This document summarizes the key findings of a cybersecurity preparedness benchmarking study conducted by Berkeley Research Group. The study surveyed over 100 organizations across different sectors to evaluate their cybersecurity programs, governance, and incident response capabilities. Some of the main findings include that current employees were the likely source of most cybersecurity breaches, viruses and malware caused most data breaches, and many organizations lack strategies for emerging technologies like the Internet of Things. The report also found that organizations need to improve security awareness training and invest more in cybersecurity budgets.
CompTIA’s Trends in Information Security study provides insights into the behaviors, techniques and opportunities with IT security as businesses use new technology.
The top challenges to expect in network security in 2019: survey report - Bricata, Inc.
The Bricata team conducted a survey to ask cybersecurity professionals about the challenges and opportunities they face in network security.
64% of respondents say network security is harder this year than last, for a range of reasons. These include the sophistication of threats, but also the proliferation of IT infrastructure and the complexity of environments, given the changes stemming from cloud, IoT and BYOD, among others.
While insider threats (44%) and IT infrastructure (42%) topped the list of network security challenges, no single topic drew a simple majority. Lack of leadership support, security technology interoperability, shadow IT, BYOD and the deluge of security alerts were among the top 10.
Most organizations use between 1 and 10 tools for network security. About one-third of respondents said these tools were not integrated, while another 28% said these tools were only somewhat integrated. No respondent indicated that the tools in their environment were completely integrated.
About a quarter (26%) of respondents say their organization receives 1,000 or more security alerts per day. More importantly, the vast majority (84%) say these require 5 or more minutes each to triage. “A decent number of false-positives waste quite a bit of time,” wrote one respondent. “On the other hand, some alerts are critical, but we are missing vital information, which we then spend ages trying to locate.” Some admit they just can’t review all alerts.
While just about one-third (32%) say they are doing threat hunting today – a majority (61%) of respondents believe that threat hunting will be either more important or much more important in the next 12 months.
Security analytics, security integration and behavioral analysis were the top three areas of security respondents said organizations should focus on over the next year. Interestingly, collaboration outranked machine learning and AI as a recommended area of focus.
Some 34% of respondents said the relationship between security and DevOps is strong, while 27% said it isn’t. By contrast, 51% of respondents said the relationship between security and the business is strong, while 22% said it isn’t.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
When asked if their organization’s incident response efficiency and effectiveness is limited by the time and effort required for manual processes, 93% of the cybersecurity professionals surveyed responded, “yes”, according to The State of Incident Response ESG report.
This poses a real problem, since 22% of organizations find it challenging to keep up with the volume of security alerts.
Access this ESG research report to take a closer look at these obstacles, along with the important factors for incident response excellence.
Organizations are improving cyber resilience and showing they can perform better under greater pressure as the number of targeted attacks more than doubles.
Building an effective Information Security Roadmap - Elliott Franklin
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
This year, CSO partnered with the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, the U.S. Secret Service and KnowBe4 to evaluate trends in the frequency and impact of cybersecurity incidents.
In its second year, IDG’s 2018 Security Priorities study was conducted to gain a better understanding of organizations’ current and future security posture.
Implementing Business Aligned Security Strategy - Dane Warren
This was presented at the AISA national seminar day. It is a helicopter view on how to implement a security strategy that is aligned with the business.
The Cyber Security Readiness of Canadian Organizations - Scalar Decisions
Highlights of the 2015 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2015. The full report can be downloaded at: http://hubs.ly/y0tFbr0
It’s time to rethink everything: a governance, risk, compliance primer - EnclaveSecurity
Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.
EXPERT WEBINAR: Convergence of Cybersecurity & Privacy with Herjavec Group - Feroot
With so much overlap between Privacy and Cybersecurity, why are we spending valuable resources duplicating efforts? Can there be more alignment and synergy between these two areas?
Join Tabitha Gallo of the Herjavec Group and Ivan Tsarynny of Feroot Privacy to start a discussion on Converging Privacy and Cybersecurity practices.
In this webinar, you will learn:
- How to effectively use, re-use and re-purpose existing operational processes and procedures (PCI, ISO and NERC) to satisfy privacy requirements
- What areas to extend existing cybersecurity processes to address GDPR, CCPA and other privacy laws
- New ways and opportunities for aligning privacy and cybersecurity and to become more synergistic
Learn more about Feroot software as an Automation & GDPR Compliance Tool: https://www.feroot.com/
Learn more about Herjavec Security & Privacy services: https://www.herjavecgroup.com/
Executive Summary of the 2016 Scalar Security Study - Scalar Decisions
Executive Summary of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016/
Priming your digital immune system: Cybersecurity in the cognitive era - Luke Farrell
Learn how cognitive security may be a powerful tool in addressing challenges security professionals face.
New capabilities for a challenging era
Security leaders are working to address three gaps in their current capabilities — in intelligence, speed and accuracy. Some organizations are beginning to explore the potential of cognitive security solutions to address these gaps and get ahead of their risks and threats. There are high expectations for this technology. Fifty-seven percent of the security leaders we surveyed believe that it can significantly slow the efforts of cybercriminals. The 22 percent of respondents who we call “Primed” have started their journey into the cognitive era of cybersecurity — they believe they have the familiarity, the maturity and the resources they need. To begin the journey, it is important to explore your weaknesses, determine how you want to augment your capabilities with cognitive solutions and think about building education and investment plans for your stakeholders.
Improving Cyber Readiness with the NIST Cybersecurity Framework - William McBorrough
Still need a primer on the CSF? Check out my article for the Access Business Team January 2017 Newsletter on how businesses can improve their cyber readiness with the NIST Cybersecurity Framework.
In his recent Forbes article, "The Internet Of Things Is About Data, Not Things", John Fruehe stated: "All of the strategy and shiny objects in the world won’t help if the data isn’t accurate, secure, and actionable." That's why, at iVEDiX, we believe in taking a well-rounded approach to our thought leadership and the technologies we produce. Here's a look at some twitterers who have joined us in this belief and been great ambassadors of IoT, data, and analytics.
Cloud Cybersecurity: Strategies for Managing Vendor Risk - Health Catalyst
As more organizations shift away from on-premise architectures toward the cloud or hybrid hosting models, critical cybersecurity concerns emerge. Organizations, especially health systems, should carefully examine the shared responsibility model in partnership with their cloud vendor.
Kevin Scharnhorst, Health Catalyst Chief Information Security Officer, shares perspectives on how your organization’s security program, through adherence to standards-based policy and procedures, can align with your cloud vendor on reduced organizational risk.
A Russell Reynolds Associates study on cybersecurity that explores the importance of the relationship between the Chief Information Security Officer and the Board of Directors.
Russell Reynolds Associates addresses five cybersecurity leadership questions that Boards of Directors and executives should ask themselves. These questions cover a range of aspects, from the Board’s level of preparedness to managing talent in order to protect the business in a comprehensive way.
Presentation on the analysis of cybersecurity capacity building, finding a clear impact of capacity building on a reduction in end user problems and enhanced use by individuals, governments, and business.
The results of this year’s Internal Audit Capabilities and Needs Survey show that, not surprisingly, cybersecurity represents a major focus for internal audit programs, but it is far from the only pressing issue on internal audit’s plate.
Webcast outlines how IT security and operations can address top security concerns and challenges and adapt to new technologies and trends surrounding the endpoint.
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs - SurfWatch Labs
With the board room increasingly being held accountable for data breaches, it’s crucial that board members know and understand the cyber risks facing their organization.
You can have all the latest firewalls and intrusion detection gizmos, but if you forget to enlist the people in your organization in your security efforts, all could be lost.
Multi-vocal Review of security orchestration - Chadni Islam
Organizations use diverse types of security solutions to prevent cyber-attacks. Multiple vendors provide security solutions developed using heterogeneous technologies and paradigms. Hence, it is challenging, if not impossible, to make security solutions work together in an integrated fashion. Security orchestration aims at smoothly integrating multivendor security tools so that they can effectively and efficiently interoperate to support the security staff of a Security Operation Centre (SOC). Given the increasing role and importance of security orchestration, there has been a growing amount of literature on different aspects of security orchestration solutions. However, there has been no effort to systematically review and analyze the reported solutions. We report a Multivocal Literature Review that has systematically selected and reviewed both academic and grey (blogs, web pages, white papers) literature on different aspects of security orchestration published from January 2007 until July 2017. The review has enabled us to provide a working definition of security orchestration and classify the main functionalities of security orchestration into three main areas – unification, orchestration, and automation. We have also identified the core components of a security orchestration platform and categorized the drivers of security orchestration based on technical and socio-technical aspects. We also provide a taxonomy of security orchestration based on the execution environment, automation strategy, deployment type, mode of task, and resource type. This review has helped us to reveal several areas of further research and development in security orchestration.
The presentation defines cyber security and its importance, and presents a framework to address the threats. The framework consists of core, profile and tiers.
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th... - Lancope, Inc.
Learn about the key mistakes organizations are making when it comes to incident response, presented by the chairman and founder of the Ponemon Institute, Dr. Larry Ponemon, and Lancope’s director of security research, Tom Cross. Then learn about how the right mix of people, processes and technology can dramatically improve your incident response efforts and elevate the importance of the CSIRT within your organization.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Cyber security, or information technology security, is the set of techniques for protecting computers, networks, programs and data from unauthorized access or from attacks aimed at exploitation.
2. Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study
National Cybersecurity Awareness Month (NCSAM)
• This October is the 13th annual National Cyber Security Awareness Month
• As the month comes to a close, we hope you will continue to promote a safer, more secure and more trusted internet all year long
• BRG is a proud NCSAM Champion and we encourage everyone to support the 6th anniversary of the STOP. THINK. CONNECT.™ NCSAM initiative
• More information can be found at https://staysafeonline.org/
3. BRG Overview
Over 1,000 professionals in 37 offices
4. Study Background
Why the need for cybersecurity benchmarking?
• Financial and non-financial consequences of a successful cyber attack
• Governance and Technology
• Gain an understanding of how peers implement Information Security
• Study results from two different points of view:
– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity
– an individual assessment for each participant where individual answers are discussed and compared against other study respondents
5. Study Background
Target group: Executive Management and Board of Directors from different sectors
Survey: 103 questions, approximately 60 minutes. Online questionnaire; select phone interviews
Timeline: Q1 and Q2 2016
Results: Q3 2016
Participants received: Anonymized evaluation of participant data, including indication of their individual answers
8. Study Participants
Charts: Primary Industry of Organization; Title or Level in Organization; Total Employees with Average FTE IT Employees
10. Growing Importance of CISO
Chart: Who does the CISO/CSO report to?
54% of organizations report an Information Security Officer is in place
11. Security Culture
Chart: How would you rate your organization’s information security culture?
73% of organizations have a formal cybersecurity training and awareness program
12. Cybersecurity Effectiveness
Chart: Rate the effectiveness of your organization’s cyber security program
80% of organizations report that senior managers approach information security as an enterprise risk-management issue
13. Incident Response Capability
Chart: How would you rate your organization’s cyber security incident response capabilities?
60% of organizations inform governments and regulators of cybersecurity breaches
14. Strategic Initiatives
Chart: What strategic initiatives has your organization adopted in its security program?
90% of organizations do not have a cybersecurity strategy for the Internet of Things
15. Board and Executive Leadership
16. Board Engagement
Chart: Areas in which the Board of Directors actively participate
55% of organizations report that the Board of Directors actively participate in overall cybersecurity strategy
17. Board Influence
Chart: Areas board participation has helped improve your organization’s information security program
18. Board Oversight
Chart: How does the board oversee cyber security-related issues?
19. Leadership Support & Focus
Charts: How would you rate the organizational leadership support for cybersecurity? Rate senior management focus on information security
20. Feedback Mechanisms
Chart: How do you measure the effectiveness of the organization’s cyber security program?
69% of organizations rely on auditors, both internal and external, as a measure of their cybersecurity effectiveness
22. Cybersecurity Risk Assessments
Charts: Has your organization performed a cyber risk appetite assessment? Has your organization performed a cyber threat assessment?
47% of organizations do not believe that leadership has a functional understanding of their network security
23. Documented Procedures
Chart: Are there formal security and operational procedures documented?
91% of organizations document their cybersecurity policies and procedures
24. Improvement & Awareness
Chart: Areas for improvement and awareness programs
25. Executive Briefings
Chart: How often does executive management receive periodical briefings on the state of your organization’s network security system?
30% of executive management receive a briefing once every six months or less
27. Security Standards
Chart: Which information security standard and best practice does your organization follow?
37% of organizations used ISO 27001, with financial services at 43%
28. Controls Testing
Chart: Security controls and business continuity plans are tested on a regular basis?
29. System Reviews
Chart: How often are the security controls of the enterprise systems and interconnected systems reviewed?
24% of organizations do not routinely test security controls and business continuity plans on a regular basis
30. Self-assessments
Chart: How often are self-assessments conducted?
30% of organizations do not routinely undertake self-assessments
31. External Assessments
Chart: How often are external security assessments conducted?
32. External Service Providers & Vendors
Chart: What steps has your organization taken in order to obtain assurances from external service providers and vendors that their security meets standards?
63% of organizations have ensured external service provider and vendor contracts include provisions for security
34. Rate your organization’s cyber security
risk management program
34Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study
Risk Management Effectiveness
42%
of organizations
somewhat agree that
cybersecurity risks
are being considered
in business decision
making
7%
of organizations
strongly agree that
cybersecurity risks
are being considered
in business decision
making
35. Rate your organization’s cyber security
Information Governance capabilities
35Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study
Information Governance
Capabilities
56%
of organizations rate
their Information
Governance
capabilities as
‘slightly’ or
‘somewhat effective’
36. IS Governance Maturity
Rate your company’s information security governance maturity level
37. IT Risk Management Maturity
Rate your company’s IT risk management maturity level
38. Cloud Computing Maturity
Rate your company’s cloud computing maturity level
57% of organizations do not allow use of public cloud services
39. Regulatory & Government Reporting
Does the organization’s incident response plan outline regulatory and governmental notification protocols for breaches?
57% of organizations are required by regulatory and government agencies to disclose system breaches
41. Type of Cybersecurity Breaches
What type of breaches did your organization experience?
46% of organizations report having experienced a cybersecurity breach
51% of organizations are neutral or disagree that they are well equipped to handle a breach
42. Sources of Breaches
What was the estimated source of data breach incidents?
45% of organizations report current employees as the most likely source of cybersecurity breach incidents
43. Staff-related Incidents
What type of staff-related incidents has the organization experienced?
44. Key Observations
Despite a strong focus on cybersecurity culture, many organizations do not believe their cybersecurity programs are fully effective
45% of respondents reported that they needed to improve security awareness and training.
Current employees are the most likely source of cybersecurity breaches
Respondents reported that current employees were the likely source of 45% of data breach incidents, followed by 22% of incidents caused by hackers and 13% by former employees.
Viruses and malicious software are the most common type of breach
Respondents reported that infections from viruses or malicious software accounted for 39% of all data breaches, followed by system failures or data corruption accounting for 35% of breaches.
45. Key Observations
Most organizations do not have strategies for the emerging fields of the Internet of Things or Big Data
90% of respondents do not have a cybersecurity strategy for the Internet of Things, and 86% do not have a strategy for Big Data.
Organizations lack confidence in their cybersecurity incident response capability
65% of respondents reported having a formal cyber incident response plan, and 60% incorporated regulatory and government notification protocols for breaches. However, when asked if their organization was well equipped to handle a cyber breach, 51% of respondents were neutral or disagreed.
Organizations anticipate an increase in information security budgets
54% of respondents reported that they expected an increase in their 2016 cybersecurity budget. However, 48% of respondents were neutral or disagreed when asked if leadership allocated adequate budget for cybersecurity efforts.
46. Recommendations
• Review and approve the cyber risk appetite and tolerance at board level;
• Ensure the board has sufficient cybersecurity expertise and/or access to such expertise;
• Build cybersecurity into all activities and develop enterprise-wide cyber risk management strategies and procedures;
• Incorporate cybersecurity within business strategy and risk management frameworks;
• Develop procedures to identify and manage cyber risks associated with outside vendors, suppliers, customers, utilities, and other external organizations and service providers;
• Undertake testing to include the potential for multiple attacks and the impact of interruptions on critical infrastructure;
• Ensure there is a robust cyber resilience and incident response program;
• Pro-actively undertake cyber threat intelligence gathering and ongoing security analytics;
• Invest in your people to ensure there is high awareness and ownership for cybersecurity across the organization.
47.
The full study is available at:
http://www.thinkbrg.com/media/publication/828_CSPBS_Report.pdf
Tony Moroney | Managing Director | International Financial Services
Berkeley Research Group, LLC
6 New Street Square, 15th Floor | London, EC4A 3BF
D +44 (0) 20 3597 5167 | M +353 87 2556947 | F +44 (0)20 3808 2784
tmoroney@thinkbrg.com | thinkbrg.com
Faisal Amin | Director | Benchmarking & Strategic Research
Berkeley Research Group, LLC
700 Louisiana Street, Suite 2600 | Houston, TX 77002
D 713.493.2552 | O 713.481.9410 | M 281.788.9573 | F 832.862.2284
famin@thinkbrg.com | thinkbrg.com