Managed Security in the Enterprise (U.S. Enterprise)

Transcription

1 MANAGED SECURITY IN THE ENTERPRISE Managed Security in the Enterprise (U.S. Enterprise) March 2009

2 CONTENTS Executive overview... 3 Methodology... 4 Demographics... 5 Finding 1: Cyber Risk a Big Problem... 6 Finding 2: Losses are Mounting... 9 Finding 3: More Difficult to Provide IT Security Finding 4: IT Security Staffing Difficult Finding 5: Organizations Turning to Outsourcing Finding 6: Appendix Survey Results

3 EXECUTIVE OVERVIEW In January of 2009 Symantec surveyed 1,000 mid to large enterprises in the United States and Europe about their IT security challenges. The study shows there are significant challenges as organizations are struggling to stay ahead of the risks posed by cyber crime. Organizations are finding cyber risk and actual attacks have risen in the last two years and will in the next two years. Far from being just a theoretical risk, actual losses such as lost productivity and lost revenue are felt by 98 percent of all organizations. Exacerbating this mounting problem is the fact that IT managers are finding it increasingly difficult to provide effective IT security due to above mentioned increased risk, increased regulatory pressures, lack of budget and staffing woes. Staffing problems are a particularly difficult challenge as organizations both find it difficult to locate qualified staff and lack the budget to hire sufficient staff. So what is the answer? For the vast majority IT security outsourcing has become the solution of choice. Three out of four U.S. organizations are involved with outsourcing IT security in some fashion. This report details the experiences, challenges and solutions being pursued by mid to large American enterprises in managing cyber risk. 3

4 METHODOLOGY Symantec surveyed 1,000 companies in the United States and Europe to compile this Managed Security in the Enterprise report. Applied Research was selected to perform the survey, and targeted the following IT security personnel: Mid to large enterprises (1,000 or more employees) Managers, directors or VP/SVP Management responsibility for IT security United States and Europe (6 countries, see map below) Applied Research fielded the survey by telephone in late January This study has a margin-of-error of approximately 2.8 percent at the 95 percent confidence level. 4

5 DEMOGRAPHICS Symantec spoke with IT security staff in 523 organizations in the United States and 477 organizations in Europe (Germany, UK, France, Italy and Spain). The companies ranged in size from 1,000 to more than 1,000,000 employees, with the median company in the U.S. having between 5,000 and 10,000 employees. In the U.S., IT security managers (either executive management or management of IT security) represented 80 percent of the respondents, with 20 percent working in IT security in a non-management role. Finally, the organizations we surveyed represent a broad cross-section of industries. 5

6 FINDING 1: CYBER RISK A BIG PROBLEM Respondents view cyber risk as an important and growing concern. The survey makes a distinction between threats (theoretical risk) and attacks (actual events). For example, viruses represent a threat, while an actual episode of a virus getting through and causing damage would be an attack Concerning threats, 46 percent of the respondents indicated that cyber threats increased somewhat/significantly over the past two years, while 48 percent expect to see cyber threats somewhat/significantly increase over the next two years. Interestingly, a higher number of Europeans organizations reported increases in threats than in the United States (by about 8 to 12 percentage points). 6

7 Results were similar for actual cyber attacks. First, 88 percent of U.S. organizations experiences attacks in the past two years. Of those, fortytwo percent saw attacks on a regular basis and ten percent saw a large/extremely large number of cyber attacks. Furthermore, almost one third rated these attacks as being somewhat/highly effective. 7

8 Finally, in order to provide a context for how US organizations perceive cyber risk we provided a list of common business risks and asked the respondents to rank them. Cyber risk far out ranked all other risks, with 67 percent rating cyber attacks as the #1 or #2 risk they face as an organization. This is more than twice the perceived risk of traditional crime and more than four times the risk of terrorism. Clearly, U.S. enterprises perceive cyber risk to be an important and growing concern. 8

9 FINDING 2: LOSSES ARE MOUNTING In the United States, 97 percent reported tangible losses stemming from cyber attacks. The top reported loss areas were downtime, cyber fraud and theft of information such as: Credit card information Intellectual property Customer or employee personally identifiable information Other corporate data We also asked about the actual costs that flowed from these losses. The top reported costs were lost productivity, lost revenue and lost customers or damaged customer relationships. In general, the larger the organization, the more likely they were to report losses. 9

10 FINDING 3: MORE DIFFICULT TO PROVIDE IT SECURITY Exacerbating the problem of frequent cyber attacks and mounting losses is the fact that 49 percent of American organizations report that it is getting somewhat/significantly more difficult to provide security. The reasons reported as to why it is getting harder to provide IT security are: Increasing security threats Not enough staff Increasing regulatory demands Under budgeted Note that more European organizations report this difficultly than their U.S. counterparts (60 percent versus 49 percent). 10

11 FINDING 4: IT SECURITY STAFFING DIFFICULT Two-thirds of American organizations report that when it comes to IT security staffing they are somewhat/significantly understaffed. The most significant problems affecting staffing are: Finding applicants with IT security skills Availability of funds to hire Retaining employees Layoffs 11

12 When asked to identify the biggest problems in trying to obtain the highest productivity from their existing IT security staff, U.S. organizations indicated: Security becoming too complex, too many threats Difficulty retaining qualified security staff Audits distract the staff from security work Note that IT security staffing questions were answered virtually the same in the United States as in Europe. 12

13 FINDING 5: ORGANIZATIONS TURNING TO OUTSOURCING The study found IT is struggling with rising cyber attacks, mounting losses, increased difficulty providing security and multiple staffing woes. It is therefore not surprising that 61 percent of U.S. organizations are involved in some manner with outsourcing some or all of their IT security. The biggest reasons given for outsourcing are: To provide 24x7 coverage Access to security expertise Lower overall cost To mitigate security risks Note that European organizations turn to outsourcing more than their U.S. counterparts (77 percent versus 61 percent). What is your involvement with outsourcing some or all of your security efforts to a Managed Security Service Provider (MSSP)? Not considering 39% Using an IT Outsourcer who is not a true MSSP per se 10% Using an MSSP 16% Under evaluation 22% Will evaluate within the next 12 months 13% 13

14 APPENDIX A: SURVEY RESULTS 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21

22 22

23 23

24 24

25 25

26 26

27 What is your involvement with outsourcing some or all of your security efforts to a Managed Security Service Provider (MSSP)? Not considering 39% Using an IT Outsourcer who is not a true MSSP per se 10% Using an MSSP 16% Under evaluation 22% Will evaluate within the next 12 months 13% 27

28 28

29 29

30 30

31 31

32 32