If you want to see how a lion hunts, you don’t go to the zoo. You go to the jungle. This is why we went exploring: friends of friends. In their comfort zones. No scripts. No transactions.
We wanted to get into the hearts and minds of IT, so we had conversations rather than interviews. But naturally, we dug into one of the most critical topics in IT today: security.
4 WEEKS. 5 STATES. 9 CITIES.
20 SENIOR IT DECISION MAKERS.
12 TO 35 YEARS’ EXPERIENCE.
A RANGE OF INDUSTRIES, INCLUDING FINANCE, PHARMA,
MANUFACTURING, JOURNALISM, EDUCATION, TECHNOLOGY,
HOSPITALITY, TELECOM, ENTERTAINMENT AND REAL ESTATE.
GLOBAL AND DOMESTIC COMPANIES, FROM 50 TO 90,000 EMPLOYEES.
“Through 2016, 75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired.”
— Gartner
And if the people at the top are worried about security, you better believe all the people involved in enterprise IT decisions are feeling the pressure.
Among almost everyone we interviewed, security came up as the most common work-related nightmare. It is clearly on their minds on a daily basis.
But what exactly are they worrying about, and why? Let’s look at 10 human truths about IT pros’ approach to dealing with security.
1. THEY ARE INSECURE ABOUT SECURITY
Almost every IT solution is a security risk to some extent, which can lead to some pretty paranoid IT pros. The level of comfort and confidence in current security measures and models is generally low.
“My company constantly says security is their #1 priority with IT. They talk the talk. But they don’t actually do enough. It’s security through obscurity.”
— Tony, Automation Services Consultant for a large bank
“I mean, my systems are secure because I’m not a dummy and I like to sleep at night. But I can’t say that for most of my company.”
— Mike, Senior IT Manager at a large telecom company
96% of successful attacks on enterprise security in 2012 were not highly difficult — everyone is truly at risk.
> Verizon 2013 Data Breach Report
The average cost per record of a data breach in 2011 was $222. The average company with a data breach that year lost $5.5 million.
> Ponemon Institute State of Web Application Security
2. NO ONE HAS IT FIGURED OUT
IT pros stressing about the holes in their systems assume that their problems are the worst, when in reality, their peers in other companies and industries are up against similar threats and complications.
“Security becomes more and more challenging as IT is shifting to the cloud and mobile devices. Consumerization of IT caught traditional corporate IT infrastructure totally unprepared. Even the best of us are still trying to catch up.”
— Nico, Senior IT Project Manager at a large global manufacturing company
“You’ve got to be kidding me — that bank doesn’t have personal device security figured out yet? I thought we were so far behind the industry.”
— Jonathan, Global Head of Data Transformation at a large finance company
75% of attacks are opportunistic — not targeted at a specific individual or company.
> Verizon 2013 Data Breach Survey
86% of all websites had at least one serious vulnerability.
> Whitehat 2013 Website Security Statistics Report
3. RELIEF IS BRIEF
When it comes to security, there is never a moment when it’s all under control. The thousands of solutions and options can’t be implemented as fast as the potential risks evolve. Any sense of security an IT pro might feel is likely to be short-lived.
“No one is ever 100% protected. You should never feel safe, or you’re not being diligent.”
— Jonathan, Global Head of Data Transformation at a large finance company
“If you think you’re protected, you’re doing it wrong.”
— Mike, Senior IT Manager at a large telecom company
66% of the breaches took months or even years to discover.
> Verizon 2013 Data Breach Report
“34% of urgent vulnerabilities are not fixed.”
> Ponemon Institute, State of Web Application Security
There are an average of 70,000 new threats per day.
> Kaspersky Lab
4. THE GOAL IS PREVENTION, NOT REACTION
If something goes wrong, it’s a crisis management problem — not a security problem. The best security experts approach it as a proactive matter.
“Security is all about non-issues.”
— Pat, VP, IT Manager at a large technology company
“In 2011, 97% of security breaches could have been avoided through simple or intermediate controls.”
— Verizon 2012 Data Breach Report
“We have a company-wide policy to treat all of our systems as if they have already been compromised at all times.”
— Will, SaaS Consultant for a large technology solutions company
5. SECURITY IS MISSION CRITICAL
Finance and healthcare have the most serious legal ramifications when it comes to IT security. At the same time, companies in every industry, big and small, are striving to implement the security measures needed to protect data.
1 in 5 Americans would stop doing business with a bank or credit card company after a security breach.
94% of healthcare organizations have been breached.
“I went from working in entertainment where I could sort of just assure people the solution I wanted to do was safe, to working in finance where I had to prove it to 15 people before it was even considered.”
— Waseem, Consultant and System Administrator for a small investment company
Security breaches cost healthcare organizations $2.4M over 2 years as the healthcare sector is among the most vulnerable to hacking and cyberattacks.
> HIT Consultant
14% of data breaches were in the financial sector and 255,396,710 records were exposed by the breaches.
> Privacy Rights Clearinghouse
6. SECURITY = JOB SECURITY
Security is shaping the future of IT as a discipline. Job titles, internal organization and business practices are evolving to include internal and third-party security experts, groups and processes.
“Security in IT is job security for IT.”
— Waseem, Consultant and System Administrator for a small investment company
“IT is a massively growing field. And security is the fastest growing area within that fastest growing area.”
— Danny, VP, System Designer at a large pharma company
Two-thirds of security leaders expect spending on information security to rise over the next 2 years. Of those, 90% anticipate double-digit growth. One in ten expects increases of 50% or more.
> IBM CISO Study
7. HACKERS ARE A PRO’S BEST FRIEND
As security becomes more central to all IT decision making, the number of specialists will grow along with options for education and training for that specific skill set. These experts will be unafraid to breach, bend and break tech solutions to ensure they are secure.
“Hiring professional hackers to try to break into our systems and identify the holes has been the most powerful way to convince management to pay for security projects!”
— Nico, Senior IT Project Manager at a large global manufacturing company
“I ask for a trial and then I try to break it. I spend days or weeks looking through the source code, playing with the settings, getting all my most brilliant coder friends to try to beat the system and break in. The best security specialists are hackers at heart.”
— Waseem, Consultant and System Administrator for a small investment company
Did You Know?
If the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as $80 per compromised record. Outside consultants assisting with the breach response can also save as much as $41 per record.
8. THERE IS NO QUICK FIX
As companies strive to get a handle on security, many are quickly realizing that doing it well means rethinking the entire IT security model. It’s not as simple as adding another layer; they often find themselves rewriting the rules on data access altogether.
“There is NO reason for me to ever see client-identifying data. But right now, I could.”
— Jonathan, Global Head of Data Transformation at a large finance company
“Crunchy on the outside. Soft and chewy in the center.”
— Danny, VP, System Designer at a large pharma company
[Figure: A NEW MODEL FOR COMPANY SECURITY. The old way: THE MOAT MODEL. The new way: THE ONION MODEL. Diagram labels: roam free, complete lockdown, c-suite, contractors + vendors.]
9. SECURE SOLUTIONS VS. SECURITY SOLUTIONS
Enterprises are trying to strike the right balance between tools they trust and tools built specifically to further secure existing systems. As a result, no matter what the IT solution might be, security is a factor in the decision-making process.
“There is this parking lot that has roughly 50 stop signs in it. If there were 10–20 we’d probably stop at all of them. Instead, by having so many, we are all tempted to skip them all. There’s a tipping point with security solutions.”
— Will, SaaS Consultant for a large technology solutions company
“Security should be a part of any architected solution.”
— Mike, Senior IT Manager at a large telecom company
10. RESISTANCE IS REALITY
Security measures are seen as an impediment, not an enabler. Everyone feels the pain of extra passwords and multiple logins on productivity, so change is slow to happen, especially when it comes to things like BYOD.
“Like anything else IT-related, the best course of action is to induce change by making users’ lives easier. Users are unlikely to prioritize a system’s security over their lives’ simplicity.”
— Will, SaaS Consultant for a large technology solutions company
“Hackers aren’t security’s biggest enemy. Users are.”
— Bob, Full-time IT Consultant for a class-action services company
In 2011, negligence accounted for 39% of data breaches, slightly more than the 37% that came from malicious attacks.
> Ponemon Institute State of Web Application Security
The most common password used by global businesses is “Password1” because it satisfies the default MS Active Directory complexity setting.
> 2012 Trustwave Global Security Report
1. EMBRACE THE COMPLEXITY
Don’t overpromise or pretend to have the silver bullet. Ignoring the complications and speed of change means not understanding it.
2. OFFER A COMMON GROUND
Unite ITDMs in the sense of security that comes with knowing everyone is dealing with these threats and no one has solved them.
3. ACKNOWLEDGE THE LAYERS
Talk about security as the ecosystem it is. Each business needs to find the layers and tools that are right for them.
4. HELP THEM SPREAD THE WORD
It can be difficult for ITDMs to sell solutions to their colleagues. Arm them with ways to talk about and show security solutions as a positive addition to the organization.
5. GET PERSONAL
Don’t just tell them what the solution can do for their business, make it about what it can do for them. ITDMs are yearning for glory and respect.
6. BE A SOURCE OF COMFORT AND SUPPORT
With all the complexities of security, ITDMs can’t go it alone. Be the partner they can turn to through thick and thin.