month. Organizations offering other responses were assigned a value of zero (0) in this category.
• Presence of a SIEM platform. A value for this dimension was calculated based upon whether organizations had a security information and event management (SIEM) platform deployed. ESG assigned a value of two (2) to organizations that had a SIEM platform in place, and a value of one (1) to organizations that planned to implement a SIEM platform within the next 12 months. Organizations offering other responses were assigned a value of zero (0) in this category.
As indicated above, ESG used the survey data to assign every respondent organization a score for each of the five dimensions that comprise ESG’s security management and operations segmentation model (see Figure 1). The maximum possible score was ten points and the minimum was zero. Based on each respondent organization’s aggregate score, the organization was then classified as a security management and operations “leader” (7 to 10 points), “follower” (4 to 6 points), or “laggard” (0 to 3 points).
Figure 1. ESG Security Management and Operations Segmentation Model Criteria
Source: Enterprise Strategy Group, 2012.

Dimension | High (2 points) | Medium (1 point) | Low (0 points)
Organizational perception of information security | Security aligned with corporate culture | Security aligned with specific business processes | None of the above
CISO role / perception | CISO perceived as business executive | CISO perceived as IT executive | None of the above
Executive management’s involvement with security | Much more engaged than in 2010 | Somewhat more engaged than in 2010 | None of the above
Frequency of security controls testing | Security controls tested constantly | Security controls tested at least twice per month | None of the above
Presence of a SIEM platform | SIEM platform deployed | Plans to deploy SIEM platform within 12 months | None of the above

Based upon this scoring algorithm, 19% of enterprise organizations participating in this research project were classified as security management and operations “leaders,” 49% were classified as security management and operations “followers,” and 32% were classified as security management and operations “laggards” (see Figure 2).

Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model
Source: Enterprise Strategy Group, 2012.
Percent of respondents by ESG security management and operations segmentation model (percent of respondents, N=315): Leaders, 19%; Followers, 49%; Laggards, 32%.

Using this market segmentation model as a guide, ESG’s analysis of the data found clear and profound differences among the market segments in a number of areas, including security management perceptions, organizational skills, use of third-party services, and security technology deployment.
ESG’s security management and operations segmentation model is used for data analysis purposes throughout this report to illustrate varying degrees of cybersecurity activities, challenges, and strategies amongst the different groups. In aggregate, the data is indicative of a diverse population where 81% of organizations (i.e., “followers” and “laggards”) are lacking the essential security knowledge, processes, technology defenses, and organizational backing needed to adequately address IT risk, quickly detect security incidents, and respond to ongoing attacks in a timely and coordinated way. Thus it is safe to say that the vast majority of large organizations remain quite vulnerable to current and future threats.
The State of Security Management and Operations

ESG found that when it comes to factors influencing information security strategy, organizations are driven by two primary motivations: protecting sensitive data / intellectual property and regulatory compliance (see Figure 3). It is worth noting that 42% of security management and operations “leaders” said that their security strategy was driven by corporate governance as compared to 30% of the overall survey population. This is understandable since “leaders” tend to weave information security into comprehensive business policies and promote security awareness training for all employees. Additionally, 55% of “leaders” are driven by improving/automating security operations as compared to 39% of the overall survey population. ESG believes that this is a harbinger of things to come: Information security is often anchored by manual tasks and individual skill sets. Security “leaders” understand that they need to supplement human resources with more automation in order to manage risk and cope with growing IT scale in real time.

Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012
Source: Enterprise Strategy Group, 2012.
Of the following, which would you characterize as the most important factors driving your organization’s information security strategy in 2012? (Percent of respondents, N=315, multiple responses accepted)
Protecting sensitive data and IP: 55%
Regulatory compliance: 50%
Addressing new types of threats: 41%
Improving/automating security operations: 39%
Addressing security issues created by the use of mobile devices: 38%
Improving our ability to analyze security data and detect attacks in progress: 35%
Aligning security policies and controls with business processes: 33%
Creating an appropriate security model for cloud computing initiatives: 31%
Corporate governance: 30%
Understanding business risk: 29%
Migrating from tactical security tools to a more integrated security technology architecture: 24%

With the passage of the Health Insurance Portability and Accountability Act (HIPAA, 1996), California Senate Bill 1386 (SB 1386, 2003), and the Payment Card Industry Data Security Standard (PCI DSS, 2004), regulatory compliance requirements have had a major influence on enterprise information security strategy in recent years. While these regulations have increased information security investment and visibility, they have also had some unintended consequences. Rather than encourage holistic security best practices, these mandates have led some organizations to direct their information security efforts solely toward passing compliance audits. This has left many firms technically compliant with regulatory mandates yet still plagued by significant security shortcomings.

ESG research indicates that this compliance-oriented “check box” mentality may be waning: 45% of large organizations say that regulatory compliance has less influence on their information security strategy today than it did in 2010 (see Figure 4). ESG sees this as a positive step forward. While regulatory compliance remains an important component of information security strategy, CISOs are focusing their attention beyond passing compliance audits alone and putting more resources and investment into bolstering risk management programs, accelerating incident detection, and improving incident response. In other words, information security objectives are centering on protecting the organization—not just appeasing the compliance auditors.

Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions
Source: Enterprise Strategy Group, 2012.
Compared to 2010, how would you characterize the influence of regulatory compliance on your organization’s information security strategy and investment decisions? (Percent of respondents, N=315)
Regulatory compliance was much more influential on my organization’s information security strategy and investment decisions in 2010 than it is today: 19%
Regulatory compliance was somewhat more influential in 2010 than it is today: 26%
Regulatory compliance was as influential in 2010 as it is today: 33%
Regulatory compliance was somewhat less influential in 2010 than it is today: 13%
Regulatory compliance was much less influential in 2010 than it is today: 8%
Don’t know / no opinion: 2%
This changing attitude was most pronounced among security management and operations “leaders”: 32% of them say that regulatory compliance was much more influential on their information security strategy in 2010 than it is today, compared with 19% of the overall survey population (see Table 1). ESG believes this shift is due to a number of factors, including a more ominous threat landscape, visible publicly disclosed data breaches, and greater cybersecurity awareness by corporate executives.

Table 1. Influence of Regulatory Compliance on Information Security Strategy Analyzed by the ESG Segmentation Model
Influence of regulatory compliance on organization’s information security strategy and investment decisions as compared to 2010, by segmentation

Response | Leaders (N=60) | Followers (N=154) | Laggards (N=101)
Regulatory compliance was much more influential in 2010 than it is today | 32% | 19% | 11%
Regulatory compliance was somewhat more influential in 2010 than it is today | 23% | 29% | 24%
Regulatory compliance was as influential in 2010 as it is today | 32% | 31% | 39%
Regulatory compliance was somewhat less influential in 2010 than it is today | 3% | 14% | 17%
Regulatory compliance was much less influential in 2010 than it is today | 10% | 8% | 6%
Don’t know | 0% | 1% | 4%
Source: Enterprise Strategy Group, 2012.
Given its historical focus as an IT discipline, it is not surprising to see that 63% of organizations believe “information security is aligned with IT assets and the IT department.” Respondents also believe that “information security is aligned with regulatory compliance.” Beyond these obvious connections however, this data also points to a changing mindset around information security: 55% of organizations see an alignment between information security and business processes. This is a positive step and represents both progressive and realistic thinking. More and more business processes across all industries are anchored by IT infrastructure and the public Internet. Consequently, CISOs and business managers should understand the IT assets, employees, and third-parties involved in each business process in order to identify risk, create/enforce policies, and monitor the effectiveness of security controls. The data also indicates that 44% of large organizations believe that information security is aligned with the corporate culture. This too represents a new function for information security. Since organizational success depends upon IT services, strong security depends upon participation from all employees. By aligning information security with corporate culture, some executive managers clearly recognize and support this connection deep within the organization (see Figure 5).
Figure 5. How Security is Viewed at Organizations
Source: Enterprise Strategy Group, 2012.
From an organizational perspective, which of the following statements best reflects how information security is viewed at your organization? (Percent of respondents, N=315, multiple responses accepted)
Information security is aligned with IT assets and the IT department: 63%
Information security is aligned with regulatory compliance: 59%
Information security is aligned with business processes: 55%
Information security is aligned with physical security: 45%
Information security is aligned with the corporate culture: 44%

As a function, Chief Information Security Officers (CISOs) are also perceived differently among various organizations. Nearly three-quarters of organizations still view the CISO as an IT executive or an IT support function. However, a significant 18% of survey respondents said that the CISO was perceived as a business executive in their organization (see Figure 6), a development that will only help raise the awareness of and effective response to information security issues in those firms.

Figure 6. Perception of CISO within Organization
Source: Enterprise Strategy Group, 2012.
In your opinion, how is the CISO (or similar position) perceived at your organization? (Percent of respondents, N=315)
As an IT executive: 51%
As a support function for IT (i.e., supporting the CIO and others): 23%
As a business executive: 18%
As a support function for regulatory compliance: 5%
Don’t know: 2%

Along with changing perceptions about regulatory compliance and CISOs, ESG research indicates that executive management teams are becoming increasingly engaged with information security situational awareness and strategy (see Figure 7).
Figure 7. Level of Engagement of Executive Management Team
Source: Enterprise Strategy Group, 2012.
Compared to 2010, do you believe that the executive management team at your organization is: (Percent of respondents, N=315)
Much more engaged with information security situational awareness and strategy: 29%
Somewhat more engaged with information security situational awareness and strategy: 40%
About the same level of engagement with information security situational awareness and strategy: 27%
Less engaged with information security situational awareness and strategy: 2%
Much less engaged with information security situational awareness and strategy: 1%
Don’t know / no opinion: 1%

ESG further explored executive management involvement in several areas. As shown in Figure 8, most respondents rate their senior executives as “good” or “adequate” when it comes to making necessary security investments, increasing their knowledge about security concepts, and being actively involved in setting information security strategy.

Figure 8. Characterization of Executive Management Team
Source: Enterprise Strategy Group, 2012.
How would you characterize your organization’s executive management in the following areas? (Percent of respondents, N=315)

Area | Good | Adequate | Fair | Poor
Willingness to commit to a level of security investment necessary to address risk in an appropriate way | 47% | 40% | 11% | 2%
General knowledge about information security concepts | 45% | 44% | 10% | 1%
Interest in information security status across the organization | 41% | 42% | 14% | 3%
Involvement in information security strategy decisions | 39% | 43% | 16% | 2%
Demonstration of information security leadership position within the organization | 37% | 47% | 14% | 1%
The data paints a different picture, however, when viewed through the lens of the ESG security management and operations segmentation model (see Table 2). For instance, the majority of security management and operations “leaders” believe their executives are doing a “good” job across all areas. However, keep in mind that “leaders” make up only 19% of the total survey population. Executive managers at “follower” and “laggard” organizations don’t fare nearly as well when it comes to being knowledgeable about, investing in, and generally supporting security initiatives.

Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model
How would you characterize your organization’s executive management in the following areas?

Area | Percentage of “leaders” responding “good” | Percentage of “followers” responding “good” | Percentage of “laggards” responding “good”
Willingness to commit to a level of security investment necessary to address risk in an appropriate way | 62% | 53% | 28%
General knowledge about information security concepts | 70% | 50% | 24%
Interest in information security status across the organization | 58% | 47% | 23%
Involvement in information security strategy decisions | 57% | 44% | 23%
Demonstration of information security leadership position within the organization | 58% | 39% | 22%
Source: Enterprise Strategy Group, 2012.

Overall, the ESG data points to some positive trends. Information security is slowly transforming from a back office IT and regulatory compliance function to a much more integral component of business operations. This change is impacting the role of CISOs and business executive involvement in information security. Nevertheless, these changes are extremely skewed to a progressive minority composed of security management and operations leaders.
Other organizations are either caught in the past or evolving at a snail’s pace.
The Evolving Security Organization

Just over one-half of large organizations surveyed by ESG will increase information security headcount in 2012, while another 40% say that the size of their security organization will remain about the same. Just 4% will actually reduce staff (see Figure 9). In particular, large organizations categorized as security management and operations “leaders” are not resting on their laurels: 42% will increase headcount “significantly” in 2012 (see Figure 10).

Figure 9. Organizations Increasing Security Headcount
Source: Enterprise Strategy Group, 2012.
To the best of your knowledge, will your organization increase its security headcount (i.e., hire new management/staff) in 2012? (Percent of respondents, N=315)
Yes, significantly: 17%
Yes, somewhat: 38%
No, it will remain about the same size: 40%
No, the security organization will become somewhat smaller: 3%
No, the security organization will become significantly smaller: 1%
Don’t know: 2%

Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model
Source: Enterprise Strategy Group, 2012.
Organization’s plans to increase security headcount (i.e., hire new management/staff) in 2012, by segmentation. (Percent of respondents)

Response | Laggard (N=101) | Follower (N=154) | Leader (N=60)
Yes, significantly | 7% | 14% | 42%
Yes, somewhat | 33% | 45% | 27%
No, it will remain about the same size | 52% | 36% | 28%
No, the security organization will become somewhat smaller | 5% | 3% | see note
No, the security organization will become significantly smaller | 1% | 1% | see note
Don’t know | 2% | 1% | see note
Note: the chart labels only two of the three remaining “leader” responses (2% and 2%); the third value is not shown on the chart, and the assignment of these values to the three responses is not recoverable.
The fact that information security is becoming more closely aligned with business operations and goals is one reason why so many organizations are hiring in 2012. Unfortunately, another reason for adding headcount is related to the dearth of existing security skills. Enterprises point to a problematic shortage of existing information security skills in a multitude of areas (see Figure 11). A few aspects of this list stand out:

• The biggest skills deficit is in the burgeoning area of cloud/server virtualization security. Since these are relatively new technology areas, it is likely to be extremely difficult to find seasoned professionals with this combination of skills. Conversely, cloud/server virtualization security architects should have an assortment of high-paying positions to choose from. ESG hopes that cloud, server virtualization, and security vendors recognize this critical skills shortage and will work to bridge this gap with the right automation, professional services, user training, and professional certifications.
• Large organizations also have skills deficiencies in a number of core areas such as endpoint/mobile security, network security, and data security. With respect to endpoint/mobile, it is likely that BYOD (bring your own device) initiatives are exacerbating the scarcity of skills, as organizations need more specialized capabilities for securing new platforms like iOS, Android, and Macintosh. However, network and data security are not new areas. This speaks to a more systemic shortage of available bodies for core information security jobs.
• A number of other specific areas such as security analysis/forensics, emerging threat/malware expertise, and application development security require highly experienced and senior professionals. Once again these skills don’t come easy or cheap as they are in high demand. Recruiting individuals with these skills will be highly competitive and very expensive. Organizations with lower pay scales or those in more rural areas will have the most difficult time here.

Figure 11. Areas of Information Security with a Shortage of Existing Skills
Source: Enterprise Strategy Group, 2012.
In which of the following areas of information security do you believe your IT organization currently has a problematic shortage of existing skills? (Percent of respondents, N=315, multiple responses accepted)
Cloud/server virtualization security: 43%
Endpoint/mobile device security: 31%
Network security: 31%
Data security: 30%
Security analysis/forensics: 30%
Emerging threat/malware expertise: 28%
Application development security: 25%
Security operations: 23%
Email/messaging security: 22%
Application/database security: 20%
We do not currently have a problematic shortage of existing information security skills: 8%
Whether general or specialized, finding information security help is becoming increasingly cumbersome. Nearly one-fifth of large organizations claim that it is “extremely difficult to recruit/hire security professionals,” while another 65% say it is “somewhat difficult to recruit/hire information security professionals” (see Figure 12). These hiring issues were consistent across the “leader,” “follower,” and “laggard” organizations of the ESG security management and operations segmentation model, suggesting that no class of organizations is immune from the current security skills crunch.

Figure 12. Current State of Information Security Professional Recruitment/Hiring
Source: Enterprise Strategy Group, 2012.
In your opinion, how would you characterize the current state of information security professional recruitment/hiring? (Percent of respondents, N=172)
It is extremely difficult to recruit/hire information security professionals: 18%
It is somewhat difficult to recruit/hire information security professionals: 65%
It is somewhat easy to recruit/hire information security professionals: 15%
It is extremely easy to recruit/hire information security professionals: 1%
Don’t know: 1%
Security Organization Responsibilities

As large organizations increasingly equate information security with business operations, invest in new technologies, and hire more security staff, it is important to recognize that information security is really composed of a number of shared tasks and responsibilities. As proof of this, ESG asked security professionals to identify areas where the security organization has primary responsibility and where it shares responsibilities with other IT groups. As shown in Figure 13, in the majority of areas, information security teams work hand-in-hand with other functional IT teams such as network/IT operations, DBAs, or application developers. Given this situation, CISOs and their organizations should not be held accountable for information security efficiency and effectiveness alone. Rather, strong security is only possible through a CISO/IT organization partnership, with the appropriate strategy, goals, and metrics. It is also worth noting, however, that security organizations within the ESG security management and operations “leader” segment were much more likely to have primary responsibility in a number of the areas listed below. Clearly, these “leaders” recognize the value of the security team and are willing to give these teams authority to take the initiative if it leads to lower risk, rapid decision making, and greater security protection.

Figure 13. Information Security Organization’s Level of Responsibility
Source: Enterprise Strategy Group, 2012.
For each of the activities and tasks below, what is the information security organization’s level of responsibility? (Percent of respondents, N=315)

Activity or task | Security organization has primary responsibility | Security organization shares responsibility with other IT groups (i.e., network operations, DBAs, etc.) | Security organization is not responsible | Don’t know
Establishing controls for security policy enforcement | 45% | 46% | 6% | 3%
Developing security policies | 44% | 51% | 3% | 2%
Working with business units to define security needs | 42% | 52% | 4% | 2%
Monitoring security status on a regular basis | 42% | 48% | 7% | 3%
Vulnerability scanning | 42% | 45% | 10% | 3%
Defining policies and standards for secure software development | 41% | 48% | 9% | 2%
Regulatory compliance policies, controls, and audits | 39% | 51% | 8% | 2%
Incident response | 39% | 50% | 9% | 3%
Researching, testing, and purchasing security technologies | 39% | 50% | 9% | 2%
Defining secure configurations for hardware and software | 38% | 52% | 9% | 2%
Day-to-day operation of network security devices | 38% | 47% | 14% | 2%
Defining policies for cyber supply chain security | 34% | 53% | 8% | 5%
Patch management | 34% | 48% | 14% | 4%
Training non-IT employees on security policies and best practices | 31% | 55% | 11% | 3%
CISOs need their teams to collaborate across IT, but these requirements are especially necessary with key groups such as network operations, server administrators, and IT auditors (see Figure 14). Security management and operations “leaders” tend to work more closely with the regulatory compliance team (57% of leaders as compared with 43% of the overall survey population), DBAs (38% of leaders as compared with 25% of the overall survey population), and IT auditors (52% of leaders as compared with 43% of the overall survey population).

Figure 14. Groups Security Team Works With Most Closely
Source: Enterprise Strategy Group, 2012.
With which of the following groups does your organization’s security team work most closely? (Percent of respondents, N=315, multiple responses accepted)
Network operations: 57%
Server administrators: 46%
IT auditors: 43%
Regulatory compliance: 43%
Applications administrators: 32%
Storage administrators: 27%
DBAs: 25%
Help desk: 25%
Endpoint administrators: 21%
Security Services Trends

Many organizations plan on using third-party security services in 2012—17% of organizations surveyed by ESG will use professional or managed services “extensively” this year, while another 45% will use third-party professional or managed services to some extent in order to meet their information security requirements (see Figure 15). ESG also finds it noteworthy that 32% of security management and operations “leaders” will use third-party professional or managed services “extensively” in 2012 as compared to 17% of the overall survey population. Why? ESG suspects that “leaders” are far more aggressive at finding mundane security tasks to outsource as well as isolating areas where they need external expertise and internal skills may be lagging.

Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012
Source: Enterprise Strategy Group, 2012.
Will your organization use third-party professional or managed services to meet its information security requirements in 2012? (Percent of respondents, N=315)
Yes, extensively | 17%
Yes, somewhat | 45%
No | 33%
Don’t know | 5%

As information security becomes increasingly business-critical, more and more large organizations will be forced to overcome internal skills gaps and hiring challenges with third-party service alternatives. The ESG research data indicates that this is already happening: 16% of enterprises say they will increase their use of third-party managed and/or professional services “substantially” over the next 24 months, while another 42% will increase their use of third-party managed and/or professional services “somewhat” (see Figure 16).

Figure 16. How Use of Third-Party Professional/Managed Services has Changed
Source: Enterprise Strategy Group, 2012.
How has your organization’s use of third-party professional or managed security services changed over the past 24 months? (Percent of respondents, N=196)
Increased substantially | 16%
Increased somewhat | 42%
Remained about the same | 35%
Decreased somewhat | 6%
Decreased substantially | 1%
Don’t know / no opinion | 1%
Why are these organizations consuming more security services? ESG’s hypothesis going into this research was that security service growth was a result of the growing global shortage of security skills. The data gathered for this project verifies this theory. Large organizations are increasingly turning to service providers for specialized security skills or to supplement the internal security staff (see Figure 17).

Figure 17. Reasons for Increasing Use of Third-Party Security Services
Source: Enterprise Strategy Group, 2012.
What are the primary reasons for increasing the use of third-party security services at your organization? (Percent of respondents, N=114, multiple responses accepted)
Security service providers can perform certain security tasks better than we can | 39%
New types of security threats persuaded my organization to seek outside expertise | 34%
Don’t have a large enough security staff to handle all security responsibilities | 29%
Don’t have specific security skills in house so the organization decided to outsource security tasks | 28%
Security is not core to the business so my organization decided to seek outside expertise | 27%
My organization experienced a security breach which led us to seek out more security services and expertise | 24%
Couldn’t recruit/hire enough security expertise so we had no choice | 20%
Security services needs follow a pattern that is consistent with the general history of IT outsourcing over the decades. Enterprise companies tend to turn to service providers for specific skills (usually associated with new or changing technologies) or commonplace operational tasks. Interestingly, the list below seems weighted toward the former—i.e., specialized security skills such as security design, threat intelligence, and network monitoring (see Figure 18).

Figure 18. Areas of Third-Party Security Services Used
Source: Enterprise Strategy Group, 2012.
Which of the following areas of third-party security services has your organization used in the past and/or does it plan to use in 2012? (Percent of respondents, N=92, multiple responses accepted)
Security design | 33%
Threat management intelligence | 30%
Network monitoring | 30%
Security/risk management/regulatory compliance assessment | 30%
Web threat management | 29%
Email encryption | 29%
Vulnerability scanning | 29%
Penetration testing | 28%
Staff augmentation | 26%
Mail/messaging security | 22%
Endpoint security | 18%
Managed network security | 18%
Event/log management | 15%
Risk Management Strategies

Most security professionals agree with the old adage “an ounce of prevention is worth a pound of cure.” In that spirit, nearly three-quarters of the enterprise organizations have a formal risk management program in place (see Figure 19). Defined simply, a risk management program would include:
1. Identifying all IT assets (i.e., applications, databases, servers, storage, networking equipment, data, etc.).
2. Classifying all IT assets based upon their value to the business mission.
3. Identifying threats to IT assets and the likelihood of these threats.
4. Identifying vulnerabilities associated with these IT assets.
5. Using these inputs (i.e., assets, asset value, threats, and vulnerabilities) to calculate some measure of overall risk.
6. Implementing controls to reduce risk.
7. Continually measuring any changes (i.e., new assets, changes to assets, new threats, new vulnerabilities, etc.) that could represent an increase in risk to the organization.

Figure 19. Formal IT Risk Management Programs in Place
Source: Enterprise Strategy Group, 2012.
Does your organization have a formal IT risk management program in place? (Percent of respondents, N=315)
Yes | 73%
No, but we plan to implement one in the next 12 to 18 months | 13%
No, but we are interested in implementing one | 9%
No, and we have no plans or interest in implementing one | 3%
Don’t know | 2%

Risk management programs are most effective when they are implemented throughout the enterprise as opposed to in an ad hoc or piecemeal fashion. As shown in Figure 20, nearly three-quarters of enterprise organizations say they have implemented their risk management program company-wide.
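The seven-step program listed above, carried through in code as an added worked example (illustrative code written for this page, not ESG’s method or any product’s): a small risk register in which each asset carries a business value, threats with likelihoods, weaknesses with exploitability scores and controls; assets are scored, ranked, and re-measured after a change so that increases in risk surface. The scoring formula, the 1 to 5 value scale, the control reduction fractions and every asset name are assumptions.

```python
"""Toy risk register that carries the seven-step risk management outline through in code:
inventory and classify assets, record threats with likelihoods and weaknesses with
exploitability, score risk, apply controls, and re-measure after changes.
Added illustration only (not the report's method); the scoring formula, the weights
and all sample assets are assumptions."""
import copy
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str
    business_value: int                           # step 2: 1 (low) .. 5 (mission-critical), assumed scale
    threats: dict = field(default_factory=dict)   # step 3: threat -> likelihood in [0, 1]
    vulns: dict = field(default_factory=dict)     # step 4: weakness -> exploitability in [0, 1]
    controls: dict = field(default_factory=dict)  # step 6: control -> fraction of risk it removes


def inherent_risk(asset):
    """Step 5 (assumed formula): value x most likely threat x most exploitable weakness."""
    if not asset.threats or not asset.vulns:
        return 0.0
    score = asset.business_value * max(asset.threats.values()) * max(asset.vulns.values())
    return round(score, 3)


def residual_risk(asset):
    """Step 6: each control removes its stated fraction of whatever risk remains."""
    remaining = 1.0
    for reduction in asset.controls.values():
        remaining *= 1.0 - reduction
    return round(inherent_risk(asset) * remaining, 3)


def rank(register):
    """Highest residual risk first: the order in which remediation effort should be spent."""
    return sorted(((a.name, residual_risk(a)) for a in register), key=lambda t: -t[1])


def snapshot(register):
    """Residual risk per asset at one measurement point."""
    return {a.name: residual_risk(a) for a in register}


def increased_risk(before, after):
    """Step 7: assets whose residual risk rose, or that did not exist at the last measurement."""
    flagged = {}
    for name, score in after.items():
        old = before.get(name)
        if old is None or score > old:
            flagged[name] = (old, score)
    return flagged


def build_sample_register():
    # Constructed inventory; names and numbers are illustrative, not from the report.
    return [
        Asset("customer-db", "database", 5,
              threats={"sql-injection": 0.6, "insider-misuse": 0.3},
              vulns={"unpatched-dbms": 0.8},
              controls={"web-application-firewall": 0.5}),
        Asset("public-web", "server", 3,
              threats={"web-exploit": 0.7},
              vulns={"outdated-cms": 0.9}),
        Asset("lobby-printer", "device", 1,
              threats={"tampering": 0.2},
              vulns={"default-credentials": 0.9}),
    ]


def evolve_sample_register(register):
    """Constructed change set for step 7: a new weakness on an old asset plus a new asset."""
    updated = copy.deepcopy(register)
    printer = next(a for a in updated if a.name == "lobby-printer")
    printer.vulns["unpatched-firmware"] = 1.0
    updated.append(Asset("hr-laptop", "endpoint", 4,
                         threats={"phishing": 0.5},
                         vulns={"macro-enabled-documents": 0.6}))
    return updated


if __name__ == "__main__":
    register = build_sample_register()
    for name, score in rank(register):
        print(f"{name:15s} residual risk {score}")
    changed = evolve_sample_register(register)
    print("risk increases:", increased_risk(snapshot(register), snapshot(changed)))
```

Two design points carry over to a real program: the residual score only means something if the control reductions are defended with evidence (test results, coverage data), and step 7 is a diff between two snapshots, so the register has to be re-scored on every inventory, threat or vulnerability change rather than on an annual cycle.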
Figure 20. How Formal IT Risk Management Program is Implemented
Source: Enterprise Strategy Group, 2012.
Which of the following best describes how your organization’s IT risk management program is implemented? (Percent of respondents, N=231)
Across the entire enterprise | 74%
Across a majority of business units or divisions, but not across the entire enterprise | 24%
Across some business units or divisions, but not across the entire enterprise | 1%

Formal risk management programs are clearly a function of overall information security excellence. For example, 95% of organizations classified in the ESG segmentation model as security management and operations “leaders” have a formal risk management program in place, compared with 79% of “followers” and just 52% of “laggards” (see Table 3). Similarly, 91% of “leaders” have a formal risk management program implemented across the enterprise, compared to 69% of “followers” and 68% of “laggards.”

In a best-case scenario, a formal risk management program would be implemented across the enterprise. To understand whether large organizations were following this best practice, ESG combined responses from the previous two questions (i.e., Figure 19 and Figure 20). When this data is aggregated, 54% of large organizations follow risk management best practices by implementing a formal risk management program across the enterprise. These results are marginal at best and indicate that many enterprises lack the metrics needed to assess IT risk at any given time. The data is even more revealing when viewed through the ESG security management and operations segmentation model: 86% of the total “leader” population has a formal IT risk management program implemented throughout the enterprise, compared with 55% of “followers” and only 35% of “laggards.” Clearly, “followers” and “laggards” lag behind and are “flying blind” when it comes to understanding whether their organizations are vulnerable to attack or adequately protected (see Table 3).

Strong security management and operations depends upon a long list of processes and skills, so ESG asked security professionals to assess their organizations in a number of critical areas (see Figure 21). For the most part, enterprise firms rated their security standard best practices as either “very good” or “good.”
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model
ESG Security Management and Operations Segment | Percentage with a formal IT risk management program | Percentage with a formal IT risk management program implemented across the enterprise | Percentage of the population with both (a formal risk management program implemented across the enterprise)
Total survey population (all segments) | 73% | 74% | 54%
Leaders | 95% | 91% | 86%
Followers | 79% | 69% | 55%
Laggards | 52% | 68% | 35%
Source: Enterprise Strategy Group, 2012.

Figure 21. Organization’s Rating on Standard Security Best Practices
Source: Enterprise Strategy Group, 2012.
The following is a list of standard security best practices. Please rate your organization in each area. (Percent of respondents, N=315)
Best practice | Very good | Good | Fair | Poor
Mobile device security | 24% | 48% | 25% | 3%
Host activity monitoring | 25% | 57% | 15% | 3%
Cyber supply chain security | 28% | 50% | 17% | 5%
End user security | 29% | 51% | 16% | 3%
Data security controls | 29% | 55% | 14% | 2%
Secure software development lifecycle training, processes, and testing | 30% | 47% | 19% | 3%
Patching vulnerable systems in a timely manner | 30% | 53% | 16% | 1%
Threat management | 31% | 52% | 15% | 2%
Monitoring the security status of IT assets | 33% | 57% | 9% | 1%
Network security management | 34% | 54% | 10% | 2%
Network monitoring | 35% | 50% | 13% | 2%
Deploying IT assets (i.e. hardware and software) in hardened configurations | 42% | 50% | 8% | – (not labeled in the source chart)
Security Controls Effectiveness and Testing

Earlier in this report, ESG showed that 45% of security professionals believe regulatory compliance is less of an influence on their information security strategy than it was a few years ago. One indication of this change is how frequently enterprise firms test the effectiveness of their security controls. When regulatory compliance is the primary objective, large organizations tend to schedule security controls effectiveness testing infrequently, exclusively around actual compliance audits. Driven by the increasingly dangerous threat landscape, many organizations are now willing to be much more diligent with their testing—40% of security professionals say their organizations test the effectiveness of their security controls “constantly” rather than on an as-needed basis (see Figure 22).

Figure 22. Frequency of Security Controls Effectiveness Testing
Source: Enterprise Strategy Group, 2012.
On average, how often does your organization test the effectiveness of its security controls? (Percent of respondents, N=304)
Constantly | 40%
Once per week | 15%
Twice per month | 14%
Once per month | 14%
About once per quarter | 10%
Twice a year | 3%
Once per year | 1%
Other | 1%
Don’t know | 3%
Large organizations employ a multitude of methods to test the effectiveness of their security controls (see Figure 23). While most use fairly standard testing methods like network scans and log reviews, it is worth noting that 43% of security management and operations “leaders” configure and implement assets that violate security policies to assess how long it takes the security team to detect problems, as compared to 29% of “followers” and 23% of “laggards.” Seemingly, “leaders” believe it is critically important to “hack” their own networks to gain measurable experience of just how vulnerable they really are.

Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls
Source: Enterprise Strategy Group, 2012.
Which of the following techniques/technologies does your organization use to test the effectiveness of its security controls? (Percent of respondents, N=315, multiple responses accepted)
Network/system scanning | 58%
Scan for rogue systems on the network | 48%
Monitor/analyze log files | 47%
Compliance/IT governance dashboard | 43%
Penetration testing by internal employees | 37%
Help desk calls | 34%
Third-party penetration testing | 34%
Configure and implement assets that violate security policies to assess how long it takes for the security team to detect problems | 30%
Monitor/analyze CMDB | 29%
We do not test the effectiveness of our security controls | 1%
According to ESG’s survey respondents, large organizations constantly assess their security management capabilities using a number of metrics, including the number of security events discovered, the number of security/IT audit violations or failures, and the number of vulnerable systems discovered (see Figure 24). These assessments were fairly consistent across “leaders,” “followers,” and “laggards” with a few exceptions. For example, “leaders” were somewhat more diligent in all areas and tended to put more emphasis on the time to remediate a compromised system (37% as opposed to 28% of the overall survey population).

Figure 24. Metrics Used to Gauge Effectiveness of Security Management
Source: Enterprise Strategy Group, 2012.
Which of the following metrics does your organization use to gauge the effectiveness of its security management? (Percent of respondents, N=315, multiple responses accepted)
Number of security events discovered | 45%
Number of security/IT audit violations/failures | 43%
Number of vulnerable systems discovered | 38%
Number of overall security tests (system scans, penetration tests, etc.) performed by the organization | 32%
Number of systems determined to be out of compliance with security configuration standards | 32%
Number of service calls related to security incidents | 32%
Time between system compromise and detection by the security team | 30%
Time to remediate a compromised system | 28%
Number of unapproved systems discovered on the network | 27%
Number or percent of employees provided with the latest security training | 22%
Number of stale user accounts discovered | 21%
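The two timing metrics in Figure 24 (time between compromise and detection, time to remediate) and the detection-time test described with Figure 23 (a deliberately mis-configured asset, timed until the team notices), computed over constructed incident records as an added example written for this page, not from the report: the records, their field names and the `planted-violation` source tag are assumptions, and an open incident is handled rather than skewing the remediation figure.

```python
"""Detection and response timing metrics over constructed incident records.
Added illustration of two metrics the survey lists (time between compromise and
detection, time to remediate); the records below are made up, not survey data."""
from datetime import datetime
from statistics import mean, median

# Constructed incident timeline (assumed schema). "planted-violation" marks an asset the
# team deliberately deployed in violation of policy to measure its own detection time.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "source": "ids-alert",
     "compromised": "2012-03-01T02:00:00", "detected": "2012-03-01T08:00:00",
     "remediated": "2012-03-01T20:00:00"},
    {"id": "INC-2", "source": "planted-violation",
     "compromised": "2012-03-05T09:00:00", "detected": "2012-03-06T09:00:00",
     "remediated": "2012-03-06T12:00:00"},
    {"id": "INC-3", "source": "help-desk",
     "compromised": "2012-03-10T10:00:00", "detected": "2012-03-17T10:00:00",
     "remediated": None},   # still open: counts toward detection lag, not remediation time
]


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def detection_lag_hours(incident):
    """Time between system compromise and detection by the security team."""
    return _hours(incident["compromised"], incident["detected"])


def remediation_hours(incident):
    """Time to remediate a compromised system, measured from detection."""
    return _hours(incident["detected"], incident["remediated"])


def summarize(incidents):
    """Mean, median and worst-case detection lag; mean time to remediate over closed incidents."""
    lags = [detection_lag_hours(i) for i in incidents]
    fixes = [remediation_hours(i) for i in incidents if i["remediated"] is not None]
    return {
        "incidents": len(incidents),
        "open_incidents": sum(1 for i in incidents if i["remediated"] is None),
        "mttd_hours": mean(lags),
        "median_ttd_hours": median(lags),
        "max_ttd_hours": max(lags),
        "mttr_hours": mean(fixes) if fixes else None,
    }


def planted_test_lags(incidents):
    """Detection lags for the self-tests only: how long the team took to spot its own planted violations."""
    return [detection_lag_hours(i) for i in incidents if i["source"] == "planted-violation"]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key:18s} {value}")
    print("planted-violation detection lags (h):", planted_test_lags(SAMPLE_INCIDENTS))
```

Reporting the median and the maximum beside the mean matters: in the constructed data one incident found a week late pulls the mean detection lag to 66 hours while the median stays at 24, and the worst case is the number that tells you which detection gap to close first.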
Enterprise firms depend upon a myriad of disparate security technologies at every layer of the technology stack. Historically, these tools were often purchased separately and operated by different IT functional groups. Alternatively, CISOs relied upon these individual tools in aggregate to provide a layered cybersecurity defense. Given this somewhat haphazard strategy, ESG wondered which of these individual tools security professionals considered to be most and least effective (see Figure 25). There is a bit of a pattern here. The tools deemed most effective tend to be those where security professionals have the most experience, like network firewalls, or those that act as independent security filters once deployed on the network (i.e., web threat management, endpoint security software, etc.). Alternatively, security professionals seem to have a more difficult time with security technologies that demand custom configurations, advanced training, or advanced analysis. Security technology vendors and service providers should take note here as there are revenue opportunities in helping large organizations gain efficiency with these products.

Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed
Source: Enterprise Strategy Group, 2012.
Which of the following would you say most effectively performs the tasks it was designed for (i.e., delivers effective protection, ease-of-use, strong reporting, etc.)? (Percent of respondents, N=315, multiple responses accepted)
Network firewall | 56%
Application firewall | 44%
Web threat management | 40%
Endpoint anti-malware software | 39%
Anti-malware network gateways | 38%
Messaging security | 37%
Log management | 33%
SIEM | 23%
IDS/IPS | 22%
Situational Awareness

In addition to formal and comprehensive risk management programs, effective security management and operations depends upon a deep understanding of IT behavior. In other words, security professionals must know what represents “normal” behavior and how deviations from the norm may indicate suspicious or malicious activities. It appears that many large organizations believe they do have the right skills and knowledge around normal and anomalous IT behavior—most respondents “strongly agree” or “agree” that they can effectively detect suspicious activity or an attack in progress (see Figure 26). When analyzed by the ESG security management and operations model, responses to this question aligned in a predictable manner: 50% of “leaders” responded “strongly agree,” as compared to 22% of “followers” and only 10% of “laggards.”

Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack
Source: Enterprise Strategy Group, 2012.
Please respond to the following statement: I believe that my organization has a very good understanding of normal IT behavior and could easily detect anomalous/suspicious activity or an attack in progress. (Percent of respondents, N=315)
Strongly agree | 23%
Agree | 55%
Neither agree nor disagree | 16%
Disagree | 3%
Strongly disagree | 2%

Of course, any deviation from normal behavior may indicate suspicious activity or a security attack in progress, and detecting these activities requires real-time visibility. As a group, security professionals seem relatively comfortable with their organizations’ capabilities in this area: 81% rate their organization’s level of security visibility as either excellent or good (see Figure 27). As expected, levels of visibility vary based on the ESG security management and operations segmentation model. Thirty-seven percent of “leaders” believe their level of security visibility is excellent as compared to 23% of “followers” and just 11% of “laggards.” Alternatively, only 7% of “leaders” rated their organization’s level of security visibility as fair or poor. By comparison, 12% of “followers” and 34% of “laggards” rated their organization’s level of security visibility as fair or poor (see Figure 28).
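How a baseline of “normal” behavior turns deviations into findings, shown as an added example written for this page (not material from the report): per-user daily login counts and known source addresses are learned from a constructed baseline log, and a constructed detection-window log is then checked for logins from an unseen source and for a volume spike. The log line format, the three-standard-deviation rule and the small-sample slack are assumptions; the addresses are documentation ranges.

```python
"""Baseline-and-deviation detection over constructed authentication logs.
Added illustration of the 'know normal, flag abnormal' idea; the log format,
thresholds and all addresses are assumptions, not the report's material."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log line shape: "<ISO timestamp> user=<name> src=<address> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) src=(?P<src>\S+) result=\S+$")

SLACK = 2  # assumed allowance so a tiny baseline with zero variance does not fire on +1 login


def parse(lines):
    """Yield (day, user, src) for every line that matches the assumed format; ignore the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["day"], m["user"], m["src"]))
    return events


def build_baseline(lines):
    """Per user: mean and population stdev of daily login count, plus the set of sources seen."""
    daily = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for day, user, src in parse(lines):
        daily[user][day] += 1
        sources[user].add(src)
    baseline = {}
    for user, counts in daily.items():
        values = list(counts.values())
        baseline[user] = {"mean": mean(values), "stdev": pstdev(values), "sources": sources[user]}
    return baseline


def find_anomalies(baseline_lines, window_lines):
    """Return sorted (user, reason, detail) tuples for the detection window."""
    baseline = build_baseline(baseline_lines)
    daily = defaultdict(lambda: defaultdict(int))
    new_sources = defaultdict(set)
    for day, user, src in parse(window_lines):
        daily[user][day] += 1
        if src not in baseline.get(user, {}).get("sources", set()):
            new_sources[user].add(src)
    findings = []
    for user, srcs in new_sources.items():
        for src in sorted(srcs):
            findings.append((user, "new-source", src))
    for user, counts in daily.items():
        b = baseline.get(user)
        for day, n in counts.items():
            if b is None:
                findings.append((user, "unknown-user", f"{n} logins on {day}"))
            elif n > b["mean"] + 3 * b["stdev"] + SLACK:
                findings.append((user, "volume", f"{n} logins on {day} vs baseline {b['mean']:.1f}/day"))
    return sorted(findings)


def constructed_baseline():
    """Seven quiet days: alice logs in twice a day from one host, bob once a day from another."""
    lines = []
    for day in range(1, 8):
        for hour in ("08", "13"):
            lines.append(f"2012-03-0{day}T{hour}:00:00 user=alice src=10.0.1.5 result=ok")
        lines.append(f"2012-03-0{day}T09:00:00 user=bob src=10.0.2.7 result=ok")
    return lines


def constructed_window():
    """Day eight: alice unchanged; bob's account sees a burst from an unseen address."""
    lines = [
        "2012-03-08T08:00:00 user=alice src=10.0.1.5 result=ok",
        "2012-03-08T13:00:00 user=alice src=10.0.1.5 result=ok",
        "2012-03-08T09:00:00 user=bob src=10.0.2.7 result=ok",
    ]
    lines += [f"2012-03-08T22:{m:02d}:00 user=bob src=203.0.113.9 result=fail" for m in range(12)]
    lines.append("2012-03-08T22:12:00 user=bob src=203.0.113.9 result=ok")
    return lines


if __name__ == "__main__":
    for finding in find_anomalies(constructed_baseline(), constructed_window()):
        print(finding)
```

Both findings point at the same account, which is what an analyst wants to see grouped: a new source alone is often benign (travel, a new workstation), a volume spike alone may be a scripted job, but the two together on one account are the shape of a credential attack and justify the re-authentication or access-policy actions discussed later in this report.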
Figure 27. Level of Visibility of Security Status
Source: Enterprise Strategy Group, 2012.
Which of the following statements most accurately characterizes the level of visibility your organization has of its security status? (Percent of respondents, N=315)
Excellent. We have set up the right data collection, analysis, and dashboards to have real-time visibility of our security status. | 22%
Good. We collect and analyze all of the necessary data but we depend upon manual processes and analysis for visibility into our security status. | 59%
Fair. We collect and analyze all of the data we can but there are some areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status. | 15%
Poor. We collect and analyze some data but there are many areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status. | 3%
Don’t know | 1%

Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model
Source: Enterprise Strategy Group, 2012.
Level of visibility organization has into its security status, by segmentation. (Percent of respondents)
Segment | Excellent | Good | Fair | Poor | Don’t know
Laggard (N=101) | 11% | 53% | 26% | 9% | 2%
Follower (N=154) | 23% | 64% | 11% | 1% | 1%
Leader (N=60) | 37% | 55% | 7% | – | 2%
(The Leader series carries only four labeled values in the source chart; its final 2% is placed under Don’t know, which agrees with the 7% fair-or-poor figure quoted in the text.)
Security visibility is a function of collecting and analyzing a multitude of data from all IT domains throughout the enterprise. This process can be difficult as it depends upon numerous technical, organizational, and human elements. According to the security professionals surveyed, the biggest inhibitors to real-time security visibility include the need for tighter integration between security and IT operations tools (34%), the need for better security analysis and forensic skills (33%), and the need for more automated security analytics from their security tools (29%) (see Figure 29).

Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility
Source: Enterprise Strategy Group, 2012.
Of the following, which are the biggest inhibitors to having real-time and comprehensive security visibility at your organization? (Percent of respondents, N=315, multiple responses accepted)
Need tighter integration between security intelligence and IT operations tools | 34%
Need better security analysis/forensic skills at our organization | 33%
Need better automated analytics from our security intelligence tools | 29%
Need for better networking visibility | 28%
Need a better understanding of user behavior | 28%
Need better tools to baseline normal behavior so we can detect anomalies | 27%
Need a better understanding of application behavior | 24%
Need a better understanding of server virtualization technology behavior | 22%
Need a better understanding of network behavior | 22%
Need a better understanding of host behavior | 21%
In addition to security visibility, enterprise organizations need strong incident response policies and procedures for when security attacks are detected. When it comes to incident response, security professionals surveyed by ESG claim that their organizations are especially weak in areas such as performing forensic analysis to determine the root cause of problems (27%), determining which assets remain vulnerable to an attack (27%), and gathering the right data for accurate situational awareness (24%) (see Figure 30). It is also interesting—and worrisome—to note that nearly one in four organizations (23%) say that reporting security incidents—whether inside or outside the company—is not a strength of their incident response capabilities.

Figure 30. Weakest Aspects of Incident Response
Source: Enterprise Strategy Group, 2012.
Which of the following aspects of incident response are weakest at your organization? (Percent of respondents, N=315, multiple responses accepted)
Performing forensic analysis to determine the root cause of the problem | 27%
Determining which assets, if any, remain vulnerable to a similar type of attack | 27%
Gathering the right data for accurate situational awareness | 24%
Reporting security incidents externally | 23%
Reporting security incidents internally | 23%
Analyzing security intelligence to detect security incidents | 23%
Altering security controls to prevent future similar incidents | 22%
Understanding the impact and/or scope of a security incident | 20%
Taking action to minimize the impact of an attack | 17%
None of the above | 10%
Assessing the State of Security Information and Event Management (SIEM)

For the purposes of this project, security information and event management (SIEM) was defined as: technology that provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services, and are also used to log security data and generate reports for compliance purposes. According to the security professionals surveyed, 47% of large organizations have SIEM systems in place today while another 24% plan to implement a SIEM platform in the next 12 months (see Figure 31).

Figure 31. SIEM Deployment
Source: Enterprise Strategy Group, 2012.
Based on the definition above, does your organization have a SIEM system currently deployed? (Percent of respondents, N=315)
Yes | 47%
No, but we plan on implementing a SIEM system in the next 12 months | 24%
No, but we are interested in doing so | 16%
No, no plans or interest | 9%
Don’t know | 5%
ESG’s data suggests that organizations with SIEM solutions are an elite, security-conscious group willing to put time into implementing, learning, and tuning their SIEM systems: respondents tended to rate their SIEM feature/functionality as “highly effective” or “effective” in most areas (see Figure 32), although ease of use and visibility into both network and end-user behavior stand out as potential areas for improvement.

Figure 32. Effectiveness of SIEM
Source: Enterprise Strategy Group, 2012.
Please rate your organization’s SIEM system in the following areas: (Percent of respondents, N=147)
Area | Highly effective | Somewhat effective | Not very effective
Visibility into user behavior | 31% | 48% | 16%
Customization for specific use cases | 31% | 55% | 10%
Ease-of-use | 33% | 46% | 18%
Integration with other security tools | 33% | 51% | 13%
Value | 35% | 51% | 10%
Performance | 37% | 53% | 10%
Visibility into network behavior | 38% | 44% | 13%
Analytics | 38% | 51% | 10%
Visibility into host behavior | 39% | 50% | 7%
Scalability | 44% | 49% | 5%
Event detection | 46% | 41% | 10%
The remaining “Not at all effective” and “Don’t know” responses are each 4% or less per area; the flattened source chart does not allow them to be assigned to individual rows reliably (values in chart order: 4% 1% 3% 2% 2% 3% 1% 3% 1% 1% 1% 3% 1% 1% 2% 1% 2% 1% 1% 1% 1%).
  40. 40. Research Report: Security Management and Operations 40 © 2012, The Enterprise Strategy Group, Inc. All Rights Reserved. Changing Attitudes Towards Security Management A majority of security professionals agree that security management has become “significantly more difficult” (18%) or “somewhat more difficult” (44%) than it was 24 months ago (see Figure 33). Interestingly, organizations classified as security “leaders” in the ESG security management and operations segmentation model seem to be experiencing this change the most—33% of “leaders” say that security management is significantly more difficult than it was 24 months ago as compared to 18% of the overall survey population. ESG believes that security “leaders” are likely aggressive IT users with complex infrastructures and leading-edge applications, so it follows that security management challenges are most pronounced in these organizations. Nevertheless, the security management challenges “leaders” face today are likely a harbinger. “Laggard” and “follower” organizations should anticipate similar security management difficulties as they move forward with new IT initiatives and plan accordingly. Figure 33. How Security Management has Changed Over Past 24 Months Source: Enterprise Strategy Group, 2012. What is making security management more difficult? ESG believes this is due to a number of factors, including: • Increasing threat volume and sophistication. • Security management’s strong dependency on individual skills and manual processes. • Pervasive security skills shortages at enterprise organizations. In addition, the introduction of new and often immature technologies can also make security management and operations more complex. To test this hypothesis, ESG presented security professionals with a list of nascent IT technologies and policies and asked them about their impact on security management and operations. 
Of these, 31% of security professionals believe that cloud computing is making security management and operations much more difficult while 30% of security professionals believe that mobile devices are making security management and operations much more difficult (see Figure 34). While these two areas stand out, ESG believe it is worth noting that at least 40% of security professionals believe that each of the technologies or policies listed has made security Significantly more difficult than it was 24 months ago, 18% Somewhat more difficult than it was 24 months ago, 44% About the same as it was 24 months ago, 30% Somewhat less difficult than it was 24 months ago, 3% Significantly less difficult than it was 24 months ago, 2% Don’t know / no opinion, 2% How has security management changed over the past 24 months? (Percent of respondents, N=315)
  41. 41. Research Report: Security Management and Operations 41 © 2012, The Enterprise Strategy Group, Inc. All Rights Reserved. management and operations more difficult to some extent. What’s more, new technologies and policies are often concurrent, creating a multiplicative impact on security management and operations. Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations Source: Enterprise Strategy Group, 2012. As previously mentioned, security management and operations is often based upon an error-prone mix of individual skills and manual processes. Unfortunately, these dependencies are a mismatch for today’s threat landscape and complex, highly-virtualized, and rapidly-evolving IT infrastructure. Given this incongruence, it is not surprising to see that more than half of large organizations are using their security and IT operations tools together to automate security remediation tasks (see Figure 35). In these automated instances, a security “event” discovered by a security analytics tool initiates some IT operations action like blocking an Ethernet switch port, creating a new firewall rule, or quarantining a server exhibiting suspicious behavior. Security management and operations “leaders” are the most aggressive in this area: 76% are using security and IT operations tools in concert to automate security remediation tasks as compared to 60% of “followers” and 36% of “laggards.” This may be a function of the influence of the security organization and its relationship with other IT groups, primarily network operations. Security management and operations “leaders” likely have formal shared processes, strong communications, and integrated technology tools between the security and IT operations team. These elements act as a foundation for collective action and security automation. 
According to Figure 36, the most common automated security actions currently executed by ESG’s survey respondents include blocking URLs or web content (66%), generating firewall/IDS/IPS rules based upon network behavior or event detection (53%), and launching an immediate network scan as a result of some type of trigger event (51%). 6% 9% 13% 17% 18% 30% 31% 34% 37% 38% 30% 38% 32% 38% 41% 38% 32% 31% 29% 21% 16% 9% 11% 10% 7% 7% 9% 6% 3% 3% 4% 5% 3% 5% 3% 6% 3% 2% 10% 4% 2% 6% 0% 20% 40% 60% 80% 100% Desktop virtualization Web applications / SOA Server virtualization BYOD policies Remote worker policies Mobile devices Cloud computing How has the introduction of the following technologies and policies altered security management and operations at your organization? (Percent of respondents, N=315) Made security management and operations much more difficult Made security management and operations somewhat more difficult Had no impact on security management and operations Made security management and operations somewhat easier Made security management and operations much easier Don’t know / Not applicable
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks
Does your organization use its security and IT operations tools in concert to automate security remediation tasks (i.e., block activities, disable a port, change access policy enforcement, etc.)? (Percent of respondents, N=315)
Yes: 56%
No, but we plan on doing so within the next 12 months: 25%
No, but we are interested in doing so: 13%
No plans or interest: 4%
Don’t know: 3%
Source: Enterprise Strategy Group, 2012.

Figure 36. Automated Actions Currently Executed
Which of the following automated actions does your organization currently execute? (Percent of respondents, N=176, multiple responses accepted)
Block URLs or web content: 66%
Generate firewall/IDS/IPS rules based upon network behavior or event detection: 53%
Launch an immediate network scan: 51%
Enforce different access policies based upon device type, user location, time of day, etc.: 47%
Remove host systems from the network based on malware detection, anomalous system behavior, etc.: 47%
Grant limited network access: 46%
Ask users to re-authenticate based upon some anomalous user activity: 41%
Divert a system to a remediation VLAN/server: 26%
Source: Enterprise Strategy Group, 2012.
With security management and operations becoming increasingly difficult, many organizations will make a number of security technology strategy decisions over the next few years. Most significantly, security professionals say that their organizations will (see Figure 37):

• Design and build a more integrated enterprise security architecture. In the past, even large security-conscious organizations addressed information security risks with a series of standalone point tools deployed independently across the network. This created “islands of security” with no central command-and-control or situational awareness. The data indicates that 44% of large organizations intend to design and build a more integrated enterprise security architecture to alleviate shortcomings associated with existing tactical defenses.

• Include new data sources for security intelligence. To monitor and analyze their information security status, large organizations tended to rely on data sources like log files, NetFlow, and esoteric tools like database activity monitoring (DAM) systems. A fairly large population (39%) of the enterprise organizations surveyed plan to include new data sources for security intelligence moving forward. Examples of these sources could be full IP packet capture (PCAP), user access and behavior monitoring, or external data feeds from cloud providers. This data may foretell an emerging “big data” requirement for future security analytics platforms.
Responses were fairly consistent across all segments of the ESG security management and operations segmentation model, but it is worth noting that 35% of security “leaders” say they will actively decrease the number of vendors they buy products from, as compared to 23% of “followers” and 13% of “laggards.” Given the data described above, it is likely that “leaders” are looking to eschew point tool-only vendors for more enterprise-class and tightly integrated alternatives from an elite few.

Figure 37. How Security Technology Strategy Decisions Will Change
Do you believe that your organization will change its security technology strategy decisions in any of the following ways over the next 24 months in order to improve its security management? (Percent of respondents, N=315, multiple responses accepted)
Design and build a more integrated enterprise security architecture: 44%
Include new data sources for security intelligence: 39%
Buy more security suites from a single vendor: 24%
Actively decrease the number of security vendors we buy from: 22%
We will not change our security technology strategy decisions over the next 24 months: 9%
Source: Enterprise Strategy Group, 2012.
The security professionals surveyed by ESG report a number of security management challenges that will need to be addressed moving forward. Specifically, respondents pointed to issues such as security budget constraints (50%), the amount of time spent “fire fighting” or reacting to events (30%), and a lack of appropriate security skills (24%) (see Figure 38). These challenges were consistent across all three segments of the ESG security management and operations segmentation model with one exception: while 18% of the overall survey population indicated a challenge around a lack of executive management support, these results were heavily skewed towards “laggards.” While just 12% of “leaders” and 14% of “followers” point out a lack of executive management support as a security management challenge, some 28% of “laggards” report such a lack of executive support. It is safe to assume that this lack of management buy-in is a significant factor in why these organizations are ultimately classified as security “laggards.”

Figure 38. Biggest Security Management Challenges
Which of the following would you say are the biggest security management challenges at your organization? (Percent of respondents, N=315, multiple responses accepted)
Budget constraints: 50%
Security team spends too much of its time reacting to problems and not enough time with proactive security management or strategic planning: 30%
Lack of the appropriate security skills within IT: 24%
Too many security tools: 23%
We lack the appropriate level of security intelligence to make accurate and timely decisions: 19%
Lack of the appropriate security skills within the security team: 19%
Lack of executive management support: 18%
Security is not considered as part of business process and IT deployment design and planning process: 14%
None of the above: 7%
Source: Enterprise Strategy Group, 2012.