State of Information Security

Transcription

1 State of Information Security Second Annual Assessment Study 2013 Table of Contents: Synopsis and Methodology _ page 2 A Snapshot of Participants _ page 2 Survey Findings _ page 5 Final Thoughts _ page 10 About Secure Digital Solutions page 11 Conducted by Secure Digital Solutions

2 page 2 Synopsis We at Secure Digital Solutions, a professional services organization with headquarters in Minneapolis, are pleased to release our latest poll of a few dozen information security leaders, ascertaining how they see the state of regulatory compliance, program maturity, and investment plans. Our key findings: Most of our respondents, drawn most heavily from the healthcare and financial services sectors, characterize their information security programs as at least proactive and quantifiable, with no significant differences between small and large firms. Vendor risk assurance, regular monitoring and assessment, and timely remediation remain the most notable challenges. Organizations have been slow to implement mobile device management solutions, but that area is a top priority for this year. Virtually all organizations surveyed plan to increase or at least maintain at current levels spending on information security, privacy, and compliance this year. A Snapshot of Participants Job titles Survey respondents work in information security for their respective organizations and reported the following most common job titles: Chief Compliance Officer IT Auditor Chief Technology Officer Manager of Information Security Chief Information Officer Director of Privacy Director of Risk Manangement Chief Information Security Officer Director of Compliance Director of Information Security Security Architect (or Analyst) Risk Analyst VP / Director of IT The two most common, Manager of Information Security and Chief Information Security Officer, accounted for 40 percent of all respondents.

3 page 3 Organization size The largest share of those surveyed work in large organizations: Near half work in firms with more than 5,000 employees, where three-fourths of this group reported working in very large organizations with over 10,000 employees. Almost one-fourth work in mid-size organizations defined as having 1,001-5,000 employees. 30 percent work in small firms with 1,000 or fewer employees. Number of employees ,000 10, % 7% 7% 16% 11% 36% Business sectors The largest share of respondents to our survey, near 60 percent, work in healthcare or financial services: Healthcare Financial Services Software and Technology Industry Energy Government Manufacturing Education Other 0% 5% 10% 15% 20% 25% 30% 35%

4 page 4 Organizational structure Over half of the information security offices in the organizations represented in our survey most commonly report directly to the Chief Information Officer. Much smaller shares indicated the information security function reports to the General Counsel (12 percent) and Chief Executive Officer (10 percent). To whom does the Information Security Office report? Regulatory environment Surveyed organizations operate under a diversity of regulatory compliance standards and data security and privacy-related laws, the most commonly applicable: Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA-HITECH), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX). This reflects the predominance of respondents from the Healthcare and Financial Services Industries. HIPAA-HITECH PCI DSS SOX GLBA E.U. Safe Harbor FDA CFR 21 Part 11 FCRA PIPEDA FISMA COPPA FedRAMP South American Privacy None 0% 10% 20% 30% 40% 50% 60% 70% Percent of Organizations

5 page 5 Survey Findings Data Security and Privacy Controls More than eight in ten respondents indicated their organizations have established a control framework to address data security and privacy controls supporting regulatory requirements. 70 % ISO27001:2005 Industry standard NIST-800 & PCI DSS 40 % frameworks Of these, the largest single group by far 70 percent reported using the ISO27001:2005 industry standard to align information security, privacy, and related regulatory control objectives. Also, over 40 percent cited their organizations use of the NIST v3 and PCI DSS frameworks. Survey Findings Maturity of Information Security Programs Most of the participants in our survey rated their information security programs fairly high for maturity. Indeed, over 60 percent judged their programs to be at least proactive and quantifiable (that is, at least a 3 on a scale of 1 to 5 ), when evaluated against seven key components of an information security program % of participants Proactive and Quantifiable Among those seven components, respondents (almost 40 percent) reported vendor 5 Continued on next page

6 page 6 risk assurance requires the greatest improvement reporting either taking no action or merely adopting a reactive approach in that area: Where Information Security Programs Fall Short Vendor Risk Assurance 39 Regular Monitoring & Assessment 29 Timely Remediation within 90 days of gap finding 29 Technical Control Adoption and Implementation 24 Understanding of Regulatory and Data Security Requirements 23 Policy & Procedures 12 Expertise within Data Security & Compliance Program 10 Percent of respondents reporting immature aspects of programs Comparing the results of this year s survey with the one conducted in 2012, we assess that two issues - regular monitoring and assessment and timely remediation remain the most intractable problems faced by our respondents. There has been no change in reported maturity of information security programs for those two areas since 2012, with roughly 30 percent of respondents still rating their programs immature for both areas. On the other hand, we have seen very significant improvements in the perceived maturity of companies understanding of regulatory and data security requirements, policies and procedures, and expertise within the data security and compliance programs in the past year. Unlike in the 2012 survey when small firms reported their information security programs as less developed than those of larger firms this year we see no significant differences between small and large firms with the reported maturity of their information security programs.

7 page 7 Of all areas of firms information security programs, the most established area versus new:. Respondents say policies and procedures have been in place longest (more than five years), whereas Programs dealing with vendor risk assurance and regular monitoring and assessment are newest (fewer than three years old) Generally speaking, the newer aspects of a firm s information security program also are updated most frequently. Program age and frequency of updates How long in place (months) How often updated (months) Policy & Procedures Understanding of Regulatory & Data Security Requirements Expertise within Data Security & Compliance Program 44 9 Timely Remediation within 90 days of gap finding 44 8 Technical Control Adoption & Implementation 42 9 Regular Monitoring & Assessment 34 7 Vendor Risk Assurance 31 8 The measurement and reporting of cyber risks to management needs improvement, and fewer than half of organizations even have cyber risk or data breach insurance. Roughly 40 percent of respondents say cyber risks are not measured in a standardized fashion. A similar number say cyber risks are measured, but not formally communicated to management. Only one-third of respondents say that cyber risks are measured and reported to management. Although companies remain concerned about risks posed by the practice of employees accessing corporate data with personal devices, most companies have been slow to introduce mobile device management solutions to mitigate those risks. Continued on next page

8 page 8 Our survey shows that two-thirds of respondents organizations allow their employees to access company networks using personal devices. Only half of the organizations in our survey, however, have fully developed mobile device management solutions. Policies governing cloud computing are even less defined. Companies without a cloud computing policy outnumber those with a policy by a two-to-one ratio. Survey Findings Investment and Remediation Our survey also examined spending plans on information security, privacy, and related compliance activities for the next twelve months. As with last year s survey, the overwhelming number of respondents are optimistic about spending over the next twelve months on information security, privacy, and related compliance activities, with most organizations 50% Increase planning to increase or at least maintain current spending. 5% Decrease Survey respondents revealed the following additional details about their organizations current budgets: 45% No change Three-fourths spend between 1 and 7 Percent of respondents percent of their respective IT budgets on security and compliance. Almost one in ten, however, spend more than 20 percent. For most (six in ten), less than half of that security and compliance spending is directed to non-hardware and non-software consulting. Continued on next page

9 page 9 More than 45 percent of respondents identified mobile device management among their top priorities for On the other end of the spectrum, none pointed to Safe Harbor, FISMA, or FEDRamp compliance. The following chart shows a breakdown of what respondents identified as their top three priorities: Mobile Device Management IT Governance, Risk & Compliance (IT GRC) Data Loss Prevention (DLP) Cloud Information Security Management Indentity & Access Management Solutions Application Penetration Testing Application Code Review (as part of the SDLC) HIPAA-HITECH Readiness PCI DSS Remediation ISO Readiness Database Encryption Firewall Upgrade Privacy Impact Assessment HITRUST Safe Harbor compliance FISMA Compliance FEDRamp Compliance 0% 10% 20% 30% 40% 50% Percent of Organizations

10 page 10 Final Thoughts The trends discovered in this year s study are telling on how the market demands have shifted in the past 12 months. It appears that no matter the size of an organization, the maturity of the information security program tends to be a challenge for both large and small firms. The conclusion we can draw is small firms have been catching up to reach a fairly similar level of overall infosec program maturity to that of large firms. We believe Mobile Device Management (MDM) and Mobile Application Management (MAM) will continue to be a top three priority in 2014 as companies continually adapt to the changing landscape for mobile applications and device management while pursuing Bring Your Own Device (BYOD) initiatives. IT GRC has become the number two priority for organizations in our study. With an IT GRC program, organizations can realize a centralized method for gathering important risk data from tools such as SIEM s and vulnerability and threat management, conducting vendor risk assessments and most importantly reporting to management the findings and overall risk posture the organization is currently facing. Cyber Risks tend to see another area requiring significant improvement. From our fieldwork, we tend to see organizations with a higher maturity level formalize their application security processes, threat and vulnerability management programs and tendencies to have a more established risk management programs. Seeing that 50% of organizations plan to increase spending on information security and IT compliance provides a clear indication organizations understand the need to continually improve their visibility to risk and manage the IT infrastructure supporting access to critical data. Data, and visible metrics through practices such as a risk dashboard, is critical to support an organization s decisions and becomes the key to nearly every organization s success.

11 page 11 About Secure Digital Solutions Founded in 2005 with headquarters in Minneapolis, MN Secure Digital Solutions is a vendor-independent professional services firm specializing in information security, IT compliance and privacy related services. Our services focus on solving a business objective while delivering leadership to each client engagement. Our team of professionals each has a minimum of ten years experience and hold industry recognized certifications in their selected discipline. A snapshot of our services: Information Security Program Development Information Security Leadership Advisory Adjunct CISO Strategic Planning Infosec resource and financial planning Regulatory Compliance Reviews HIPAA-HITECH GLBA PCI DSS FISMA (NIST ) Privacy compliance Penetration Testing Mobile Web application Network Wireless Application Security Secure SDLC Code Reviews