The document summarizes key findings from a survey of over 12,000 information security professionals conducted in 2012. Some of the main findings include:
1) Application vulnerabilities, malware, and mobile devices were the top security concerns. Concern over cloud-based services also increased significantly since the previous survey in 2011.
2) Information security is seen as a stable career path, but workforce shortages persist. Knowledge and certification are important for career success and advancement.
3) While attack remediation is believed to be rapid, preparedness for security incidents showed signs of strain, with twice as many respondents saying preparedness had worsened compared to 2011.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
This document summarizes findings from 118 security operations maturity assessments of 87 organizations in 18 countries. It finds that the median maturity level remains below the ideal level of 3, and 20% of organizations scored below the minimum level of 1. The top issue facing security operations is the shortage of skilled resources. While organizations are investing in new technologies, many neglect operational budgets and processes, resulting in immature capabilities. Visible breaches have increased focus on security from executive leadership and boards.
The document summarizes the key findings of the 2011 Global Information Security Workforce Study conducted by Frost & Sullivan. Some of the main points from the summary include:
1) Application vulnerabilities were reported as the number one threat to organizations, with over 20% of security professionals reporting involvement in software development.
2) Mobile devices were the second highest security concern, despite most professionals having policies and tools in place to defend against mobile threats.
3) A skills gap exists as new technologies like cloud computing and social media are being adopted without sufficient security training for professionals. Over 70% needed new skills for cloud security.
4) The information security workforce is projected to grow significantly from 2.28 million in 2010
This document discusses the results of Ernst & Young's 2010 Global Information Security Survey. Some key findings include:
- 60% of respondents perceived an increase in risk due to new technologies like social media, cloud computing, and mobile devices.
- 46% planned to increase spending on information security.
- Increased workforce mobility and data leakage were significant challenges for many organizations.
- Many organizations are taking steps to address mobile security risks through policies, encryption, and identity management controls.
This document summarizes the key findings of the 2006 CSI/FBI Computer Crime and Security Survey. The survey polled over 600 security professionals and found that:
1) Virus attacks and unauthorized access continued to be the largest sources of financial loss. Financial losses from laptop theft and stolen proprietary information were also significant.
2) Unauthorized computer use slightly decreased while reported computer security incidents to law enforcement increased after previous years of decline.
3) Most organizations evaluate security investments using metrics like return on investment, but many respondents said economic and risk management issues were most critical.
4) Over 80% of organizations conduct security audits but respondents felt more investment was still needed in security awareness training.
5)
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
This document summarizes the key findings of Kaspersky Lab's 2014 IT Security Risks Survey. Some of the main points include:
1) Protection of confidential data against targeted attacks was the top priority for 38% of IT managers surveyed, compared to not being a priority in previous years.
2) 94% of companies encountered cybersecurity issues originating outside their networks, up from 91% in 2013. About 12% faced targeted attacks, up from 9% previously.
3) The average cost of a data security incident was estimated at $720,000, while a successful targeted attack could cost over $2.5 million. Losses often included internal data, client data, and financial information.
The survey found that organizations do not feel more secure than the previous year due to ineffective endpoint security technologies. Malware incidents are increasing and driving up IT costs. Zero-day attacks, SQL injections, and exploiting old software vulnerabilities are the biggest challenges. Respondents expect the top IT security risks in the next year will be negligent or malicious insiders, mobile device threats, and advanced persistent threats. Current approaches to endpoint security are costly and ineffective at preventing the rise of malware attacks through third-party and web-based applications.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
This document summarizes findings from 118 security operations maturity assessments of 87 organizations in 18 countries. It finds that the median maturity level remains below the ideal level of 3, and 20% of organizations scored below the minimum level of 1. The top issue facing security operations is the shortage of skilled resources. While organizations are investing in new technologies, many neglect operational budgets and processes, resulting in immature capabilities. Visible breaches have increased focus on security from executive leadership and boards.
The document summarizes the key findings of the 2011 Global Information Security Workforce Study conducted by Frost & Sullivan. Some of the main points from the summary include:
1) Application vulnerabilities were reported as the number one threat to organizations, with over 20% of security professionals reporting involvement in software development.
2) Mobile devices were the second highest security concern, despite most professionals having policies and tools in place to defend against mobile threats.
3) A skills gap exists as new technologies like cloud computing and social media are being adopted without sufficient security training for professionals. Over 70% needed new skills for cloud security.
4) The information security workforce is projected to grow significantly from 2.28 million in 2010
This document discusses the results of Ernst & Young's 2010 Global Information Security Survey. Some key findings include:
- 60% of respondents perceived an increase in risk due to new technologies like social media, cloud computing, and mobile devices.
- 46% planned to increase spending on information security.
- Increased workforce mobility and data leakage were significant challenges for many organizations.
- Many organizations are taking steps to address mobile security risks through policies, encryption, and identity management controls.
This document summarizes the key findings of the 2006 CSI/FBI Computer Crime and Security Survey. The survey polled over 600 security professionals and found that:
1) Virus attacks and unauthorized access continued to be the largest sources of financial loss. Financial losses from laptop theft and stolen proprietary information were also significant.
2) Unauthorized computer use slightly decreased while reported computer security incidents to law enforcement increased after previous years of decline.
3) Most organizations evaluate security investments using metrics like return on investment, but many respondents said economic and risk management issues were most critical.
4) Over 80% of organizations conduct security audits but respondents felt more investment was still needed in security awareness training.
5)
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
This document summarizes the key findings of Kaspersky Lab's 2014 IT Security Risks Survey. Some of the main points include:
1) Protection of confidential data against targeted attacks was the top priority for 38% of IT managers surveyed, compared to not being a priority in previous years.
2) 94% of companies encountered cybersecurity issues originating outside their networks, up from 91% in 2013. About 12% faced targeted attacks, up from 9% previously.
3) The average cost of a data security incident was estimated at $720,000, while a successful targeted attack could cost over $2.5 million. Losses often included internal data, client data, and financial information.
The survey found that organizations do not feel more secure than the previous year due to ineffective endpoint security technologies. Malware incidents are increasing and driving up IT costs. Zero-day attacks, SQL injections, and exploiting old software vulnerabilities are the biggest challenges. Respondents expect the top IT security risks in the next year will be negligent or malicious insiders, mobile device threats, and advanced persistent threats. Current approaches to endpoint security are costly and ineffective at preventing the rise of malware attacks through third-party and web-based applications.
Assessing and Managing IT Security RisksChris Ross
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
The past few years have seen an explosion of cyber attacks, and with the 2015 OPM breaches underscoring the vulnerability of government data, agencies are racing to implement proactive, holistic cybersecurity measures. In order to measure changing federal perceptions and experiences regarding the present threat landscape, Government Business Council (GBC) and Dell conducted an in-depth research survey as a follow-up to a previous June 2014 GBC study.
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011Lumension
The State of Endpoint Risk 2011 study, conducted by the Ponemon Institute, has been published. Learn the latest endpoint protection best practices that can assist in your 2011 security planning, including:
• Increasingly sophisticated malware and the associated costs
• The top 5 applications that concern IT the most
• Third-party and Web 2.0 application usage policies and the importance of security awareness training programs
• Effective methods to communicate with senior management on evolving endpoint risk and its impact to the business
• Technologies that effectively prevent targeted malware and cyber attacks
Most tech and healthcare executives surveyed viewed cyber attacks as a serious threat to their business and data. While over half were moderately confident in their own security, far fewer were confident in their partners' security. In response, 98% of companies are maintaining or increasing cybersecurity resources, focusing more on response than prevention. Over half of companies now offer cybersecurity as part of their products and services. Increased media coverage has heightened awareness of cyber threats for many executives.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Current endpoint security approaches were found to be ineffective and costly. IT operating costs were rising mainly due to lost productivity and increased malware incidents.
In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity.
Highlights
- 98% are maintaining or increasing resources devoted to cyber security
- 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur
- Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners
Meraj Ahmad - Information security in a borderless worldnooralmousa
The document discusses information security challenges in today's borderless world of increased mobile and cloud computing use. It notes that while organizations recognize new risks from these technologies, many are not adjusting policies or security awareness accordingly. The presentation recommends that organizations establish comprehensive risk management programs, conduct risk assessments, take an information-centric view of security, and increase security controls, awareness and outsourcing to address risks from mobile, cloud and social media use. It also provides a framework to transform security programs to better protect important data and enable business needs.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
The document discusses strategies for preventing and protecting against data breaches. It notes that the number of data breaches reached a record high in 2014, with nearly 1 million new malware threats daily. While complete security is impossible, businesses must adapt through cost-effective security solutions. The document recommends asking what is currently being done to prevent breaches, what limitations exist, and how data/systems protection is validated. It advocates layered prevention and protection strategies, including regular security assessments to identify vulnerabilities, encryption of sensitive data, effective backups that facilitate rapid recovery, and ensuring basic tasks like patch and antivirus management are properly performed.
Ponemon Institute Data Breaches and Sensitive Data RiskFiona Lew
This document summarizes the results of a survey of 432 IT and security professionals about data breaches and sensitive data risks. Key findings include:
- The top concerns are not knowing where sensitive data is located and not knowing the data risk. A data breach is also the top security risk.
- Few respondents know the risk level of structured, unstructured, cloud, or big data, and data breach risks are seen as increasing.
- Companies use automated and classification tools to discover sensitive data and assess risk, but what is tracked is uncertain.
- Emerging trends like mobility and the "consumerization of IT" will most influence future security decision-making.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
2015 Scalar Security Study Executive Summarypatmisasi
The document summarizes a study on the cyber security readiness of Canadian organizations. It finds that only 41% of respondents believe they are winning the cyber war due to challenges like lack of in-house expertise. Organizations experience an average of 34 cyber attacks per year, with almost half involving sensitive information loss. High-performing organizations that invest more in cyber security (12% of IT budget vs 8% for low performers) are better prepared to mitigate risks and experienced fewer attacks involving information loss (38% vs 53%). The practices of high performers can help organizations improve cyber security effectiveness.
In January-February 2016, the EIU, surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
http://tatainteractive.com/ - A comprehensive cyber security-training program in an organization needs to be multi-tiered and nuanced to be effective. Tata Interactive Systems cybersecurity training curriculum leverages games and simulations to improve the profile of your business. It is also ideal for students who are currently working full-time and are aspiring cybersecurity professionals. TIS can help you to learn more, please visit!
Material de apoyo Un replanteamiento masivo de la seguridad.Universidad Cenfotec
Material de apoyo en la presentación: Un replanteamiento masivo de la seguridad.
Mejores prácticas para el aseguramiento de identidades
Charla por Centrify, del Ing. Alvaro Ucrós en desayuno organizado por UCenfotec
The survey of 250 cybersecurity professionals attending the 2016 Black Hat conference found that concerns about major data breaches are increasing. Nearly three-quarters felt a breach at their organization in the next year was likely, up slightly from 2015. Respondents also reported shortages in security staff, budget, and training, making it difficult to address emerging threats like phishing and targeted attacks. The survey highlights how cybersecurity risks are rising as resource constraints grow.
This document provides a first quarter status update on the Cross-Agency Priority Goal for Cybersecurity. The goal aims to achieve 95% implementation of priority cybersecurity capabilities like strong authentication, Trusted Internet Connections, and continuous monitoring across executive branch agencies by the end of FY2014. The goal is led by J. Michael Daniel and uses the Federal Information Security Management Act reporting structure to measure agency progress. The strategy focuses on accountability from agency leadership and coordination across stakeholders to implement the priority capabilities.
Assessing and Managing IT Security RisksChris Ross
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
The past few years have seen an explosion of cyber attacks, and with the 2015 OPM breaches underscoring the vulnerability of government data, agencies are racing to implement proactive, holistic cybersecurity measures. In order to measure changing federal perceptions and experiences regarding the present threat landscape, Government Business Council (GBC) and Dell conducted an in-depth research survey as a follow-up to a previous June 2014 GBC study.
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011Lumension
The State of Endpoint Risk 2011 study, conducted by the Ponemon Institute, has been published. Learn the latest endpoint protection best practices that can assist in your 2011 security planning, including:
• Increasingly sophisticated malware and the associated costs
• The top 5 applications that concern IT the most
• Third-party and Web 2.0 application usage policies and the importance of security awareness training programs
• Effective methods to communicate with senior management on evolving endpoint risk and its impact to the business
• Technologies that effectively prevent targeted malware and cyber attacks
Most tech and healthcare executives surveyed viewed cyber attacks as a serious threat to their business and data. While over half were moderately confident in their own security, far fewer were confident in their partners' security. In response, 98% of companies are maintaining or increasing cybersecurity resources, focusing more on response than prevention. Over half of companies now offer cybersecurity as part of their products and services. Increased media coverage has heightened awareness of cyber threats for many executives.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Current endpoint security approaches were found to be ineffective and costly. IT operating costs were rising mainly due to lost productivity and increased malware incidents.
In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity.
Highlights
- 98% are maintaining or increasing resources devoted to cyber security
- 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur
- Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners
Meraj Ahmad - Information security in a borderless worldnooralmousa
The document discusses information security challenges in today's borderless world of increased mobile and cloud computing use. It notes that while organizations recognize new risks from these technologies, many are not adjusting policies or security awareness accordingly. The presentation recommends that organizations establish comprehensive risk management programs, conduct risk assessments, take an information-centric view of security, and increase security controls, awareness and outsourcing to address risks from mobile, cloud and social media use. It also provides a framework to transform security programs to better protect important data and enable business needs.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
The document discusses strategies for preventing and protecting against data breaches. It notes that the number of data breaches reached a record high in 2014, with nearly 1 million new malware threats daily. While complete security is impossible, businesses must adapt through cost-effective security solutions. The document recommends asking what is currently being done to prevent breaches, what limitations exist, and how data/systems protection is validated. It advocates layered prevention and protection strategies, including regular security assessments to identify vulnerabilities, encryption of sensitive data, effective backups that facilitate rapid recovery, and ensuring basic tasks like patch and antivirus management are properly performed.
Ponemon Institute Data Breaches and Sensitive Data RiskFiona Lew
This document summarizes the results of a survey of 432 IT and security professionals about data breaches and sensitive data risks. Key findings include:
- The top concerns are not knowing where sensitive data is located and not knowing the data risk. A data breach is also the top security risk.
- Few respondents know the risk level of structured, unstructured, cloud, or big data, and data breach risks are seen as increasing.
- Companies use automated and classification tools to discover sensitive data and assess risk, but what is tracked is uncertain.
- Emerging trends like mobility and the "consumerization of IT" will most influence future security decision-making.
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
2015 Scalar Security Study Executive Summarypatmisasi
The document summarizes a study on the cyber security readiness of Canadian organizations. It finds that only 41% of respondents believe they are winning the cyber war due to challenges like lack of in-house expertise. Organizations experience an average of 34 cyber attacks per year, with almost half involving sensitive information loss. High-performing organizations that invest more in cyber security (12% of IT budget vs 8% for low performers) are better prepared to mitigate risks and experienced fewer attacks involving information loss (38% vs 53%). The practices of high performers can help organizations improve cyber security effectiveness.
In January-February 2016, the EIU, surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
http://tatainteractive.com/ - A comprehensive cyber security-training program in an organization needs to be multi-tiered and nuanced to be effective. Tata Interactive Systems cybersecurity training curriculum leverages games and simulations to improve the profile of your business. It is also ideal for students who are currently working full-time and are aspiring cybersecurity professionals. TIS can help you to learn more, please visit!
Material de apoyo Un replanteamiento masivo de la seguridad.Universidad Cenfotec
Material de apoyo en la presentación: Un replanteamiento masivo de la seguridad.
Mejores prácticas para el aseguramiento de identidades
Charla por Centrify, del Ing. Alvaro Ucrós en desayuno organizado por UCenfotec
The survey of 250 cybersecurity professionals attending the 2016 Black Hat conference found that concerns about major data breaches are increasing. Nearly three-quarters felt a breach at their organization in the next year was likely, up slightly from 2015. Respondents also reported shortages in security staff, budget, and training, making it difficult to address emerging threats like phishing and targeted attacks. The survey highlights how cybersecurity risks are rising as resource constraints grow.
This document provides a first quarter status update on the Cross-Agency Priority Goal for Cybersecurity. The goal aims to achieve 95% implementation of priority cybersecurity capabilities like strong authentication, Trusted Internet Connections, and continuous monitoring across executive branch agencies by the end of FY2014. The goal is led by J. Michael Daniel and uses the Federal Information Security Management Act reporting structure to measure agency progress. The strategy focuses on accountability from agency leadership and coordination across stakeholders to implement the priority capabilities.
The burgeoning mobile enterprise brings opportunities as well as risks. Organizations are expanding beyond email to mobilizing a wide range of enterprise apps for tasks like workflow, business intelligence, sales, and customer support. They aim to support a mix of corporate and employee-owned devices through BYOD programs. This allows greater flexibility and choice for employees while improving productivity and business value through faster access to information and more agile, collaborative workflows. However, the use of consumer devices and expanding mobile apps also introduces new security challenges that must be addressed.
Создание национальной системы платежных карт с использованием отечественных HSMSelectedPresentations
VII Уральский форум
Информационная безопасность банков
ТЕМАТИЧЕСКОЕ ЗАСЕДАНИЕ № 1
Банковский фрод
Простов Владимир Михайлович, сотрудник ФСБ России
Источник: http://ural.ib-bank.ru/materials_2015
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
This document summarizes the results of a survey of federal Chief Information Security Officers (CISOs) on the state of cybersecurity from their perspective. Key findings include:
1) CISOs see greater national awareness of cybersecurity issues but still lack sufficient resources to fully address threats.
2) While security tools and training are improving, threats and attacks are also increasing.
3) CISOs face evolving responsibilities beyond technical issues to include management, policy, and political roles.
4) CISOs rely on well-trained staff but need more funding, clear mandates, and operational support from agencies.
This document provides a summary of findings from Hewlett Packard Enterprise's (HPE) annual assessment of the capabilities and maturity of cyber defense organizations. Some key findings include that only 15% of assessed organizations have achieved recommended maturity levels, the median maturity level remains below optimal, and adoption of hybrid infrastructure, staffing models, and automation has increased due to skills shortages and the need to monitor complex IT environments. HPE believes that most organizations should target a maturity level of 3, defined processes, but that truly innovative security operations are moving towards threat hunting, data analytics, and intelligence sharing.
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the
edges of the network even more blurred, and our definitions of data ownership and breach
responsibility continue to evolve. Staffing and training continue to be the foremost challenge
of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures
that require less in-house expertise. As a result, highly skilled security team members can then
be utilized for a more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field
of cyber security. On one hand, it is disheartening to see the continued decline in the maturity
and effectiveness of security operations, while, on the other, I know that we are in the middle
of an exciting and transformative change in our field. You can feel it. We must go where the
data leads us, and we believe that is to widen our definition of security operations to leverage
analytics, data science, Big Data, and shared intelligence to become more effective in protecting
today’s digital enterprise.
Information Security - Hiring Trends and Trends for the Future PDFAlexander Goodwin
The document discusses current trends and future predictions in the information security industry. It notes that information security incidents are increasing in both number and severity. This has led companies to increase spending on information security by over 50% in some sectors. There is currently high demand and a shortage of information security professionals. Salaries for information security roles range from £45,000 to over £200,000 depending on level of experience and role. The document predicts that detected security attacks will continue increasing and that niche information security startups will drive innovation in the industry within the next 5 years.
Etude PwC sécurité de l’information et protection des données (2014)PwC France
The document summarizes the key findings of the 2014 Global State of Information Security Survey conducted by PwC. It finds that while organizations have made improvements in security, they have not kept pace with today's sophisticated adversaries. As a result, many rely on outdated security practices that are ineffective against current threats. The survey also finds that security budgets and detected incidents are increasing, but costs per incident are rising as well. Leaders are more proactive in security and better able to detect and understand incidents. However, more work is still needed to address issues like mobile security, cloud services, and the growing insider threat.
2016 Scalar Security Study Executive Summarypatmisasi
Executive Summary of the 2016 Scalar Security Study. The study examines the cyber security readiness of Canadian organizations and the trends in dealing with growing cyber threats.
We surveyed 650+ IT and IT security practitioners in Canada , and found that organizations are experiencing an average of 40 cyber attacks per year and only 37% of organizations believe they are winning the cyber security war. We looked at average spend, cost of attacks, and technologies that are yielding the highest ROI. We also provide recommendations on how you can benchmark your own security posture and what you can do to improve.
Executive Summary of the 2016 Scalar Security StudyScalar Decisions
Executive Summary of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016/
This document provides information about Module 002 of the course IT 411 - Information Assurance and Security 2. The module aims to examine fundamental computer security techniques and identify potential security issues. It covers topics like cryptography, application security, incident response, risk assessment, and compliance with regulations. The module outlines learning objectives, outcomes, resources, tasks, content items, and assessments. It also includes detailed lessons on topics like the financial impacts of cybercrime, developing a security strategy using the 10 steps approach, techniques for protecting against attacks like examining the perimeter and network segregation, and methods for detecting attacks through logging.
The document summarizes key findings from the Cisco 2015 Annual Security Report. It discusses how exploit kit authors have adapted their techniques in response to law enforcement actions against previous dominant exploit kits. While no single exploit kit has achieved dominance, Angler and Sweet Orange have emerged as particularly sophisticated and dynamic kits. It also notes that exploit kit authors may now view maintaining a mid-level position as a sign of success to avoid detection, and outlines strategies used by Angler, Sweet Orange, and Goon kits to evade security defenses and remain effective over time.
How close is your organization to being breached | Safe SecurityRahul Tyagi
This document discusses the need for organizations to quantify their digital business risk and cybersecurity posture using mathematical models. It introduces SAFE, a unique method developed by MIT researchers to measure an organization's cyber risk using a Bayesian network and machine learning. SAFE analyzes data from various sources to provide a breach likelihood score between 0-5, indicating how likely a breach is in the next 12 months. It also demonstrates how SAFE could have helped detect and prevent a recent ransomware attack on a large shipping company.
The 2010 IOUG Data Security Survey was conducted by Unisphere Research and sponsored by Oracle. It surveyed 430 members of the Independent Oracle Users Group on data security practices. The survey found that fewer than 30% encrypt personally identifiable information in databases, and close to 40% send unprotected or unsurely protected live data to external parties. Also, over 75% cannot prevent privileged users from accessing application data, and almost two-thirds cannot detect privileged user abuse. Overall, two-thirds expect or are unsure about a security incident in the next year. The survey assessed data privacy, access controls, activity monitoring, and operational security at respondents' organizations.
This document provides an overview and summary of CompTIA's 10th Annual Information Security Trends research report. It discusses the objectives of the research study which included tracking changes in security practices over time, gaining insights into security issues related to emerging technologies, and understanding the role of the IT channel in cybersecurity. The research involved quantitative online surveys of over 500 IT and business executives and over 300 IT firm executives. Key findings included that information security remains a high priority, global security spending is growing significantly, demand for security professionals exceeds supply, and human error is often the cause of security breaches.
The document discusses the findings of a global survey on IT security risks conducted by Kaspersky Lab. Some key findings include:
- IT security is the top concern for businesses and almost half see cyber threats as a top emerging risk.
- The most common external threat experienced by companies is malware.
- Companies are cautious of new technologies like cloud computing and mobile devices.
- Most companies take measures like anti-malware protection but many feel more investment is needed in IT security.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
HBR - Zurich - FERMAZ - PRIMO Cyber Risks ReportFERMA
This document summarizes the key findings of a survey on cyber risk conducted by Harvard Business Review Analytic Services and sponsored by Zurich Insurance Group. Some of the main points:
- More than 3/4 of respondents said information security and privacy have become more significant concerns in the past 3 years.
- The top concerns were malware/viruses, administrative errors, data provider incidents, and malicious employee activity.
- Legal liability from data breaches was also a major concern, with costs of litigation and regulatory fines among the top worries.
- While many companies have improved security practices like IT updates and employee training, over 20% said their security budgets were inadequate and awareness has yet to penetrate all levels
Under cyber attack: EY's Global information security survey 2013EY
This document summarizes the key findings from a survey of over 1,900 organizations on cybersecurity threats and responses. Some of the main points include:
- Many organizations have improved their cybersecurity programs but still have work to do to address evolving threats. Top priorities include business continuity, cyber risks, and data protection.
- Budgets for cybersecurity are increasing for 43% of organizations, but information security professionals still feel budgets are insufficient.
- Focus is shifting from basic security operations to improving and innovating programs. However, skilled resources and executive support still lag behind needs.
- Around half of organizations now align their security strategy with business and IT strategies, showing increased understanding of security's importance.
The document discusses improvements organizations have made to address cyber threats, but also areas that still need work. It finds that many organizations now recognize the extent of cyber threats, with 76% owning information security policies at the highest level. 70% conduct security assessments of third parties accessing their data. However, the document notes that while improvements have been made, organizations need to do more quickly to address increasing cyber risks. Leading practices and innovation are needed to better protect against known and unknown future threats.
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
Learn how cognitive security may be a powerful tool in addressing challenges security professionals face.
New capabilities for a
challenging era
Security leaders are working to address three gaps
in their current capabilities
—
in intelligence, speed
and accuracy. Some organizations are beginning to
explore the potential of cognitive security solutions
to address these gaps and get ahead of their risks
and threats. There are high expectations for this
technology. Fifty-seven percent of the security
leaders we surveyed believe that it can significantly
slow the ef forts of cybercriminals. The 22 percent of
respondents who we call “Primed” have started their
journey into the cognitive era of cybersecurity
—
they
believe they have the familiarity, the maturity and the
resources they need. To begin the journey, it is
important to explore your weaknesses, determine
how you want to augment your capabilities with
cognitive solutions and think about building education
and investment plans for your stakeholders.
Similar to Prof m01-2013 global information security workforce study - final (20)
Об угрозах информационной безопасности, актуальных для разработчика СЗИSelectedPresentations
Качалин Алексей Игоревич, эксперт МОО «АЗИ»
IV Форум АЗИ
«Актуальные вопросы информационной безопасности России»
г. Москва, Конгресс-Центр МТУСИ, 14 апреля 2015 года
This document provides an overview of cyberespionage and international cyber operations as weapons. It defines key terms, gives a brief history of cyberespionage dating back to the 1980s, describes the anatomy of a typical cyberespionage attack, discusses implications for nation-state policy, and outlines what individuals should do to protect themselves. The presenter is Mark Russinovich, author of Zero Day and Trojan Horse, speaking at an intermediate-level conference session.
This document summarizes the plateau effect through 7 elements: 1) immunity to interventions over time, 2) greed leading to local optima, 3) bad timing of interventions, 4) flow issues in automated systems, 5) distorted data obscuring real risks, 6) distraction reducing performance, and 7) failing slowly over many small incremental changes. The document provides examples and studies to illustrate each element and argues that understanding the plateau effect is important to causing meaningful long-term change.
This document discusses the challenges facing the IT security industry in an era of increasing cyberwarfare and sophisticated cyberattacks. It outlines the major sources of attacks, including criminals, hacktivists, and government agencies. It also describes the motivations behind attacks, such as financial gain or political sabotage. Additionally, it examines some of the key attributes of cyberweapons like attribution difficulty and the ease of developing attacks. The document analyzes high-profile past attacks and the anatomy of how such targeted strikes are carried out. It also discusses approaches for protecting against sophisticated targeted attacks through technologies, policies, and international cooperation. Finally, it notes how the threats and attackers have evolved over time, posing new challenges for the IT security industry.
Stuart McClure, CEO of Cylance Inc., gave a presentation on securing embedded systems and devices. He began by noting the vast number of embedded systems worldwide that were designed without security. He then demonstrated live hacks against a Samsung smart TV, a Tridium building management system, and an electronic lockbox. To conclude, he discussed countermeasures organizations can implement to prevent attacks on embedded systems, such as disabling unnecessary ports, patching vulnerabilities, restricting physical and remote access, and using firewalls, IDS systems and encryption.
This document contains information about an experimental session. The session ID is EXP-W23 and it has been classified for general interest. No other details are provided about the topics, participants, or objectives of the experimental session.
The document discusses several emerging cyber threats including the increasing militarization of cyber space by governments, the rise of offensive forensics techniques and purposeful misattribution of attacks, and computer attacks that can result in kinetic impacts in the real world by targeting industrial control and critical infrastructure systems. It also describes the CyberCity project, which is a miniature simulated city that security experts can use to visualize how cyber attacks can achieve kinetic effects. The document uses a case study to illustrate how an actual power grid attack may have progressed by exploiting vulnerabilities across different systems and networks.
This document summarizes a presentation on adapting security strategies as control is lost over IT systems. It discusses how virtualization, cloud computing, and increased mobility have reduced administrative control. It defines the "Control Quotient" as optimizing security controls within one's sphere of control. Examples show how control has shifted between users, customers and providers in cloud models. The presentation argues that security must focus on controls that can still be influenced rather than what is lost.
Organizations are increasingly reliant on third-party IT services like cloud computing and data backup. Unless security requirements are documented and communicated, there is little assurance these needs will be met. Developing effective cybersecurity service level agreements (SLAs) through a process of identifying requirements, developing performance measures, monitoring compliance, and using results to make changes can help manage this risk.
The document discusses tensions between user demands for easy access and sharing of data from any device versus enterprise needs to secure confidential data, support auditing and compliance, and integrate new technologies with existing enterprise systems. User demands include wanting to sync and access data from any device anytime, wanting to easily collaborate and share data with anyone, and wanting technology that "just works" and is easy to use. However, enterprises need to ensure confidential data is kept secure and controlled, support audit and compliance requirements, and integrate new technologies with existing enterprise portals and systems and their workflows.
Prof m01-2013 global information security workforce study - final
1. 50 Years of Growth, Innovation and Leadership
Prepared by
Michael Suby
Global Program Director
Information Security
www.frost.com
A Frost & Sullivan Market Study in Partnership with:
The 2013 (ISC)2
Global Information SecurityWorkforce Study
2. Frost & Sullivan
CONTENTS
Executive Summary................................................................................................................ 3
Survey Objective and Methodology...................................................................................... 4
SecurityThreats andVulnerabilities, Implications, and State of Readiness....................... 6
People are a KeyTool in Information Security..................................................................... 10
Need and Budget for the Right Information Security Professionals................................. 12
Skills....................................................................................................................................... 13
Certification.......................................................................................................................... 14
Affiliations.............................................................................................................................. 15
Information Security is a Rewarding and Resilient Profession........................................... 15
Secure Software Development: Essential but Under-Supported....................................... 19
Security Implications of BYOD, Cloud Computing, and Social Media............................... 21
BYOD..................................................................................................................................... 22
Cloud Computing.................................................................................................................. 23
Social Media.......................................................................................................................... 25
The Last Word......................................................................................................................... 26
3. The Dynamically Stable Information Security Career
3Frost.com
Executive Summary
The information security profession, in addition to being a large and growing field, is a
barometer of economic health and the changing nature of how business is being conducted.
Information security professionals are critical guardians in the protection of networked
operations and informational assets. Growth in this profession is a testament to the need
for their expertise and also a signal that global economic activity is advancing. Furthermore,
changes in information technology (IT) and evolving IT norms on how, when, and where
business operations occur—such as BYOD, cloud computing, and social media—remind us
that information security professionals must be highly adaptable in learning and applying new
skills, technologies, and procedures in order to manage a dynamic range of risks. Not to be
overlooked, hackers, attackers, and other threatening entities are also advancing and evolving.
Change and complexity in IT and IT norms represent new opportunities for them to succeed
in their nefarious pursuits. Consequently,information security professionals have no downtime;
there are always new risk management challenges to address.
It is against this backdrop that (ISC)2
, in partnership with Booz Allen Hamilton, with the
assistance of Frost & Sullivan, conducted its sixth bi-annual worldwide survey of information
security professionals.1
This Web-based survey conducted in the fourth quarter of 2012 was
both broad in scope (more than 12,000 respondents, a 19 percent increase over the 2011
survey) and deep in its queries. In addition to producing a rich profile of this profession and its
dedication to continuous training and education, this year’s survey intensified its focus on the
risk and response to BYOD, cloud computing, and social media. Secure software development,
touched on lightly in previous surveys, also garnered expanded focus in the 2013 survey. This
was done in recognition that software applications are increasingly under attack.Without a
corresponding response by security professionals and the technology vendors that support
them, this “soft” underbelly of business and governmental entities has and will continue to be
exposed with serious consequences—data breaches,disrupted operations,lost business,brand
damage, and regulatory fines. Secure software development, more than any other
discipline, is where the largest gap between risk and response attention by the
information security profession exists. Other notable survey findings include:
• Information security is a stable and growing profession – Information security
professionals are very stable in their employment; more than 80 percent had no change in
employer or employment in the past year, and the number of professionals is projected to
continuously grow more than 11 percent annually over the next five years.
• (ISC)2
membership and location drive higher salaries – The salary gap between
(ISC)2
members and non-members is widening. Comparatively on a regional basis, 79
percent of information security professionals in developed countries in the Americas have
average salaries of US$80,000 or more, whereas only 12 percent of respondents located
in APAC developing countries do.
1
Founded in 1989, (ISC)2®
is a not-for-profit global operating organization dedicated to providing education,
certification, and peer-networking opportunities for information security professionals throughout their careers.
4. Frost & Sullivan
4 Frost.com
• Even with past annual growth in the double-digits, workforce shortages persist –
Fifty-six percent of respondents believe there is a workforce shortage, compared to two
percent that believe there is a surplus. The impact of shortage is the greatest on the
existing workforce.
• Knowledge and certification of knowledge weigh heavily in job placement
and advancement – Broad understanding of the security field was the #1 factor in
contributing to career success; followed by communication skills. Nearly 70 percent view
certification as a reliable indicator of competency.
• Application vulnerabilities rank the highest in security concern – Malware
and mobile device are close seconds. Mitigating the risk from these and other security
concerns to the organization’s reputation is the highest priority.
• While attack remediation is anticipated to be rapid, security incident
preparedness is exhibiting signs of strain – Twenty-eight percent believe their
organizations can remediate from a targeted attack within one day. Yet, with regard
to being prepared for a security incident, a doubling of the percentage of 2013 survey
respondents believe their preparedness has worsened compared to the respondents in
the 2011 survey.
• Information security professionals trump products in securing infrastructure
effectiveness – In a ranking of importance in securing infrastructure, software and
hardware solutions rank behind the effectiveness of information security professionals.
• Security concern is high for BYOD and cloud computing – Protecting sensitive
information contributes to the security concern noted in both of these IT trends. Security
concern with social media is significantly lower than in 2011 as organizations leverage existing
security technologies and policy mechanisms to manage this communication channel.
• New skills, deepening knowledge, and a wider range of technologies needed –
A multi-disciplinary approach is required to address the risks in BYOD and cloud computing.
With cloud computing, organizations balance the type of cloud environment with their
level of acceptable risk and ability to control risk. For example, with security concern
regarding cloud computing being high, private clouds, where the customer has greater
control in security risk management, are chosen more frequently than public clouds.
Survey Objective and Methodology
The 2013 Global Information Security Workforce Study (GISWS) was conducted in
September-December of 2012 through a Web-based survey, approximately 25 minutes in
length. The study’s objective is to gauge the opinions of information security professionals
regarding trends and issues affecting their profession and careers. Designed to capture
expansive viewpoints and produce statistically significant results, a total of 12,396 surveys of
qualified information security professionals were collected.The diversity of survey respondents
is reflected in the survey respondent profiles shown on the next page.
5. The Dynamically Stable Information Security Career
5Frost.com
Respondents by Membership Respondents by JobTitle
Respondents by IndustryVertical
Respondents by Company Size
(Number of Employees)
Respondents by Region
Europe
21%
North America
57%
10,000 or more
43%
2,500-9,999
17% 500-2,499
15%
1-499
25%
Rest of
the World
11%
Asia
11%
Professional &
Personal Services
21%
Banking, Insurance,
& Finance
17%
Information
Technology
13%
Gov’t
Non-Defense
11%
Gov’t
Defense
10%
Other Private
Enterprise
12%
Non-Members
32%
(ISC)2
Members
68%
Security Analysts
& All Other
34%
Architects, Strategists,
& Strategic Advisors
32%
Auditors
7%
Managers
13%
C-Levels &
Officers
14%
Telecom &
Media
7%
Manufacturing
5%
Healthcare
4%
6. Frost & Sullivan
6 Frost.com
SecurityThreats andVulnerabilities, Implications and State
of Readiness
As reported in previous GISWS surveys, there is no lack of diversity in the threats and
vulnerabilities information security professionals are tackling—and concerned about. All of the
12 threats and vulnerabilities presented in the survey were selected as top or high concerns for
36 percent or more of the survey respondents. At the top of the list,application vulnerabilities,
malware, and mobile devices were each identified as a top or high concern by two-thirds or
more of the respondents.
THREAT AND VULNERABILITY CONCERNS
(TOP AND HIGH CONCERNS)
State Sponsored Acts
Organized Crime
Trusted Third Parties
Hacktivists
Contractors
Cyber Terrorism
Cloud-based Services
Hackers
Internal Employees
Mobile Devices
Malware
Application Vulnerabilities
36%
36%
39%
43%
43%
44%
49%
56%
56%
66%
67%
69%
Greater examination of Bring Your Own Device (BYOD), including mobile devices, cloud
computing, and social media, and their security implications and how information security
professionals are responding, is included later in this paper. Secure software development, the
upfront means to lessen application vulnerabilities, will also be examined later in this paper.
Focusing deeper into the responses on threats and vulnerabilities reveals that concern
severity varies.
• Some perspectives change over time – Comparing this year’s survey to the 2011
results, the level of concern is fairly stable. However, there was a notable increase in
cloud-based services. Compared to the 49 percent of respondents that view cloud-based
services as either a top or high security concern in the 2013 survey, 43 percent viewed
it as a top or high security concern in the 2011 survey. We believe this increase follows
the increased adoption of cloud-based services over the two-year period since the last
survey, combined with the resilient security concerns, real and perceived, associated with
cloud-based services.
• C-levels and officers rated nearly all threat and vulnerability categories
higher than respondents in other job titles – This was most notable in application
vulnerabilities and mobile device security.Top or high concern was selected by 72 percent
of C-levels and officers for application vulnerabilities and 70 percent for mobile devices.
• Size and anxiety is correlated – In all threat and vulnerability categories, the average
level of concern increased as company size increased. Perhaps the bigger the company is,
the more resources it devotes to examining these threats and through that examination,
gains a more comprehensive and realistic appreciation of risk and risk implications.Also,
7. The Dynamically Stable Information Security Career
7Frost.com
from the“greatest gain for the effort mentality,” larger companies represent more lucrative
targets for attackers and hackers, thus contributing to a higher level of concern among
large company respondents.
• Vertical equates to variability – The nature of a company’s business and operations
also has implications on being a target and with that, variation in concern. No surprise,
respondents in the banking, insurance, and finance verticals, with their possession and
use of valuable and exploitable personally identifiable and financial information, view
the threats posed by hackers, hacktivists, and organized crime higher than the majority
of other verticals. Government respondents, also not a surprise, view the threat of
state-sponsored acts and cyber terrorism as a greater security concern (i.e., choosing top
or high concern) over private enterprises by more than 20 percentage points in each of
these threat categories.
• Developing countries express higher level of concern – Survey respondents located
in developing countries state a higher level of concern for a majority of the threat and
vulnerability categories versus respondents in developed countries. Directly contributing
to this is that information security investments in developing countries are historically
less than the global average. This is reflected in the lower level of security certifications in
developing versus developed countries. For example, with the most popular certification
chosen by survey respondents—Certified Information Systems Security Professional
(CISSP®
)—only 42 percent of the survey respondents located in developing countries
(members and non-members combined) had acquired and maintained this certification,
versus 71 percent of respondents located in developed countries.2
Threats and vulnerabilities have implications—attackers are successful and vulnerabilities are
exploited. To that point, the survey asked respondents to rank their organizations’ priorities:
In other words, what needs to be avoided? As shown, damage to the organization’s reputation,
breach of laws and regulations, and service downtime represent the top three to-be-avoided
outcomes. Also noteworthy is the high percentage of top-priority selections. For example,
49 percent of all survey respondents rated damage to the organization’s reputation as a
top priority. In fact, five of the nine categories received a top-priority rating by more than
one-third of the survey respondents. Conclusion: the “protect and secure” activities of
information security professionals are strongly aligned with many high priorities
of their organizations.
ORGANIZATIONS’ PRIORITIES
(TOP AND HIGH)
Lawsuits
Reduced shareholder value
Health and safety
Theft of intellectual property
Customer identity theft or fraud
Customer privacy violations
Service downtime
Breach of laws and regulations
Damage to the organization's reputation
47%
49%
57%
58%
66%
71%
74%
75%
83%
8. Frost & Sullivan
8 Frost.com
Perhaps an indication of information security professionals’ improving ability to allay a subset
of outcomes, the percent of respondents in the 2013 survey selecting top or high concern
for service downtime, customer privacy violations, theft of intellectual property, and lawsuits
was down 3-5 percentage points from the 2011 survey for these categories.These reductions
notwithstanding, these categories remain high priority.
Notable variation in priority ratings among job titles, company sizes, and verticals are:
• Auditors’ aim is clear – In keeping with the role of auditor, survey respondents that
chose this job title prioritize breach of laws and regulations higher than all other job titles.
Also aligned with their roles, managers and security analysts placed a higher priority on
service downtime than the other job titles.
• Priority rises with company size – Like security concerns, priority ratings rose with
company size.
• Top priority varies among verticals, logically – Sixty-three percent of banking,
insurance, and finance respondents selected damage to the organization’s reputation as
top priority. In healthcare, 59 percent chose customer privacy violations as top priority.
Fifty-seven percent of construction respondents chose health and safety as a top priority,
and 50 percent of telecom & media respondents view service downtime as top priority.
With a diversity of threats and vulnerabilities to be concerned with and the need to avoid a
range of undesirable outcomes, it is logical to ask about preparedness. In a repeat of the 2011
survey, the 2013 survey requested the respondents judge their change in readiness relative
to 12 months earlier (perform better, worse, or same). The results for both surveys are
summarized in the following table.
Percent of Respondent
Performance Relative to 12 months Earlier
Better Worse Same
Being prepared for
a security incident
2013 survey: 41% 2013 survey: 6% 2013 survey: 53%
2011 survey: 55% 2011 survey: 3% 2011 survey: 43%
Discovering a
security breach
2013 survey: 40% 2013 survey: 6% 2013 survey: 54%
2011 survey: 50% 2011 survey: 3% 2011 survey: 47%
Recovering from a
security incident
2013 survey: 39% 2013 survey: 6% 2013 survey: 55%
2011 survey: 49% 2011 survey: 3% 2011 survey: 48%
While the majority of respondents believe that their organizations would perform better or
the same relative to 12 months earlier, there was a 10-point or more decline in the percent
of respondents believing they would perform better in the 2013 survey compared to the
2011 survey. Not as significant, but equally disconcerting about improvement in the state
2
The percent of survey respondents with certifications other than CISSP (e.g.,ITIL,CISA,and Security+) was materially lower,
and the difference between developed and developing countries was less (10 percentage points difference or less).
9. The Dynamically Stable Information Security Career
9Frost.com
of readiness, twice the percentage of respondents in the 2013 survey view their readiness
has worsened in the past year as did respondents in the 2011 survey. As an indication
that membership really matters, the survey-over-survey decline in the percent
of respondents selecting “better,” and increase in selecting “worse,” was not as
profound with member respondents compared to non-member respondents.
Other noteworthy observations from the 2013 survey on these readiness categories include:
• C-levels and the rank-and-file differ – Respondents with C-level and officer job titles
were decidedly more optimistic on readiness; they chose “perform better” by a greater
percentage than respondents in all other job title categories.
• Largest companies more optimistic – In all three categories of readiness, a greater
percentage of the largest companies (10,000 employees or more) viewed that their readiness
had improved versus smaller companies. Reflecting the correlation between readiness and
training,and smaller companies being less optimistic on their readiness than large companies,
a greater percent of survey respondents in companies with 2,500 or fewer employees than
larger companies indicated spending on training and education increased in the past 12
months and is expected to increase over the next 12 months as well.
• Battle-tested banking, finance, and insurance verticals confident they are
turning the tide – Respondents in these industries chose “perform better” to a greater
extent than all other verticals in all three categories. Conversely, the respondents in the
less battle-tested utilities vertical chose “perform worse” to a greater extent than any
other vertical.
Another survey question focused on readiness is how quickly damage from a targeted attack
would be remediated. Slightly more than two-thirds of the respondents project that they could
remediate the damage from a targeted attack within a week or less.Yet,there is also a material
portion of the respondents that are unsure how long damage remediation might take.
Time to Remediate from aTargeted Attack
• As typical, C-levels voiced greater assurance on their organizations’
readiness – C-levels and officers chose “within one day” or “don’t know” less than
respondents with job titles farther down the organizational structure—31 percent and
10 percent, respectively.
Within
a day
28%
Don’t
know
15%
Within
a week
41%
Within two
to three weeks
9%
Within a month
4%
Longer than a month
3%
10. Frost & Sullivan
10 Frost.com
• Smallness advantage –With a less diverse and smaller spread of operations,31 percent
of small companies (less than 500 employees) believe they can remediate in one day
and 44 percent within a week. This is a faster expectation than very large companies
(10,000 or more employees)—28 percent and 39 percent, respectively. Also, respondents
in very large organizations chose“don’t know” to a greater extent (18 percent) than small
companies (12 percent).
• Experience advantage – Banking, insurance, and finance verticals, plus the info tech
vertical, believe they can respond faster than other industries; 34 percent and 32 percent
of respondents in those verticals, respectively, predicted within one day to remediate.
Potentially due to highly distributed operations, respondents in the retail & wholesale and
construction verticals chose “don’t know” at higher levels—19 percent and 20 percent,
respectively. Potentially, a lack of experience in past remediation efforts influenced 20
percent of respondents in the utilities vertical to choose “don’t know.”
People are a KeyTool in Information Security
With the pervasiveness, diversity, and evolution in security threats, information security
professionals use an assortment of tools.Top of the list are human aspects:management
support, qualified staff, and policy adherence, with half or greater of respondents
choosing very important for each. The next four categories also have a human aspect.
Security software and hardware are materially farther down the list of essential tools in
effective security; confirming the viewpoint that the effectiveness of security technologies is
maximized only when the trained human element is actively incorporated.
IMPORTANCE IN SECURING INFRASTRUCTURE
(VERY IMPORTANT AND IMPORTANT)
Hardware solutions
Software solutions
Secure software development
Having access to executive management
Budget allocated for security
Training of staff on security policy
Adherence to security policy
Qualified security staff
Management support of security policies
53%
61%
68%
68%
80%
83%
86%
88%
89%
Other observations include:
• Compared to the 2011 survey, the average importance ratings were essentially unchanged
in the 2013 survey.
• C-levels and officers indicated a higher importance on access to executives than
respondents in other job titles, indicating that these respondents believe their greatest
influence occurs at their peer level.
11. The Dynamically Stable Information Security Career
11Frost.com
• As organization size increases, importance on human assets increases, whereas the
importance of hardware and software is even across company sizes.
• Across industry verticals, respondents in the government place higher importance on
hardware and software solutions than the companies in the private sector.
• Secure software development is viewed as more important by banking,finance,
and insurance;info tech;retail and wholesale;and telecom and media verticals.
Concentrating on select security technologies that provide significant improvement in system
and network security (those that garnered more than 10 percent of respondent selection),
two technologies were highlighted by the survey respondents for their capabilities: network
monitoring & intelligence, and intrusion detection & prevention.
TECHNOLOGIES THAT SIGNIFICANTLY
IMPROVE SYSTEM AND NETWORK SECURITY
Automated identity management software
Policy management and audit tools
Web security applications
Improved intrusion detection
and prevention technologies
Network monitoring and intelligence
45%
54%
55%
72%
75%
Other perspectives are:
• Aside from the technologies shown, no other selectable technology in the survey gained
more than one percent of survey respondents’ votes. Other selectable technologies
included: authentication, network access control (NAC), and security incident and event
monitoring (SIEM).
• There was no tangible difference in selection frequency by company size or job title.
• Owing to the public-facing attribute of their businesses,Web security applications had the
greatest frequency of votes by the banking,finance,and insurance;education;info tech;and
retail and wholesale verticals. Healthcare respondents selected policy management and
auditing tools in greater numbers than respondents in other verticals.
12. Frost & Sullivan
12 Frost.com
Need and Budget forthe Right Information
Security Professionals
With security staff viewed as critical in importance, it is equally important to understand the
acuteness of need, organizations’ ability to fund staff expansion and improvement, and the
sought-after attributes of information security professionals.
The need is present
• Very few respondents view their security organizations as being over-staffed.
Nearly one-third of respondents believe they have the right number of staff,but more than
50 percent believe staff expansion is justified.
• The good news is that two-thirds of C-levels, those with the greatest budgetary influence,
view their security organizations as being too few in numbers.
• More midsize companies’ (500-2,499 employees) respondents view their organizations as
understaffed versus smaller and larger size companies.
• Across industries, a greater percentage of respondents in education, healthcare,
manufacturing, and retail & wholesale verticals believe they are understaffed.
DoesYour Organization Currently Have the Right Number of Information
Security Workers?
The strain of understaffing is felt greatest on the existing security workforce—
greater than the overall organization, security breaches, and customers.
The reasons for an inability to bridge the need for additional information security
workers are fueled by three factors: business conditions, executives not fully
understanding the need, and an inability to locate appropriate information security
professionals. Other reasons provided by respondents—such as economy, lack of funding or
budget, and staffing cuts or layoffs—were volunteered by one percent or less of the respondents.
Across verticals, respondents in info tech view an inability to find qualify personnel as a larger
impediment to staffing than other verticals.When asked which job title experienced the greatest
workforceshortage,securityanalyst(chosenby47percentofrespondents)toppedthelist,followed
by security engineering-planning and design (32 percent),and security auditor (31 percent).
Too Many
2%
The right
number
32%
Don’t
know
10%
Too Few
56%
13. The Dynamically Stable Information Security Career
13Frost.com
IMPACT OF INFORMATION SECURITY WORKFORCE SHORTAGES
(VERY GREAT AND GREAT IMPACTS)
On customers
On security breaches
On the organization overall
On the existing information
security workforce
47%
52%
56%
71%
Budget availability to increase spending is strong
An increase in spending is predicted by nearly one-third of survey respondents in personnel,
training and education, and hardware and software. Slightly more than 10 percent, however,
predict a decline. This decline is more prevalent in government (approximately 19 percent
of respondents predicting declines) versus private sector (approximately 10 percent of
respondents predicting declines). More than any other private sector vertical, 35 percent of
respondents in the info tech vertical predict spending increases.
How will information security spending
change over the next 12 months?
Percent of Respondents
Increase Decrease Same
Information security personnel 30% 12% 59%
Training and education 28% 13% 60%
Hardware and software 32% 11% 57%
Slightly more than one-third (34 percent) of C-levels expect their spending on personnel to
increase over the next 12 months.Also, 31 percent of C-levels predict increased spending on
education and training.
Sought-after attributes in information security professionals
When examining the sought-after attributes of information security professionals,
it is not just the skills that are important. Confirmation of those skills (i.e.,
certification) and professionals’ engagement in peer groups (i.e., affiliations) are
also essential. The importance attached to each is examined in this section.
Skills
Across the entire survey, broad understanding of the security field was on top in terms
of importance, followed by communication skills. Technical knowledge, awareness and
understanding of the latest security threats round out the top four.
14. Frost & Sullivan
14 Frost.com
SUCCESS FACTORS OF INFORMATION SECURITY PROFESSIONALS
(IMPORTANT AND VERY IMPORTANT)
Legal knowledge
Project management skills
Business management skills
Leadership skills
Security policy formulation and application
Awareness and understanding
of the latest security threats
Technical knowledge
Communication skills
Broad understanding of the security field
42%
55%
57%
68%
75%
86%
88%
91%
92%
Respondents in the banking, finance, and insurance verticals place a higher emphasis on the
importance of broad understanding than other verticals. Info tech and government-defense
place higher importance on technical knowledge. Healthcare respondents rate communication
skills higher in importance.
Certification
Slightly more than 46 percent of all survey respondents indicated that their
organizations require certification, and among those respondents, 50 percent of
member and 39 percent of non-member indicate certification is a requirement.
Government-defense is most emphatic on this point; 84 percent state certification is required,
and a distant, but still high, second is info tech at 47 percent.
While regulations are a primary driver for certification in government-defense, that is an
anomaly. The private sector overwhelmingly (74 percent) views certification as an indicator of
competency. The correlated quality of work was the second highest reason.
REASONS FOR REQUIRING INFORMATION SECURITY CERTIFICATIONS
Legal/due diligence
Ethical conduct
Continuing education requirement
Customer requirement
Company policy
Company image or reputation
Regulatory requirements (governance)
Quality of work
Employee competence
24%
27%
35%
40%
40%
43%
48%
53%
68%
15. The Dynamically Stable Information Security Career
15Frost.com
Affiliations
When asked about affiliations that matter most in career development and
resiliency,(ISC)2
was rated the highest,no surprise by (ISC)2
members (74 percent
chose extremely critical or critical),but the same is true with non-(ISC)2
members
(51 percent chose extremely critical or critical). SANS and ISACA were ranked the
next two in importance for each survey group.
CAREER CRITICALITY OF SECURITY AFFILIATIONS
(EXTREMELY CRITICAL AND CRITICAL)
CSA Cloud
Security Alliance
IEEE
OWASP
ISACA
SANS
(ISC)2
13%
16%
18%
31%
32%
66%
Information Security is a Rewarding and Resilient Profession
The importance of the information security profession has been clearly articulated in this survey
by the respondents, which does include bias as they have chosen this career. To gain a more
unbiased confirmation of the importance of this profession, the survey asked respondents to
weigh in on the uniform measuring sticks of all careers: salary, change in salary, and job stability.
In terms of salary, the average annual salary across all survey respondents is US$92,835.
As expected, C-levels and officers reported the highest average annual salary at US$106,151.
The respondents in government-defense and healthcare reported the highest average annual
salaries at US$101,246 and US$98,037, respectively.
In comparing average annual salaries for members and non-members between
the 2013 and 2011 surveys, the member average salary is higher, and the salary
gap between members and non-members is widening. Recognizing that many factors
influence salary—job title,location,security certifications,and tenure—a narrower examination
on salary is appropriate.To gain the greatest confidence possible in salary comparisons with the
survey data, we selected the job title and location with the greatest number of respondents:
security analyst located in the U.S. As displayed, U.S.-based security analysts that
are (ISC)2
members, on average, have a higher salary—23 percent greater than
U.S.-based security analysts that are non-members. (see chart on next page)
16. Frost & Sullivan
16 Frost.com
2010
2012
Average Annual Salary
Non-Member Member
Down 3.6%
Up 2.4%
$75,682
$78,494
$101,014
$98,605
0%
10%
20%
30%
40%
$120K&
G
reater
$110K-$119K
$100K
-$109K
$90K
-$99K
$80K
-$89K
$70K
-$79K
$50K
-$69K
<
$50,000
ANNUAL SALARY ($USD)
SECURITY ANALYSTS LOCATED IN THE U.S.
Average Salary
Members: $94,316
Non-Members: $76,957
PercentofRespondents
Member Non-Member
Part of the reason for the higher salaries is tenure; (ISC)2
security analyst members
located in the U.S. averaged 35 percent longer careers than non-members. And, as
shown,tenure distribution is skewed to the right for members.The conclusion from these two
comparison charts between members and non-members is that for one job title in one country,
member professionals sustain a longer career and receive higher rewards (i.e.,pay).We project
that a similar finding would be confirmed with other job titles and locations, provided there is
a sufficient number of respondents to produce statistically significant comparisons.
%0
10%
20%
30%
40%
>2521-2516-2011-156-10<6
TENURE
SECURITY ANALYSTS LOCATED IN THE U.S.
Years in Information Security
PercentofRespondents
Average Tenure
Members: 12.0 years
Non-Members: 8.9 years
Member Non-Member
Salaries of information security professionals have been and continue to be on the rise. In
the table on the next page are the self-reported salary changes recorded in the 2013 and
2011 surveys.
17. The Dynamically Stable Information Security Career
17Frost.com
Salary change in current year?
Percent of Respondents
2013 Survey 2011 Survey
Yes, an increase up to 5% 40% 39%
Yes,an increase between 5% and 10% 12% 14%
Yes, an increase of over 10% 8% 9%
No change in salary or benefits 36% 34%
Received a salary or benefit reduction 4% 4%
There are no notable differences in this distribution of salary changes by either job title or
company size in the 2013 survey. There are, however, differences among the verticals.These
differences provide an indication of which verticals are using salary to retain and reward security
professionals more than other verticals. For example, 11 percent of respondents in the info
tech vertical reported receiving a salary increase of more than 10 percent in 2012. Conversely,
education and government are not rewarding their information security professionals to the
same degree.Forty-four percent and six percent of education respondents reported no change
or reduction in salary, respectively, in 2012. For respondents in government, the results are
similar: 45 percent reported no change and five percent reported a salary reduction.
Another notable comparison in salary differences is across region and developmental stage
of countries (i.e., developed versus developing). The following two charts display salary range
distribution, first for respondents in developed countries and second in developing countries.
DEVELOPED COUNTRIES DEVELOPING COUNTRIES
APAC
EMEA
AMERICAS
13%
6%
7%
5%
46%
23%
4%
9%
50%
8%
16%
14%
2% 4%
4%
67%15%
6%
APAC
EMEA
AMERICAS
32%
2%
5%
13%
23%
24%
19%
6%
17%
23%
20%
15%
15%
19%
17%15%
12%
22%
US$40,000-US$59,000
US$80,000-99,999
US$120,000 or more
Less than US$40,000
US$60,000-79,999
US$100,000-US$119,999
US$40,000-US$59,000
US$80,000-99,999
US$120,000 or more
Less than US$40,000
US$60,000-79,999
US$100,000-US$119,999
These tables on the next page highlight the degree of differences in salary distribution
across geographies. Notable, a far greater percent of information security
professionals located in the Americas command higher salaries than
professionals in other regions.
18. Frost & Sullivan
18 Frost.com
Region
Percent of Respondents with Annual Salaries of US$80,000 or More
In Developed Countries In Developing Countries
Americas 79% 18%
EMEA 54% 21%
APAC 49% 12%
Reversing the table contents and focusing on annual salaries of less than US$40,000,
information security professionals located in developing APAC countries have the
highest proportional representation.
Region
Percent of Respondents with Annual Salaries of Less than US$40,000
In Developed Countries In Developing Countries
Americas 2% 46%
EMEA 6% 50%
APAC 15% 67%
Regarding employment stability, the information security profession is highly resilient. As
shown in the following table, only three percent of respondents reported an
employer change due to layoff or termination consistently in the two surveys.
Change in employer or employment status in current year?
Percent of Respondents
2013 Survey 2011 Survey
No change in employer or employment status 83% 82%
Yes,changed employer while still employed 11% 12%
Yes, changed employer due to layoff or termination 3% 3%
Yes, became self-employed 2% 2%
Yes, became an employee from being self-employed 1% 1%
In terms of the long-term employment picture for information security professionals,
Frost & Sullivan predicts double-digit, year-over-year percentage increases over
the next five years.3
In 2013, Frost & Sullivan predicts global employment of information
security professionals to increase 332,000, ending the year at 3.2 million.
Thousands 2010 2011 2012 2013 2014 2015 2016 2017 2017
CAGR
Americas 921 1,045 1,181 1,331 1,495 1,673 1,867 2,081 12.0%
EMEA 617 704 797 892 995 1,108 1,230 1,363 11.3%
APAC 748 817 894 981 1,079 1,191 1,320 1,463 10.4%
Total 2,283 2,566 2,872 3,204 3,568 3,972 4,416 4,908 11.3%
3
This table reflects Frost & Sullivan’s best estimate and projection of 2010 - 2017 employment of information
security professionals. Professionals in both managerial and operational roles are included. Data from a variety
of sources, including credible secondary sources and internal research was incorporated. This year’s forecast
is slightly less than the employment forecast developed two years ago due to refinement in the forecasting
methodology. Greater emphasis was placed on correlation analysis with Frost & Sullivan’s sizing of global market
expenditures on security products and services, and with regional variations contained in the survey data.
2012-
19. The Dynamically Stable Information Security Career
19Frost.com
Secure Software Development: Essential but
Under-Supported
Application vulnerabilities was the number one security concern for survey respondents.
Closer examination reveals that the secure software development concern
increases with company size, perhaps correlated with the greater amounts of
software development in large companies versus smaller companies that rely
heavily on commercial applications. Also, the importance of secure software
development was rated above software and hardware solutions in securing the
organization’s infrastructure. Here, too, there is variance associated with company size. In
particular, as company size increases, the importance of secure software development relative
to the importance of software and hardware solutions also increases.
Recognizing that software procurement and development involves multiple phases, the level of
security concern may fluctuate among these steps. According to the survey respondents, this
is true but within a fairly narrow range in the pre-installation steps.
SECURITY CONCERNS AT STAGES OF SOFTWARE
PROCUREMENT AND DEVELOPMENT
(TOP AND HIGH)
Installation 46%
Maintenance 50%
Integration 62%
Construction
(i.e., implementation or coding) 61%
Testing, debugging, or validation 65%
Specifying requirements 69%
Design 71%
The risk implications of these concerns are most notable in the proportion of detected security
breaches attributed to insecure software. According to survey respondents,insecure software
was a contributor in approximately one-third of the 60 percent of detected security breaches.
In the other 40 percent of detected breaches, insecure software’s role was uncertain either
because post-breach forensics were inconclusive, or the survey respondents were not privy
to the forensics. Regardless of this uncertainty, along with insecure software’s unquantifiable
attribution in undetected breaches, information security professionals are certain that their
concerns regarding insecure software are justified.
DETECTED SECURITY BREACHES IN THE PAST YEAR
ATTRIBUTABLE TO INSECURE SOFTWARE
75% - 100% 5%
50% - 74% 9%
25% - 49% 13%
Less than 25% 33%
Don't know 40%
20. Frost & Sullivan
20 Frost.com
The next question is, what is being done to mitigate or resolve the risk of insecure
software? This mitigation begins by being involved in software development, procurement,
and outsourcing. According to survey respondents, approximately 50 percent state that
someone other than themselves from their security organizations is engaged in software
development, procurement, and outsourcing. Not so promising of information security
professionals’ involvement is the substantially lower percent personally involved
in software development (12 percent),procurement (20 percent),and outsourcing
(10 percent). Considering the size and comprehensive reach of the GISWS, and the high
level of concern and attributed risk assigned to insecure software, this survey observation is
one signal that a material gap exists between risk and response.
INVOLVEMENT IN SOFTWARE DEVELOPMENT, PROCUREMENT AND OUTSOURCING
Development of software applications
Procurement of software applications
Outsourcing the development
of software application
Personally Organization No Involvement at all
0% 10% 20% 30% 40% 50% 60%
The phases of software procurement and development that this subset of information
security professionals is engaged in are diverse. The most common phase of personal
involvement is specifying requirements (75 percent). Involvement in stages
that confirm that these requirements are meeting their objectives drops off
considerably. This, too, is a signal of a gap between risk and response by information
security professionals and their organizations.
INVOLVEMENT IN SOFTWARE PROCUREMENT AND DEVELOPMENT STAGES
Construction
(i.e., implementation or coding) 28%
Maintenance 46%
Support 47%
Design 50%
Integration 50%
Installation and deployment 54%
Testing, debugging, or validation 56%
Specifying requirements 75%
As reported previously in this study, information security professionals, members, and
non-members, view acquiring new skills and certification as very important. Earning
certifications most applicable to secure software, however, is hardly a blip on
the list of certifications survey respondents claim. For example, only one percent
of surveyed information security professionals claim to have acquired the Certified Secure
Software Lifecycle Professional (CSSLP®
) certification.This is also a signal that the gap between
insecure software risk and response is real.
21. The Dynamically Stable Information Security Career
21Frost.com
The conclusion is apparent:unless software and information security professionals’ involvement
is deepened in secure software development, procurement, and outsourcing; and training and
education permeates the ranks of software development functions, the risks associated with
insecure software will remain. Furthermore, deepening engagements in software
development cannot occur in isolation or be the exclusive responsibility of the
information security workforce. Other relevant functional groups—software
developers,application owners,and the quality assurance and testing teams—must
internalize secure software development best practices and engage, as standard
operating procedure, with information security professionals. While expertise in the
information security discipline varies across groups,all groups must be responsible in order for
the risk and consequences of insecure software to decrease.
Security Implications of BYOD,Cloud Computing,and Social Media
In this section, we zero in on the survey responses to three prominent IT trends: BYOD, cloud
computing, and social media. Each is unique in their security implications and how information
security professionals and their organizations are managing risk. For example, assessment of
security risk is not uniform. BYOD is the highest overall, followed by cloud computing and
social media.We believe that the “it’s just happening” and “happening at accelerating speed”
with BYOD are forcing organizations to react more than with cloud computing,where adoption
and use is more of a managed choice by companies. Consequently, the risk in BYOD is
“cast upon” businesses more so than evaluated and chosen with cloud computing.
Social media is different.While social media, too, has the “cast upon” attribute of BYOD, social
media represents more of an evolution in internal and external communication channels than
the introduction of a mushrooming range of user-owned and therefore untrusted user devices.
As such, companies have experience in managing the risk of unauthorized communications
(e.g.,when instant messaging andWeb-based email became broadly available),with many of the
same and existing technologies and procedures to monitor and manage the communication
flows. Consequently, the security risk with social media is less than BYOD.
BYOD, CLOUD COMPUTING, AND SOCIAL MEDIA
(TOP 2 ON 5-POINT SCALE OF SECURITY SIGNIFIGANCE OR CONCERN)
Inability to support forensic investigations 50%
Inability to support compliance audits 50%
Susceptibility to cyber attacks 62%
Disruptions in the continuous operation of the data center
(i.e., uninterrupted availability) 65%
Weak system or application access controls 67%
Exposure of confidential or sensitive information
to unauthorized systems or personnel 80%
Confidential or sensitive data loss or leakage 81%
Overall, how significant a security risk would you say employee or
partner owned devices pose for your organization? 78% BYOD
CLOUD
COMPUTING
How much of a concern is social media
as a security threat to your organization? 43% SOCIAL MEDIA
22. Frost & Sullivan
22 Frost.com
BYOD
Approval for use of user-owned devices, according to this survey, is more than 50 percent.
Differences in allowance do exist, primarily among verticals. For example, 67 percent of
respondents in government state user-owned devices are not allowed. In the private sector,
47 percent of respondents in banking, insurance, and finance verticals state user-owned
devices are not allowed. At the other end, education is most permissive, with 86
percent of education respondents claiming user-owned devices (employee and
business partners combined) are allowed.
ALLOW USER-ORIENTED DEVICES (BYOD)
Don't know 5%
No, we do not allow any user devices
to access the organization's network 42%
53%
Yes, employees 26%
Yes, both employees and business partners 23%
Yes, business partners 4%
End-user license agreements are one way that companies manage BYOD risk. Fifty-one percent
of survey respondents claim agreements are in use. Beyond these agreements, a growing
number of security technologies are used. Furthermore, all mobile security technologies listed
in the 2011 survey (encryption, remote lock and wipe, MDM, mobile anti-malware, and DRM)
had a greater percent of respondents claiming use in 2013. Also as a sign of expanding
security technologies in use are the modest percentages assigned to technologies
that were in their commercial infancy in 2011, such as secure containerization
or secure sandbox, with 20 percent of respondents stating it is used in the
2013 survey.
MOBILE DEVICE SECURITY TECHNOLOGIES IN USE
Digital rights management (DRM) 13%
Secure offline storage 14%
Secure containerization or secure sandbox 20%
Data leakage prevention (DLP) 25%
Mobile anti-malware and -virus endpoint security 31%
Authentication (other than PIN codes) 40%
Application access control 42%
Enforced PIN codes 44%
Mobile device management (MDM) 50%
Remote lock and wipe functionality 53%
Virtual private networks (VPN) 63%
Encryption 64%
23. The Dynamically Stable Information Security Career
23Frost.com
Another interesting perspective revealed in the survey is how mobile security technology use
varies among industry verticals. The chart below shows differences for five verticals, including
the most permissive allowance of user-owned devices vertical (education) and the most
restrictive (banking, insurance, and finance). Note: Only mobile security technologies that had use
differences of 10 percentage points or more are shown.
DIFFERING MOBILE DEVICES’ SECURITY TECHNOLOGIES
IN USE AMONG SELECT INDUSTRY VERTICALS
0% 20% 40% 60% 80%
Remote lock and wipe functionality
Mobile device management (MDM)
Enforced PIN codes
Data leakage prevention (DLP)
Secure containerization or secure sandbox
Mobile anti-malware and -virus endpoint security
BANKING/INSURANCE/FINANCE
INFO TECH
EDUCATION
TELECOM & MEDIA
HEALTHCARE
Encryption
Development of new skills in mobile security and BYOD by information security
professionals was noted as required by 74 percent of respondents. This opinion has
little variation by company size, job title, or industry vertical.This chart shows which new skills
are most required in dealing with mobile security and BYOD.
SKILL REQUIRED IN DEALING WITH MOBILE SECURITY AND BYOD
Enhanced technical knowledge 72%
An enhanced understanding of security of applications 70%
Contract negotiation skills 11%
Procurement skills 13%
Enhanced management skills 24%
Business stakeholder management and education 33%
Specifying contractual obligations and
requirements related to security 36%
Enhanced data management skills 43%
An enhanced understanding of cloud security
guidelines and reference architectures 45%
How security applies to cloud 47%
Knowledge of compliance issues 66%
Cloud Computing
The GISWS confirms the prevailing use of cloud computing is the greatest with large companies
(2,500 or more employees). Among industry verticals, the cloud computing priority varies
moderately. Respondents in info tech have the highest cloud computing priority; 57 percent
chose top- or high-priority cloud computing currently and expect priority to rise to 69 percent
in two years.Government respondents express the lowest current and future cloud computing
priority ratings (top and high)—26 percent and 45 percent, respectively.
24. Frost & Sullivan
24 Frost.com
CURRENT AND FUTURE PRIORITY OF CLOUD COMPUTING BY COMPANY SIZE
(TOP AND HIGH PRIORITIES)
0% 10% 20% 30% 40% 50% 60%
Currently
Within two years
1 - 499500 - 2,4992,500 - 9,99910,000 or more
Selection among cloud computing approaches corresponds to the high level of risk
currently associated with the cloud. As shown in the table below,private cloud computing
services have the greatest proportionate use.With private cloud computing services,the cloud
customer retains more control over the cloud infrastructure and how that infrastructure is
secured than other approaches.
Proportionate Use of Cloud Computing Approaches — Current
Total
Survey
Banking,
Insurance
& Finance
Education Healthcare
Info
Tech
Telecom &
Media
Gov’t
Private cloud
computing services
38% 41% 37% 38% 34% 37% 46%
Software as a Service 19% 22% 19% 25% 19% 15% 13%
Infrastructure as a Service 11% 11% 7% 8% 12% 13% 11%
Public cloud
computing services
11% 8% 16% 10% 11% 12% 9%
Platform as a Service 7% 7% 5% 6% 8% 9% 7%
Hybrid cloud
computing services
7% 6% 7% 7% 8% 8% 8%
Community cloud
computing services
6% 4% 9% 6% 6% 6% 6%
Similar to mobile security and BYOD, 74 percent of survey respondents believe new skills will
be required to manage the risks anticipated with cloud use.
25. The Dynamically Stable Information Security Career
25Frost.com
SKILLS REQUIRED IN DEALING WITH CLOUD COMPUTING
Procurement skills 25%
Enhanced management skills 25%
Contract negotiation skills 33%
Business stakeholder management and education 36%
Enhanced data management skills 47%
Specifying contractual obligations and
requirements related to security 61%
Enhanced technical knowledge 62%
Knowledge of compliance issues 71%
An enhanced understanding of cloud security
guidelines and reference architectures 78%
How security applies to cloud 89%
The chart above lists the skills information security professionals believe are needed to manage
cloud risks. The very high percentage of respondents choosing “understanding”
skills is indicative that there remains considerable ambiguity regarding cloud-
related risks. Furthermore, with cloud services providers not bound by industry standards
or regulations with regard to security practices and procedures, general understanding of
potential cloud risks would be incomplete in assessing risk.A thorough understanding of each
potential cloud service provider would be required to adequately assess risk across providers.
Social Media
As previously shared, the security concern with social media is less than BYOD and cloud
computing. Nevertheless, there is sufficient concern that a majority of information security
professionals take action to manage the risk emanating from social media use. The most
prominent means to limit access to social media is by using content filtering and website
blocking technologies. The prominence of these technologies is greater with larger companies
than small. Not surprisingly, higher proportions of medium, large, and very large companies
surveyed use this technology for social media access control than small companies. Also
as expected, survey respondents in the banking, insurance, and finance verticals expressed
greater use (82 percent) of these technologies than any other vertical. Respondents in the
education vertical are the most permissive in social media access;59 percent state
their organizations have no social media restrictions.
HOW EMPLOYEE ACCESS TO SOCIAL MEDIA IS LIMITED
We have no restrictions on the
use of social media by employees 25%
By setting and enforcing policy 51%
Through content filtering and
website blocking technology 64%
26. Frost & Sullivan
26 Frost.com
The Last Word
The professional discipline of information security is complex and requires continuous
investment in knowledge, procedures, and technologies. Moreover, the application
of information security is the duty of all members of the organization. From a practical
perspective, there is a shared need to protect what is important—sensitive information
and critical business operations—and a shared responsibility as system users and their
devices represent a widely distributed and dynamic field of entry points into public and
private networked operations and informational databases.Without organizationally broad
awareness and attentiveness to security policies, risk will surely rise and, as a consequence,
contribute to sub-optimized effort by information security professionals. More time will be
driven to incident response and remediation, and away from proactive building of security
practices that meet the organization’s risk management objectives and directly contribute to
strategic business initiatives (e.g., development and implementation of cutting-edge software
applications, mobilizing workforce and operations, and extracting maximum benefits from
the evolution in information technologies, such as cloud computing).
For those who have chosen a career in information security, it is a rewarding profession both
intellectually and financially. And while skill and knowledge building must never slow down—
attackers, hackers, and other cyber threat actors certainly will not—information security
professionals must also translate their risk management expertise into organization-wide
leadership. Consider if those with the greatest understanding of risk management operate
in isolation or, worse, choose to violate security policies. Members of other functional areas
in the organization will view information security as an optional responsibility and be equally,
if not more, cavalier in their adherence to security policies.Therefore, it is incumbent upon
information security professionals to demonstrate security consciousness, and openly and
freely engage with members of other departments to show how security is best when
practiced together.
Michael P. Suby
VP of Research
Stratecast | Frost & Sullivan
mike.suby@frost.com
(ISC)² would like to acknowledge and thank the following organizations for their participation in the 2013 (ISC)² Global
Information Security Workforce Study: Sri Lanka CERT|CC, ISACA, Alderbridge, GFI Software, Reed Exhibitions –
Infosecurity Europe,Acumin, CompTIA, Information Security Forum, NASCIO, Security Bsides, IAPP, U Fairfax, Executive
Women’s Forum, IT Security C&T, SecuMedia,The European Association for e-Identity and Security, BUiM Group for All
in the CloudAsia 2012,ISSA Poland,SANS,ASIS International,IAPP,SEC,RSA,MISTraining Institute,Hashdays,IT Security
Pro, FirebrandTraining UK, Data Security Council of India (DSCI), Information Security Solutions, and Cast Forum.
27.
28. 877.GoFrost • myfrost@frost.com
http://www.frost.com
About (ISC)²® andthe (ISC)² Foundation
(ISC)² is the largest not-for-profit membership body of certified information security professionals worldwide, with nearly 90,000
members in more than 135 countries.(ISC)²’s certifications are among the first information technology credentials to meet the stringent
requirements of ISO/IEC Standard 17024,a global benchmark for assessing and certifying personnel.(ISC)² also offers education programs
and services based on its CBK®
, a compendium of information security topics.The (ISC)² Foundation is the charitable trust of (ISC)²,
aiming to make the cyber world a safer place for everyone with community education,scholarships and industry research like the (ISC)²
Global Information SecurityWorkforce Study.More information is available at www.isc2.org and www.isc2cares.org.
About Booz Allen Hamilton
Booz Allen Hamilton is a leading provider of management and technology consulting services to the US government in defense,
intelligence,and civil markets,and to major corporations,institutions,and not-for-profit organizations.BoozAllen is headquartered
in McLean,Virginia, employs approximately 25,000 people, and had revenue of $5.86 billion for the 12 months ended March 31,
2012.To learn more, visit www.boozallen.com. (NYSE: BAH)
About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that
addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more
than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the
investment community.Is your organization prepared for the next profound wave of industry convergence,disruptive technologies,
increasing competitive intensity, MegaTrends, breakthrough best practices, changing customer dynamics and emerging economies?
Contact Us: Start the Discussion
For information regarding permission, write:
Frost & Sullivan
331 E. Evelyn Ave. Suite 100
MountainView, CA 94041
SiliconValley
331 E. Evelyn Ave. Suite 100
MountainView, CA 94041
Tel 650.475.4500
Fax 650.475.1570
San Antonio
7550 West Interstate 10, Suite 400,
San Antonio,Texas 78229-5616
Tel 210.348.1000
Fax 210.348.1003
London
4, Grosvenor Gardens,
London SWIW ODH,UK
Tel 44(0)20 7730 3438
Fax 44(0)20 7730 3343
Auckland
Bahrain
Bangkok
Beijing
Bengaluru
Bogotá
Buenos Aires
Cape Town
Chennai
Colombo
Delhi / NCR
Detroit
Dhaka
Dubai
Frankfurt
Hong Kong
Iskander Malaysia/Johor Bahru
Istanbul
Jakarta
Kolkata
Kuala Lumpur
London
Manhattan
Mexico City
Miami
Milan
Mumbai
Moscow
Oxford
Paris
Pune
Rockville Centre
San Antonio
São Paulo
Seoul
Shanghai
Shenzhen
SiliconValley
Singapore
Sophia Antipolis
Sydney
Taipei
Tel Aviv
Tokyo
Toronto
Warsaw
Washington, DC