Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin

Transcription

1 Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report

2 Part 1. Introduction Risk & Innovation in Cybersecurity Investments Ponemon Institute, April 2015 Ponemon Institute is pleased to present the results of Risk & Innovation in Cybersecurity Investments, an industry survey sponsored by Lockheed Martin. The purpose of this research is to understand how people, processes and the desire to be innovative affect cybersecurity technology investment decisions. We surveyed 618 U.S.-based information technology (IT) and security practitioners involved in determining investments in cybersecurity technologies. As shown in Figure 1, business objectives are most influential in deciding on a specific technology (73 percent of respondents) with security risk a close second (68 percent of respondents). Compliance with regulations is least influential. In the context of this research, we define security innovation as the use of enabling technologies and personnel in new ways to create a more secure and efficient organization and improve alignment between security initiatives and business goals. We asked respondents to rate their organizations level of security innovation. Only 32 percent of respondents felt their company is achieving a high level of innovation. Key findings Relying solely on Return on Investment (ROI) and Total Cost of Ownership (TCO) metrics can lead to poor investment decisions. Seventy percent of respondents believe ROI and TCO are important metrics for investment and measuring a technology s economic benefits. However, the same percentage say it is difficult to calculate an accurate ROI for a given security solution or technology. TCO is also difficult to determine, according to 61 percent of respondents. Incorporating other metrics into the decision process could result in smarter investments. Fifteen percent of respondents say their organizations do not use ROI or TCO at all. These organizations are most likely to look instead at improvements in the efficiency of security operations (56 percent of respondents) or reduction in downtime (50 percent of respondents) as ways to determine a technology s viability. Security investments are driven by cost. Sixty-four percent of respondents say cost and 56 percent of respondents say performance and vendor support are the most important factors when investing in security technologies. Features such as interoperability, proven risk reduction and lack of complexity are not considered as important (39 percent, 11 percent and 8 percent, respectively). Shelfware is every organization s problem. Ninety percent of respondents say their organization has invested in a security technology that was ultimately discontinued or scrapped before or soon after deployment. On average, 31 percent of security technologies purchased by organizations represented in this research over the past 24 months were never fully deployed Ponemon Institute Research Report Page 1

3 Part 2. Key findings In this section, we provide an analysis of the key findings. The complete audited findings are presented in the appendix of this report. We have organized the report according to the following topics? The use of ROI and TCO to determine cybersecurity investments When investments go wrong: the problem of shelfware How risk and innovation affects security investments The Use of ROI and TCO to Determine Cybersecurity Investments Organizations are making investment decisions based on inaccurate and unreliable numbers. As shown in Figure 2, 70 percent of respondents believe ROI and TCO are important metrics for investment and measuring a technology s economic benefits. Figure 2. The importance of ROI and TCO in making a technology investment 40% 35% 30% 25% 20% 15% 10% 5% 0% 19% 16% 25% 26% 19% 35% 15% 15% 15% 15% Essential Very important Important Not important We do not use ROI/TCO Importance of ROI Importance of TCO Ponemon Institute Research Report Page 2

4 However, according to Figure 3, 70 percent of respondents say it is very difficult (26 percent) or difficult (44 percent) to calculate an accurate ROI for a given security solution or technology. Similarly, it is difficult to calculate an accurate TCO, according to 61 percent of respondents. More than half of respondents say it is difficult to be precise when calculating ROI for each investment decision made (59 percent of respondents) and calculating a precise TCO (55 percent of respondents) for each investment decision made. Figure 3. How difficult is it to calculate a precise ROI and TCO for a security technology? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 44% 38% 26% 25% 23% 18% 11% 9% 3% 3% Very difficult Difficult Not difficult Easy Unsure Calculate a precise ROI Calculate a precise TCO What ROI reveals about technologies frequently purchased. According to respondents, the average threshold ROI necessary to achieve a favorable investment decision in a given security solution or technology is 13.7 percent. As shown in Figure 4, the security technologies with the highest ROI are identity & access management (31 percent ROI), SIEM and security technology (29 percent ROI) and encryption for data at rest and in motion (both 25 percent ROI). Figure 4. Security technologies with the highest ROI Identity & access management 31% SIEM and security intelligence 29% Encryption for data at rest 25% Encryption for data in motion 25% Anti-virus & anti-malware 25% 0% 5% 10% 15% 20% 25% 30% 35% Ponemon Institute Research Report Page 3

5 According to Figure 5, access governance systems (9 percent), IT & credentialing system (8 percent), automated policy generation (8 percent), traditional firewalls (7 percent), and perimeter or location surveillance (6 percent) are technologies with the lowest ROI. Figure 5. Security technologies with the lowest ROI Access governance systems 9% ID & credentialing system 8% Automated policy generation 8% Firewalls (traditional) 7% Perimeter or location surveillance 6% 0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% As a means of evaluating the success of specific investments, 54 percent of respondents say their organization reconciles the historic (original) ROI with actual ROI for most or some investments, according to Figure 6. Actual ROI tends to be lower than the historic ROI (46 percent of respondents) or actual and historic ROI tend to be very close (accurate), according to 34 percent of respondents. Forty-eight percent of respondents say their organization reconciles the historic (original) TCO with actual TCO for most or some investments. In contrast to ROI, actual TCO tends be higher than historic TCO, according to 44 percent of respondents. Thirty-six percent of respondents say actual and historic TCO tend to be close or accurate Figure 6. Do you reconcile actual ROI and TCO with historic ROI and TCO? 60% 50% 40% 36% 33% 42% 48% 30% 20% 18% 15% 10% 4% 4% 0% Yes, for most investments Yes, for some investments No Unsure Actual ROI is reconciled with historic ROI Actual TCO is reconciled with historic TCO Ponemon Institute Research Report Page 4

6 Inaccurate TCO and ROI metrics are used to reject technologies that could potentially be successful. Despite the difficulty in determining an accurate TCO, 56 percent of respondents say over the past 24 months one or more proposed investments in a particular solution or technology was rejected because of unfavorable TCOs, as shown in Figure 7. Over the past 24 months, one or more proposed investments was rejected because of unfavorable ROIs, according to 50 percent of respondents. Figure 7. Have proposed investments in a particular security or technology been rejected because of unfavorable ROIs or TCOs? 60% 56% 50% 40% 50% 45% 41% 30% 20% 10% 0% Yes No Unsure 5% 3% Unfavorable ROIs Unfavorable TCOs Other metrics could be useful in evaluating technology s economic viability. Fifteen percent of respondents say their organizations do not use ROI or TCO in their decision making. Figure 8 shows these organizations are most likely to use improvements in the efficiency of security operations (56 percent of respondents) or reduction in downtime (50 percent of respondents as ways to determine a technology s viability. Figure 8. Other metrics used to make investment decisions More than one response permitted Improvement in the efficiency of security operations 56% Reduction in system downtime Reduction in data breach costs 47% 50% Reduction in time to contain security incidents 38% Reduction is non-compliance costs including fines, penalties and lawsuits 23% Reduction in time to detect security incidents 12% Return on prevention 6% Other 2% None of the above 16% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 5

7 The Information Technology (IT) professional and IT security functions have similar influence over cybersecurity investments. As shown in Figure 9, those with the most influence in the purchase of security technologies are business unit leaders (59 percent), CIOs (53 percent) and the CISO (45 percent). However, the chief information officer (CIO) and chief information security officer (30 percent and 20 percent, respectively) hold the purse strings and are the final authority on how cybersecurity dollars should be spent. Figure 9. The main influencers and final authority on cybersecurity investment LOB or business unit leader Chief information officer Chief information security officer Chief technology officer Chief security officer Chief risk officer Chief compliance officer Chief financial officer CEO/COO 6% 2% 6% 2% 5% 1% 4% 4% 3% 3% 19% 20% 19% 19% 30% 45% 53% 59% 0% 10% 20% 30% 40% 50% 60% 70% Who influences what security technologies to purchase? Who is the final authority what security technologies to purchase? Ponemon Institute Research Report Page 6

8 When Investments Go Wrong: The Problem of Shelfware Security investments are driven by cost. As shown in Figure 10, 64 percent of respondents say cost and 56 percent of respondents say performance and vendor support are the most important factors when investing in security technologies. Surprisingly, important features such as interoperability, proven risk reduction and lack of complexity are not considered to be as influential (39 percent, 11 percent and 8 percent, respectively). Figure 10. Most important factors when investing in security technologies Four responses permitted Cost 64% Vendor support Performance 56% 56% Vendor reputation Efficiency Time to deploy Interoperability 45% 44% 40% 39% Scalability 28% Proven risk reduction 11% Redundancy Lack of complexity 8% 8% Other 1% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 7

9 Shelfware is every organization s problem. Ninety percent of respondents say their organization has invested in a security technology that was ultimately discontinued or scrapped before or soon after deployment. As shown in Figure 11, on average, 31 percent of security technologies purchased by organizations represented in this research over the past 24 months were never fully deployed. Figure 11. The percentage of security technologies purchased over the past 24 months but never fully deployed Extrapolated value = 31 percent 40% 35% 36% 30% 28% 25% 20% 21% 15% 12% 10% 5% 0% Less than 10% 10% to 25% 26% to 50% 51% to 75% 76% to 100% 3% According to Figure 12, the technologies most often shelved are data loss prevention (55 percent), identity & access management (51 percent), SIEM and security intelligence (49 percent), Web application firewalls (46 percent) and intrusion & detection management (44 percent). Figure 12. Security technologies most often shelved before or soon after deployment More than one response permitted Data loss prevention (DLP) Identity & access management SIEM and security intelligence Web application firewalls (WAF) Intrusion & detection management Configuration & log management Endpoint security solutions Access governance systems Mobile device management Automated policy generation 55% 51% 49% 46% 44% 40% 39% 36% 35% 35% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 8

10 According to Figure 13, technologies least often shelved are tokenization tools (10 percent), perimeter or location surveillance (9 percent), encryption for data at rest (8 percent) and traditional firewalls (5 percent), according to Figure 13. Figure 13. Security technologies least often shelved before or soon after deployment More than one response permitted ID & credentialing system Database scanning and monitoring URL or content filtering Encryption for data in motion Anti-virus & anti-malware Virtual private network (VPN) Tokenization tools 14% 14% 13% 12% 12% 11% 10% Perimeter or location surveillance 9% Encryption for data at rest 8% Firewalls (traditional) 5% 0% 2% 4% 6% 8% 10% 12% 14% 16% Ponemon Institute Research Report Page 9

11 Complexity and difficulty in operating was the main reason the security technologies were scrapped before or soon after deployment (77 percent of respondents). This is followed by a lack of in-house expertise to deploy and operate the technology (55 percent of respondents). It is interesting that the primary reasons for purchasing a particular technology are cost and performance, when complexity of a system is most to blame for creating shelfware. Thus, level of complexity should become a more important factor in the purchasing decision. Figure 14. Why security technologies are scrapped before or soon after deployment More than one response permitted The technology was overly complex and too difficult to operate 77% Lack of in-house expertise to deploy and operate the technology 55% The technology was too expensive to maintain 41% Lack of vendor support and service 27% The technology did not meet the needs of our cybersecurity strategy The technology diminished the performance of our systems The technology diminished the productivity of our employees 12% 10% 16% Other 2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Ponemon Institute Research Report Page 10

12 How did the shelfware experience change cybersecurity investments? Sixty-five percent of respondents say their organizations expanded the effort to evaluate vendors customer service and support. Organizations are also insisting on contracts (SLAs) that hold vendors accountable to their commitments (59 percent of respondents) and performance of additional risk assessments (47 percent of respondents). Figure 15. How did the shelfware experience change the organization s approach to purchasing cybersecurity technologies? Expanded the effort to evaluate vendors customer service and support Insisted on contracts (SLAs) that hold vendors accountable to their commitments 59% 65% Performed additional risk assessments 47% Conducted extensive testing of the technology prior to purchase Implemented pilot or "beta" tests before investing in the solution 25% 33% No change 8% Other 2% 0% 10% 20% 30% 40% 50% 60% 70% How Risk and Innovation Affects Security Investments Are organizations innovative in their use of security technologies? In the context of this research we define security innovation as the use of enabling technologies and personnel in new ways to create a more secure and efficient organization and improve alignment between security initiatives and business goals. Figure 16 reveals that almost half (49 percent) believe innovation is essential or very important to achieving a strong security posture. Figure 16. How important is innovation to achieving a strong security posture 40% 35% 34% 30% 25% 26% 20% 15% 15% 13% 12% 10% 5% 0% Essential Very important Important Not important Irrelevant Ponemon Institute Research Report Page 11

13 Only 32 percent of respondents say their organizations achieve a high level of innovation. Figure 17 shows how differently respondents define innovation. Seventy-five percent of respondents say the reason they believe their organizations are innovative is because they use existing technologies in ways that are more efficient and cost effective. Sixty-seven percent of respondents say they use these technologies to create a more secure and efficient organizations. Figure 17. What makes an organization innovative? More than one response permitted Uses existing technologies in ways that are more efficient and cost effective 75% Uses enabling technologies to create a more secure and efficient organization 67% Is not dependent upon any one vendor or solution to achieve a strong security posture 60% Uses technologies to improve alignment between security initiatives and business goals 55% Creative in using existing technologies to address new threats 46% Other 4% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute Research Report Page 12

14 Those who believe their organizations are not innovative, cite several reasons. More than half (56 percent) feel their organization is overly dependent upon vendors to make technology decisions, 53 percent of respondents believe their organizational culture inhibits innovation and 40 percent say they do not have the right in-house expertise, as shown in Figure 18. Only 34 percent say their level of investment in security innovation has changed over the past 24 months. Figure 18. What keeps an organization from being innovative? More than one response permitted Overly dependent upon vendors to make technology decisions 56% Organizational culture inhibits innovation 53% Lack of in-house expertise 40% Lack of resources 37% Belief that innovation increases security risk 28% Overly dependent upon what industry peers are doing 16% Other 2% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 13

15 Part 3. Conclusion In this study, we explore how organizations are making decisions that will have a significant impact on their ability to prevent and detect cyber threats. Our findings reveal how organizations can avoid the problem of shelfware and invest instead in technologies that will pay dividends by reducing cybersecurity risks. Reduce dependency on ROI and TCO to make investment decisions. Instead, consider such metrics as improvements in the efficiency of security operations, reduction in time to detect security incidents and return on prevention. Cost should not be the most important factor when investing in a security technology. Companies find themselves investing heavily in technologies that are never deployed because they are overly complex. Yet, only eight percent of respondents say their organizations consider a lack of complexity in the investment decision. Shelfware would become less pervasive a problem if companies prioritized level of complexity, interoperability and proven risk reduction in their decision making Innovation is important to a strong cybersecurity posture. The most innovative organizations have found ways to use existing technologies that are more efficient and cost effective and to create a more secure and efficient organization. We believe these recommendations can be easily incorporated into an organization s strategy to improve the allocation of resources and achieve a strong cybersecurity posture. Ponemon Institute Research Report Page 14

16 Part 4. Methods The sampling frame is composed of 17,228 IT management and IT security practitioners who are located in the United States. All respondents are familiar with and responsible for determining their organizations investments in cybersecurity technologies. As shown in Table 1, 17,228 respondents completed the survey. Screening removed 73 surveys. The final sample was 618 surveys (or a 3.6 percent response rate). All survey responses were captured February 18 to March 13, Table 1. Sample response Freq Total sampling frame 17, % Total returns % Rejected or screened surveys % Final sample % We calculated a margin of error for all statistical survey questions that yielded a proportional or percentage result. Most questions utilized the full sample size of n = 618 qualified respondents. Assuming a confidence level at the 95 percent level, the margin of error for survey questions ranted from ± 1.0 percent to ± 5.6 percent, with an overall average of ± 3.6. Pie Chart 1 reports the current position or organizational level of the respondents. More than half of respondents (57 percent) reported their current position as supervisory or above. Pie Chart 1. Current position or organizational level 4% 2% 1% 2% 3% 16% 34% 23% Senior Executive Vice President Director Manager Supervisor Technician Staff Consultant Contractor 15% Ponemon Institute Research Report Page 15

17 Pie Chart 2 identifies the primary role the respondent has within the organization. Fifty-six percent of respondents identified the chief information officer as the primary person they report to. Another 21 percent indicated they report to the chief information security officer. Pie Chart 2. Primary person you or your IT leader reports to within the organization 6% 3% 3% 2% 2% Chief Information Officer Chief Information Security Officer 7% Chief Risk Officer Data Center Management 56% Other Compliance Officer 21% Chief Financial Officer Chief Security Officer Pie Chart 3 reports the primary industry classification of respondents organizations. This chart identifies financial services (18 percent) as the largest segment, followed by federal government (17 percent), healthcare (15 percent) and hi tech (11 percent). Pie Chart 3. Primary industry focus 4% 8% 18% 8% 9% 10% 17% Financial services Federal government Healthcare Hi Tech Utilities Energy, oil & gas Pharmaceuticals Telecom All others 11% 15% Ponemon Institute Research Report Page 16

18 According to Pie Chart 4, more than half of the respondents (64 percent) are from organizations with a global headcount of more than 1,000 employees. Pie Chart 4. Worldwide headcount of the organization 8% 8% 17% 11% 9% 19% < to to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 28% Table 2 reveals that in addition to the United States, 70 percent of respondents indicated their organization has employees in Canada and sixty-nice percent responded Europe. Table 2. Where are your employees located? United States 100% Canada 70% Europe 69% Asia-Pacific 49% Latin America (including Mexico) 43% Middle East & Africa 39% Ponemon Institute Research Report Page 17

19 Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners in various organizations in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses. Ponemon Institute Research Report Page 18

20 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured February 18 to March 13, Survey response Freq Total sampling frame % Total returns % Rejected or screened surveys % Final sample % Part 1. Screening questions S1. How familiar are you with your organization s investments in cybersecurity technologies? Very familiar 33% Familiar 36% Somewhat familiar 31% No knowledge (Stop) 0% S2. Do you have any responsibility for determining investments in cyber security technologies? Yes, full responsibility 25% Yes, some responsibility 59% Yes, minimum responsibility 16% No responsibility (Stop) 0% Part 2. Attributions Q1a. My organization believes a strong cybersecurity posture is a competitive advantage. Strongly agree 12% Agree 18% Unsure 23% Disagree 25% Strongly disagree 22% Q1b. My organization s senior leadership understands the cybersecurity risks it faces. Strongly agree 15% Agree 19% Unsure 32% Disagree 22% Strongly disagree 12% Q1c. My organization is effective in using cybersecurity technologies to reduce the risk. Strongly agree 25% Agree 24% Unsure 25% Disagree 16% Strongly disagree 10% Ponemon Institute Research Report Page 19

21 Q1d. My organization is innovative in how it invests and deploys cybersecurity technologies Strongly agree 16% Agree 31% Unsure 25% Disagree 18% Strongly disagree 10% Q1e. My organization s senior leadership does not view investment in cybersecurity technologies as a strategic priority. Strongly agree 26% Agree 38% Unsure 16% Disagree 12% Strongly disagree 8% Q1f. My organization had made investments in security technologies that did not improve its cybersecurity posture. Strongly agree 29% Agree 29% Unsure 16% Disagree 16% Strongly disagree 10% Part 3. The measurement of security technology investment Q2a. How important is Return on Investment (ROI) in making a decision to invest in a given security solution or technology? Essential 19% Very important 25% Important 26% Not important 15% We do not use ROI to evaluate investments in security solutions or technologies [skip to Q3a] 15% Q2b. How difficult is it to calculate a precise (accurate) ROI for a given security solution or technology? Very difficult 26% Difficult 44% Not difficult 18% Easy 9% Unsure 3% Q2c Were you able to determine a precise ROI for each investment decision made? Yes 41% No 59% Ponemon Institute Research Report Page 20

22 Q2d. Over the past 24 months, were one or more proposed investments in a particular security solution or technology rejected because of unfavorable ROIs? Yes 50% No 45% Unsure 5% Q2e-1. Does your organization reconcile the historic (original) ROI with actual ROI for investments in security solutions or technologies? Yes, for most investments 18% Yes, for some investments 36% No 42% Unsure 4% Q2e-2. If yes, what best describes your organization s experience? Actual ROI tends to be lower than the historic ROI 46% Actual ROI tends to be higher than the historic ROI 15% Actual and historic ROI tend to be very close (accurate) 34% Unsure 5% Q2f. Approximately, what is the threshold ROI necessary to achieve a favorable investment decision in a given security solution or technology within your organization? Less than 5% 11% 5% to 10% 21% 11% to 15% 34% 16% to 20% 18% 21% to 25% 11% 26% to 30% 4% More than 30% 1% Q3a. How important is Total Cost of Ownership (TCO) in making a decision to invest in a given security solution or technology? Essential 16% Very important 19% Important 35% Not important 15% We do not use TCO to evaluate investments in security solutions or technologies [skip to Q4] 15% Q3b. How difficult is it to calculate a precise (accurate) TCO for a given security solution or technology? Very difficult 23% Difficult 38% Not difficult 25% Easy 11% Unsure 3% Ponemon Institute Research Report Page 21

23 Q3c. Were you able to determine a precise TCO for each investment decision made? Yes 45% No 55% Q3d. Over the past 24 months, were one or more proposed investments in a particular security solution or technology rejected because of unfavorable TCOs? Yes 56% No 41% Unsure 3% Q3e-1. Does your organization reconcile the historic (original) TCO with actual TCO for investments in security solutions or technologies? Yes, for most investments 15% Yes, for some investments 33% No 48% Unsure 4% Q3e-2. If yes, what best describes your organization s experience? Actual TCO tends to be lower than the historic TCO 15% Actual TCO tends to be higher than the historic TCO 44% Actual and historic TCO tend to be very close (accurate) 36% Unsure 5% Q4. If ROI or TCO is not used by your organization, what else is used to evaluate the economic viability of a particular security solution or technology? Please select all that apply. Improvement in the efficiency of security operations 56% Reduction in system downtime 50% Reduction in data breach costs 47% Reduction in time to contain security incidents 38% Reduction is non-compliance costs including fines, penalties and lawsuits 23% Reduction in time to detect security incidents 12% Return on prevention 6% Other (please specify) 2% None of the above 16% Ponemon Institute Research Report Page 22

24 Part 4. The security technology investment process Q5. What are the most important factors when investing in security technologies? Please select the top four. Cost 64% Performance 56% Vendor support 56% Vendor reputation 45% Efficiency 44% Time to deploy 40% Interoperability 39% Scalability 28% Proved risk reduction 11% Lack of complexity 8% Redundancy 8% Other (please specify) 1% Total 400% Q6. In your organization, who is the final authority on what security technologies to purchase? Chief information officer 30% Chief information security officer 20% Chief technology officer 19% LOB or business unit leader 19% Chief financial officer 4% CEO/COO 3% Chief security officer 2% Chief risk officer 2% Chief compliance officer 1% Other (please specify) 0% Q7. In your organization, who influences what security technologies to purchase? Please select the top two choices. LOB or business unit leader 59% Chief information officer 53% Chief information security officer 45% Chief technology officer 19% Chief security officer 6% Chief risk officer 6% Chief compliance officer 5% Chief financial officer 4% CEO/COO 3% Other (please specify) 0% Total 200% Q8. What best describes the investment process for security technologies? A structured approach that is applied consistently throughout the organization 31% A structured approach that is not applied consistently throughout the organization 18% An unstructured approach that applied consistently throughout the organization 4% An unstructured approach that is not applied consistently throughout the organization 28% An ad hoc approach 19% Ponemon Institute Research Report Page 23