Market Research. Study. Database Security and Compliance Risks. December, 2009. By Jon Oltsik

Similar documents
Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices

The State of Mobile Computing Security

Web Application Security Testing Tools and Services

Research Report. Abstract: The Evolution of Server Virtualization. November 2010

Enterprise Database Trends in a Big Data World

Research Report. Remote Office/Branch Office Technology Trends. July 2011

Enterprise Big Data, Business Intelligence, and Analytics Trends

Research Report. Abstract: The Impact of Big Data on Data Analytics. September 2011

The Shift Toward Data Protection Appliances

Online File Sharing and Collaboration: Deployment Model Trends

Research Report. Abstract: Solid-state Storage Market Trends. November By Bill Lundell and Mark Peters With Jennifer Gahm and John McKnight

Platform-as-a-service Usage and Satisfaction Study

Research Report. Abstract: Social Enterprise Adoption Trends. June 2012

Research Report. Abstract: The Impact of Server Virtualization on Data Protection. September 2010

The Convergence of Big Data Processing and Integrated Infrastructure

Research Report. Abstract: e-discovery Market Trends. A View from the Legal Department. October 2011

Research Report. Abstract: Endpoint Device Backup Trends. December By Lauren Whitehouse With Bill Lundell and John McKnight

2015 Data Storage Market Trends

Corporate Online File Sharing and Collaboration Market Trends

Research Report. Abstract: Archiving Market Trends. May By Brian Babineau With Bill Lundell and John McKnight

Virtual Patch Management Offers Automation, Availability, and Cost Benefits Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

Research Report. Abstract: Trends in Data Protection Modernization. August 2012

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Trends in Private Cloud Infrastructure

ESG Brief. Overview by The Enterprise Strategy Group, Inc. All Rights Reserved.

Research Perspectives

Cloud Computing Adoption Trends:

Data Protection-as-a-service (DPaaS) Trends

White. Paper. Cloud Computing Demands Enterprise- class Password Management and Security. April 2013

Research Report. Abstract: 2013 Public Cloud Computing Trends. March 2013

Research Report. Abstract: The Impact of Cloud Computing on the Channel. September By Jeff Hine and Bill Lundell

Platform-as-a-service Language Use Study

White. Paper. Rethinking Endpoint Security. February 2015

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

Research Report. Abstract: Trends for Protecting Highly Virtualized and Private Cloud Environments. June 2013

RESEARCH REPORT. Abstract. Storage Resource Management Market on the Launch Pad. By Mary Turner and Bob Laliberte With John McKnight and Jennifer Gahm

Backup and Archiving Convergence Trends

Research Report. Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure. November 2010

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

Advanced Cyber Threats Demand a New Privileged Account Security Model Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Strategy Group Getting to the bigger truth. By Bill Lundell, Senior Research Analyst and John McKnight, VP Research and Analysts

Information Technology Security Review April 16, 2012

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Research Report. Abstract: 2014 Public Cloud Computing Trends. March 2014

Security Intelligence: A Key Component of Big Data Security Analytics Date: December 2012 Author: Jon Oltsik, Senior Principal Analyst

Compensating Security Controls for Windows Server 2003 Security

Leveraging a Maturity Model to Achieve Proactive Compliance

Cybersecurity Skills Shortage: A State of Emergency

The economics of IT risk and reputation

Information-driven Security and RSA Security Analytics and RSA ECAT

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

This ESG White Paper was commissioned by Blue Coat and is distributed under license from ESG.

Information Security Program CHARTER

AD Management Survey: Reveals Security as Key Challenge

White. Paper. Desktop Virtualization, Management, and Security. November, By Jon Oltsik, Principal Analyst and Mark Bowker, Senior Analyst

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

Third Party Risk Management 12 April 2012

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Information Security Program Management Standard

VMware and the Need for Cyber Supply Chain Security Assurance

Security Metrics to Manage Change: Which Matter, Which Can Be Measured?

Is your organization developing its own custom applications specifically for mobile devices? (Percent of respondents, N=242)

2012 Application Security Gap Study: A Survey of IT Security & Developers

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Defining the Gap: The Cybersecurity Governance Study

CYBER SECURITY, A GROWING CIO PRIORITY

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Security Information Lifecycle

Data Security Incident Response Plan. [Insert Organization Name]

Enterprise Strategy Group Getting to the bigger truth. Cisco: ACL Survey. Final Results. Jon Oltsik, Senior Principal Analyst

ROUTES TO VALUE. Business Service Management: How fast can you get there?

Top Ten Technology Risks Facing Colleges and Universities

The Value of Vulnerability Management*

IBM Security QRadar Vulnerability Manager

CISM (Certified Information Security Manager) Document version:

Information Security Program

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Avoiding the Top 5 Vulnerability Management Mistakes

Connecting data initiatives with business drivers

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

CORE Security and GLBA

White Paper on Financial Industry Regulatory Climate

White. Paper. The Big Data Security Analytics Era Is Here. January 2013

BIG SHIFT TO CLOUD-BASED SECURITY

White. Paper. Understanding and Addressing APTs. September 2012

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January kpmg.com

Understanding Vulnerability Management Life Cycle Functions

How To Understand The Needs Of The Network

Information Technology Risk Management

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

SANS Top 20 Critical Controls for Effective Cyber Defense

White. Paper. The SMB Market is Ready for Data Encryption. January, 2011

Data Loss Prevention Program

Developing National Frameworks & Engaging the Private Sector

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

White. Paper. Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS. January 2013

Transcription:

Market Research Study Database Security and Compliance Risks By Jon Oltsik December, 2009 An ESG Market Research Study Sponsored by Application Security, Inc. 2009, Enterprise Strategy Group, Inc. All Rights Reserved

Market Research Study: Database Security and Compliance Risks 2 Contents Executive Summary... 3 Summary of Report Conclusions... 3 Report Conclusions... 4 Research Analysis... 8 Recommendations... 8 Research Methodology... 11 Respondent Demographics... 12 Respondents by Number of Employees... 12 Respondents by Role... 12 Respondents by Industry... 13 Respondents by Annual Revenue... 13 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188. This ESG White Paper was developed with the assistance and funding of Application Security, Inc.

Market Research Study: Database Security and Compliance Risks 3 Executive Summary Summary of Report Conclusions In October 2009, the Enterprise Strategy Group (ESG) conducted a comprehensive web-based survey on behalf of Application Security, Inc. The survey included 175 North American security professionals from enterprise-class organizations (defined as those with 1,000 or more employees) focused on their database security and regulatory compliance policies, experiences, and strategies. Respondents came from over 20 industries in the public and private sectors. To a great extent, this research project built upon data and analysis from a similar effort conducted in 2008. Based upon this research, ESG concludes that there are a large number of independent risks to confidential data 1 stored in databases and that many large organizations remain extremely vulnerable to compliance audit failures and data breaches. Similar to 2008, users recognize weaknesses in their security processes, controls, and technologies, but continue to lack the adequate funding, senior management oversight, organizational support, and security skills needed to address these issues. ESG believes that this data indicates a clear and present danger as corporate database security weaknesses leave hundreds of millions of users vulnerable to a breach of their personal data or, worse yet, identity theft. In 2008 alone, 706 publicly-disclosed data breaches exposed over 85 million personal records. 2 The impact of security weaknesses like those described in this report on society at large have not escaped the attention of governments around the world many are now demanding action. For example, in May 2009, U.S. President Barack Obama released a long-awaited Cyberspace Policy Review report which detailed significant security weaknesses to government agencies and privately-held critical infrastructure like power plants, communications networks, and health care organizations. Upon the release of the report, President Obama declared that he would henceforth treat the nation s entire digital infrastructure as a critical asset. The president stated, Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy, and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage." Like the Cyberspace Policy Review, this ESG report should be viewed as yet another metric describing the fragile state of data security. Hopefully, this report will have a similar effect. ESG recommends that business, IT, and security managers review this data, initiate broad-based database security and compliance reviews, and lead their organizations to address these critical database security gaps soon. 1 For the purposes of this survey, confidential data is defined as information that can be categorized as: Intellectual property Information that is protected by government regulations Non-public private information (NPPI) Information that is protected by industry regulations Information classified as company confidential or private 2 Source: datalossdb.org

Market Research Study: Database Security and Compliance Risks 4 Report Conclusions Based upon the data derived from this survey, ESG believes that: Confidential data remains unprotected. Only 40% of security professionals indicated that existing controls can adequately protect all of their organization s confidential data while the remainder of respondents reported numerous data security gaps. Alarmingly, 13% of large organizations believe that some or most of their organization s confidential data continues to be unprotected for the most part (see Figure 1). On a more focused level, ESG s data revealed similar weaknesses related directly to database security: Less than half of all organizations believe that their existing database security controls provide adequate protection for all of the databases (containing confidential data) distributed across the enterprise. Figure 1. Confidential Data Remains Unprotected Given today s security and regulatory compliance requirements, do you feel that your organization s existing data security controls provide an adequate level of protection for confidential data? (Percent of respondents, N=175) No, I believe that most of our confidential data is not adequately protected, 2% Don t know, 2% Somewhat, I believe that only some of our confidential data is adequately protected, 11% Yes, I believe that all of our confidential data is adequately protected, 40% Yes, I believe most of our confidential data is adequately protected, 44% Regulatory compliance is a major security driver, but large organizations still depend upon manual, time consuming database security processes. Nearly one-third of users claim that regulatory compliance will continue to have the biggest impact on overall security requirements, strategies, and purchasing plans over the next 12 to 24 months. Given this compliance focus, it is quite surprising that more than 25% of large organizations spend a significant amount of time and effort and more than 40% spend a moderate amount of time and effort on manual processes like remediating compliance issues, performing database audits, and working with auditors on database compliance (see Figure 2). This indicates that many organizations are investing their security and compliance dollars in the wrong places, on things like general purpose security tools and check box compliance processes and solutions. This strategy, which cannot formalize processes, automate security operations, or address real risks, is bound to fail over time.

Market Research Study: Database Security and Compliance Risks 5 Figure 2. Organizations Rely on Manual Processes for Regulatory Compliance Of the following list, please indicate whether your organization performs specific types of oversight and management tasks and if so, the relative amount of effort required on each. (Percent of respondents, N=175) Remediating compliance issues 29% 44% 24% 3% Performing database audits 28% 48% 21% 3% Working directly with auditors on database compliance 27% 40% 25% 7% Analyzing audit reports 25% 45% 23% 7% Writing custom scripts 23% 45% 25% 7% Conducting user entitlement reviews for end-users 19% 45% 30% 7% Conducting separation of duties reviews for IT administrators 17% 47% 27% 9% 0% 20% 40% 60% 80% 100% Significant time and effort required Minimal time and effort required Moderate time and effort required Not applicable -- our organization does not perform this task Large organizations have trouble passing compliance audits. In spite of the fact that a majority of large organizations claim that compliance has the greatest impact on data security, only 37% of security professionals believe that their organizations can meet regulatory compliance requirements with respect to ensuring the security of confidential or sensitive information at all times. As a result, nearly 30% of organizations admit that they failed a security/compliance audit regarding data privacy or security within the past three years. Why? A myriad of problems: Large organizations said that compliance audit failures were the result of process problems, technology problems, access control problems, and reporting problems (see Figure 3). Given the number of time-consuming manual processes described above, this is not a surprise.

Market Research Study: Database Security and Compliance Risks 6 Figure 3. Large Organizations Identify Problems Leading to Compliance Audit Failures In your opinion, what were the reasons why your organization failed a security/compliance audit(s)? (Percent of respondents, N=45, multiple responses accepted) A process problem (i.e., a problem related to the way our organization executed a compliance mandate) 40% A technology problem (i.e., a problem associated with the controls, configuration, or a software vulnerability of one or more IT assets) An access control problem (i.e., a problem associated with the number or type of users granted access to an IT system or device) A reporting problem (i.e., a problem associated with capturing or analyzing data needed for a compliance audit) 31% 31% 36% An auditing problem (i.e., a problem associated specifically with our auditing staff and/or process) 24% 0% 10% 20% 30% 40% 50% Existing database controls for regulatory compliance requirements are mismatched. Here s another reason why large organizations are failing their compliance audits: Less than one-fourth of large organizations believe that their database controls are extremely well defined and documented. In other words, a lot of confidential data is protected with database controls that are managed and monitored on an informal, ad-hoc basis. Clearly, this is a far cry from IT best practices and must change soon if large organizations expect to automate processes, pass compliance audits, and manage risk effectively. Data breaches continue. In 2009, 22% of large organizations surveyed had suffered at least one confidential data breach within the last 12 months, as compared to 56% of organizations that reported a confidential data breach incident in 2008. Does this indicate a measurable improvement? No. In spite of this improvement, ESG believes that the more broad-based publicly-disclosed breach data (i.e., from datalossdb.org) described previously suggests that year-over-year variance in ESG s data represents the luck of the draw rather than any real security progress. The root causes of data breaches also seem to be going through a metamorphosis. While 2008 respondents indicated that insider attacks were the primary cause of data breaches, 2009 respondents identified other root causes such as human error (53%) and external attacks (34%). In other words, data breaches may now be a function of poor database security skills, process weaknesses, and the rapidly growing threat of cybercrime. Given these multiple threat vectors, it is safe to assume that database security will grow worse not better in the next few years. Budgetary limitations and organizational confusion continue to hinder database security and compliance efforts. When asked to identify the biggest risks to database security, nearly half of all users pointed to budget constraints. Other issues around security knowledge, skills, poor cooperation, and disconnects between IT and the business were also called out (see Figure 4).

Market Research Study: Database Security and Compliance Risks 7 Figure 4. Risks To Database Security Of the following list of issues, which do you feel represents the greatest risk to database security at your organization? (Percent of respondents, N=175, multiple responses accepted) Budget constraints 47% Lack of understanding of the threats Lack of inter-departmental cooperation Disconnect between IT operations and executive management team Lack of formal database security processes and procedures Too many IT personnel have root access to databases We have a shortage of skilled security professionals 24% 23% 23% 22% 21% 20% Conscious decision to focus elsewhere We are lacking in database security skills 14% 13% 0% 10% 20% 30% 40% 50%

Research Analysis Market Research Study: Database Security and Compliance Risks 8 As in 2008, ESG s 2009 report on database security and compliance demonstrates that confidential data stored in relational databases remains at risk. To summarize, ESG believes that the data indicates: 1. A false sense of security. While large organizations tend to believe that most of their data is protected, they also suffer from continuing data breaches, face new threats, rely on manual processes, and don t have the controls in place to keep up. In contrast to many user illusions, ESG can only conclude that database security has become a weak link in the overall data security chain. 2. Regulatory compliance remains a monumental effort. To meet regulatory compliance mandates, large organizations are forced to rely on manual tasks and time consuming processes. This is a growing problem as enterprises increase data capacity, add new databases, and share data with external constituents. The result? Many organizations are failing compliance audits. This is especially concerning since compliance audits are often checkbox exercises that are only marginally effective at addressing real risks. ESG believes that this data should be a wake-up call. Large organizations must move from inefficient compliance exercises to automated risk management ASAP. 3. Database security spending is not keeping up. While CIOs continue to spend on security, specific database security safeguards remain underserved. This may be a result of the communications gap between IT and business executives previously described in Figure 4 or the misguided belief that database vendors provide all the integrated security needed. Regardless of the reason, ESG s data indicates that database security suffers from a lack of investment. Clearly, large organizations are spending on the wrong things in the wrong places. Dedicated tools that can help address real risks, automate processes, and streamline compliance efforts are sorely needed. Recommendations While ESG s data uncovers some unacceptably high database security risks, it also hints at a few priorities that could help address vulnerabilities, automate processes, and improve controls. ESG strongly suggests that CIOs and CISOs: Educate business and financial executives. The data presented herein should be used as third-party validation illustrating pervasive data security problem to business executives. When presenting this case to business executives, IT managers should highlight the following points: o o o o Data breaches continue, therefore data security must remain a high priority. Threats are changing and growing, therefore new countermeasures and security skills are always needed. Database security shortcomings can pose regulatory compliance issues for the entire organization; security is a business and not just a technology issue. Organizational problems can impede database security; therefore security leadership must come from the executive office suite. Re-examine security spending priorities. While most firms invest in security tools like firewalls, IDS/IPS, and PC security suites, they remain behind with regard to database specific security tools. ESG s data identifies several problems around database security controls, manual/time-consuming processes, and access control issues that may be related to this discrepancy. Database-specific tools can help scan for these problems, automate processes, monitor controls, and streamline audits. Given the risks uncovered in this report, CISOs may want to prioritize database security investments over other more pedestrian needs sooner rather than later. Conduct a cost/benefit analysis. Since incremental security budget dollars may be unlikely at this time, ESG recommends that CISOs use the data presented here as a basis of a cost/benefit analysis. For example, what are the costs of the time consuming processes described in Figure 3? Savings in these operations alone could cost justify an investment in a more automated technology-based approach. Determine database security ownership. Like 2008, the 2009 ESG data indicates that when it comes to database security, there are simply too many cooks in the kitchen (see Figure 5). This may explain loose

Market Research Study: Database Security and Compliance Risks 9 controls, process problems, and the lack of database security safeguards. ESG believes that database security oversight must become more centralized in the hands of a subset of security and database professionals with a greater understanding of threats, vulnerabilities, and risks. CIOs should assess current database security problems and then re-structure IT organizational responsibilities and accountability around security, systems administration, and database administration. Again, centralized database security tools can help ease this transition by automating processes and providing role-based management capabilities. Figure 5. Too Many IT Groups are Involved in Database Security Which of the following individuals or functional groups are responsible for regulatory compliance with respect to securing sensitive information contained in your organization s enterprise databases? (Percent of respondents, N=175, multiple responses acce Security administrators System administrators 42% 45% DBAs Dedicated compliance group within IT Network administrators 34% 33% 35% Corporate regulatory compliance department Internal audit IT operations group Legal department Application administrators Data center managers 27% 26% 26% 25% 24% 22% Finance department 12% 0% 10% 20% 30% 40% 50% Define best practices. The data indicates a lot of variability regarding what needs to be done and how often. For example, while about 40% of organizations regularly scan their databases for things like administrator privileges, database instances, and configuration status on a monthly basis, the remaining 60% do so once per quarter or even less frequently (see Figure 6). It is safe to assume that the 40% minority have defined database security policies, procedures, and best practices that mandate these monthly database audits while others maintain informal or ad-hoc approaches. It is imperative that security, compliance, application, and database professionals reach a consensus on best practices and then religiously adhere to formal processes and schedules. Automated tools will go a long way to help achieve this goal.

Market Research Study: Database Security and Compliance Risks 10 Figure 6. Approximately 40% of Large Organizations Have Defined Database Security Best Practices When preparing for a security/compliance audit, many organizations will scan their database configurations and controls to assess their compliance status. In general, how frequently does your organization scan its databases for each of the following cons Administrator privileges 40% 22% 19% 8% 3% 1% 8% Number of database instances on the network 40% 19% 16% 5% 1% 3% 15% Database revisions and patch levels 37% 26% 16% 4% 3% 1% 12% Database vulnerabilities 37% 23% 16% 4% 3% 4% 13% User account privileges 37% 20% 21% 11% 4% 1% 7% Database configurations 36% 23% 17% 9% 3% 1% 12% 0% 20% 40% 60% 80% 100% Scan once per month Scan once per quarter Scan a few times per year Scan once per year Scan less than once per year Never Use regulatory compliance efforts to measure success. Create a baseline for the time and effort it takes to prepare enterprise databases for regular compliance audits. Make sure to include problems like remediating compliance issues, participating in audits, and working with the auditors outlined above. Once comfortable with these time and cost estimates, challenge the security and compliance team to figure out how to improve upon these metrics. This may also help target and cost justify database security operations investments.

Market Research Study: Database Security and Compliance Risks 11 Research Methodology To gather data for this report, ESG conducted a comprehensive online survey of IT and information security professionals from private- and public- sector organizations in North America during October 2009. To qualify for this survey, respondents were required to be responsible for and/or familiar with the policies, procedures, and technologies their organization used to protect confidential information. Furthermore, qualifying respondents also had to be responsible for overseeing, implementing, and/or managing security or compliance policies, procedures, and technologies related to data stored in enterprise databases. All respondents were provided with an incentive to complete the survey in the form of cash awards and/or cash equivalents. After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, ESG was left with a total sample of 175 IT and information security professionals. Please see the Respondent Demographics section of this report for more information on these respondents. Note: Totals in figures throughout this report may not add up to 100% due to rounding.

Market Research Study: Database Security and Compliance Risks 12 Respondent Demographics The quantitative information presented in this report is based on 175 qualified survey respondents. The figures below detail the demographics of the respondent base. Respondents by Number of Employees The number of employees in respondents organizations is shown in Figure 7. Figure 7. Survey Respondents by Number of Employees How many employees does your organization have worldwide? (Percent of respondents, N=175) 1,000 to 2,499, 18% 20,000 or more, 42% 2,500 to 4,999, 18% 5,000 to 19,999, 22% Respondents by Role ESG asked respondents to choose one of nine titles (or other ) that best described their current role (see Figure 8). Figure 8. Survey Respondents by Role Which of the following titles best describes your current role? (Percent of respondents, N= 175) Internal auditor, 1% Other, 7% Regulatory compliance manager/staff, 2% General IT staff, 18% Network administrator, 4% Senior IT management, 44% Systems administrator, 10% DBA, 6% Security staff, 3% Security management, 6%

Respondents by Industry Market Research Study: Database Security and Compliance Risks 13 Respondents primary industries are shown in Figure 9. Figure 9. Survey Respondents by Industry What is your organization s primary industry? (Percent of respondents, N= 175) Other, 24% Government (Federal/National /State/Local), 18% Retail/Wholesale, 6% Professional Services, 6% Communications & Media, 7% Health Care, 7% Financial (banking, securities, insurance), 15% Manufacturing, 17% Respondents by Annual Revenue Respondent organizations annual revenue is shown in Figure 10. Figure 10. Survey Respondents by Annual Revenue What is your organization s total annual revenue ($US)? (Percent of respondents, N= 175) Not applicable (e.g., public sector, non-profit), 11% $20 billion or more, 20% Less than $100 million, 6% $100 million to $499,999 million, 14% $500 million to $999,999 million, 8% $10 billion to $19.999 billion, 13% $5 billion to $9.999 billion, 11% $1 billion to $4.999 billion, 17%

20 Asylum Street Milford, MA 01757 Tel:508.482.0188 Fax: 508.482.0218 www.enterprisestrategygroup.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information