2014 Security Pressures Report. Based on a survey COMMISSIONED by Trustwave

2014 Security Pressures Report Based on a survey COMMISSIONED by Trustwave

Table of Contents INTRODUCTION.... 1 METHODOLOGY.... 3 FINDINGS OVERALL PRESSURE.... 5 SECURITY THREATS.... 6 CYBERATTACK AND DATA BREACH WORRIES.... 7 EXTERNAL VS. INTERNAL THREATS.... 9 PRESSURE EXERTION.... 10 SPEED VS. SECURITY.... 11 TOP OPERATIONAL PRESSURES.... 12 EMERGING TECHNOLOGIES.... 13 BUDGET PRESSURES.... 15 FEATURES VS. RESOURCES.... 16 STAFFING LEVELS... 17 IN-HOUSE VS. MANAGED SERVICES... 18 2014 WISH LIST.... 20 CONCLUSIONS.... 21 TOC

INTRODUCTION The rate and sophistication of malware and data breaches continue to accelerate, a trend that is proving seemingly impossible for businesses to counter. The reasons why are obvious: cybercriminals are increasingly crafty, new attack vectors are emerging, budgets are tight, skills are at a premium, security policies are either incomplete or disregarded, and many security solutions are proving too complex to manage or too basic to be useful against a professional adversary. With customer and proprietary data piling up and not being properly protected, companies are facing an embarrassment of riches and attackers are more than happy to make them pay. But behind this ominous statistical picture of futility and doom, of depleted coffers and data exfiltration, are people living, breathing IT professionals who pride themselves on defending their employer s prized assets against the motivated grasp of the enemy. They are the men and women in the trenches, but as you ll learn in a comprehensive new report from Trustwave, they are feeling intense pressure. It s coming at them for all sides. In some cases, these pressures are forcing them to make decisions they don t necessarily want to make. That is because, more often than they would like, they are at the mercy of the business. The inaugural Security Pressures Report from Trustwave, which is based on a survey of more than 800 IT professionals, reveals the security threats most concerning to these practitioners. And it also uncovers the pressures these respondents have faced, are facing and expect to face in regard to confronting these threats. The report exposes from whom these professionals feel the most pressure when attempting to secure their organizations and how they predict pressures will shift in the future. 1

INTRODUCTION CONTINUED Here are some of the key findings from the 2014 Security Pressures Report: 54% of IT pros felt more pressure to secure their organizations in 2013 compared to the previous year, and 58% expect even more pressure in 2014. Targeted malware was the threat IT pros felt the most pressure to protect against with 64% noting increased pressure over the previous year. Customer data theft worries 58% of IT pros more than reputation damage, fines and legal action combined. External threats caused more pressure than internal security threats, but employee accidents caused more pressure than employee malfeasance. 50% of IT pros say their owners, boards of directors and C-level executives are applying the most pressure, while 13% say it s coming from themselves. Pressure from the top may not always have security in mind, with 4 out of 5 IT pros feeling pressured to roll out IT projects, despite concerns they were not security-ready. Advanced security threats, the adoption of emerging technologies and security product complexity are the top three operational pressures IT pros face. Emerging technologies that IT pros are most pressured to use include the cloud and mobile applications, despite feeling they both pose the greatest security risks. Budget-wise, new capital outlays are the most under pressure, with headcount the least. 65% of IT pros are pressured to use security products with all of the latest features, despite 1 out of 3 not having the resources to do so effectively. 85% of IT pros said a bigger IT security team would reduce security pressures and bolster job effectiveness. 3 out of 4 IT teams currently run security in-house, but 82% use, or are looking to use, managed security services in the future to help alleviate pressures. More budget, more security skills/expertise and more time to focus on security are the top three items on wish lists for IT pros in 2014. 2

METHODOLOGY Trustwave commissioned a third-party research firm to survey 833 full-time information technology (IT) professionals who are security decision makers within their organizations. The objective of the survey was to measure the variety of pressures they face regarding information security. Respondents consisted mainly of chief information officers (CIOs), chief information security officers (CISOs), IT/IT security directors and IT/IT security managers: 833 worldwide, which included 526 in the United States, 105 in the United Kingdom, 101 in Canada and 101 in Germany. The majority of respondents work for mid-sized and enterprise businesses, those with between 250 and 4,999 employees. 92% of respondents are between the ages of 25 and 54, with 49% between the ages of 35 and 44. The survey was deployed through emails sent between December 16, 2013 and January 20, 2014. Survey results have a sampling error of +/- 5%. Respondent demographics Location Worldwide 833 3 Occupation Architect 8% IT/IT Security Manager 34% United States United Kingdom Canada Germany 526 105 101 101 63% 13% 12% 12% 27% CIO/CISO 8% IT/IT Security VP 23% IT/IT Security Director

FINDINGS 4

OVERALL PRESSURE Overall security-related pressures increased from 2012 to 2013, and more pressure is expected in 2014. Compared to 2012, 54% of IT pros felt more pressure to secure their organizations in 2013. Compared to 2013, 58% of respondents expect to experience more pressure to secure their organizations in 2014. IT pros in the United States (62%) noted the largest increase in pressure in 2013, compared to those in Germany (33%) who felt the lowest. 65% of IT pros in the United States expect pressures to increase in 2014, while 20% in the U.K. expect them to decrease. 2013: Perceived Pressures (Compared to 2012) MOST PRESSURE Up Same Down 62% 47% 36% 33% 54% 26% 42% 42% 43% 32% 12% 12% 22% 24% 14% LEAST PRESSURE 2014: Expected Pressures Up Same Down MOST PRESSURE 65% 54% 40% 43% 58% 25% 35% 40% 42% 30% 10% 11% 20% 15% 12% LEAST PRESSURE 5

Security Threats Targeted malware topped the list of security threats exerting the most pressure on organizations in 2013, while threats from viruses and worms caused the lowest pressure. During 2013, respondents felt increased pressure to keep their organizations secure from (#1) targeted malware, (#2) data breaches, (#3) phishing/ social engineering and (#4) zero-day vulnerabilities, while pressure to protect from (#5) viruses and worms decreased. 64% of respondents said that pressures related to targeted malware/advanced persistent threats (APTs) increased. 62% said that the pressure to protect from data breaches also increased over the past year. In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure. Security Threats Result in Pressure 6 Increases Decreases 64% 62% 60% Targeted Malware & APTs Data Loss, Theft & Breaches Phishing & Social Engineering 36% 38% 40% Increased Pressures to Protect from Targeted Malware & APTs Data Loss, Theft & Breaches Phishing & Social Engineering Zero-Day Vulnerablities Viruses & Worms 53% Zero-Day Vulnerablities 47% 42% Viruses & Worms 58% 68% 63% 62% 48% 64% 67% 51% 42% 51% 62% 60% 58% 64% 60% 60% 59% 47% 45% 35% 53% 49% 36% 30% 34% 42%

Cyberattack AND DATA BREACH WORRIES Data loss worries IT pros more than reputation damage, fines and legal action, but 3 out of 4 think their organization is safe. 58% of respondents said that, following a cyberattack or data breach, customer data theft worries them the most, followed by intellectual property theft at 22%. 12% are worried most about reputation damage, 3% by fines or legal action and 5% of respondents do not believe their organization will fall victim to cyberattacks data breaches. In a separate question, 73% of respondents said they believe their organization is safe from IT security threats, including cyberattacks and data breaches. Top Cyberattack and Data Breach Worries 22% Intellectual Property Theft 7 Customer Data Theft 58% 5% 12% Reputation Damage 3% Won t Fall Victim Fines or Legal Action

Cyberattack AND DATA BREACH WORRIES CONTINUED Top Cyberattack and Data Breach Worries Customer Data Theft Intellectual Property Theft Reputation Damage Fines or Legal Action Respondents Who Don t Feel They Will Fall Victim 64% 55% 46% 43% 58% 20% 25% 21% 30% 22% 11% 10% 18% 12% 12% 2% 2% 5% 7% 3% 3% 8% 9% 8% 5% Respondents Who Feel Safe from IT Security Threats Yes No 72% 74% 82% 70% 73% 28% 26% 18% 30% 27% 8

EXTERNAL VS. INTERNAL THREATS External threats caused more pressure than internal security threats, but employee accidents caused more pressure than intentional employee malfeasance. 52% of respondents said protection from external threats, such as malicious hackers and data-stealing malware, caused the most pressure compared to 48% who named internal threats (either intentional or accidental). For internal threats, respondents said they were pressured more by employee accidents and non-malicious mishaps (28%) than by employee malfeasance and deliberate data leakage (20%). Top Security Threat Sources 28% Non-Malicious Internal Threats External Threats 52% 48% All Internal Threats 9 External Threats Non-Malicious Internal Threats Malicious Internal Threats 20% Malicious Internal Threats 50% 59% 57% 48% 52% 30% 19% 27% 26% 28% 20% 22% 16% 26% 20%

PRESSURE EXERTION Owners, boards of directors and C-level executives exert the most security pressure. 50% of respondents said they feel the most pressure from their organization s owners, board, or C-level executives when it comes to security. 30% said they feel the most pressure from their direct manager, 13% from themselves and 4% from their peers. Who Exerts the Most Pressure? 30% Direct Manager(s) Boards of Directors, Owner(s), C-Level Executive(s) Boards of Directors, Owner(s), C-Level Executive(s) Direct Manager(s) Self Peers No One 50% 13% Self 4% Peers No One 3% 49% 65% 54% 39% 50% 34% 17% 23% 31% 30% 12% 8% 10% 25% 13% 3% 7% 6% 2% 4% 2% 3% 7% 3% 3% 10

SPEED VS. SECURITY 4 out of 5 IT pros were pressured in 2013 to roll out IT projects despite security issues. 79% of respondents said they were pressured to unveil IT projects in 2013, despite concerns that the projects were not ready due to security issues. 63% said this happened once or twice in the year, and 16% said it happened frequently. Pressure to Roll Out IT Projects Despite Security Issues Yes, Frequently 16% 63% Yes, Once or Twice No 21% 79% Yes 11 Yes, Once or Twice Yes, Frequently No 65% 60% 62% 50% 63% 16% 16% 14% 23% 16% 19% 24% 24% 27% 21%

Top Operational Pressures Advanced security threats, adoption of emerging technologies and security product complexity are the top three operational pressures facing IT pros. When asked about the top three operational pressures they face related to their information security programs, respondents named advanced security threats (22%), adoption of emerging technologies (17%) and security product complexity (15%). Other pressures include: budget-related resource constraints (13%), people-related resource constraints (10%), lack of time (9%), requests from business line managers (7%) and shortage of security expertise (7%). Top Operational Pressures Facing IT Pros 1 Advanced Security Threats 2 Adoption of Emerging Technologies 3 Security Product Complexity 12 Advanced Security Threats Adoption of Emerging Technologies Security Product Complexity Budgetary Constraints Personnel Constraints Time Constraints Requests from Business-Line Managers Shortage of Expertise 21% 23% 21% 22% 22% 18% 18% 17% 15% 17% 14% 14% 13% 19% 15% 13% 16% 15% 9% 13% 10% 9% 12% 10% 10% 9% 7% 8% 10% 9% 7% 6% 8% 8% 7% 8% 7% 6% 7% 7%

EMERGING TECHNOLOGIES Emerging technology security gap: IT pros are pressured most to use cloud and mobile applications but also feel they pose the greatest security risk. When asked about the top three emerging technologies they feel the most pressure to use or to deploy, respondents named the cloud (25%), mobile applications (21%), big data (19%), bring-your-own-device (BYOD) (18%) and social media (17%). Respondents also ranked the emerging technologies they feel pose the greatest security risk to their organization, which included: mobile applications (22%), the cloud (22%), BYOD (21%), social media (20%) and big data (15%). Emerging Technology Security Gap 13 Cloud Mobile Applications Big Data Bring-Your-Own-Device (BYOD) Social Media Adoption/Use Pressure 25% Security Risk Perception 22% Adoption/Use Pressure 21% Security Risk Perception 22% Adoption/Use Pressure 19% Security Risk Perception 15% Adoption/Use Pressure 18% Security Risk Perception 21% Adoption/Use Pressure 17% Security Risk Perception 20%

EMERGING TECHNOLOGIES CONTINUED Emerging Technology: Adoption/Use Pressure Cloud Mobile Applications Big Data Bring-Your-Own-Device (BYOD) Social Media 25% 23% 25% 27% 25% 21% 22% 20% 18% 21% 19% 19% 16% 22% 19% 18% 18% 19% 18% 18% 17% 18% 20% 15% 17% Emerging Technology: Security Risk Perception Cloud Mobile Applications Big Data Bring-Your-Own-Device (BYOD) Social Media 21% 22% 22% 23% 22% 22% 21% 20% 20% 22% 16% 13% 16% 15% 15% 21% 23% 21% 21% 21% 20% 21% 21% 21% 20% 14

BUDGET PRESSUREs Budget-wise, new capital outlays are the most under pressure, with headcount the least. 42% of respondents said new capital outlays one-time, often larger hardware and software expenses are the part of their budget most under pressure, followed closely by monthly operational expenses (40%) and, at the lower end of the spectrum, headcount (18%). Budget Pressures 40% Monthly Operational Expenses New Capital Outlays 42% 18% Headcount 15 New Capital Outlays Monthly Operational Expenses Headcount 46% 22% 39% 41% 42% 38% 50% 40% 40% 40% 16% 28% 21% 19% 18%

FEATURES VS. RESOURCES IT pros are pressured to use security technology containing all of the latest features, despite 1 out of 3 not having the resources to do so effectively. 65% of respondents said they are pressured to select and purchase security technologies with all the latest features, despite the fact that 35% said they do not have the proper resources to effectively use all those features. Pressure to Select Latest Security Technologies 65% Lack the Proper Resources to Use These Technologies 35% Pressure to Select Latest Security Technologies Yes No 66% 62% 53% 70% 65% 34% 38% 47% 30% 35% Lack the Proper Resources to Use These Technologies No Yes 68% 51% 62% 70% 65% 32% 49% 38% 30% 35% 16

STAFFING LEVELS 85% of IT pros said a bigger IT security team would reduce security pressures and bolster job effectiveness. 49% suggest doubling the size of their team, 35% suggest quadrupling (or more than quadrupling) the size of their current team, while 16% of respondents indicated the current size of their team is ideal. Compared to other countries, respondents in the United States were the most likely to believe an increase in the size of their team would reduce pressures. Out of the countries surveyed, IT pros in the U.K. were the most satisfied (26% of U.K. respondents) with their current level of staffing. Ideal Staffing Sizes 7% More than 4x Current Size 2x Current Size 49% 16% Current Size 17 Current Size 2x Current Size 4x Current Size More than 4x Current Size 28% 4x Current Size 11% 18% 26% 25% 16% 46% 66% 46% 51% 49% 33% 14% 24% 21% 28% 10% 2% 4% 3% 7%

IN-HOUSE VS. Managed SERVICES 3 out of 4 IT teams manage security in-house, but 82% use or will look to use managed security services in the future. 74% of respondents noted their in-house IT staff/security team is responsible for installing and maintaining their security solutions. 22% said they use a combination of in-house IT staff and a third-party managed security services provider (MSSP), and 3% use managed security services for all their security. Meanwhile, 82% of IT pros already partner or are likely to partner with a managed security services provider to relieve some IT security pressures. Specifically, 46% said they plan to use managed security services in the future, 36% already do and 18% are not likely to use managed security services. Current IT Responsibilities 22% Combination of MSSP & In-House In-House 74% 3% MSSP 1% Other 18 Plans to Partner with Managed Security Services Provider Yes Plan to do in the future 82% 46% 36% 18% We already do Not likely

IN-HOUSE VS. Managed SERVICES CONTINUED Current IT Responsibilities In-House Combination of MSSP & In-House MSSP Other 78% 67% 68% 67% 74% 19% 28% 30% 25% 22% 3% 3% 2% 4% 3% 0% 2% 0% 4% 1% Plans to Partner with Managed Security Services Provider Plan to in the Future We Already Do Not Likely 44% 47% 49% 51% 46% 41% 28% 23% 30% 36% 15% 25% 28% 19% 18% 19

2014 WISH LIST More budget, more security skills/expertise and more time to focus on security are the top three items on IT pro wish lists for 2014. When asked about the top three items on their wish lists for 2014, respondents named more budget (21%), more security skills/expertise (20%), more time to focus on security (19%), less complex security technologies/products (12%), a service provider to help manage their security program (10%), fewer requests from business line managers (10%) and more staff (8%). IT Professional s Wish List for 2014 21% MORE Budget 20% More IT Security Skills 20 More Budget More IT Security Skills More Time to Focus on Security Less Complex Technologies Service Provider to Help Manage Security Program Fewer Requests from Business Line Managers More Staff 19% More time 21% 24% 18% 24% 21% 19% 21% 23% 19% 20% 18% 16% 20% 20% 19% 11% 12% 14% 14% 12% 12% 8% 9% 7% 10% 11% 9% 9% 9% 10% 8% 10% 7% 7% 8%

CONCLUSION We opened this report by enumerating the reasons why IT professionals are facing so much security pressure to fight cybercrime, protect data and reduce security risks. What makes alleviating these pressures so difficult is that these conditions are unlikely to change. Attackers target businesses of all sizes and across all industries. There is a growing pool of attack vectors from which to choose, including what we now consider a basic business tool: the web, as well as emerging technologies like mobile devices and applications, social media and the cloud. Businesses also have huge amounts of information moving through their networks and applications and being stored on their databases, meaning there is more data to protect than ever before. Threats are growing more hostile and have long outpaced traditional security technologies like anti-virus and firewalls. Budgets are also tight, and building and retaining a skilled security team can be challenging. Many believe there is a major workplace shortage in the IT industry. As a result, our recommendations are less about making these strains disappear and more about offering advice on how to lighten the load and transfer some of the stress. Below are 10 ways that IT professionals can help alleviate the security pressures they face on a daily basis. 21 1. Accept that mounting pressures, including attention from the board and other forms of internal scrutiny, are increasing. Pressures were up in 2013 and are expected to climb even more in 2014. Massive data breach and malware headlines are likely to increase the attention that bosses give to information security and compliance. Rather than run their information security programs tactically, IT pros should run their programs as a strategic business initiative and regularly elevate to executives the steps they re taking to protect customer data, intellectual property and the brand as a whole. 2. Malware is everywhere. Make anti-malware protection a top priority. Attackers often use compromised websites, or links to these sites in emails, as the point of entry to serve malware onto a business s network. A recent Osterman Research survey of security professionals, sponsored by Trustwave, showed that malware has infiltrated 74% of organizations through the web during the past year. In the Security Pressures Report, 64% of IT practitioners named targeted malware as their top concern. To defend against malware, businesses should deploy security gateways specifically designed to protect the business in real-time from threats like malware, zero-day vulnerabilities and data loss.

CONCLUSION 3. Augment in-house security expertise. Since security has become a more timeconsuming, skills-specific and daunting task for many in-house IT teams, more businesses are augmenting their staff by partnering with an outside team of security experts that help ensure more effective security tools are installed and running properly to prevent a data compromise. 85% of IT pros surveyed said they needed a bigger IT security team to reduce the pressures and to bolster the effectiveness of their teams, and 82% said they already partner with or plan to partner with a managed security services provider to maintain a higher state of security. This can allow IT pros to focus on their primary jobs of IT projects that enable the business and generate revenue for their employers. 4. Perform business-wide security risk assessments and ongoing penetration testing. With 4 out of 5 IT pros pressured to roll out IT projects despite concerns they weren t security-ready, regular security risk assessments and penetration testing are critical. Risk assessments can help businesses identify where they store sensitive data and if that data is vulnerable to an attack. Frequent penetration testing, where ethical hackers attempt to break in to business systems, can help businesses identify and eliminate vulnerabilities that become the intrusion points of almost any breach. 5. Prioritize security awareness education. Businesses should regularly provide security awareness training to all employees, including contractors and temporary workers. Executives and business leaders are also prime targets, so training should be required for anyone who has access to private information. End-users often are considered the weakest link when it comes to security. Training them on security best practices can reduce the risk of data loss and lessen the burden on already-stressed IT security teams. 6. Web apps are a top target. Automate their protection. Web applications are a high-value target for attackers because they are easily accessible over the internet. The 2013 Trustwave Global Security Report identified web applications as the most popular attack vector, with e-commerce sites being the most targeted asset. Web applications often act as a business s digital front door and are often connected to systems that contain sensitive data. Organizations need to adopt automated protection that includes the ability to detect application vulnerabilities and prevent web application threats. 22

CONCLUSION 7. Stop buying security technologies for their flashy features, especially if IT doesn t have the resources to use them. This report concluded that 65% of IT pros are pressured to use security products that contain all of the latest features, despite a third of them not having the resources to do so effectively. Many also named security technology complexity as a key operational concern. The security industry is known for proclaiming next-generation security technologies are the best at protecting data, but if IT pros don t have the expertise or staff to perform policy adjustments, fine-tuning and device management, they might be throwing away their money and contributing to a false sense of security. 8. Hope for the best, but prepare for the worst. Adequate preparation can help alleviate pressures related to a data breach. Businesses should implement an incident readiness and response plan that includes advanced detection techniques, containment strategies and response scenarios. These elements will help them see, stop and respond to an attack. Incident response plans can drastically reduce the impact of a breach on a business so that it can quickly resume normal operations. 9. Get your spending in order. Budget-wise, 42% of IT pros said new capital outlays those one-time, often larger hardware and software expenses are the part of their budget most under pressure. In addition, increased budget, time and security skills are the top three items on their wish lists for 2014. Consider focusing less on the larger, one-time solution purchases and instead examine the value of an overall service that offers combined technology and managerial expertise. 10. Don t let third-party vendors introduce unnecessary security risk. When partnering with third-party IT providers (or any vendors that have access to IT systems), businesses should require these companies have detailed and locked-down security policies, perform ongoing and regular penetration testing, demonstrate appropriate remote access controls, ensure software and hardware is consistently patched and isolate data from other customers. Need more help alleviating the pressures related to information security? Visit www.trustwave.com and contact an advisor today. 23

Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than two million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information, visit https://www.trustwave.com. 2014 Trustwave Holdings, Inc.