Italy

EY's Global Information Security Survey 2013

This year's survey, our 16th edition, captures the responses of 1,909 C-suite and senior-level IT and information security executives, representing most of the world's largest and most-recognized global companies. Responses to the survey were received from 64 countries and from almost every industry sector, and include some of the world's leading information security authorities. The insights and perspectives of all these participants have been invaluable.

Contents

Survey results
   Security budget and investments
   Security governance
   The effectiveness of information security
   Maturity of information security programs
   Information security environment
   Emerging technologies and trends
Survey results

Security budget and investments
1. What is your organization's total spend on information security (approximately, in US$, including people, process and technology costs)? Choose one.

   Less than $500,000: 43%
   Between $500,000 and $2 million: 23%
   Between $2 million and $10 million: 20%
   Between $10 million and $50 million
   Between $50 million and $100 million: 2%
   More than $100 million: 2%

   Due to rounding, data may not total 100%.
2. Which of the following describes the change in your organization's total information security budget over the last 12 months? Choose one.

   Increased by more than 2
   Increased between 1 and 2: 7%
   Increased between and 1: 23%
   Stayed approximately the same (between + and -): 5
   Decreased between and 1
   Decreased between 1 and 2
   Decreased by more than 2: 0%
3. Which of the following describes the change in your organization's total information security budget in the coming 12 months? Choose one.

   Will increase by more than 2
   Will increase between 1 and 2: 1
   Will increase between and 1: 13%
   Will stay approximately the same (between + and -): 54%
   Will decrease between and 1: 3%
   Will decrease between 1 and 2: 0%
   Will decrease by more than 2: 2%
4. Which of the following information security areas are defined as top priorities over the coming 12 months? (Please mark five items, showing your top priority with a 1 to your fifth priority with a 5.)

   Business continuity/disaster recovery
   Compliance monitoring
   Cyber risks/cyber threats
   Data leakage/data loss prevention
   Forensics/fraud support
   Identity and access management
   Implementing security standards (e.g., ISO/IEC 27002:2005)
   Incident response capabilities
   Information security risk management
   Information security transformation (fundamental redesign)
   Offshoring/outsourcing security activities, including third-party supplier risk
   Privacy
   Recruiting security resources
   Secure development processes (e.g., secure coding, QA process)
   Securing emerging technologies (e.g., cloud computing, virtualization, mobile computing)
   Security awareness and training
   Security governance and management (e.g., metrics and reporting, architecture, program management)
   Security incident and event management (SIEM)
   Security operations (e.g., antivirus, IDS, IPS, patching, encryption)
   Security testing (e.g., attack and penetration)
   Threat and vulnerability management (e.g., security analytics, threat intelligence)

   [Chart: share of respondents ranking each area 1st, 2nd, 3rd, 4th and 5th; percentage values are not recoverable from the extracted text]
5. Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the coming year for the following activities?

   Business continuity/disaster recovery
   Compliance monitoring
   Cyber risks/cyber threats
   Data leakage/data loss prevention
   Forensics/fraud support
   Identity and access management
   Implementing security standards (e.g., ISO/IEC 27002:2005)
   Incident response capabilities
   Information security risk management
   Information security transformation (fundamental redesign)
   Offshoring/outsourcing security activities, including third-party supplier risk
   Privacy
   Recruiting security resources
   Secure development processes (e.g., secure coding, QA process)
   Securing emerging technologies (e.g., cloud computing, virtualization, mobile computing)
   Security awareness and training
   Security governance and management (e.g., metrics and reporting, architecture, program management)
   Security incident and event management (SIEM)
   Security operations (e.g., antivirus, IDS, IPS, patching, encryption)
   Security testing (e.g., attack and penetration)
   Threat and vulnerability management (e.g., security analytics, threat intelligence)

   [Chart: share of respondents per activity answering "Spend more", "Spend the same" and "Spend less"; percentage values are not recoverable from the extracted text]
6. What was the approximate percentage of total spend for the following information security functional areas in your organization in the past 12 months and the coming 12 months?

   Security operations and maintenance (keep the lights on)
   Security improvement and expansion
   Security innovation (emerging technology)

   [Chart: percentage of spend per area, past 12 months vs. coming 12 months; percentage values are not recoverable from the extracted text]
Survey results

Security governance
7. To which department does the information security organization report in your organization? Choose one.

   Chief Information Officer (CIO): 59%
   The IT department but not directly to the CIO
   Chief Financial Officer (CFO)
   Chief Operations Officer (COO)
   Chief Executive Officer (CEO)
   Legal/Compliance/Privacy Department
   Chief Risk Officer (CRO)
   Internal Audit Department
   Business Unit Leader
   Other

   [Chart: values for the remaining options are not recoverable from the extracted text]
8. Which statements best describe your information security strategy? Choose all that apply.

   We do not have an information security strategy: 2%
   Our information security strategy is periodically reviewed and updated: 49%
   Our information security strategy is aligned with the organization's business strategy: 51%
   Our information security strategy is aligned with the organization's IT strategy: 49%
   Our information security strategy is approved by senior management: 24%
   Our information security strategy outlines our key security activities for the next 12 months
   Our information security strategy is aligned to our organization's risk appetite and risk tolerance: 27%
   Our information security strategy is aligned to today's risk environment
   Our information security strategy outlines the future state of information security (three to five years out): 1
9. How often are information security topics presented to your board (or to the top governing structure in the organization)? Choose one.

   Never: 2%
   Monthly
   Quarterly: 22%
   Rarely: 34%
   Annually: 37%
10. At what organizational level resides ownership of policies, operation and assurance for your information security? Choose one per information security area.

   Information security assurance
   Information security operations
   Information security policies

   [Chart: share per area at group level, divisional/business unit level, third party and unknown; percentage values are not recoverable from the extracted text]
11. From the following list of information security standards or frameworks, which are used by your organization? Choose all that apply.

   Capability Maturity Model Integration (CMMI)
   COBIT: 3
   COSO
   Generally Accepted Privacy Principles: 3
   Information Security Forum's (ISF) Standard of Good Practice
   Information Technology Infrastructure Library (ITIL): 5
   ISO/IEC 27001:2005: 4
   ISO/IEC 27002:2005: 3
   NIST Handbooks (e.g., 800 Series)
   Octave: 0%
   OWASP: 3
   PCI DSS: 1
   None
12. How do you ensure that your external partners, vendors or contractors are protecting your organization's information? Choose all that apply.

   Assessments performed by your organization's information security, procurement or internal audit function (e.g., site visits, security testing): 3
   All third parties are risk-rated and appropriate diligence is applied: 13%
   Accurate inventory of third-party network connections and data transfers is kept: 13%
   Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE 3402): 1
   Self-assessments or other certifications performed by partners, vendors or contractors: 3
   Only critical or high-risk third parties are assessed: 33%
   No reviews or assessments performed: 13%
Survey results

The effectiveness of information security
13. Please rate the following information security management processes in your organization in terms of maturity (on a scale of 1 to 5, where 1 is nonexistent and 5 is very mature).

   Security awareness, training and communication
   Security governance and management (e.g., metrics and reporting, architecture, program management)
   Security operations (antivirus, IDS, IPS, patching, encryption, etc.)
   Security testing (web applications, penetration testing, etc.)

   [Chart: share of respondents per process at each maturity level 1 to 5; percentage values are not recoverable from the extracted text]
14. How would you characterize the extent to which the Information Security function is meeting the needs of your organization? Choose one.

   Fully meets the organizational needs
   Partially meets the organizational needs and improvement is underway: 79%
   Partially meets the organizational needs and there are no agreed plans for improvement
   It does not meet the organizational needs but improvement is underway: 3%
   It does not meet the organizational needs and there are no agreed plans for improvement: 0%
15. What are the main obstacles or reasons that challenge your Information Security operation's contribution and value to the organization? Choose all that apply.

   Lack of skilled resources: 53%
   Budget constraints: 71%
   Lack of executive awareness or support: 47%
   Management and governance issues: 1
   Lack of quality tools for managing information security: 3%

   Because respondents could select more than one option, data will not total 100%.
Survey results

Maturity of information security programs
16. Which statement best describes the maturity of your threat intelligence program? Choose one.

   We do not have a threat intelligence program: 30%
   We have an informal threat intelligence program that incorporates information from trusted third parties and email distribution lists: 33%
   We have a formal threat intelligence program that includes subscription threat feeds from external providers and internal sources, such as a security incident and event management tool: 2
   We have a threat intelligence team that collects internal and external threat and vulnerability feeds to analyze for credibility and relevance in our environment
   We have an advanced threat intelligence function with internal and external feeds, dedicated intelligence analysts and external advisors that evaluate information for credibility, relevance and exposure against threat actors: 2%
17. Which statement best describes the maturity of your vulnerability identification capability? Choose one.

   We do not have a vulnerability identification program: 1
   We have an informal vulnerability identification program and perform automated testing on a regular basis: 4
   We use a variety of review approaches, including social engineering and manual testing: 13%
   We have a formal vulnerability intelligence function with a program of assessments based on business threats, utilizing deep-dive attack and penetration testing: 20%
   We have an advanced vulnerability intelligence function and conduct risk-based assessments, with results and remediation agreed with the risk function throughout the year: 7%
18. Which statement best describes the maturity of your detection program? Choose one.

   We do not have a detection program: 2%
   We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation: 3
   We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have informal response and escalation processes in place: 3
   We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation: 20%
   We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response and escalation
19. Which statement best describes the maturity of your computer incident response capability? Choose one.

   We do not have an incident response capability: 13%
   We have an incident response plan through which we can recover from malware and employee misbehavior. Further investigations into root causes are not conducted: 3
   We have a formal incident response program and conduct investigations following an incident: 40%
   We have a formal incident response program and established arrangements with external vendors for more complete identity response services and investigations
   We have a robust incident response program that includes third parties and law enforcement and is integrated with our broader threat and vulnerability management function. We build playbooks for potential incidents and test those playbooks via table-top exercises regularly: 2%
20. Which statement best describes the maturity of your data protection program? Choose one.

   We do not have a data protection program: 2%
   Data protection policies and procedures are informal, or ad hoc policies are in place: 3
   Data protection policies and procedures are defined at the business unit level: 20%
   Data protection policies and procedures are defined at the group level: 33%
   Data protection policies and procedures are defined at the group level with corporate oversight and communicated through the business, with specific business unit exceptions documented, tracked and annually reviewed
21. Which statement best describes the maturity of your identity and access management program? Choose one.

   We do not have an identity and access management program: 1
   A team with oversight of access management processes and a central repository conducts reviews, yet is not formally established: 30%
   A formal team provides oversight on defined access management processes, although largely manual; a central directory is in place yet interacts with a limited number of applications and is not regularly reviewed: 23%
   A formal team interacts with business units in gaining oversight, with well-defined processes, limited automated workflows, single source sign-on for most applications and regular reviews: 20%
   A formal IT business unit has oversight of well-defined and automated processes, procedures and workflows; single source sign-on for most applications without reentering logon details; and regular, consistent reviews are conducted across all enterprise levels: 12%
Survey results

Information security environment
22. What percentage of your spending or effort is allocated to information security controls? Please allocate percentages to add to 100%.

   Preventative controls: 37%
   Detective controls: 34%
   Response or recovery controls: 29%
23. How has the risk environment in which you operate changed in the last 12 months? Choose all that apply.

   Increase in (internal) vulnerabilities: 26%
   Increase in (external) threats: 64%
   No change in (internal) vulnerabilities: 56%
   No change in (external) threats: 31%
   Decrease in (internal) vulnerabilities
   Decrease in (external) threats: 3%

   Because respondents could select more than one option, data will not total 100%.
24. How has the number of security incidents* at your organization changed relative to the previous 12 months? Choose one.

   Increased by more than 50%: 0%
   Increased between 2 and 50%
   Increased between and 2: 20%
   Stayed approximately the same (between + and -): 64%
   Decreased between and 2
   Decreased between 2 and 50%
   Decreased by more than 50%: 0%

   * An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of your information and weaken or impair your business operations.
25. What is your estimate of the total financial damage related to information security incidents over the past year (this includes loss of productivity, regulatory fines, etc.; the estimate excludes costs or missed revenue due to brand damage)? Choose one.

   Between $0 and $50,000: 33%
   Between $50,000 and $100,000
   Between $100,000 and $200,000: 0%
   Between $200,000 and $500,000
   Between $500,000 and $1,000,000: 3%
   Above $1,000,000: 2%
   Don't know: 49%
26. Based on actual incidents, which threats* and vulnerabilities** have most changed your risk exposure over the last 12 months?

   Vulnerability: outdated information security controls or architecture
   Vulnerability: careless or unaware employees
   Vulnerability: related to cloud computing use
   Vulnerability: vulnerabilities related to mobile computing use
   Vulnerability: related to social media use
   Vulnerability: unauthorized access (e.g., due to location of data)
   Threat: cyber attacks to disrupt or deface the organization
   Threat: cyber attacks to steal financial information (credit card numbers, bank information, etc.)
   Threat: cyber attacks to steal intellectual property or data
   Threat: espionage (e.g., by competitors)
   Threat: fraud
   Threat: internal attacks (e.g., by disgruntled employees)
   Threat: malware (e.g., viruses, worms and Trojan horses)
   Threat: natural disasters (storms, flooding, etc.)
   Threat: phishing
   Threat: spam

   [Chart: share of respondents per item answering "Increased in past 12 months", "Same in past 12 months" and "Decreased in past 12 months"; percentage values are not recoverable from the extracted text]

   * Threat is defined as a statement to inflict a hostile action from actors in the external environment.
   ** Vulnerability is defined as the state in which exposure to the possibility of being attacked or harmed exists.
27. Which threats* and vulnerabilities** have most increased your risk exposure over the last 12 months? Please select five of these items, marking your top item with a 1, your second with a 2, etc.

   Vulnerability: outdated information security controls or architecture
   Vulnerability: careless or unaware employees
   Vulnerability: related to cloud computing use
   Vulnerability: vulnerabilities related to mobile computing use
   Vulnerability: related to social media use
   Vulnerability: unauthorized access (e.g., due to location of data)
   Threat: cyber attacks to disrupt or deface the organization
   Threat: cyber attacks to steal financial information (credit card numbers, bank information, etc.)
   Threat: cyber attacks to steal intellectual property or data
   Threat: espionage (e.g., by competitors)
   Threat: fraud
   Threat: internal attacks (e.g., by disgruntled employees)
   Threat: malware (e.g., viruses, worms and Trojan horses)
   Threat: natural disasters (storms, flooding, etc.)
   Threat: phishing
   Threat: spam

   [Chart: share of respondents ranking each item 1 to 5; percentage values are not recoverable from the extracted text]

   * Threat is defined as a statement to inflict a hostile action from actors in the external environment.
   ** Vulnerability is defined as the state in which exposure to the possibility of being attacked or harmed exists.
28. How many external internet-facing systems have been tested on an annual basis? Choose one.

   [Chart: share of respondents per band of systems tested, from 0% to 100%; band labels and percentage values are not recoverable from the extracted text]
Survey results

Emerging technologies and trends
29. Could you please indicate the level of importance to your organization of the following technologies or trends? Choose one.

   Big data
   In-memory computing
   Cloud service brokerage
   Bring your own cloud: personal cloud infrastructure
   Supply chain management
   Digital money
   Cyber havens: countries providing data hosting without onerous regulations
   Internet of things: embedded sensors, image recognition technologies
   Social media: new business models, including social media
   Enterprise application store: role of IT changes to more market focused
   Digital devices: security of smartphones and tablets
   Digital devices: security of software applications
   Digital devices: security of web-based applications (HTML5)

   [Chart: share of respondents per item at each importance level 1 to 5; percentage values are not recoverable from the extracted text]
30. Could you please indicate the level of familiarity with the implications on your organization of the following technologies or trends?

   Big data
   In-memory computing
   Cloud service brokerage
   Bring your own cloud: personal cloud infrastructure
   Supply chain management
   Digital money
   Cyber havens: countries providing data hosting without onerous regulations
   Internet of things: embedded sensors, image recognition technologies
   Social media: new business models, including social media
   Enterprise application store: role of IT changes to more market focused
   Digital devices: security of smartphones and tablets
   Digital devices: security of software applications
   Digital devices: security of web-based applications (HTML5)

   [Chart: share of respondents per item at each familiarity level 1 to 5; percentage values are not recoverable from the extracted text]
31. If you're familiar with the implications on your organization, could you please indicate the level of confidence in your organization's capabilities to address the implications of the following technologies or trends?

   Big data
   In-memory computing
   Cloud service brokerage
   Bring your own cloud: personal cloud infrastructure
   Supply chain management
   Digital money
   Cyber havens: countries providing data hosting without onerous regulations
   Internet of things: embedded sensors, image recognition technologies
   Social media: new business models, including social media
   Enterprise application store: role of IT changes to more market focused
   Digital devices: security of smartphones and tablets
   Digital devices: security of software applications
   Digital devices: security of web-based applications (HTML5)

   [Chart: share of respondents per item at each confidence level 1 to 5; percentage values are not recoverable from the extracted text]
32. Do you have a role or department in your information security function focusing on emerging technology and its impact on information security?

   Yes: 5
   No: 34%
   No, but planning to implement
EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About EY's Advisory Services

Improving business performance while managing risk is an increasingly complex business challenge. Whether your focus is on broad business transformation or more specifically on achieving growth, optimizing or protecting your business, having the right advisors on your side can make all the difference. Our 30,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and exceptional client service. We use proven, integrated methodologies to help you solve your most challenging business problems, deliver a strong performance in complex market conditions and build sustainable stakeholder confidence for the longer term. We understand that you need services that are adapted to your industry issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your business needs...

Proprietary and confidential. Do not distribute without written permission.

1304-1063727 EC ED 0114

ey.com