David Monahan Director of Security and Risk Management for Enterprise Management Associates (EMA) reviewed results from research performed about IT security. This research includes data from over 600 IT practitioners and managers in mid-size enterprise companies from the United States, United Kingdom, and Germany. The research shows: 1. How secure companies believe they are 2. Why that sense of security might be misplaced 3. The difference in perception about security posture between management and practitioners 4. What IT professionals think they need to do to improve security 5. How best practices fit in to the IT security strategy

1. The Fiction Behind IT Security Confidence
A SolarWinds IT Industry Survey
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL
RIGHTS RESERVED.

2. Introductions
» This presentation is recorded and will be made available after the session.
» Why did SolarWinds commission this research?
» Why Enterprise Management Associates?
Today’s Presenters:
David Monahan
Research Director,
Security and Risk Management
Enterprise Management Associates, Inc.
e-mail: dmonahan@enterprisemanagement.com
Follow me on Twitter: @SecurityMonahan
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL
RIGHTS RESERVED.
Mav Turner
Director of Product Marketing,
Security Products
SolarWinds Worldwide, LLC
e-mail: mav.turner@solarwinds.com
Follow me on Twitter: @mavturner

3. Agenda
Why is this important to you
What you will learn-
 How secure companies believe they are
 Why the sense of security might be misplaced
 Security posture perception deltas- Sr. Mgmt. vs. Practitioners
 IT professionals take on requirements to improve security
 How best practices fit in to the IT security strategy
Slide 3 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.

4. Demographics
34%
Slide 4 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
34%
27%
40%
35%
24%
41%
35%
29%
36%
19%
47%
0% 10% 20% 30% 40% 50%
Network
Security
Systems
North America European Union (EU) Director and Above Manager and Below
 Over 600 respondents surveyed in October 2014
 NA, UK and DE Represented
 Network, Security & Systems admins & Management
 Organizations from 250 to 9,999 people
 Revenue from <$1M US to >$1B US

5. Annual Sales Revenue by Region
1%
5%
Slide 5 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
1%
7%
15%
28%
30%
14%
2%
3%
15%
34%
31%
8%
1%
5%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Less than $1 Million
$1 Million to under $5 Million
$5 Million to under $20 Million
$20 Million to under $100 Million
$100 Million to under $1 Billion
$1 Billion or more
Not applicable, I work for a government or
non-profit agency
Don't know
North America European Union (EU)
 Overall company sales revenues were comparable
 This was a surprise since the EU organizations had fewer people
 We contacted more directors and above in the larger revenue organizations,
$100M-$1B+ which was a little surprising

6. Security Budget Allocations (As a Portion of Overall IT Budgets)
5%
Slide 6 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
13%
24%
27%
15%
11%
5%
1%
4%
12%
26%
25%
16%
8%
4%
4%
0% 5% 10% 15% 20% 25% 30%
Less than 5%
5% thru 9%
10% thru 14%
15% thru 19%
19% thru 24%
25% thru 29%
30% or more%
Dont know
Director and Above Manager and Below
 Overall the perception of budgets were consistent by role (and by geography)
 Budgets were healthy and have been on a generally increasing trend

7. Security Budget Increases
Slide 7 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
10%
32%
32%
23%
7%
28%
30%
31%
7%
32%
35%
25%
9%
28%
29%
29%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Increased more than 25%
Increased between 10% and 25%
Increased less than 10%
Stayed the same
North America European Union (EU) Director and Above Manager and Below
 NA Security Budgets have increased more than EU
 Most likely due to increasing breaches in the past year.
 Over 1900 breaches with 904M Records

8. Research Results-
Perceptions by Role
 Director and Above vs. Manager and Below
Slide 8 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.

9. Drivers for Purchasing Security Products
Slide 9 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
20%
20%
23%
19%
18%
21%
18%
26%
21%
15%
0% 5% 10% 15% 20% 25% 30%
Meeting compliance requirements
Post security incident/breach/data loss
Daily ops/monitoring
Incident response
Improve automation/Accommodate for lack of
workforce or skillset
Director and Above Manager and Below
 Though fairly evenly split, Manager focused a little more on Operations delivery
 In looking at the totals, people closer to the front lines look more at prevent and detect
categories while upper mgmt. is more concerned with respond.
 Surprising that though other questions bring out automation this question does not.
 Appears that automation may be a more forward looking statement than a current
issue
 Remember that all of the companies that suffered major breaches involving payments
were considered Compliant prior to their compromise.
 Compliant is not Secure

10. Drivers for Purchasing Security Products
Slide 10 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
13%
24%
19%
18%
27%
21%
16%
24%
19%
19%
0% 5% 10% 15% 20% 25% 30%
Someone in the organization drove the selection
or made a very strong recommendation
To complete the purchase before a budget
deadline
It was needed to resolve an emergency/urgent
outage/maintenance situation
It was needed to resolve an emergency/urgent
compliance situation
It was needed to resolve an emergency/urgent
security situation
Director and Above Manager and Below
 Managers were most motivated by either responding to an emergency situation or by
spending budget before they lost it.
 Dir. And above were primarily motivated by outages

11. Security Product Recommendations
(outside of the work team)
Slide 11 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
79%
21%
71%
29%
0% 20% 40% 60% 80% 100%
Yes
No
Director and Above Manager and Below
 More Sr. Mgmt recommend tools than Mangers and below.
 This creates a problem, the people who are most removed from how the tools
operate are most communicative.
 Does this tell us that though ops gets the job done, they are not generally as happy with
their tools?

12. Bringing “IT” with them
Slide 12 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
69%
31%
61%
39%
0% 20% 40% 60% 80%
Yes
No
Director and Above Manager and Below
 Both Sr Mgmt. and Operations personnel are highly motivated to introduce their
preciously successful tools into their new environments. This has several ramifications.
 Operations personnel are in a better positon to do this, though they do it less
 A tool that is great in one environment may not perform well in another.
 Understanding requirements prior to importing a tool will reduce negative impacts.

13. Perception of Security Team and IT
Interactions/Integrations
Extremely close (Tightly integrated
Slide 13 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
47%
39%
13%
35%
46%
17%
50%
41%
7%
35%
43%
20%
0% 10% 20% 30% 40% 50% 60%
processes and operations)
Very close (Groups interact freely
with significant handoffs and
integrations defined)
Moderately close (Groups have
operational/functional separation
but work together on issues as
needed)
North America European Union (EU) Director and Above Manager and Below
 NA vs. EU, EU seems to have a more realistic view.
 Managers seem to be more in line with the overall EU perspective
 The over perception of team integration provides a foundation for misperceptions

14. Do You have Enough Resources for Security
Slide 14 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
86%
13%
83%
15%
87%
12%
81%
16%
0% 20% 40% 60% 80% 100%
Yes
No
Director and Above Manager and Below North America European Union (EU)
 Both Sr Mgmt. and Operations AND queried geographies indicate they have enough
resources to maintain security for their organizations.
 Why are breaches increasing in frequency and size?
 Is this is a foundational perception flaw?

15. What is Most Helpful for Improving Security?
Slide 15 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
57%
43%
57%
43%
0% 10% 20% 30% 40% 50% 60%
Tools
People
Director and Above Manager and Below
 People are not disposable but are needed for the more difficult tasks
 Organizations that don’t have enough resources, tools most important:
 Not enough people available
 People are transient in a employee market
 People don’t scale for efficiency and cost as well as automation

16. Following Best Practices
Slide 16 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
21%
24%
11%
23%
11%
10%
0%
17%
21%
15%
19%
11%
15%
2%
0% 5% 10% 15% 20% 25% 30%
We are certified. (ISO, CoBIT, PCI, HIPAA, SOX, etc.)
We have most best practices defined and follow most
of them.
We have most best practices defined but they are not
regularly followed.
We have some key best practices defined and follow
most of them.
We have only a few key best practices defined but they
are not generally followed.
My org. has policies but I am not aware of any
documented best practices.
I am not aware of my org documenting any significant
policies or best practices.
Director and Above Manager and Below
 Sr. Mgmt consistently rates themselves higher than the Mgrs. and below.
 This identifies a disconnect between Sr. Mgmt. and other personnel.
 This could be a driver as to why Sr. Mgmt. also consistently rated their
security higher.
 To be more secure many of these companies need to improve their
documentation. (It often languishes.)

17. Attendee Poll:
How Secure do You Think Your Organization is?
 Extraordinarily secure- in the top 10th percentile
 Superiorly secure- in the top 11th-20th percentile
 Very secure- in the 21st-30th percentile
 Averagely secure- in the 31st-75th percentile
 We really need to work on it- in the bottom 76th-
100th percentile
© 2014 Enterprise Management © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. Associates, Inc.

18. How Secure is your Organization?
12%
Slide 18 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
16%
36%
33%
13%
33%
36%
12%
0% 10% 20% 30% 40%
Extraordinarily secure- in the top
10th percentile
Superiorly secure- in the top 11th-
20th percentile
Very secure- in the 21st-30th
percentile
Averagely secure- in the 31st-60th
percentile
Director and Above Manager and Below
 52% of Sr. Mgmt. believe their organizations are in the top 20th percentile!
 85% believe they are in the 30th percentile
 45% of Mgrs. and below believe their organizations are in the top 20th percentile!
 81% believe they are in the 30th percentile
 This identifies another disconnect between Sr. Mgmt. and other personnel.
 Prides comes before the Fall

19. Attendee Poll:
Do you think Is your Org is a Target for Attack?
 Yes
 No
© 2014 Enterprise Management © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. Associates, Inc.

20. Is your Org is a Target for Attackers?
Slide 20 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
27%
18%
27%
25%
37%
24%
16%
19%
0% 5% 10% 15% 20% 25% 30% 35% 40%
No
Yes, but we don't have/can't find enough skills or
budget to address it or we have already or are in
process of addressing it
Yes and we are implementing a plan to address it as
quickly as we can.
Yes, but we feel we are at a low risk due to our controls
already in place
Director and Above Manager and Below
 48% more Sr. Mgmt. have a higher perception than Mgrs. and below of where
there organization is with implementing controls.
 This identifies another disconnect between Sr. Mgmt. and other personnel.
 Why do the Sr. Mgmt. believe that they have controls that they may not
have?
 This could be a driver as to why Sr. Mgmt. also consistently rated their
security higher.

21. Who Experienced a Breach or Serious Attack
Slide 21 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
66%
34%
68%
31%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Yes, we experienced a significant attack or
breach that we felt was significant enough
that we reported it to law enforcement
No, we have not experienced an attack or
breach that we felt was significant enough to
warrant reporting or external support
Director and Above Manager and Below
 The majority of respondents admit their org has been attacked/breached.
 Breaches and significant attacks are a common occurrence!
 How can we see the disparity between how secure respondents think they are vs
how many have had serious incidents?

22. Breach Responsibility (Source/Blame)
Slide 22 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
48%
48%
65%
24%
0% 10% 20% 30% 40% 50% 60% 70%
IT Admin, Employee, End User
CEO, CIO, Other Exec
Director and Above Manager and Below
 65% of Mgrs. That their peer group has been tagged as the source of breaches
 This could represent a view of “persecution” on behalf of the Mgrs. and
below.
 Sr. Mgmt. feels their peer group is taking an even share of the responsibility.
 Recent events such as Target® have most likely influenced this perception.
 Since there are far fewer Sr. Mgmt. in the population, that could also
indicate a feeling of “persecution”
 This is supported by the fact that Sr. Mgmt. is providing more budgeting for
security to provide greater protection.

23. How Long it Took to Discover a Breach /
Incident?
Slide 23 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
39%
30%
26%
4%
29%
30%
29%
8%
0% 10% 20% 30% 40% 50%
<= 1 week
1 week to 1 month
1-3 Months
4-6 months
Director and Above Manager and Below
 Mgrs. and below are a little more realistic but are still skewed
 These responses vary considerably from Verizon® DBIR and Mandiant® Reports
based on forensic research (median near 8 months)
 Odds are that either these orgs. did not find the true entry date or they are going
by an unsubstantiated gut feel.

24. Breach/Attack vs. Perception of Security
Slide 24 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
73%
27%
73%
27%
76%
24%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Yes, we experienced a significant attack or breach
that we felt was significant enough to warrant
reporting or external support
No, we have not experienced an attack or breach
that we felt was significant enough to warrant
reporting or external support
Extraordinarily secure- in the top 10th percentile Superiorly secure- in the top 11th-20th percentile
We really need to work on it- in the bottom 76th-100th percentile
 73% of the orgs that felt they were in the top 10th percentile have experienced a
breach or significant attack!
 73% of the orgs that felt they were in the top 20th percentile have experienced a
breach!
 Only 4% more companies that perceived themselves at the bottom of security
experienced a breach or significant attack.
 This could indicate a very poor incremental improvement or a serious over
estimation of security.

25. Enough Resources vs. Believing you are a Target
Slide 25 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.
79%
18%
3%
74%
24%
2%
82%
18%
0%
93%
7%
0%
82%
5%
14%
0% 20% 40% 60% 80% 100%
Yes
No
Don't know
Yes, but we don't have/can't find enough skills to address it
Yes, but we don't have enough budget to address it
Yes and we are implementing a plan to address it as quickly as we can.
Yes, but we feel we are at a low risk due to our controls already in place
I don't really know
 93% of respondents who thought they were a target and had enough controls in
place thought they had sufficient resources. That’s Good!
 82% of respondents who thought they were a target and had a plan in place to
address security thought they had sufficient resources. That’s Good!
 82% of respondents who said they didn’t know if their org was a target for hackers
said they thought they were secure. (Scary!)
 79% of respondents that said they thought they were a target and cannot find enough
skills to address it also answered that they had sufficient resources. (Schizophrenic?)
 74% of respondents that said they thought they were a target and don’t have enough
budget to address it also answered that they had sufficient resources.
(Schizophrenic?)

26. Summary
 How secure companies believe they are..
 Organizations as a whole are overrating their security postures by revenue
size, geography and by role.
 Why the sense of security might be misplaced
 It is evident that though they feel their security is in the upper echelons and
they have little of value, organizations of all sizes are targets and the majority
have suffered major attacks or breaches
 Security posture perception deltas- Sr. Mgmt. vs. Practitioners
 Both Sr mgmt. and operations level personnel in organizations that have not
been breached recognize that better tools are required more than people to
get better scale and results
 Many organizations seem to have a lack of or inferior tools. SIEM is one tool
that has not been well leveraged in many organizations, especially the
smaller ones where cost is considered a barrier to entry.
Slide 26 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.

27. Summary
 IT professionals take on requirements to improve security
 Though many say they have sufficient resources they are getting breached
 How best practices fit in to the IT security strategy
 Lower Mgmt. is not getting the complete picture from upper management so
they believe things are worse
 Sr Mgmt. believes there is tighter alignment between security and other
groups than there is.
 Sr Mgmt. has a perception that policies, procedures and processes are
better documented, distributed and followed than is happening in reality.
 You need to have a strategy for addressing current and future
needs
 Identifying People, Process and Tools is key
 Tools provide the best automation and organization continuity
Slide 27 © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
© 2014 Enterprise Management Associates, Inc.

28. SolarWinds IT Management
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL
RIGHTS RESERVED.
Systems
Management
Incident & Problem
Management
Network Fault
&
Performance
(NPM)
Security
Management
Network
Bandwidth &
Traffic
(NTA)
VoIP
Monitoring
(VNQM)
Help Desk
(Web Help
Desk®)
Windows ®
and 3rd Party
Patching
(SPM)
Firewall Rules
and Object
Analysis
(FSM)
Server/
Application/
Database
Monitoring
(SAM, WPM,
DPA)
Virtualization
Manager
Storage
Manager
(STM)
Log
Monitoring &
Event
Correlation
(LEM)
Network
Configuration
Management
(NCM)
Network
Performance Network
Configuration
IP Address
Management
/ Device
Tracking
(IPAM, UDT)
Remote
Administration
(DameWare®,
Mobile Admin®)

29. Thank you for attending
today’s presentation
For more information on Enterprise
Management Associates and its services,
please go to www.enterprisemanagement.com,
or call +1 303-543-9500
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC, are registered with the U.S. Patent and Trademark
Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks,
registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may
be or are trademarks or registered trademarks of their respective companies.
© 2014 Enterprise Management Associates, Inc.
© 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.