SlideShare a Scribd company logo

2016-Black-Hat-Attendee-Survey

Rob Raleigh
Rob Raleigh

The survey of 250 cybersecurity professionals attending the 2016 Black Hat conference found that concerns about major data breaches are increasing. Nearly three-quarters felt a breach at their organization in the next year was likely, up slightly from 2015. Respondents also reported shortages in security staff, budget, and training, making it difficult to address emerging threats like phishing and targeted attacks. The survey highlights how cybersecurity risks are rising as resource constraints grow.

1 of 16
Download to read offline
Previous Next Previous Next DownloadDownload SubscribeSubscribe Previous Next Previous Next www.blackhat.com July 2016 The Rising Tide of Cybersecurity Concern In our second annual survey of top security professionals, Black Hat finds that the expectation of major breaches is even higher than last year. 2016 Black Hat Attendee Survey
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next SUMMARY In 2015, we set out to get an insider’s view of the current cybersecurity environment by speaking to the most knowledgeable information security professionals in the industry. To achieve that goal, we surveyed one of the most security-savvy audiences in the industry: those who have attended the annual Black Hat USA conference. Black Hat, a forum that fea- tures some of the most advanced security research in the world, is a destination for discussion among top security minds, including leading ethical hackers, IT security management, and technology developers. The 2015 Black Hat Attendee Survey was the first of its kind, featur- ing responses from full-time IT security professionals — some two-thirds of whom had been credentialed as Certified Information Systems Security Professionals (CISSP). The results of that study were alarming, as nearly three-quarters (72%) of respondents felt it likely that their organizations would have to deal with a major data breach in the year ahead. Approximately two-thirds of respondents said they did not have enough staff, budget, or train- ing to meet those challenges. With so many security experts holding pessimistic attitudes about the coming year, it seemed as though the cybersecurity problem could not get much worse. Unfortunately, it has. The 2016 Black Hat Attendee Survey results are in — and as a rule, the most expert security professionals in the industry are even more concerned this year than they were last year. In the 2016 Black Hat Attendee Survey, the percentage of respondents who say they have“no doubt”that they will need to respond to a major security breach in the next 12 months (15%) is slightly higher than it was in 2015. The percentage of respondents who say it is“very likely”that they will face a major breach in the next year (25%) is up one percentage point. (See Figure 1.) Despite these growing concerns, security departments are still facing an alarming shortage of resources. When asked if they have enough staff to face the threats they expect to see in the EXECUTIVE 2016 Black Hat Attendee Survey July 2016 2www.blackhat.com ABOUT US For more than 18 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. More information is available at: http://www.blackhat.com.
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next coming year, 74% of respondents said no — an even higher figure than in 2015. Sixty-two percent said they do not have enough budget to defend their organizations against coming threats. And 67% say they themselves do not have enough training to do their jobs — more than who ex- pressed this concern in 2015. Of all the problems that security organizations face, the shortage of skilled staff is the most acute. When asked the reason why security initiatives fail,“a shortage of qualified people and skills”was by far the top response (37%), outpacing a lack of man- agement support (22%) and a lack of integration among security products (14%). And the pool of available security pros continues to shrink: only 11% of security professionals say they are actively looking to change jobs (down from 12% in 2015), and only 24% said they are even updating their resumes (down from 30% in 2015). But a shortage of resources is not the only problem that enterprise security organizations face today. With staffing, budget, and training all in short supply, security professionals are being forced to prioritize their activities— but frequently, the priorities set by the business are not the priorities considered most important by security professionals. When we asked security pros what they considered the most important threats and concerns that they face today, they overwhelmingly answered with two emerging threats: social engineering attacks such as phishing (46%) and sophisticated attacks targeted directly at their organization (43%). But when we asked those same security professionals how they spend their time, their top answers were measuring risk (35%), managing compliance with industry and regulatory requirements (32%), and troubleshoot- ing security vulnerabilities in internally developed applications (27%). Clearly, there is a gap between the issues and challenges that security profession- als consider the most concerning and the issues and challenges that they spend the most time working on — and that gap is larger in 2016 than it was in 2015. In the pages that follow, we offer deeper details on the survey results and the significant challenges that security professionals face today — not only in defending against attacks from outside the organi- zation, but in finding the time, people, and resources they need to maintain those defenses. 2016 Black Hat Attendee Survey July 2016 3www.blackhat.com
www.blackhat.com Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next SYNOPSIS RESEARCH Survey Name The 2016 Black Hat Attendee Survey Survey Date June 2016 Region North America Number of Respondents 250 Purpose To gauge the attitudes and plans of one of the IT security industry’s most experienced and highly-trained audiences: attendees of the Black Hat conference. Methodology In June 2016 Dark Reading and Black Hat conducted a survey of the Black Hat USA conference attendees. The online survey yielded data from 250 management and staff security professionals, predominantly at large companies, with 60% working at companies with 1,000 or more employees. The greatest possible margin of error for the total respondent base (N=250) is +/- 4.5%. UBM was responsible for all programming and data analysis. These procedures were carried out in strict accordance with standard market research practices 2016 Black Hat Attendee Survey July 2016 4
www.blackhat.com Security professionals fear they are losing the war against cybercrime — and the intensity of that fear is growing. In this year’s Black Hat Attendee Survey, nearly three-quarters of secu- rity pros (72%) said they think it likely that they willhavetorespondtoamajordatabreachinthe next 12 months. Fifteen percent said they have “no doubt”that a major breach will occur — up from 13% in 2005. Twenty-five percent said it is “highly likely”— up from 24% last year. There is good reason for this concern. Despite record levels of spending — Gartner estimates that businesses spent some $75.4 billion on security technology last year — the incidence of breaches continues to grow. Risk Based Security’s Data Breach QuickView Report cited 3,930 incidents in 2015, repre- senting more than 736 million records — all- time highs both for incidents and records. And the annual Ponemon Cost of a Data Breach report found that the average cost of a major data breach has jumped past $4 million per incident — a 29% increase since 2013 and 5% increase over last year. By almost every measure, the cybersecurity problem is worse this year than it was the last. Why are the enterprise defenders losing ground?Thechiefconcernisalackofresources. In the 2016 Black Hat Attendee Survey, nearly three-quarters (74%) of respondents said they Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next Cybersecurity in Crisis July 2016 5 How likely do you think it is that your organization will have to respond to a major security breach in the next 12 months? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 I have no doubt that we will have to respond to a major incident in the next 12 months Don’t know/not sure It’s highly unlikely It’s somewhat unlikely It’s somewhat likely It’s highly likely 15% 13% 25% 24% 32% 15% 36% 13% 7% 6% 8% 6% 2016 2015 Figure 1 2016 Black Hat Attendee Survey
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey feel they do not have enough security staff to defend their organizations against current threats — even more than in 2015. Nineteen percent said they are“completely underwater” when it comes to staffing. (See Figure 2.) Funding also continues to be a problem. Despite record spending by the industry in 2015, some 63% of security professionals who responded to the survey in 2016 say their departments do not have enough budget to defend their organizations against current threats. Twenty percent said they are“severely hampered”by a lack of funding. Training is also a major resource issue in security. In our survey, more than two-thirds of respondents (67%) said they feel they do not have enough training and skills they need to perform all of the tasks for which they are responsible — up from 64% last year. Ten percent of respondents said they feel “ill- prepared” for many of the threats and tasks they face each day. This shortage of resources is the primary rea- son why IT security efforts continue to come up short, according to the Black Hat Attendee Survey responses. When asked why security initiatives fail, some 37% of respondents said a shortage of qualified people and skills is the culprit— the number one answer. A lack of commitment and support from top manage- ment was the second-most frequently cited response with 22%. (See Figure 3.) While security teams are struggling with a lack of resources, the attackers continue to improve their game. In our survey, security professionals ranked social engineering as their most frequently cited concern (46%). Sophis- ticated and targeted attacks were the second most cited concern (43%). The growing use of ransomware by attackers was cited as the most serious new threat to emerge in the past 12 months (37%), while social engineering attacks on specific individuals was rated the number two emerging threat (20%). (See Figure 4.) Figure 2 July 2016 6 Does your organization have enough security staff to defend itself against current threats? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes What staff No, we are completely underwater No, we could use a little help 26% 27% 55% 51% 15% 4% 17% 5% 2016 2015 www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 7 But external attackers aren’t the only thing that keeps security professionals awake at night. When asked to identify the weakest link in the IT security chain, 28% of security pros cited end users who violate security policy, making this the top response in our survey. Seventeen percent cited“a lack of comprehen- sive security architecture and planning that goes beyond firefighting”— a clear indication that many security pros find themselves react- ing to emergencies, unable to find the time they need to comprehensively evaluate their overall defense strategies. (See Figure 5.) The Incredible Shrinking Skills Market Of all the problems and challenges cited in the 2016BlackHatAttendeeSurvey,theshortageof security skills is the most critical.While budgets and training continue to be major issues, 74% of respondents said they do not have enough people to manage the threats they face today. These results are supported by Frost & Sullivan in the latest ISC2 Global Information Security Workforce Study, which predicts that there will be a worldwide shortfall of over 1.5 million information security professionals by 2019. The security skills shortage is the primary reason why security initiatives fail, according to survey respondents, and this answer pres- ents some major challenges for the indus- try in years to come. Clearly, there is a critical need to identify and quickly train a whole new wave of security professionals. Experts say that colleges and universities must help in this ef- fort, and that professional associations and certification training initiatives will have to be ramped up significantly in coming years. But even if this training could be done Figure 3 What is the primary reason current enterprise IT security strategies and technologies fail? Base: 250 respondents in 2016; not asked in 2015 Data: UBM survey of security professionals, June 2016 A shortage of qualified people and skills There are too many vulnerabilities in the rapidly-evolving enterprise IT environment The inability of security technology to keep up with attackers’ new exploits A lack of integration in security architecture; too many single-purpose solutions A lack of commitment and support from top management A shortage of budget Other 37% 22% 14% 9% 6% 6% 6% www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 8 immediately, and hundreds of thousands of new professionals were brought into the market, it would not solve the need for highly experienced staff. At least for the next sev- eral years, it is likely that security initiatives that rely heavily on highly trained and ex- perienced people will continue to fail, sim- ply because there are not enough people who fit these crtria. In the future, then, the security industry will be forced to re-evaluate all technologies and practices that require deep skill sets and look toward automation and technologies that can be operated with a minimum of training and experience. And if you’re trying to hire new security talent this year, it’s going to be very hard — even harder than it was last year.Thirty-five percent of the respondents in the 2016 Black Hat Attendee Survey indicated that it would be very hard to convince them to leave their current organiza- tion— a substantial increase from 25% last year. Only 11% were actively looking for new work, slightly fewer than last year (12%). Only 24% of respondents said they are updating their resumes and keeping an eye out for job open- ings — down from 30% in 2015. (See Figure 6.) Why are most security pros so happy in their jobs?Someofithastodowithknowingwhere they’re going. When asked “Do you have a clear upward career growth path in your current place of employment,” 44% of re- spondents said “Yes, I know the next step or level I can get to and I am working toward it now”— a hefty jump from 38% last year. An- other 31% say they at least have some ideas about their options and they’re “pretty sure I’ll be here a while.”(See Figure 7.) With so many companies clamoring to hire What is the most serious new cyberthreat to emerge in the past 12 months? Base: 250 respondents in 2016; not asked in 2015 Data: UBM survey of security professionals, June 2016 A rapid increase in the use of ransomware Espionage and intelligence gathering by nation-states on commercial enterprises The possibility of a major data leak/dump from a trusted third party Sophisticated malware that can circumvent current defenses Social engineering attacks targeted directly at individuals in a specific enterprise New threats to mobile devices Other 37% 20% 12% 11% 9% 9% 2% Figure 4 www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next July 2016 9 more people — and with the pool of available applicants shrinking — it has become a seller’s market for the skilled cybersecurity profession- al. If they had to leave their current position, 95% of survey respondents said they believe they could find new work either “very quickly” (61%) or “without too much trouble” (34%). That’s quite a leap from most other Americans, who currently take 27.8 weeks, on average, to find new work, according to the US Bureau of Labor Statistics. The Security Priorities Gap For the second year running, security profession- als’ top concerns are social engineering (46%) and sophisticated attacks targeted directly at their organization (43%). In 2015, 57% of respon- dentscitedsophisticated,targetedattacksasone of their three main worries, earning it first place on the list.This year, that percentage tumbled to 43%, but these targeted attacks only slipped to second place in the ranks; it’s still one of the most critical security issues. Social engineering held fastat46%from2015to2016,andthusrosefrom second place to first. (See Figure 8.) These threats may be the things that keep What is the weakest link in today’s enterprise IT defenses? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 End users who violate security policy and are too easily fooled by social engineering attacks Web-based threats and the failure of SSL and digital certificates Vulnerabilities in internally-developed software Vulnerabilities in off-the-shelf software An overabundance of security information and event data that takes too long to analyze PC, Mac, and endpoint vulnerabilities Single-function security tools and products that don’t talk to each other Signature-based security products that can’t recognize new and zero-day threats Mobile device vulnerabilities Cloud services and cloud application vulnerabilities A lack of comprehensive security architecture and planning that goes beyond “firefighting” 28% 33% 17% 20% 12% 11% 7% 9% 7% 7% 6% 3% 4% 3% 4% 4% 5% 4% 4% 6% 2% 3% 2016 2015 Figure 5 www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 10 security professionals awake at night— but they aren’t necessarily the things they spend the most time and money on during the day. For the second straight year, the Black Hat At- tendee Survey revealed some clear differences between the priorities of the security pro and the priorities of those who make the sched- ules, plans, and budgets. When asked how they spend most of their time on in an average day, security profession- als cited measuring security posture and risk (first place, 35%) and maintaining compliance (second place, 32%) — both new options in the 2016 survey — as the top two time-con- sumers. “Security vulnerabilities created by my own internal application development team”— last year’s first-place answer to this question — took third place (27%). Address- ing social engineering and sophisticated, tar- geted attacks only made it to fourth place and eighth place, respectively. (See Figure 9.) When asked how they spend most of their budget, security pros gave much the same re- port. Compliance took a big chunk out of the most respondents’ budgets (31%), while risk measurement finished second (23%). Fixing the internal dev team’s errors was third (19%). Social engineering and sophisticated targeted attacks fared only slightly better at getting funding than they did getting man-hours, garnering fourth place (19%) and sixth place (16%), respectively. These results are stark in the context of the other data collected by the 2016 Black Hat Attendee Survey, which showed a clear short- age of resources such as human capital and funding. The data suggest that security profes- sionals, already underfunded and understaffed, Do you have plans to seek an IT security position anytime in the near future? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes, I am actively looking for employment right now No definite plans, but I am always updating my resume and looking for a better post I’m not doing any active job research, but if some other company called me, I would listen I really love my job and my employer and it would take a LOT to get me to move 2016 2015 I am an indentured servant and would be beheaded if I tried to escape 12%11% 24% 3% 30% 32% 33% 30% 24% 1% Figure 6 www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 11 are often unable to devote those limited resources to their most important priorities. Interestingly, that dichotomy is not al- ways driven by a lack of understanding among upper management. When asked what they believe are the highest security- related priorities of their top executives, Black Hat Attendee Survey respondents cited both sophisticated, targeted attacks (33%) and social engineering (24%) as be- ing among the top three. Compliance (28%) finished second. This is consistent with last year’s data, in which security pros also saw sophisticated, targeted attacks and social engineering as being high on their manage- ment’s priority lists as well. (See Figure 10.) Yet even though they see management as having many of the same priorities that they do, many security pros are losing faith that their non-security colleagues understand the threat that their organizations face today. Only 25% of respondents said their non-secu- rity managers and colleagues understand the current threat and support security efforts at their organization; this is down from 31% last year. An additional 10% said their non-security colleagues understand the threat“but have to be dragged into security conversations” (up from 9% last year). (See Figure 11.) Exactly what is the threat that security pros want their colleagues to understand? By far, the attacker that Black Hat Attendee Survey respondents fear most is the one who has inside knowledge of their organization (36%). Some security pros are more worried about attackers who have strong backing by organized crime or nation-states (18%); others are concerned about attackers who Figure 7 Do you have a clear, upward career growth path in your current place of employment? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes, I know the next step or level I can get to and I am working toward it now No,but I have some ideas about my options and I’m pretty sure I’ll be here a while I’m not sure, but I think I’m doing a good job and I think my employer will take care of me No, I can’t see any clear path for growth and I’m thinking about looking for another job 2016 2015 I can’t type because I’m smashed up against this glass ceiling 44% 38% 31% 11% 17% 3% 31% 11% 12% 3% www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next July 2016 12 have highly sophisticated attack skills (15%). In general, though, respondents were most con- cerned about insiders or attackers who know the most about their organizations. What will security pros worry most about in the future? For the second straight year, the security of non-computer devices and systems — the Internet of Things — was cited as the most critical issue that respondents believe they will worry about two years from now. The percentage of respondents who gave this re- sponse dropped significantly — to 28% from 36% a year ago — but IoT remained the most frequently cited concern on the horizon. This is a fascinating response because IoT barely registers as a concern (9%) among current threats. Clearly, security professionals expect IoT security to become a crucial issue over the next two years. (See Figure 12.) Conclusion Perhaps the most important conclusion we can draw from the 2016 Black Hat Attendee Survey is that the pressures on security pro- fessionals are not letting up — in fact, they are intensifying. In nearly every question and Figure 8 Of the following threats and challenges, which are of the greatest concern to you? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Phishing, social network exploits, or other forms of social engineering Sophisticated attacks targeted directly at the organization Security vulnerabilities introduced by my own application development team Data theft or sabotage by malicious insiders in the organization Espionage or surveillance by foreign governments or competitors Accidental data leaks by end users who fail to follow security policy Polymorphic malware that evades signature-based defenses Ransomware or other forms of extortion perpetrated by outsiders The effort to accurately measure my organization’s security posture and/or risk Attacks or exploits on cloud services, applications, or storage systems used by my organization Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems Surveillance by my own government Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers The effort to keep my organization in compliance with industry and regulatory security guideline Attacks or exploits brought into the organization via mobile devices Digital attacks on non-computer devices and systems – the Internet of Things Attacks on suppliers, contractors, or other partners that are connected to my organization’s network 46% 46% 16% 11% 14% 13% N/A 12% 11% 11% 9% 8% 12% 7% 10% 9% 9% 9% 9% 7% 20% 20% 17% 19% 20% 21% 16% 15% 20% 15% N/A 15% N/A 13% 57% 43% 2016 2015 www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next July 2016 13 category, Black Hat attendees indicated that their environments are more at risk this year thantheywerelastyear—yettheavailabilityof resources and skills has actually decreased. The shortage of people and skills clearly jumped out as the most important issue identified in this year’s survey. To compound the resource shortage, today’s security pros are also facing an increasing gap between the priorities they themselves set for the security department and the priorities of those who control their time, people, and budgets. While they might be lying awake nights worrying about social engineering or targeted attacks, their days are spent mostly in more mundane tasks, such as maintaining compliance or troubleshooting internally de- veloped applications. To gain ground on the bad guys, security teams will have to find new ways to staff and fund their initiatives — perhaps through ad- ditional automation and by reducing the re- quirement for highly developed skills. Security pros will also need to examine new technolo- gies and practices that can reduce the need for staffing and budget, as well as new ways to make their existing team more cost-efficient. Figure 9 Which consume the greatest amount of your time during an average day? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 The effort to accurately measure my organization’s security posture and/or risk The effort to keep my organization in compliance with industry and regulatory security guidelines Security vulnerabilities introduced by my own application development team Phishing, social network exploits, or other forms of social engineering Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Accidental data leaks by end users who fail to follow security policy Sophisticated attacks targeted directly at the organization Attacks or exploits on cloud services, applications, or storage systems used by my organization Ransomware or other forms of extortion perpetrated by outsiders Attacks or exploits brought into the organization via mobile devices Espionage or surveillance by foreign governments or competitors Data theft or sabotage by malicious insiders in the organization Attacks on suppliers, contractors, or other partners that are connected to my organization’s network Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers Surveillance by my own government Polymorphic malware that evades signature- based defenses Digital attacks on non-computer devices and systems – the Internet of Things N/A N/A 35% 31% 33% 30% 26% 20% 35% 9% 7% 32% 27% 25% 21% 19% 19% 11% 11% 9% N/A 8% 7% 8% 7% 6% 7% 8% 6% 4% 3% 3% 14% 6% 6% 2% 2016 2015 www.blackhat.com
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 14www.blackhat.com APPENDIX Figure 10 Which are of greatest concern to your company’s top executives or management? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Sophisticated attacks targeted directly at the organization The effort to keep my organization in compliance with industry and regulatory security guidelines Phishing, social network exploits, or other forms of social engineering Accidental data leaks by end users who fail to follow security policy The effort to accurately measure my organization’s security posture and/or risk Data theft or sabotage by malicious insiders in the organization Data theft,sabotage,or disclosure by“hacktivists” or politically-motivated attackers Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Espionage or surveillance by foreign governments or competitors Ransomware or other forms of extortion perpetrated by outsiders Security vulnerabilities introduced by my own application development team Attacks or exploits on cloud services, applications, or storage systems used by my organization Polymorphic malware that evades signature-based defenses Attacks on suppliers, contractors, or other partners that are connected to my organization’s network Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems Attacks or exploits brought into the organization via mobile devices Digital attacks on non-computer devices and systems – the Internet of Things Surveillance by my own government 33% 28% N/A N/A N/A 44% 9% 14% 12% 1% 3% 3% 3% 3% 4% 4% 5% 7% 8% 7% 10% 5% 24% 27% 20% 19% 17% 16% 14% 27% 29% 27% 17% 13% 10% 17% 2016 2015
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 15www.blackhat.com Do non-security professionals in your organization understand the IT security threat that your organization faces today? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes, and they are supportive of IT security initiatives What threats? There are a few who get it, but most of them are clueless It’s a mixed bag – some of them are, some of them aren’t Yes, but they have to be dragged into the security discussion 25% 31% 10% 9% 46% 17% 41% 17% 2% 2% 2016 2015 Figure 11
Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 16 Figure 12 www.blackhat.com Which do you believe will be of greatest concern two years from now? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Data theft or sabotage by malicious insiders in the organization Espionage or surveillance by foreign governments or competitors Digital attacks on non-computer devices and systems – the Internet of Things Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers The effort to accurately measure my organization’s security posture and/or risk Accidental data leaks by end users who fail to follow security policy Accidental data leaks by end users who fail to follow security policy Attacks on suppliers, contractors, or other partners that are connected to my organization’s network Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Security vulnerabilities introduced by my own application development team The effort to keep my organization in compliance with industry and regulatory security guidelines Sophisticated attacks targeted directly at the organization Phishing, social network exploits, or other forms of social engineering Attacks or exploits brought into the organization via mobile devices Attacks or exploits on cloud services, applications, or storage systems used by my organization Polymorphic malware that evades signature-based defenses Surveillance by my own government Ransomware or other forms of extortion perpetrated by outsiders 24% 24% 20% 19% 18% 16% 16% 26% 33% 22% 22% 24% 22% 15% 13% 9% 15% N/A N/A N/A 10% 28% 36% 13% 9% 7% 10% 7% 13% 7% 8% 7% 7% 6% 7% 12% 2016 2015

Recommended

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
Prof m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalProf m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - final
SelectedPresentations
 
2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study
Tam Nguyen
 
SucessfulInsiderThreat
SucessfulInsiderThreatSucessfulInsiderThreat
SucessfulInsiderThreat
HammerNJ
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
- Mark - Fullbright
 
SVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - OverviewSVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - Overview
Silicon Valley Bank
 
SVB Cybersecurity Impact on Innovation Report
SVB Cybersecurity Impact on Innovation ReportSVB Cybersecurity Impact on Innovation Report
SVB Cybersecurity Impact on Innovation Report
Silicon Valley Bank
 
2014 State of Backup for SMBs
2014 State of Backup for SMBs2014 State of Backup for SMBs
2014 State of Backup for SMBs
Carbonite
 

Recommended

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
Kim Jensen
 
Prof m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalProf m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - final
SelectedPresentations
 
2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study
Tam Nguyen
 
SucessfulInsiderThreat
SucessfulInsiderThreatSucessfulInsiderThreat
SucessfulInsiderThreat
HammerNJ
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
- Mark - Fullbright
 
SVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - OverviewSVB Cybersecurity Impact on Innovation Report - Overview
SVB Cybersecurity Impact on Innovation Report - Overview
Silicon Valley Bank
 
SVB Cybersecurity Impact on Innovation Report
SVB Cybersecurity Impact on Innovation ReportSVB Cybersecurity Impact on Innovation Report
SVB Cybersecurity Impact on Innovation Report
Silicon Valley Bank
 
2014 State of Backup for SMBs
2014 State of Backup for SMBs2014 State of Backup for SMBs
2014 State of Backup for SMBs
Carbonite
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
Cognizant
 
eBook: State of Data Backup for SMBs
eBook: State of Data Backup for SMBseBook: State of Data Backup for SMBs
eBook: State of Data Backup for SMBs
Carbonite
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
Gov BizCouncil
 
2010 GISS EY
2010 GISS EY2010 GISS EY
2010 GISS EY
Vladimir Matviychuk
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
The Economist Media Businesses
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
Meg Weber
 
Sharing the blame: How companies are collaborating on data security breaches
Sharing the blame: How companies are collaborating on data security breachesSharing the blame: How companies are collaborating on data security breaches
Sharing the blame: How companies are collaborating on data security breaches
The Economist Media Businesses
 
Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo. Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo.
Luis Noguera
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
Lumension
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
Meg Weber
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data Risk
Fiona Lew
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
Arun Chinnaraju MBA, PMP, CSM, CSPO, SA
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
Kim Jensen
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
2016 Top Security Threats
2016 Top Security Threats2016 Top Security Threats
2016 Top Security Threats
Gail Essen, CPP, PSP
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report
Graeme Cross
 
Psychobiografia Donalda Trumpa
Psychobiografia Donalda TrumpaPsychobiografia Donalda Trumpa
Psychobiografia Donalda Trumpa
projektdecyzja
 
Acceso multiple de division FDMA, TDMA,CDMA Y PDMA
Acceso multiple de division FDMA, TDMA,CDMA Y PDMAAcceso multiple de division FDMA, TDMA,CDMA Y PDMA
Acceso multiple de division FDMA, TDMA,CDMA Y PDMA
francisco1707
 
PAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
PAA HGP AESCD 2016.2017-História Local-Sta. Comba DãoPAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
PAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
cruchinho
 
3Com 3C10402B / 655-0245
3Com 3C10402B / 655-02453Com 3C10402B / 655-0245
3Com 3C10402B / 655-0245
savomir
 
Numerical Study of Strong Free Surface Flow and Breaking Waves
Numerical Study of Strong Free Surface Flow and Breaking WavesNumerical Study of Strong Free Surface Flow and Breaking Waves
Numerical Study of Strong Free Surface Flow and Breaking Waves
Yi Liu
 

More Related Content

What's hot

Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
Cognizant
 
eBook: State of Data Backup for SMBs
eBook: State of Data Backup for SMBseBook: State of Data Backup for SMBs
eBook: State of Data Backup for SMBs
Carbonite
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
Gov BizCouncil
 
2010 GISS EY
2010 GISS EY2010 GISS EY
2010 GISS EY
Vladimir Matviychuk
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
The Economist Media Businesses
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
Meg Weber
 
Sharing the blame: How companies are collaborating on data security breaches
Sharing the blame: How companies are collaborating on data security breachesSharing the blame: How companies are collaborating on data security breaches
Sharing the blame: How companies are collaborating on data security breaches
The Economist Media Businesses
 
Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo. Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo.
Luis Noguera
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
Lumension
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
Meg Weber
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data Risk
Fiona Lew
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
Arun Chinnaraju MBA, PMP, CSM, CSPO, SA
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
Kim Jensen
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
2016 Top Security Threats
2016 Top Security Threats2016 Top Security Threats
2016 Top Security Threats
Gail Essen, CPP, PSP
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report
Graeme Cross
 

What's hot (17)

Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
eBook: State of Data Backup for SMBs
eBook: State of Data Backup for SMBseBook: State of Data Backup for SMBs
eBook: State of Data Backup for SMBs
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
 
2010 GISS EY
2010 GISS EY2010 GISS EY
2010 GISS EY
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
Reasons to be secure
Reasons to be secureReasons to be secure
Reasons to be secure
 
Sharing the blame: How companies are collaborating on data security breaches
Sharing the blame: How companies are collaborating on data security breachesSharing the blame: How companies are collaborating on data security breaches
Sharing the blame: How companies are collaborating on data security breaches
 
Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo. Índice de software sin licencia en el mundo.
Índice de software sin licencia en el mundo.
 
State of endpoint risk v3
State of endpoint risk v3State of endpoint risk v3
State of endpoint risk v3
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
Ponemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data RiskPonemon Institute Data Breaches and Sensitive Data Risk
Ponemon Institute Data Breaches and Sensitive Data Risk
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
2016 Top Security Threats
2016 Top Security Threats2016 Top Security Threats
2016 Top Security Threats
 
Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report Ponemon 2015 EMEA Cyber Impact Report
Ponemon 2015 EMEA Cyber Impact Report
 

Viewers also liked

Psychobiografia Donalda Trumpa
Psychobiografia Donalda TrumpaPsychobiografia Donalda Trumpa
Psychobiografia Donalda Trumpa
projektdecyzja
 
Acceso multiple de division FDMA, TDMA,CDMA Y PDMA
Acceso multiple de division FDMA, TDMA,CDMA Y PDMAAcceso multiple de division FDMA, TDMA,CDMA Y PDMA
Acceso multiple de division FDMA, TDMA,CDMA Y PDMA
francisco1707
 
PAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
PAA HGP AESCD 2016.2017-História Local-Sta. Comba DãoPAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
PAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
cruchinho
 
3Com 3C10402B / 655-0245
3Com 3C10402B / 655-02453Com 3C10402B / 655-0245
3Com 3C10402B / 655-0245
savomir
 
Numerical Study of Strong Free Surface Flow and Breaking Waves
Numerical Study of Strong Free Surface Flow and Breaking WavesNumerical Study of Strong Free Surface Flow and Breaking Waves
Numerical Study of Strong Free Surface Flow and Breaking Waves
Yi Liu
 
DRAFT of NEW White House Cybersecurity Executive Order leaked
DRAFT of NEW White House Cybersecurity Executive Order leakedDRAFT of NEW White House Cybersecurity Executive Order leaked
DRAFT of NEW White House Cybersecurity Executive Order leaked
David Sweigert
 
UBM Technology Research_POP Event Marketing Presentation_3 18 16
UBM Technology Research_POP Event Marketing Presentation_3 18 16UBM Technology Research_POP Event Marketing Presentation_3 18 16
UBM Technology Research_POP Event Marketing Presentation_3 18 16
Rob Raleigh
 
آزمون پیشرفت تحصیلی پایه دهم کاردانش
آزمون پیشرفت تحصیلی پایه دهم کاردانشآزمون پیشرفت تحصیلی پایه دهم کاردانش
آزمون پیشرفت تحصیلی پایه دهم کاردانش
tarasad
 
3Com 3C16702A
3Com 3C16702A3Com 3C16702A
3Com 3C16702A
savomir
 
Análisis y selección de diferentes métodos para eliminar las saponinas en dos...
Análisis y selección de diferentes métodos para eliminar las saponinas en dos...Análisis y selección de diferentes métodos para eliminar las saponinas en dos...
Análisis y selección de diferentes métodos para eliminar las saponinas en dos...
Josemaria Chavez Zeballos
 
experimento sólido-líquido
experimento sólido-líquidoexperimento sólido-líquido
experimento sólido-líquido
Pily Pparra
 
Seminario de Tesis II - 8va clase
Seminario de Tesis II - 8va claseSeminario de Tesis II - 8va clase
Seminario de Tesis II - 8va clase
Free TIC
 
Biblioteca y Web Semántica : Una historia introductoria
Biblioteca y Web Semántica : Una historia introductoriaBiblioteca y Web Semántica : Una historia introductoria
Biblioteca y Web Semántica : Una historia introductoria
Santiago Villegas Ceballos
 
Práctica de power point denisse camacho yactayo
Práctica de power point denisse camacho yactayoPráctica de power point denisse camacho yactayo
Práctica de power point denisse camacho yactayo
Free TIC
 
Gaby
GabyGaby
Gaby
Gabriela Bello
 
Sociedad De La Información
Sociedad De La InformaciónSociedad De La Información
Sociedad De La Información
Tony Valderrama
 
Autoestima
AutoestimaAutoestima
Autoestima
Alberto Leon Batallas
 
Asi Comenzó Esta Historia
Asi Comenzó Esta HistoriaAsi Comenzó Esta Historia
Asi Comenzó Esta Historia
Noemi Veliz
 
los valores humanos
los valores humanoslos valores humanos
los valores humanos
Yanet Mori de Gonzales
 
expo
expoexpo
expo
gueste61033
 

Viewers also liked (20)

Psychobiografia Donalda Trumpa
Psychobiografia Donalda TrumpaPsychobiografia Donalda Trumpa
Psychobiografia Donalda Trumpa
 
Acceso multiple de division FDMA, TDMA,CDMA Y PDMA
Acceso multiple de division FDMA, TDMA,CDMA Y PDMAAcceso multiple de division FDMA, TDMA,CDMA Y PDMA
Acceso multiple de division FDMA, TDMA,CDMA Y PDMA
 
PAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
PAA HGP AESCD 2016.2017-História Local-Sta. Comba DãoPAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
PAA HGP AESCD 2016.2017-História Local-Sta. Comba Dão
 
3Com 3C10402B / 655-0245
3Com 3C10402B / 655-02453Com 3C10402B / 655-0245
3Com 3C10402B / 655-0245
 
Numerical Study of Strong Free Surface Flow and Breaking Waves
Numerical Study of Strong Free Surface Flow and Breaking WavesNumerical Study of Strong Free Surface Flow and Breaking Waves
Numerical Study of Strong Free Surface Flow and Breaking Waves
 
DRAFT of NEW White House Cybersecurity Executive Order leaked
DRAFT of NEW White House Cybersecurity Executive Order leakedDRAFT of NEW White House Cybersecurity Executive Order leaked
DRAFT of NEW White House Cybersecurity Executive Order leaked
 
UBM Technology Research_POP Event Marketing Presentation_3 18 16
UBM Technology Research_POP Event Marketing Presentation_3 18 16UBM Technology Research_POP Event Marketing Presentation_3 18 16
UBM Technology Research_POP Event Marketing Presentation_3 18 16
 
آزمون پیشرفت تحصیلی پایه دهم کاردانش
آزمون پیشرفت تحصیلی پایه دهم کاردانشآزمون پیشرفت تحصیلی پایه دهم کاردانش
آزمون پیشرفت تحصیلی پایه دهم کاردانش
 
3Com 3C16702A
3Com 3C16702A3Com 3C16702A
3Com 3C16702A
 
Análisis y selección de diferentes métodos para eliminar las saponinas en dos...
Análisis y selección de diferentes métodos para eliminar las saponinas en dos...Análisis y selección de diferentes métodos para eliminar las saponinas en dos...
Análisis y selección de diferentes métodos para eliminar las saponinas en dos...
 
experimento sólido-líquido
experimento sólido-líquidoexperimento sólido-líquido
experimento sólido-líquido
 
Seminario de Tesis II - 8va clase
Seminario de Tesis II - 8va claseSeminario de Tesis II - 8va clase
Seminario de Tesis II - 8va clase
 
Biblioteca y Web Semántica : Una historia introductoria
Biblioteca y Web Semántica : Una historia introductoriaBiblioteca y Web Semántica : Una historia introductoria
Biblioteca y Web Semántica : Una historia introductoria
 
Práctica de power point denisse camacho yactayo
Práctica de power point denisse camacho yactayoPráctica de power point denisse camacho yactayo
Práctica de power point denisse camacho yactayo
 
Gaby
GabyGaby
Gaby
 
Sociedad De La Información
Sociedad De La InformaciónSociedad De La Información
Sociedad De La Información
 
Autoestima
AutoestimaAutoestima
Autoestima
 
Asi Comenzó Esta Historia
Asi Comenzó Esta HistoriaAsi Comenzó Esta Historia
Asi Comenzó Esta Historia
 
los valores humanos
los valores humanoslos valores humanos
los valores humanos
 
expo
expoexpo
expo
 

Similar to 2016-Black-Hat-Attendee-Survey

CAPP Conference Survey
CAPP Conference SurveyCAPP Conference Survey
CAPP Conference Survey
CynergisTek, Inc.
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
patmisasi
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
Scalar Decisions
 
Top 5 it security threats for 2015
Top 5 it security threats for 2015Top 5 it security threats for 2015
Top 5 it security threats for 2015
Bev Robb
 
Winning the Cybersecurity Battle
Winning the Cybersecurity BattleWinning the Cybersecurity Battle
Winning the Cybersecurity Battle
GovLoop
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
galagirishp
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
- Mark - Fullbright
 
Heidi
HeidiHeidi
Heidi
kategat
 
Raytheon-NCSA_Millennial_Survey_report_2014
Raytheon-NCSA_Millennial_Survey_report_2014Raytheon-NCSA_Millennial_Survey_report_2014
Raytheon-NCSA_Millennial_Survey_report_2014
Blair Gately
 
Insights from 2016 Cyberthreat Defense Report
Insights from 2016 Cyberthreat Defense ReportInsights from 2016 Cyberthreat Defense Report
Insights from 2016 Cyberthreat Defense Report
Stephanie Brannan
 
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks ReportHBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
FERMA
 
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
CMR WORLD TECH
 
Estado del ransomware en 2020
Estado del ransomware en 2020Estado del ransomware en 2020
Estado del ransomware en 2020
iDric Soluciones de TI y Seguridad Informática
 
Trends_in_my_profession(revised)
Trends_in_my_profession(revised)Trends_in_my_profession(revised)
Trends_in_my_profession(revised)
Mantenso Skido-Achulo
 
the-ciso-report for 2024 predictions by SPLUNK
the-ciso-report for 2024 predictions by SPLUNKthe-ciso-report for 2024 predictions by SPLUNK
the-ciso-report for 2024 predictions by SPLUNK
SaifAlwan2
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Ernst & Young
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
NishantSisodiya
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
Constantin Cocioaba
 
FRISS_Insurance fraud report 2020
FRISS_Insurance fraud report 2020 FRISS_Insurance fraud report 2020
FRISS_Insurance fraud report 2020
FinTech Belgium
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 

Similar to 2016-Black-Hat-Attendee-Survey (20)

CAPP Conference Survey
CAPP Conference SurveyCAPP Conference Survey
CAPP Conference Survey
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
Top 5 it security threats for 2015
Top 5 it security threats for 2015Top 5 it security threats for 2015
Top 5 it security threats for 2015
 
Winning the Cybersecurity Battle
Winning the Cybersecurity BattleWinning the Cybersecurity Battle
Winning the Cybersecurity Battle
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
 
Heidi
HeidiHeidi
Heidi
 
Raytheon-NCSA_Millennial_Survey_report_2014
Raytheon-NCSA_Millennial_Survey_report_2014Raytheon-NCSA_Millennial_Survey_report_2014
Raytheon-NCSA_Millennial_Survey_report_2014
 
Insights from 2016 Cyberthreat Defense Report
Insights from 2016 Cyberthreat Defense ReportInsights from 2016 Cyberthreat Defense Report
Insights from 2016 Cyberthreat Defense Report
 
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks ReportHBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
 
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
 
Estado del ransomware en 2020
Estado del ransomware en 2020Estado del ransomware en 2020
Estado del ransomware en 2020
 
Trends_in_my_profession(revised)
Trends_in_my_profession(revised)Trends_in_my_profession(revised)
Trends_in_my_profession(revised)
 
the-ciso-report for 2024 predictions by SPLUNK
the-ciso-report for 2024 predictions by SPLUNKthe-ciso-report for 2024 predictions by SPLUNK
the-ciso-report for 2024 predictions by SPLUNK
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 
FRISS_Insurance fraud report 2020
FRISS_Insurance fraud report 2020 FRISS_Insurance fraud report 2020
FRISS_Insurance fraud report 2020
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 

2016-Black-Hat-Attendee-Survey

  • 1. Previous Next Previous Next DownloadDownload SubscribeSubscribe Previous Next Previous Next www.blackhat.com July 2016 The Rising Tide of Cybersecurity Concern In our second annual survey of top security professionals, Black Hat finds that the expectation of major breaches is even higher than last year. 2016 Black Hat Attendee Survey
  • 2. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next SUMMARY In 2015, we set out to get an insider’s view of the current cybersecurity environment by speaking to the most knowledgeable information security professionals in the industry. To achieve that goal, we surveyed one of the most security-savvy audiences in the industry: those who have attended the annual Black Hat USA conference. Black Hat, a forum that fea- tures some of the most advanced security research in the world, is a destination for discussion among top security minds, including leading ethical hackers, IT security management, and technology developers. The 2015 Black Hat Attendee Survey was the first of its kind, featur- ing responses from full-time IT security professionals — some two-thirds of whom had been credentialed as Certified Information Systems Security Professionals (CISSP). The results of that study were alarming, as nearly three-quarters (72%) of respondents felt it likely that their organizations would have to deal with a major data breach in the year ahead. Approximately two-thirds of respondents said they did not have enough staff, budget, or train- ing to meet those challenges. With so many security experts holding pessimistic attitudes about the coming year, it seemed as though the cybersecurity problem could not get much worse. Unfortunately, it has. The 2016 Black Hat Attendee Survey results are in — and as a rule, the most expert security professionals in the industry are even more concerned this year than they were last year. In the 2016 Black Hat Attendee Survey, the percentage of respondents who say they have“no doubt”that they will need to respond to a major security breach in the next 12 months (15%) is slightly higher than it was in 2015. The percentage of respondents who say it is“very likely”that they will face a major breach in the next year (25%) is up one percentage point. (See Figure 1.) Despite these growing concerns, security departments are still facing an alarming shortage of resources. When asked if they have enough staff to face the threats they expect to see in the EXECUTIVE 2016 Black Hat Attendee Survey July 2016 2www.blackhat.com ABOUT US For more than 18 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. More information is available at: http://www.blackhat.com.
  • 3. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next coming year, 74% of respondents said no — an even higher figure than in 2015. Sixty-two percent said they do not have enough budget to defend their organizations against coming threats. And 67% say they themselves do not have enough training to do their jobs — more than who ex- pressed this concern in 2015. Of all the problems that security organizations face, the shortage of skilled staff is the most acute. When asked the reason why security initiatives fail,“a shortage of qualified people and skills”was by far the top response (37%), outpacing a lack of man- agement support (22%) and a lack of integration among security products (14%). And the pool of available security pros continues to shrink: only 11% of security professionals say they are actively looking to change jobs (down from 12% in 2015), and only 24% said they are even updating their resumes (down from 30% in 2015). But a shortage of resources is not the only problem that enterprise security organizations face today. With staffing, budget, and training all in short supply, security professionals are being forced to prioritize their activities— but frequently, the priorities set by the business are not the priorities considered most important by security professionals. When we asked security pros what they considered the most important threats and concerns that they face today, they overwhelmingly answered with two emerging threats: social engineering attacks such as phishing (46%) and sophisticated attacks targeted directly at their organization (43%). But when we asked those same security professionals how they spend their time, their top answers were measuring risk (35%), managing compliance with industry and regulatory requirements (32%), and troubleshoot- ing security vulnerabilities in internally developed applications (27%). Clearly, there is a gap between the issues and challenges that security profession- als consider the most concerning and the issues and challenges that they spend the most time working on — and that gap is larger in 2016 than it was in 2015. In the pages that follow, we offer deeper details on the survey results and the significant challenges that security professionals face today — not only in defending against attacks from outside the organi- zation, but in finding the time, people, and resources they need to maintain those defenses. 2016 Black Hat Attendee Survey July 2016 3www.blackhat.com
  • 4. www.blackhat.com Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next SYNOPSIS RESEARCH Survey Name The 2016 Black Hat Attendee Survey Survey Date June 2016 Region North America Number of Respondents 250 Purpose To gauge the attitudes and plans of one of the IT security industry’s most experienced and highly-trained audiences: attendees of the Black Hat conference. Methodology In June 2016 Dark Reading and Black Hat conducted a survey of the Black Hat USA conference attendees. The online survey yielded data from 250 management and staff security professionals, predominantly at large companies, with 60% working at companies with 1,000 or more employees. The greatest possible margin of error for the total respondent base (N=250) is +/- 4.5%. UBM was responsible for all programming and data analysis. These procedures were carried out in strict accordance with standard market research practices 2016 Black Hat Attendee Survey July 2016 4
  • 5. www.blackhat.com Security professionals fear they are losing the war against cybercrime — and the intensity of that fear is growing. In this year’s Black Hat Attendee Survey, nearly three-quarters of secu- rity pros (72%) said they think it likely that they willhavetorespondtoamajordatabreachinthe next 12 months. Fifteen percent said they have “no doubt”that a major breach will occur — up from 13% in 2005. Twenty-five percent said it is “highly likely”— up from 24% last year. There is good reason for this concern. Despite record levels of spending — Gartner estimates that businesses spent some $75.4 billion on security technology last year — the incidence of breaches continues to grow. Risk Based Security’s Data Breach QuickView Report cited 3,930 incidents in 2015, repre- senting more than 736 million records — all- time highs both for incidents and records. And the annual Ponemon Cost of a Data Breach report found that the average cost of a major data breach has jumped past $4 million per incident — a 29% increase since 2013 and 5% increase over last year. By almost every measure, the cybersecurity problem is worse this year than it was the last. Why are the enterprise defenders losing ground?Thechiefconcernisalackofresources. In the 2016 Black Hat Attendee Survey, nearly three-quarters (74%) of respondents said they Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next Cybersecurity in Crisis July 2016 5 How likely do you think it is that your organization will have to respond to a major security breach in the next 12 months? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 I have no doubt that we will have to respond to a major incident in the next 12 months Don’t know/not sure It’s highly unlikely It’s somewhat unlikely It’s somewhat likely It’s highly likely 15% 13% 25% 24% 32% 15% 36% 13% 7% 6% 8% 6% 2016 2015 Figure 1 2016 Black Hat Attendee Survey
  • 6. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey feel they do not have enough security staff to defend their organizations against current threats — even more than in 2015. Nineteen percent said they are“completely underwater” when it comes to staffing. (See Figure 2.) Funding also continues to be a problem. Despite record spending by the industry in 2015, some 63% of security professionals who responded to the survey in 2016 say their departments do not have enough budget to defend their organizations against current threats. Twenty percent said they are“severely hampered”by a lack of funding. Training is also a major resource issue in security. In our survey, more than two-thirds of respondents (67%) said they feel they do not have enough training and skills they need to perform all of the tasks for which they are responsible — up from 64% last year. Ten percent of respondents said they feel “ill- prepared” for many of the threats and tasks they face each day. This shortage of resources is the primary rea- son why IT security efforts continue to come up short, according to the Black Hat Attendee Survey responses. When asked why security initiatives fail, some 37% of respondents said a shortage of qualified people and skills is the culprit— the number one answer. A lack of commitment and support from top manage- ment was the second-most frequently cited response with 22%. (See Figure 3.) While security teams are struggling with a lack of resources, the attackers continue to improve their game. In our survey, security professionals ranked social engineering as their most frequently cited concern (46%). Sophis- ticated and targeted attacks were the second most cited concern (43%). The growing use of ransomware by attackers was cited as the most serious new threat to emerge in the past 12 months (37%), while social engineering attacks on specific individuals was rated the number two emerging threat (20%). (See Figure 4.) Figure 2 July 2016 6 Does your organization have enough security staff to defend itself against current threats? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes What staff No, we are completely underwater No, we could use a little help 26% 27% 55% 51% 15% 4% 17% 5% 2016 2015 www.blackhat.com
  • 7. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 7 But external attackers aren’t the only thing that keeps security professionals awake at night. When asked to identify the weakest link in the IT security chain, 28% of security pros cited end users who violate security policy, making this the top response in our survey. Seventeen percent cited“a lack of comprehen- sive security architecture and planning that goes beyond firefighting”— a clear indication that many security pros find themselves react- ing to emergencies, unable to find the time they need to comprehensively evaluate their overall defense strategies. (See Figure 5.) The Incredible Shrinking Skills Market Of all the problems and challenges cited in the 2016BlackHatAttendeeSurvey,theshortageof security skills is the most critical.While budgets and training continue to be major issues, 74% of respondents said they do not have enough people to manage the threats they face today. These results are supported by Frost & Sullivan in the latest ISC2 Global Information Security Workforce Study, which predicts that there will be a worldwide shortfall of over 1.5 million information security professionals by 2019. The security skills shortage is the primary reason why security initiatives fail, according to survey respondents, and this answer pres- ents some major challenges for the indus- try in years to come. Clearly, there is a critical need to identify and quickly train a whole new wave of security professionals. Experts say that colleges and universities must help in this ef- fort, and that professional associations and certification training initiatives will have to be ramped up significantly in coming years. But even if this training could be done Figure 3 What is the primary reason current enterprise IT security strategies and technologies fail? Base: 250 respondents in 2016; not asked in 2015 Data: UBM survey of security professionals, June 2016 A shortage of qualified people and skills There are too many vulnerabilities in the rapidly-evolving enterprise IT environment The inability of security technology to keep up with attackers’ new exploits A lack of integration in security architecture; too many single-purpose solutions A lack of commitment and support from top management A shortage of budget Other 37% 22% 14% 9% 6% 6% 6% www.blackhat.com
  • 8. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 8 immediately, and hundreds of thousands of new professionals were brought into the market, it would not solve the need for highly experienced staff. At least for the next sev- eral years, it is likely that security initiatives that rely heavily on highly trained and ex- perienced people will continue to fail, sim- ply because there are not enough people who fit these crtria. In the future, then, the security industry will be forced to re-evaluate all technologies and practices that require deep skill sets and look toward automation and technologies that can be operated with a minimum of training and experience. And if you’re trying to hire new security talent this year, it’s going to be very hard — even harder than it was last year.Thirty-five percent of the respondents in the 2016 Black Hat Attendee Survey indicated that it would be very hard to convince them to leave their current organiza- tion— a substantial increase from 25% last year. Only 11% were actively looking for new work, slightly fewer than last year (12%). Only 24% of respondents said they are updating their resumes and keeping an eye out for job open- ings — down from 30% in 2015. (See Figure 6.) Why are most security pros so happy in their jobs?Someofithastodowithknowingwhere they’re going. When asked “Do you have a clear upward career growth path in your current place of employment,” 44% of re- spondents said “Yes, I know the next step or level I can get to and I am working toward it now”— a hefty jump from 38% last year. An- other 31% say they at least have some ideas about their options and they’re “pretty sure I’ll be here a while.”(See Figure 7.) With so many companies clamoring to hire What is the most serious new cyberthreat to emerge in the past 12 months? Base: 250 respondents in 2016; not asked in 2015 Data: UBM survey of security professionals, June 2016 A rapid increase in the use of ransomware Espionage and intelligence gathering by nation-states on commercial enterprises The possibility of a major data leak/dump from a trusted third party Sophisticated malware that can circumvent current defenses Social engineering attacks targeted directly at individuals in a specific enterprise New threats to mobile devices Other 37% 20% 12% 11% 9% 9% 2% Figure 4 www.blackhat.com
  • 9. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next July 2016 9 more people — and with the pool of available applicants shrinking — it has become a seller’s market for the skilled cybersecurity profession- al. If they had to leave their current position, 95% of survey respondents said they believe they could find new work either “very quickly” (61%) or “without too much trouble” (34%). That’s quite a leap from most other Americans, who currently take 27.8 weeks, on average, to find new work, according to the US Bureau of Labor Statistics. The Security Priorities Gap For the second year running, security profession- als’ top concerns are social engineering (46%) and sophisticated attacks targeted directly at their organization (43%). In 2015, 57% of respon- dentscitedsophisticated,targetedattacksasone of their three main worries, earning it first place on the list.This year, that percentage tumbled to 43%, but these targeted attacks only slipped to second place in the ranks; it’s still one of the most critical security issues. Social engineering held fastat46%from2015to2016,andthusrosefrom second place to first. (See Figure 8.) These threats may be the things that keep What is the weakest link in today’s enterprise IT defenses? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 End users who violate security policy and are too easily fooled by social engineering attacks Web-based threats and the failure of SSL and digital certificates Vulnerabilities in internally-developed software Vulnerabilities in off-the-shelf software An overabundance of security information and event data that takes too long to analyze PC, Mac, and endpoint vulnerabilities Single-function security tools and products that don’t talk to each other Signature-based security products that can’t recognize new and zero-day threats Mobile device vulnerabilities Cloud services and cloud application vulnerabilities A lack of comprehensive security architecture and planning that goes beyond “firefighting” 28% 33% 17% 20% 12% 11% 7% 9% 7% 7% 6% 3% 4% 3% 4% 4% 5% 4% 4% 6% 2% 3% 2016 2015 Figure 5 www.blackhat.com
  • 10. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 10 security professionals awake at night— but they aren’t necessarily the things they spend the most time and money on during the day. For the second straight year, the Black Hat At- tendee Survey revealed some clear differences between the priorities of the security pro and the priorities of those who make the sched- ules, plans, and budgets. When asked how they spend most of their time on in an average day, security profession- als cited measuring security posture and risk (first place, 35%) and maintaining compliance (second place, 32%) — both new options in the 2016 survey — as the top two time-con- sumers. “Security vulnerabilities created by my own internal application development team”— last year’s first-place answer to this question — took third place (27%). Address- ing social engineering and sophisticated, tar- geted attacks only made it to fourth place and eighth place, respectively. (See Figure 9.) When asked how they spend most of their budget, security pros gave much the same re- port. Compliance took a big chunk out of the most respondents’ budgets (31%), while risk measurement finished second (23%). Fixing the internal dev team’s errors was third (19%). Social engineering and sophisticated targeted attacks fared only slightly better at getting funding than they did getting man-hours, garnering fourth place (19%) and sixth place (16%), respectively. These results are stark in the context of the other data collected by the 2016 Black Hat Attendee Survey, which showed a clear short- age of resources such as human capital and funding. The data suggest that security profes- sionals, already underfunded and understaffed, Do you have plans to seek an IT security position anytime in the near future? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes, I am actively looking for employment right now No definite plans, but I am always updating my resume and looking for a better post I’m not doing any active job research, but if some other company called me, I would listen I really love my job and my employer and it would take a LOT to get me to move 2016 2015 I am an indentured servant and would be beheaded if I tried to escape 12%11% 24% 3% 30% 32% 33% 30% 24% 1% Figure 6 www.blackhat.com
  • 11. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 11 are often unable to devote those limited resources to their most important priorities. Interestingly, that dichotomy is not al- ways driven by a lack of understanding among upper management. When asked what they believe are the highest security- related priorities of their top executives, Black Hat Attendee Survey respondents cited both sophisticated, targeted attacks (33%) and social engineering (24%) as be- ing among the top three. Compliance (28%) finished second. This is consistent with last year’s data, in which security pros also saw sophisticated, targeted attacks and social engineering as being high on their manage- ment’s priority lists as well. (See Figure 10.) Yet even though they see management as having many of the same priorities that they do, many security pros are losing faith that their non-security colleagues understand the threat that their organizations face today. Only 25% of respondents said their non-secu- rity managers and colleagues understand the current threat and support security efforts at their organization; this is down from 31% last year. An additional 10% said their non-security colleagues understand the threat“but have to be dragged into security conversations” (up from 9% last year). (See Figure 11.) Exactly what is the threat that security pros want their colleagues to understand? By far, the attacker that Black Hat Attendee Survey respondents fear most is the one who has inside knowledge of their organization (36%). Some security pros are more worried about attackers who have strong backing by organized crime or nation-states (18%); others are concerned about attackers who Figure 7 Do you have a clear, upward career growth path in your current place of employment? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes, I know the next step or level I can get to and I am working toward it now No,but I have some ideas about my options and I’m pretty sure I’ll be here a while I’m not sure, but I think I’m doing a good job and I think my employer will take care of me No, I can’t see any clear path for growth and I’m thinking about looking for another job 2016 2015 I can’t type because I’m smashed up against this glass ceiling 44% 38% 31% 11% 17% 3% 31% 11% 12% 3% www.blackhat.com
  • 12. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next July 2016 12 have highly sophisticated attack skills (15%). In general, though, respondents were most con- cerned about insiders or attackers who know the most about their organizations. What will security pros worry most about in the future? For the second straight year, the security of non-computer devices and systems — the Internet of Things — was cited as the most critical issue that respondents believe they will worry about two years from now. The percentage of respondents who gave this re- sponse dropped significantly — to 28% from 36% a year ago — but IoT remained the most frequently cited concern on the horizon. This is a fascinating response because IoT barely registers as a concern (9%) among current threats. Clearly, security professionals expect IoT security to become a crucial issue over the next two years. (See Figure 12.) Conclusion Perhaps the most important conclusion we can draw from the 2016 Black Hat Attendee Survey is that the pressures on security pro- fessionals are not letting up — in fact, they are intensifying. In nearly every question and Figure 8 Of the following threats and challenges, which are of the greatest concern to you? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Phishing, social network exploits, or other forms of social engineering Sophisticated attacks targeted directly at the organization Security vulnerabilities introduced by my own application development team Data theft or sabotage by malicious insiders in the organization Espionage or surveillance by foreign governments or competitors Accidental data leaks by end users who fail to follow security policy Polymorphic malware that evades signature-based defenses Ransomware or other forms of extortion perpetrated by outsiders The effort to accurately measure my organization’s security posture and/or risk Attacks or exploits on cloud services, applications, or storage systems used by my organization Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems Surveillance by my own government Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers The effort to keep my organization in compliance with industry and regulatory security guideline Attacks or exploits brought into the organization via mobile devices Digital attacks on non-computer devices and systems – the Internet of Things Attacks on suppliers, contractors, or other partners that are connected to my organization’s network 46% 46% 16% 11% 14% 13% N/A 12% 11% 11% 9% 8% 12% 7% 10% 9% 9% 9% 9% 7% 20% 20% 17% 19% 20% 21% 16% 15% 20% 15% N/A 15% N/A 13% 57% 43% 2016 2015 www.blackhat.com
  • 13. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next July 2016 13 category, Black Hat attendees indicated that their environments are more at risk this year thantheywerelastyear—yettheavailabilityof resources and skills has actually decreased. The shortage of people and skills clearly jumped out as the most important issue identified in this year’s survey. To compound the resource shortage, today’s security pros are also facing an increasing gap between the priorities they themselves set for the security department and the priorities of those who control their time, people, and budgets. While they might be lying awake nights worrying about social engineering or targeted attacks, their days are spent mostly in more mundane tasks, such as maintaining compliance or troubleshooting internally de- veloped applications. To gain ground on the bad guys, security teams will have to find new ways to staff and fund their initiatives — perhaps through ad- ditional automation and by reducing the re- quirement for highly developed skills. Security pros will also need to examine new technolo- gies and practices that can reduce the need for staffing and budget, as well as new ways to make their existing team more cost-efficient. Figure 9 Which consume the greatest amount of your time during an average day? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 The effort to accurately measure my organization’s security posture and/or risk The effort to keep my organization in compliance with industry and regulatory security guidelines Security vulnerabilities introduced by my own application development team Phishing, social network exploits, or other forms of social engineering Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Accidental data leaks by end users who fail to follow security policy Sophisticated attacks targeted directly at the organization Attacks or exploits on cloud services, applications, or storage systems used by my organization Ransomware or other forms of extortion perpetrated by outsiders Attacks or exploits brought into the organization via mobile devices Espionage or surveillance by foreign governments or competitors Data theft or sabotage by malicious insiders in the organization Attacks on suppliers, contractors, or other partners that are connected to my organization’s network Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers Surveillance by my own government Polymorphic malware that evades signature- based defenses Digital attacks on non-computer devices and systems – the Internet of Things N/A N/A 35% 31% 33% 30% 26% 20% 35% 9% 7% 32% 27% 25% 21% 19% 19% 11% 11% 9% N/A 8% 7% 8% 7% 6% 7% 8% 6% 4% 3% 3% 14% 6% 6% 2% 2016 2015 www.blackhat.com
  • 14. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 14www.blackhat.com APPENDIX Figure 10 Which are of greatest concern to your company’s top executives or management? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Sophisticated attacks targeted directly at the organization The effort to keep my organization in compliance with industry and regulatory security guidelines Phishing, social network exploits, or other forms of social engineering Accidental data leaks by end users who fail to follow security policy The effort to accurately measure my organization’s security posture and/or risk Data theft or sabotage by malicious insiders in the organization Data theft,sabotage,or disclosure by“hacktivists” or politically-motivated attackers Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Espionage or surveillance by foreign governments or competitors Ransomware or other forms of extortion perpetrated by outsiders Security vulnerabilities introduced by my own application development team Attacks or exploits on cloud services, applications, or storage systems used by my organization Polymorphic malware that evades signature-based defenses Attacks on suppliers, contractors, or other partners that are connected to my organization’s network Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems Attacks or exploits brought into the organization via mobile devices Digital attacks on non-computer devices and systems – the Internet of Things Surveillance by my own government 33% 28% N/A N/A N/A 44% 9% 14% 12% 1% 3% 3% 3% 3% 4% 4% 5% 7% 8% 7% 10% 5% 24% 27% 20% 19% 17% 16% 14% 27% 29% 27% 17% 13% 10% 17% 2016 2015
  • 15. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 15www.blackhat.com Do non-security professionals in your organization understand the IT security threat that your organization faces today? Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Yes, and they are supportive of IT security initiatives What threats? There are a few who get it, but most of them are clueless It’s a mixed bag – some of them are, some of them aren’t Yes, but they have to be dragged into the security discussion 25% 31% 10% 9% 46% 17% 41% 17% 2% 2% 2016 2015 Figure 11
  • 16. Previous Next Previous Next DownloadDownload RegisterRegister SubscribeSubscribe Previous Next Previous Next 2016 Black Hat Attendee Survey July 2016 16 Figure 12 www.blackhat.com Which do you believe will be of greatest concern two years from now? Note: Maximum of three responses allowed Base: 250 respondents in 2016 and 460 respondents in 2015 Data: UBM survey of security professionals, June 2016 Data theft or sabotage by malicious insiders in the organization Espionage or surveillance by foreign governments or competitors Digital attacks on non-computer devices and systems – the Internet of Things Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers The effort to accurately measure my organization’s security posture and/or risk Accidental data leaks by end users who fail to follow security policy Accidental data leaks by end users who fail to follow security policy Attacks on suppliers, contractors, or other partners that are connected to my organization’s network Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements Security vulnerabilities introduced by my own application development team The effort to keep my organization in compliance with industry and regulatory security guidelines Sophisticated attacks targeted directly at the organization Phishing, social network exploits, or other forms of social engineering Attacks or exploits brought into the organization via mobile devices Attacks or exploits on cloud services, applications, or storage systems used by my organization Polymorphic malware that evades signature-based defenses Surveillance by my own government Ransomware or other forms of extortion perpetrated by outsiders 24% 24% 20% 19% 18% 16% 16% 26% 33% 22% 22% 24% 22% 15% 13% 9% 15% N/A N/A N/A 10% 28% 36% 13% 9% 7% 10% 7% 13% 7% 8% 7% 7% 6% 7% 12% 2016 2015