2014 Data Protection Maturity Survey: Results and Analysis

Chris Merritt | Solution Marketing
January 28, 2014

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

source: http://ec.europa.eu/justice/data-protection/minisite/images/cartoon-users.jpg
Data Privacy Day 2014
National Cyber Security Alliance
http://www.staysafeonline.org/data-privacy-day/

Data Protection Maturity Survey
• What is the purpose of this survey?
• Why should organizations be concerned?
• How was it constructed?
  » Technical Controls contribute 40% of the score
    • Considers not just the controls in place but their effectiveness
  » Administrative Controls contribute 25% of the score
    • Quantifies the impact of policies and non-technical controls
  » Organizational Motivation contributes 35% of the score
    • Assesses the internal and external factors driving data protection
• Maturity classifications
  » Optimal – Organizations characterized by best-of-breed data security
  » Operational – Organizations that demonstrate adequate or “good” security
  » Standardizing – Organizations that show some commitment and have some technical controls in place but are still working on data protection maturity
  » Ad Hoc – Organizations that merely react to security events as they occur

2014 Survey Results
Incidents (Compare)
Have you experienced any of the following incidents in the past year (even if your
security systems prevented compromise)? (Select all that apply).

Access Policies (Compare)
Which of the following best describes your firm's policy for network access for
personal devices such as smart phones and tablets?

Technologies (2014 Only)
Which of the following technologies does your organization currently use, or plan to
deploy within the next 24 months?

Technologies (Ranking)
Which of the following technologies does your organization currently use, or plan to
deploy within the next 24 months?

Rank of each technology within each response category, by survey year
(Key: 1 = highest ranked, 9 = lowest ranked):

                                               Currently deployed   Plan to deploy      No plans
Technology                                     2014  2013  2012     2014  2013  2012    2014  2013  2012
DRM (Digital Rights Management)                  9     9     9        7     6     8       1     1     1
Full DLP (Data Loss/Leak Prevention)             8     8     7        3     1     9       2     3     2
DLP Lite (limited keyword / regex filtering)     7     7     8        1     3     2       3     2     3
Application data encryption (e.g. database)      6     6     6        6     3     4       4     4     4
Email encryption                                 5     4     5        4     8     5       5     5     5
Whole disk encryption                            4     3     3        5     6     6       6     6     6
Port / Device control                            2     2     2        9     3     3       7     7     8
Mobile device management                         3     5     4        2     2     1       8     9     9
Removable media or file encryption               1     1     1        7     9     6       9     8     7
Data Security is Strategic (Compare)
How much do you agree with this statement? "Data security is a strategic initiative
across the enterprise."

Data Security is Strategic (Trend)
How much do you agree with this statement? "Data security is a strategic initiative
across the enterprise."

IT Security Budget (Compare)
How much of your IT budget is spent on IT security? Use your best estimate.

Average percentage of IT budget spent on IT security:
2014 = 6.09%
2013 = 5.63%
2012 = 6.13%

Resource Availability (Compare)
How much do you agree with this statement? "My organization has sufficient
resources to achieve compliance with data security policies and best practices."

Resource Adequacy (Trend)
How much do you agree with this statement? "My organization has sufficient
resources to achieve compliance with data security policies and best practices."

Organizational Motivation Trends

Measure                          2012    2013    2014    Trend
Strategic (avg agreement)        1.32    1.31    1.39    ↑
Budget (avg % of IT budget)      6.13    5.63    6.09    ≈
Resource (avg agreement)         0.77    0.68    0.57    ↓
Regulatory Impact (2014 Only)
Is your organization compliant with the following regulations, or do you plan to be
compliant within the next 24 months?

Data Protection Guidelines (Compare)
Which of the following organizational guidelines are included in your employee
agreements? (Select all that apply)

Mobile Programs (Compare)
How are personal mobile devices, such as phones (and tablets), financially and
administratively managed within your enterprise? (Select all that apply)

Mobile Programs (Trend)
How are personal mobile devices, such as phones (and tablets), financially and
administratively managed within your enterprise? (Select all that apply)

Training (Compare)
What type of data protection training is offered at your organization?

Data Protection Policies (Compare)
What type of IT data protection policies exist?

Cloud Storage (2014 Only)
Do your employees use personal cloud storage
(e.g., Dropbox, iCloud, SkyDrive, etc.)?

2014 Maturity Model
A Model for Data Protection Maturity
[chart; the only recoverable label is "5000+"]
Rising to the Challenge
Creating Policies
• Ad Hoc: Minimal or No Security Policies
• Optimal: Comprehensive & Exhaustive

Enforcing Policies
• Ad Hoc: Limited Technical Controls
• Optimal: Robust Technical Controls

Educating Staff
• Ad Hoc: One-Time or No Training
• Optimal: On-Going, Formal Training
Additional Information
DPD 2014 Resource Center
https://www.lumension.com/2014-Data-Privacy-Day.aspx

Free Security Scanner Tools
» Application Scanner – discover all the apps being used in your network
» Device Scanner – discover all the devices being used in your network
https://www.lumension.com/resources/premium-security-tools.aspx

Reports
» 2014 Data Protection Maturity Report
https://www.lumension.com/resources/free-content/Lumension-2014-Data-ProtectionMaturity-Report.aspx
» SC Magazine Security Brief - Under the Radar
https://www.lumension.com/resources/free-content/SC-Magazine-Security-Brief-Under-the-Radar.aspx
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com
