David Monahan Director of Security and Risk Management for Enterprise Management Associates (EMA) reviewed results from research performed about IT security. This research includes data from over 600 IT practitioners and managers in mid-size enterprise companies from the United States, United Kingdom, and Germany.
The research shows:
1. How secure companies believe they are
2. Why that sense of security might be misplaced
3. The difference in perception about security posture between management and practitioners
4. What IT professionals think they need to do to improve security
5. How best practices fit in to the IT security strategy
David has over 20 years of IT security experience and has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions.
Prior to joining Enterprise Management Associates (EMA), David spent almost 10 years at AT&T Solutions focused on the network security discipline.
Over 600 respondents
Organizations across NA, UK and DE
Respondents composed of Network, Security and Systems administrators and direct management
Company sizes from 250 to 9,999 people
Revenue from <$1M US to >$1B US
No significant differences between NA and EU respondents
Mgrs. and below are more represented in Systems
Situational drivers
Buy without trying
Mav wants to jump in here
The identified motivations are understandable. Upper management often is not involved until the pain of an outage is experienced, so that is their primary perception.
Mgrs. and below are trying to fight fires and resolve issues, not just outages, many of which upper management will never see if they are dealt with or contained in a timely manner.
Managers see the warts and may be less inclined to promote some tools while Sr. Mgmt. see the final product/results and equate that with the tool quality without necessarily knowing what had to be done outside the tool to achieve the result.
This makes sense, as they tend to control the budgets.
Operations personnel are in a better position to do this, though they do it less, because they understand the environment better.
Managers live the daily work, so their perception of integrations and interaction should be closer to reality.
Sr. Mgmt. is shielded from the rough edges or lack of integration by managers, because all they see is the job getting done.
The integrations are lower at the small company level, but the personal relationships more than make up for it.
Larger organizations generally have better defined processes but they are not always tightly followed or well designed.
Bureaucratic and other issues often get in the way of smooth execution.
How can it be that organizations across the board by both role and geography are saying they have sufficient resources and yet breaches are increasing in frequency and size!?
Sample Size = 91
Upper management seems to be overly confident in their certification levels and best practices, leading to their overestimation of security.
Respondents consistently think they are more secure than they are
Dir and above have a significantly higher perception of their security than the Mgrs. and below
Mgrs. and below are either not doing a good job of communicating the real situation or upper mgmt has a significant bravado issue
68% Mgrs. and below indicated they had had some form of significant breach
66% of Directors and above indicated they had had some form of significant breach
If the smaller Sr. Mgmt. group takes an equal share of the blame for breaches, then a higher percentage of the Sr. Mgmt. population is taking the blame for breaches.
Example: 50 breaches divided equally into two groups is 25 for each group. If there are 100 people in the Mgrs. and below group and 25 in Sr. Mgmt., that would equal 25% of the Mgrs. and below but 100% of the Sr. Mgmt.
Sample Size = 401
Mav wants to jump in here
Front line people recognize it takes longer to discover. Managers tend to under report.
These are significantly lower than the figures reported by the forensics researchers: a median of 8 months and a longest of 76 months.
Sample Size = 401
How can 73% of respondents indicate that they believe they are in the top 10% of security and also indicate that they have had a significant attack or breach that warranted external support?
93% of respondents who thought they were a target but had enough controls in place thought they had sufficient resources. That’s Good!
82% of respondents who thought they were a target and had a plan in place to address security thought they had sufficient resources. That’s Good!
Paradox - these people should know, but come across as schizophrenic.
82% of respondents who said they didn’t know if their org was a target for hackers said they thought they were secure
79% of respondents that said they thought they were a target and cannot find enough skills to address it also answered that they had sufficient resources
74% of respondents that said they thought they were a target and don’t have enough budget to address it also answered that they had sufficient resources