Research Report Abstract: Security Management and Operations: Changes on the Horizon
By Jon Oltsik, Senior Principal Analyst
With Kristine Kao and Jennifer Gahm
July 2012
© 2012, The Enterprise Strategy Group, Inc. All Rights Reserved.

Introduction

Research Objectives

In order to assess the state of information security management and operations in 2012 and beyond, ESG surveyed 315 security professionals working at enterprise-class (1,000 employees or more) organizations in North America. All respondents were personally responsible for or familiar with their organizations' 2011 information security strategies as well as their 2012 IT security budget and spending plans at either an organizational or business unit/division/branch level.

To assess current and future information security management and operations strategies, survey respondents were asked to respond to questions in areas such as:

- The role of information security within the organization. How is the CISO (or similar role) perceived within the organization? Is information security considered an integral part of the corporate culture? Is information security well aligned with business processes? Is the executive management team actively engaged in information security issues? If so, how? Does the executive management team have the right level of information security knowledge and skills?

- Information security organization and skills. What are the primary responsibilities of the information security team? Which tasks are shared between information security and other IT groups? Are organizations suffering from information security skills shortages? If so, in what areas? How are organizations consuming third-party security services today? Is the use of third-party security services increasing? Which security services are most popular?

- Security management and operations landscape. Is information security driven solely by regulatory compliance or are there other motivating factors? Is security management becoming progressively more difficult? What is the impact of new technology initiatives like server virtualization, cloud computing, and mobile device support on security management and operations? What are the security management and operations priorities for 2012 and beyond?

- Risk management. What types of policies and technical controls are in place to address IT risk? Are these policies and technical controls mandatory or discretionary? How effective are risk management programs? Are there particular areas of weakness? Do organizations have real-time visibility into IT risk as business conditions change?

- Incident detection and response. How do organizations detect security attacks? Do they have the right level of visibility to do so effectively? If not, are there particular areas where visibility is lacking? When the organization does detect a security incident, how efficient is its response?

- Security technologies. Which security technologies are most effective at performing the tasks they were designed for? In particular, how effective are security information and event management (SIEM) platforms?

Survey participants represented a wide range of industries including manufacturing, financial services, communications and media, retail, government, and business services. For more details, please see the Research Methodology and Respondent Demographics sections of this report.
Research Methodology

To gather data for this report, ESG conducted a comprehensive online survey of IT managers from private- and public-sector organizations in North America between March 15, 2012 and March 26, 2012. To qualify for this survey, respondents were required to be directly involved in the planning, implementation, and/or operations of their organization's information security policies, processes, or technical safeguards. All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left with a final total sample of 315 IT managers. Please see the Respondent Demographics section of this report for more information on these respondents.

Note: Totals in figures and tables throughout this report may not add up to 100% due to rounding.
Respondent Demographics

The data presented in this report is based on a survey of 315 qualified respondents. The figures below detail the demographics of the respondent base, including individual respondents' role in purchasing decisions and current job responsibility, as well as respondent organizations' total number of employees, primary industry, and annual revenue.

Respondents by Role in Purchasing Decisions

Respondents' current role in security management purchasing decisions is shown in Figure 1.

Figure 1. Survey Respondents, by Role in Security Management Purchasing Decisions
To what degree are you responsible for making purchase decisions related to information security management and operations technology products and services? (Percent of respondents, N=315)
- I make/approve purchase decisions: 64%
- I influence purchase decisions: 36%
Source: Enterprise Strategy Group, 2012.

Respondents by Current Responsibility

Respondents' current responsibility within their organizations is shown in Figure 2.

Figure 2. Survey Respondents, by Current Responsibility
Which of the following best describes your current responsibility within your organization? (Percent of respondents, N=315)
- Senior IT management (e.g., CIO, VP of IT, Director of IT, etc.): 43%
- IT management: 34%
- IT staff: 9%
- Non-IT business manager: 9%
- Other: 4%
Source: Enterprise Strategy Group, 2012.

Respondents by Number of Employees

The number of employees in respondents' organizations is shown in Figure 3. Only organizations with 1,000 or more employees qualified for this survey.

Figure 3. Survey Respondents, by Number of Employees
How many total employees does your organization have worldwide? (Percent of respondents, N=315)
- 1,000 to 2,499: 13%
- 2,500 to 4,999: 19%
- 5,000 to 9,999: 14%
- 10,000 to 19,999: 22%
- 20,000 or more: 33%
Source: Enterprise Strategy Group, 2012.

Respondents by Industry

Respondents were asked to identify their organization's primary industry. In total, ESG received completed, qualified responses from individuals in 20 distinct vertical industries, plus an Other category. Respondents were then grouped into the broader categories shown in Figure 4.

Figure 4. Survey Respondents, by Industry
What is your organization's primary industry? (Percent of respondents, N=315)
- Manufacturing: 24%
- Financial (banking, securities, insurance): 21%
- Government (Federal/National, State/Province/Local): 15%
- Health Care: 10%
- Business Services (accounting, consulting, legal, etc.): 7%
- Retail/Wholesale: 4%
- Communications & Media: 3%
- Other: 14%
Source: Enterprise Strategy Group, 2012.

Respondents by Annual Revenue

Respondent organizations' annual revenue is shown in Figure 5.

Figure 5. Survey Respondents, by Annual Revenue
What is your organization's total annual revenue ($US)? (Percent of respondents, N=315)
- Less than $100 million: 3%
- $100 million to $499 million: 11%
- $500 million to $999 million: 12%
- $1 billion to $4.999 billion: 19%
- $5 billion to $9.999 billion: 12%
- $10 billion to $19.999 billion: 13%
- $20 billion or more: 23%
- Not applicable (e.g., public sector, nonprofit): 8%
Source: Enterprise Strategy Group, 2012.
Contents

List of Figures ... 3
List of Tables ... 4
Executive Summary ... 5
  Report Conclusions ... 5
Introduction ... 8
  Research Objectives ... 8
Research Findings ... 10
  The ESG Security Management and Operations Segmentation Model ... 10
  The State of Security Management and Operations ... 13
  The Evolving Security Organization ... 19
  Security Organization Responsibilities ... 22
  Security Services Trends ... 24
  Risk Management Strategies ... 27
  Security Controls Effectiveness and Testing ... 30
  Situational Awareness ... 34
  Assessing the State of Security Information and Event Management (SIEM) ... 38
  Changing Attitudes Toward Security Management ... 40
Conclusions ... 45
  Research Implications for Technology Vendors ... 45
  Research Implications for IT Professionals ... 47
Research Methodology ... 51
Respondent Demographics ... 52
  Respondents by Role in Purchasing Decisions ... 52
  Respondents by Current Responsibility ... 52
  Respondents by Number of Employees ... 53
  Respondents by Industry ... 53
  Respondents by Annual Revenue ... 54

List of Figures

Figure 1. ESG Security Management and Operations Segmentation Model Criteria ... 11
Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model ... 11
Figure 3. Most Important Factors Driving Organization's Information Security Strategy in 2012 ... 13
Figure 4. Influence of Regulatory Compliance on Organization's Information Security Strategy and Investment Decisions ... 14
Figure 5. How Security is Viewed at Organizations ... 16
Figure 6. Perception of CISO within Organization ... 16
Figure 7. Level of Engagement of Executive Management Team ... 17
Figure 8. Characterization of Executive Management Team ... 17
Figure 9. Organizations Increasing Security Headcount ... 19
Figure 10. Organizations Increasing Security Headcount, by the ESG Security Management and Operations Segmentation Model ... 19
Figure 11. Areas of Information Security with a Shortage of Existing Skills ... 20
Figure 12. Current State of Information Security Professional Recruitment/Hiring ... 21
Figure 13. Information Security Organization's Level of Responsibility ... 22
Figure 14. Groups Security Team Works With Most Closely ... 23
Figure 15. Planned Use of Third-party Professional/Managed Services in 2012 ... 24
Figure 16. How Use of Third-party Professional/Managed Services has Changed ... 24
Figure 17. Reasons for Increasing Use of Third-party Security Services ... 25
Figure 18. Areas of Third-party Security Services Used ... 26
Figure 19. Formal IT Risk Management Programs in Place ... 27
Figure 20. How Formal IT Risk Management Program is Implemented ... 28
Figure 21. Organization's Rating on Standard Security Best Practices ... 29
Figure 22. Frequency of Security Controls Effectiveness Testing ... 30
Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls ... 31
Figure 24. Metrics Used to Gauge Effectiveness of Security Management ... 32
Figure 25. Security Technology that Most Effectively Performs Task for Which it Was Designed ... 33
Figure 26. Organization's Ability to Detect Suspicious Activity or an Attack ... 34
Figure 27. Level of Visibility of Security Status ... 35
Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model ... 35
Figure 29. Biggest Inhibitors to Having Real-time Security Visibility ... 36
Figure 30. Weakest Aspects of Incident Response ... 37
Figure 31. SIEM Deployment ... 38
Figure 32. Effectiveness of SIEM ... 39
Figure 33. How Security Management has Changed Over Past 24 Months ... 40
Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations ... 41
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks ... 42
Figure 36. Automated Actions Currently Executed ... 42
Figure 37. How Security Technology Strategy Decisions Will Change ... 43
Figure 38. Biggest Security Management Challenges ... 44
Figure 39. Survey Respondents, by Role in Security Management Purchasing Decisions ... 52
Figure 40. Survey Respondents, by Current Responsibility ... 52
Figure 41. Survey Respondents, by Number of Employees ... 53
Figure 42. Survey Respondents, by Industry ... 53
Figure 43. Survey Respondents, by Annual Revenue ... 54
List of Tables

Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model ... 15
Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model ... 18
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model ... 29

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

20 Asylum Street, Milford, MA 01757
Tel: 508.482.0188
Fax: 508.482.0128
www.enterprisestrategygroup.com