Cybersecurity Preparedness Benchmark Study, Webex, 27 October 2016
TRANSCRIPT
Cybersecurity Preparedness Benchmark Study
Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study
National Cybersecurity Awareness Month (NCSAM)
• This October is the 13th annual National Cyber Security Awareness Month
• As the month comes to a close we hope you will continue to promote a safer, more secure and more trusted internet all year long
• BRG is a proud NCSAM Champion and we encourage everyone to support the 6th anniversary of STOP. THINK. CONNECT.™ NCSAM initiative
• More information can be found at https://staysafeonline.org/
BRG Overview
Over 1,000 professionals in 37 offices
Study Background
Why the need for cybersecurity benchmarking?
• Financial and non-financial consequences of a successful cyber attack
• Governance and Technology
• Gain an understanding of how peers implement Information Security
• Study results from two different points of view:
– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity
– an individual assessment for each participant where individual answers are discussed and compared against other study respondents
Study Background
Target group: Executive Management and Board of Directors from different sectors
Survey: 103 questions, approximately 60 minutes. Online questionnaire; select phone interviews
Timeline: Q1 and Q2 2016
Results: Q3 2016
Participants received: Anonymized evaluation of participant data including indication of their individual answers
Objectives
Country of Origin
Study Participants
Charts: Primary Industry of Organization; Title or Level in Organization; Total Employees with Average FTE IT Employees
Strategic Insights
Growing Importance of CISO
Who does the CISO/CSO report to?
54% of organizations report an Information Security Officer is in place
Security Culture
How would you rate your organization’s information security culture?
73% of organizations have a formal cybersecurity training and awareness program
Cybersecurity Effectiveness
Rate the effectiveness of your organization’s cyber security program
80% of organizations report that senior managers approach information security as an enterprise risk-management issue
Incident Response Capability
How would you rate your organization’s cyber security incident response capabilities?
60% of organizations inform governments and regulators of cybersecurity breaches
Strategic Initiatives
What strategic initiatives has your organization adopted in its security program?
90% of organizations do not have a cybersecurity strategy for the Internet of Things
Board and Executive Leadership
Board Engagement
Areas in which the Board of Directors actively participate:
55% of organizations report that the Board of Directors actively participate in overall cybersecurity strategy
Board Influence
Areas board participation has helped improve your organization’s information security program:
Board Oversight
How does the board oversee cyber security-related issues?
Leadership Support & Focus
How would you rate the organizational leadership support for cybersecurity?
Rate senior management focus on information security
Feedback Mechanisms
How do you measure the effectiveness of the organization’s cyber security program?
69% of organizations rely on auditors, both internal and external, as a measure of their cybersecurity effectiveness
Managing Security Risk
Cybersecurity Risk Assessments
Has your organization performed a cyber risk appetite assessment?
Has your organization performed a cyber threat assessment?
47% of organizations do not believe that leadership has a functional understanding of their network security
Documented Procedures
Are there formal security and operational procedures documented?
91% of organizations document their cybersecurity policies and procedures
Improvement & Awareness
Areas for improvement and awareness programs?
Executive Briefings
How often does executive management receive periodical briefings on the state of your organization’s network security system?
30% of executive management receive a briefing once every six months or less
Systems and Controls
Security Standards
Which information security standard and best practice does your organization follow?
37% of organizations used ISO 27001, with financial services at 43%
Controls Testing
Security controls and business continuity plans are tested on a regular basis?
System Reviews
How often are the security controls of the enterprise systems and interconnected systems reviewed?
24% of organizations do not routinely test security controls and business continuity plans on a regular basis
Self-assessments
How often are self-assessments conducted?
30% of organizations do not routinely undertake self-assessments
External Assessments
How often are external security assessments conducted?
External Service Providers & Vendors
What steps has your organization taken in order to obtain assurances from external service providers and vendors that their security meets standards?
63% of organizations have ensured external service providers and vendor contracts include provisions for security
Governance and Reporting
Risk Management Effectiveness
Rate your organization’s cyber security risk management program
42% of organizations somewhat agree that cybersecurity risks are being considered in business decision making
7% of organizations strongly agree that cybersecurity risks are being considered in business decision making
Information Governance Capabilities
Rate your organization’s cyber security Information Governance capabilities
56% of organizations rate their Information Governance capabilities as ‘slightly’ or ‘somewhat effective’
IS Governance Maturity
Rate your company’s information security governance maturity level
IT Risk Management Maturity
Rate your company’s IT risk management maturity level
Cloud Computing Maturity
Rate your company’s cloud computing maturity level
57% of organizations do not allow use of public cloud services
Regulatory & Government Reporting
Does the organization’s incident response plan outline regulatory and governmental notification protocols for breaches?
57% of organizations are required by regulatory and government agencies to disclose system breaches
Breaches and Incidents
Type of Cybersecurity Breaches
What type of breaches did your organization experience?
51% of organizations do not believe they are well equipped to handle a breach
46% of organizations report having experienced a cybersecurity breach
45% of organizations report current employees as the most likely source of cybersecurity breach incidents
Sources of Breaches
What was the estimated source of data breach incidents?
Staff-related Incidents
Type of staff-related incidents the organization experienced?
Key Observations
Despite a strong focus on cybersecurity culture, many organizations do not believe their cybersecurity programs are fully effective: 45% of respondents reported that they needed to improve security awareness and training.
Current employees are the likely cause behind most cybersecurity breaches: respondents reported that current employees were the likely source of 45% of data breach incidents, followed by 22% of incidents caused by hackers and 13% by former employees.
Viruses and malicious software are the most common breaches: respondents reported that infections from viruses or malicious software accounted for 39% of all data breaches, followed by system failures or data corruption accounting for 35% of breaches.
Key Observations
Most organizations do not have strategies for the emerging fields of the Internet of Things or Big Data: 90% of respondents do not have a cybersecurity strategy for the Internet of Things, and 86% do not have a strategy for Big Data.
Organizations lack confidence in their cybersecurity incident response capability: 65% of respondents reported having a formal cyber incident response plan, and 60% incorporated regulatory and government notification protocols for breaches. However, when asked if their organization was well equipped to handle a cyber breach, 51% of respondents were neutral or disagreed.
Organizations anticipate an increase in information security budgets: 54% of respondents reported that they expected an increase in their 2016 cybersecurity budget. However, 48% of respondents reported they were neutral or disagreed when asked if leadership allocated adequate budget for cybersecurity efforts.
Recommendations
• Review and approve the cyber risk appetite and tolerance at board level;
• Ensure the board has sufficient cybersecurity expertise and/or access to such expertise;
• Build cybersecurity into all activities and develop enterprise-wide cyber risk management strategies and procedures;
• Incorporate cybersecurity within business strategy and risk management frameworks;
• Develop procedures to identify and manage cyber risks associated with outside vendors, suppliers, customers, utilities, and other external organizations and service providers;
• Undertake testing to include the potential for multiple attacks and the impact of interruptions on critical infrastructure;
• Ensure there is a robust cyber resilience and incident response program;
• Pro-actively undertake cyber threat intelligence gathering and ongoing security analytics;
• Invest in your people to ensure there is high awareness and ownership for cybersecurity across the organisation.
The full study is available at: http://www.thinkbrg.com/media/publication/828_CSPBS_Report.pdf
Tony Moroney | Managing Director | International Financial Services
Berkeley Research Group, LLC, 6 New Street Square, 15th Floor | London, EC4A 3BF | D +44 (0) 20 3597 5167 | M +353 87 2556947 | F +44 (0)20 3808 | [email protected] | thinkbrg.com
Faisal Amin | Director | Benchmarking & Strategic Research
Berkeley Research Group, LLC, 700 Louisiana Street, Suite 2600 | Houston, TX 77002 | D 713.493.2552 | O 713.481.9410 | M 281.788.9573 | F [email protected] | thinkbrg.com