Survey Reflects Growth in How Corporations Manage and Protect Information

By Ari Kaplan
April 02, 2017

Many organizations are changing their approach to leveraging cybersecurity intelligence through enhanced cooperation, detailed information sharing, and broad-based collaboration. To characterize those shifts and offer perspectives that empower effective benchmarking, for the third consecutive year, Nuix engaged my firm to interview corporate security officials. The December 2016 report — Defending Data: Cybersecurity Maturity Reflects Growth in How Corporations Manage and Protect Information From Increasingly Sophisticated Threats — reflects the perspectives of 29 cybersecurity executives across a range of industries.

More than half of them (55%) were directors or vice presidents with primary responsibility for information or cybersecurity, while 31% served as their organization's chief information security officer. The remaining 14% had management oversight for those areas.

86% were from organizations with over $1 billion in annual revenue and 72% were from companies with over 5,000 employees. They hailed from a diverse group of industries, including: financial services (34%); life sciences (17%); banking (10%); insurance (10%); energy (7%); manufacturing (7%); technology (3%); consulting (3%); retail (3%); and entertainment (3%). (Percentages do not add up to 100% due to rounding.)

Although many organizations are developing solutions to overcome cybersecurity challenges, there is no single response that is universally acceptable. Many companies do, however, provide comprehensive plans, policies, and protocols to manage their concerns more effectively. As a result, security leaders who prepare, adapt, and respond, as well as maintain momentum in fighting those who try to access their networks, fare better than their peers. Our research continues to show that human behavior and technological uncertainty remain prominent barriers to corporate confidence.

In 2014, the first Defending Data report showcased general information protection trends, with a focus on guarding the perimeter and drafting policies. The 2015 study detailed the emerging insider threat phenomenon and the growing interest in security at the C-level. In 2016, we detailed the power of collaboration and its impact on spending, strategy, and systemic change.

Spending

Our discussion always begins with spending, and in 2016, we found that detection received the highest investment over the past year; 79% of respondents said they were spending more in that area compared with 2015. 76% had increased spending for identification and response, 62% for protection, and 48% for recovery. “We have been more focused on where we can spend our time and money,” advised one participant. “Now, it is about visibility and control; we have more focus on reacting quickly to what we have identified.”

In characterizing their team's spending on IT security over the past two years, 17% of the respondents called it “high,” 52% described it as “sufficient,” and 28% noted that it was “insufficient.”

“The question is whether what was previously sufficient is enough for tomorrow's attack; it is an arms race,” remarked one security leader. Some reasons for insufficient spending included a lack of senior support and initiative overload.

Technology

Two-thirds (66%) of survey participants said they used more than 10 software products, while 38% worked with more than 10 service providers. Not surprisingly, the integration of the various vendors was generally a work in progress; only 24% described the integration between vendors as seamless. One participant explained that “integration depends on the maturity of the vendor,” but the general consensus was that “many of the vendors are not very seamless; sometimes there is overlap and no integration because they are all trying to compete against each other.”

44% of the respondents said that they were very likely to change an IT security vendor in the coming year, while 31% were unlikely to do so. “Today, you can just switch vendors quickly if they are not working out,” noted one security leader. “Since we have so many vendors, there will always be a change,” another added more practically.

Human Behavior

It was not surprising that 97% of the participants agreed that human behavior was the biggest security threat in their organizations. This was a slight increase over previous surveys — 93% in 2015, and 88% in 2014. Human vulnerability was the primary reason that 34% of survey participants described themselves as “very concerned” about whether they had been breached.

“The entire program is designed to account for human behavior; the company provides training to show individuals how to act and there are also policies in place to guide them,” said one participant. “Unless you train your staff to identify scams and avoid the risk, you will not eliminate security issues; education and awareness does not just rest with your internal staff, it rests with your customers as well.”

The respondents disagreed about the most effective way to change behavior. One participant noted that “performance reviews consider adherence to enterprise security policies and failure to adhere to them could result in termination or disciplinary action.” On the other hand: “The company tries to provide room for grace; if people are concerned about getting in trouble for making a mistake, they will not report to you,” countered another security leader.

Policies

Providing effective guidance is critical. Almost all respondents (93%) worked for an organization with a current data security policy, and 69% of them revised their security policies annually. About three-quarters (76%) were required to read their security policies annually, but 10% were never required to do so. Just under half (48%) of respondents had travel policies for senior executives and essential employees that accounted for cybersecurity concerns.

Everyone is upgrading their policies, but there are still challenges. “You can control the rule, but not the person,” advised a participant. “I don't think that user education solves the problem, though it does provide a benefit; the combination of user awareness and detection increases security,” added another.

Policies have proliferated in the past year; 48% of respondents described their security stance as proactive, up from 29% in 2015. Only 17% said their actions were reactive, down from 29% in 2015. “It depends on the pillars under consideration; prevention and detection are proactive, while response and recovery are reactive,” said one participant.

Most respondents (90%) reported having an incident response plan, though that figure was down from 96% in 2015 and 100% in 2014. That said, more organizations are evaluating their plans — 28% of respondents said they tested their incident response programs annually, up from 18% in 2015; 24% did so twice a year, up from 21% in 2015. Surprisingly, 17% did not review their incident response plans at all.

Insider Threats

Two-thirds (66%) of respondents said they had an insider threat program or policy; 79% of those designated a senior official to oversee it and offered employee training. This reflects a decrease from the 71% of 2015 respondents with an insider threat program or policy where 90% designated a senior official to provide oversight. Employee training, however, rose by nine percentage points over the past year. About three-quarters (74%) of the respondents said they were required to report any perceived misconduct immediately.

While 86% of respondents said they could identify critical value data within their networks and 83% had the means to identify who within their organization accessed that data, only 59% knew what people had done with the data after they had accessed it. In 2015, 69% of respondents claimed they could find out what had happened to their data, 93% could identify their critical value data, and 100% could detect who retrieved that data. This indicates either a potential weakness in this area or perhaps a more realistic assessment of the respondents' capabilities.

The Cloud

Consistent with market trends, 83% of respondents' employers had migrated data to the cloud, up from 71% who did so in 2015, and 73% in 2014. Around one-third (31%) used the cloud for non-confidential data such as marketing, advertising, and creative artwork, and 28% had their e-mail in the cloud.

“When CISOs say that they don't like using the cloud, they are acting a bit two-faced because the most widely used vulnerability management tool is in the cloud,” remarked one security leader.

More than half (62%) of respondents cited cost as a key factor for leveraging the cloud, while 29% acknowledged its convenience and flexibility. Only 21% cited security as a factor in their decision to use or avoid the cloud.

Conclusion

Cybersecurity spending is likely to increase, but at a slower pace than in the past few years given that many organizations have already made substantial infrastructure investments. As they see continued success, companies will align their data security policies with their training initiatives. And, collaboration between security, legal, compliance, and privacy teams will become more robust as more organizations develop interdisciplinary programs to strengthen their data protection initiatives. Finally, cloud usage will quickly achieve much broader acceptance given its cost benefits and convenience.

*****
Ari Kaplan, the principal of Ari Kaplan Advisors and a member of the Board of Editors of Cybersecurity Law & Strategy, is a legal industry analyst and produces benchmarking research on a variety of topics. If you would like his infographic series on 2017 trends or have questions, please e-mail [email protected].

