Session ID: CISO-W22 Session Classification: General Interest

Transcription

1 Session ID: CISO-W22 Session Classification: General Interest

2

3 Pain Points What are your two biggest information security-related pain points?* Mobile Device Security Security Awareness Training User Behavior Compliance/Auditing Organizational Politics Data Security Data Leakage Prevention Budget Authorization/Access Control Resource Constraints Staffing SIEM Remote Access Patch Management Monitoring Improvements Keeping Up With New Technology Hackers Data Analytics and Reporting Vulnerability Management User/Business Requirements Malware Endpoint Security Application Security % n=192. *Note that due to multiple responses per interview, totals may exceed 100%. Industry Profile - 2H 12

4 Top Projects What are your organization s top three information security projects in the next 12 months?* Data Leakage Prevention Identity Management Mobile Device Security Firewall Install/Refresh SIEM Security Awareness Training Intrusion Management Dual-/Multi-factor Authentication Mobile Device Management Log Management Endpoint Security Encryption Authorization/Access Control Risk Assessment Application Security Policy Management Monitoring Improvements Cloud Computing Control Single Sign On Network Segmentation Network Access Control Security Data Classification Anti-malware Vulnerability Management Security Certification PCI Compliance Datacenter Migration/Modification Business Continuity/Disaster Recovery Vulnerability Assessment VPN/Remote Access Mergers and Acquisitions GRC Application-aware Firewall 1 1 9% 1 2 n=193. *Note that due to multiple responses per interview, totals may exceed 100%. Industry Profile - 2H 12

5 Technology Roadmap What is your status of implementation for this technology? Patch Management 8 Vulnerability/Risk Assessment/Scanning (of Infrastructure) 8 9% Network Intrusion Detection and/or Prevention (NIDS/NIPS) 80% Two-factor (Strong) Authentication for Infrastructure 6 20% Identity Management 59% 2 Security Information Event Management (SIEM) 5 9% 2 Mobile Device Management 4 1 8% 2 App Sec Testing Code/Binary Analysis Based Vulnerability 4 4 8% App Sec Testing External App Fuzzing/Testing Vulnerability 40% 4 10% Managed Security Service Provider (MSSP) 3 5 Web-application Firewall (WAF) 3 48% Application-aware Firewall Endpoint Data Loss Prevention Solutions 28% 1 4 In Use Now In Pilot/Evaluation (Budget Has Already Been Allocated) Near-term Plan (In Next 6 Months) Long-term Plan (6-18 Months) Past Long-term Plan (Later Than 18 Months Out) Not in Plan Don't Know/No Response n=200. Technology Roadmap - 2H 12

6

7 Drivers for What are the three drivers for information security within your organization?* Compliance Requirements Managing Reputational Risk Data Protection Requirements Customer Expectations Risk Management Regulatory Requirements Business Requirements Intellectual Property Protection Malware/Hacking Alignment to Best Practices Senior Management Expectations Asset Protection Requirements Availability Requirements Audit Response Revenue Protection Keeping Up With Technology Partner/Supplier Requirements Mobile Device Proliferation Cost Containment % 9% n=193. *Note that due to multiple responses per interview, totals may exceed 100%. Wave 15

8 Method of Project Approval How are information security projects approved within your organization? Compliance Decides ROI Calculation Risk Assessment Committee Approval CIO Decides Senior Management Decides Reaction to Security Problem CISO Driven Security Can't Initiate a Project Business Unit Driven Sacred Cow Strategic Plan Scare Tactics Linked to Customer Requirement Board of Director Approval Various Human Resources Decides External IT Research Driven CFO Decides Other Don't Know 1 4 n=194. Industry Profile - 2H 12

9 Strengths and Weaknesses of Internal IT Audit Function Describe the strengths and weaknesses of your internal IT audit function, if you have one. Strengths Weaknesses No Specific Strengths 2 Lack of Technology Knowledge 2 Breadth of Coverage 1 Lack of Coverage 20% Financial Knowledge Enforcement Around Findings Technology Knowledge Spread Too Thin Inability to Prioritize Findings 1 1 Relationship With 10% No Specific Weaknesses 8% Independent Reporting Line 8% Lack of Independence Risk Management Knowledge Reporting Quality of Testing Process Driven Poor Relationship With Information Security Poor Enforcement of Findings Lack of Process Physical Security Knowledge Poor Reporting Benchmarking Lack of Business Knowledge Left Chart, n=63; Right Chart, n=64. Wave 15

10 Highest Internal IT Security Risks Which of the personnel types below do you consider to be the highest internal IT security risk to your organization? Business Unit Staff (Non-IT Technical) 2 Contractors and Temporary Staff Technical Staff Elevated Privilege (Including IT Systems Administrators) 20% 19% Management/Executive Team 1 Outsourced Service Provider Personnel 9% Remote Employees Technical Staff Without Elevated Privilege (Including IT Systems Administrators) Business Partners Other n=194. Wave 15

11

12 Organizational Structure Is a separate division, or department at your enterprise? No 3 Yes 6 n=194. Wave 15

13 Physical and IT Security Reporting to Same Executive Do physical and IT security functions report to a single executive leader? No 7 Yes 2 n=194. Wave 15

14 Hours Spent Training End Users How many hours a month does your team spend on security awareness programs and training for end users? None % 51 18% n=103. Wave 15

15 Written Security Policies Does your organization have formal written security policies? No Yes 98% n=193. Wave 15

16

17 Application Security Technology Roadmap What is your status of implementation for this technology? App Sec Testing Code/Binary Analysis Based Vulnerability 4 4 8% App Sec Testing External App Fuzzing/Testing Vulnerability 40% 4 10% Web Application Load Testing 39% 4 1 Multi-factor Authentication for Web-based Applications 3 5 Database Security 3 48% 10% Web-application Firewall (WAF) 3 48% In Use Now Near-term Plan (In Next 6 Months) Past Long-term Plan (Later Than 18 Months Out) Don't Know/No Response In Pilot/Evaluation (Budget Has Already Been Allocated) Long-term Plan (6-18 Months) Not in Plan n=200. Technology Roadmap - 2H 12

18 Application Security Controls If your organization has developers, are application security controls built into the internal software development lifecycle? Yes 5 No 4 n=96. Wave 15