State of Information Security


Second Annual Assessment Study

2013

Table of Contents:

Synopsis and Methodology ........ page 2

A Snapshot of Participants ........ page 2

Survey Findings ........ page 5

Final Thoughts ........ page 10

About Secure Digital Solutions ........ page 11

Conducted by

Secure Digital Solutions June 2013

Synopsis

We at Secure Digital Solutions, a professional services organization with headquarters in Minneapolis, are pleased to release our latest poll of a few dozen information security leaders, ascertaining how they see the state of regulatory compliance, program maturity, and investment plans. Our key findings:

• Most of our respondents, drawn most heavily from the healthcare and financial services sectors, characterize their information security programs as at least proactive and quantifiable, with no significant differences between small and large firms.

• Vendor risk assurance, regular monitoring and assessment, and timely remediation remain the most notable challenges.

• Organizations have been slow to implement mobile device management solutions, but that area is a top priority for this year.

• Virtually all organizations surveyed plan to increase, or at least maintain at current levels, spending on information security, privacy, and compliance this year.

A Snapshot of Participants

Job titles

Survey respondents work in information security for their respective organizations and reported the following most common job titles:

• Manager of Information Security

• Chief Information Security Officer

• VP / Director of IT

• Director of Risk Management

• Chief Information Officer

• Director of Compliance

• Chief Technology Officer

• Director of Information Security

• IT Auditor

• Chief Compliance Officer

• Security Architect (or Analyst)

• Director of Privacy

The two most common, Manager of Information Security and Chief Information Security Officer, accounted for 40 percent of all respondents.

Organization size

The largest share of those surveyed work in large organizations:

• Near half work in firms with more than 5,000 employees; three-fourths of this group reported working in very large organizations with over 10,000 employees.

• Almost one-fourth work in mid-size organizations, defined as having 1,001-5,000 employees.

• 30 percent work in small firms with 1,000 or fewer employees.

Business sectors

The largest share of respondents to our survey, near 60 percent, work in healthcare or financial services:

[Chart: respondents by industry (Healthcare, Financial Services, Software and Technology, Energy, Government, Manufacturing, Education, Other), scale 0% to 35%]

[Chart: respondents by number of employees; shares listed in the order of the chart's bins, which agrees with the organization-size figures above]

0-500: 23%

501-1,000: 7%

1,001-2,500: 7%

2,501-5,000: 16%

5,001-10,000: 11%

10,000+: 36%

Organizational structure

In over half of the organizations represented in our survey, the information security office reports directly to the Chief Information Officer. Much smaller shares indicated the information security function reports to the General Counsel (12 percent) or the Chief Executive Officer (10 percent).

[Chart: To whom does the Information Security Office report?]

Regulatory environment

Surveyed organizations operate under a diversity of regulatory compliance standards and data security and privacy-related laws; the most commonly applicable are:

• Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA-HITECH),

• Payment Card Industry Data Security Standard (PCI DSS),

• Sarbanes-Oxley Act (SOX).

This reflects the predominance of respondents from the healthcare and financial services industries.

[Chart: percent of organizations subject to each of the following, scale 0% to 70%: HIPAA-HITECH, PCI DSS, SOX, GLBA, E.U. Safe Harbor, FDA CFR 21 Part 11, FCRA, PIPEDA, FISMA, COPPA, FedRAMP, South American Privacy, None]

Survey Findings

Data Security and Privacy Controls

More than eight in ten respondents indicated their organizations have established a control framework to address data security and privacy controls supporting regulatory requirements.

• Of these, the largest single group by far, 70 percent, reported using the ISO27001:2005 industry standard to align information security, privacy, and related regulatory control objectives.

• Also, over 40 percent cited their organizations' use of the NIST-800-53v3 and PCI DSS frameworks.

Maturity of Information Security Programs

Most of the participants in our survey rated their information security programs fairly high for maturity. Indeed, over 60 percent judged their programs to be at least proactive and quantifiable (that is, at least a "3" on a scale of "1 to 5"), when evaluated against seven key components of an information security program.

• Among those seven components, respondents (almost 40 percent) reported that vendor risk assurance requires the greatest improvement, indicating either taking no action or merely adopting a reactive approach in that area:

Where Information Security Programs Fall Short

Comparing the results of this year's survey with the one conducted in 2012, we assess that two issues, regular monitoring and assessment and timely remediation, remain the most intractable problems faced by our respondents.

• There has been no change in reported maturity of information security programs for those two areas since 2012, with roughly 30 percent of respondents still rating their programs immature for both areas.

• On the other hand, we have seen very significant improvements in the perceived maturity of companies’ understanding of regulatory and data security requirements, policies and procedures, and expertise within the data security and compliance programs in the past year.

Unlike in the 2012 survey—when small firms reported their information security programs as less developed than those of larger firms—this year we see no significant differences between small and large firms with the reported maturity of their information security programs.

Percent of respondents reporting immature aspects of programs:

Vendor Risk Assurance: 39%

Regular Monitoring & Assessment: 29%

Timely Remediation within 90 days of gap finding: 29%

Technical Control Adoption and Implementation: 24%

Understanding of Regulatory and Data Security Requirements: 23%

Policy & Procedures: 12%

Expertise within Data Security & Compliance Program: 10%

Comparing the longest-established areas of firms' information security programs with the newest:

• Respondents say policies and procedures have been in place longest (more than five years), whereas

• programs dealing with vendor risk assurance and regular monitoring and assessment are newest (fewer than three years old).

• Generally speaking, the newer aspects of a firm's information security program are also updated most frequently.

The measurement and reporting of cyber risks to management needs improvement, and fewer than half of organizations even have cyber risk or data breach insurance.

• Roughly 40 percent of respondents say cyber risks are not measured in a standardized fashion.

• A similar number say cyber risks are measured, but not formally communicated to management.

• Only one-third of respondents say that cyber risks are measured and reported to management.

Although companies remain concerned about risks posed by the practice of employees accessing corporate data with personal devices, most companies have been slow to introduce mobile device management solutions to mitigate those risks.

Program age and frequency of updates (how long in place, in months / how often updated, in months):

Policy & Procedures: 55 / 11

Understanding of Regulatory & Data Security Requirements: 46 / 12

Expertise within Data Security & Compliance Program: 44 / 9

Timely Remediation within 90 days of gap finding: 44 / 8

Technical Control Adoption & Implementation: 42 / 9

Regular Monitoring & Assessment: 34 / 7

Vendor Risk Assurance: 31 / 8

• Our survey shows that two-thirds of respondents’ organizations allow their employees to access company networks using personal devices.

• Only half of the organizations in our survey, however, have fully developed mobile device management solutions.

Policies governing cloud computing are even less defined. Companies without a cloud computing policy outnumber those with a policy by a two-to-one ratio.

Investment and Remediation

Our survey also examined spending plans on information security, privacy, and related compliance activities for the next twelve months.

As with last year's survey, the overwhelming number of respondents are optimistic about spending over the next twelve months on information security, privacy, and related compliance activities, with most organizations planning to increase or at least maintain current spending. Survey respondents revealed the following additional details about their organizations' current budgets:

• Three-fourths spend between 1 and 7 percent of their respective IT budgets on security and compliance. Almost one in ten, however, spend more than 20 percent.

• For most (six in ten), less than half of that security and compliance spending is directed to non-hardware and non-software consulting.

Planned change in spending over the next twelve months (percent of respondents):

• Increase: 50%

• No change: 45%

• Decrease: 5%

More than 45 percent of respondents identified mobile device management among their top priorities for 2013. On the other end of the spectrum, none pointed to Safe Harbor, FISMA, or FEDRamp compliance. The following chart shows a breakdown of what respondents identified as their top three priorities:

[Chart: percent of organizations naming each as a top-three priority, scale 0% to 50%: Mobile Device Management; IT Governance, Risk & Compliance (IT GRC); Data Loss Prevention (DLP); Cloud Information Security Management; Identity & Access Management Solutions; Application Penetration Testing; Application Code Review (as part of the SDLC); HIPAA-HITECH Readiness; PCI DSS Remediation; ISO 27001 Readiness; Database Encryption; Firewall Upgrade; Privacy Impact Assessment; HITRUST; Safe Harbor compliance; FISMA Compliance; FEDRamp Compliance]

Final Thoughts

The trends discovered in this year's study are telling on how market demands have shifted in the past 12 months.

• It appears that no matter the size of an organization, the maturity of the information security program tends to be a challenge for both large and small firms. The conclusion we can draw is that small firms have been catching up to reach a fairly similar level of overall infosec program maturity to that of large firms.

• We believe Mobile Device Management (MDM) and Mobile Application Management (MAM) will continue to be a top three priority in 2014 as companies continually adapt to the changing landscape for mobile applications and device management while pursuing Bring Your Own Device (BYOD) initiatives.

• IT GRC has become the number two priority for organizations in our study. With an IT GRC program, organizations can realize a centralized method for gathering important risk data from tools such as SIEMs and vulnerability and threat management, conducting vendor risk assessments and, most importantly, reporting to management the findings and the overall risk posture the organization is currently facing.

• Cyber risk management is another area requiring significant improvement. From our fieldwork, we tend to see organizations with a higher maturity level formalize their application security processes and their threat and vulnerability management programs, and tend to have more established risk management programs.

• Seeing that 50% of organizations plan to increase spending on information security and IT compliance provides a clear indication that organizations understand the need to continually improve their visibility into risk and to manage the IT infrastructure supporting access to critical data. Data, and visible metrics through practices such as a risk dashboard, are critical to support an organization's decisions and become the key to nearly every organization's success.

About Secure Digital Solutions

Founded in 2005 with headquarters in Minneapolis, MN, Secure Digital Solutions is a vendor-independent professional services firm specializing in information security, IT compliance and privacy-related services. Our services focus on solving a business objective while delivering leadership to each client engagement. Each member of our team of professionals has a minimum of ten years' experience and holds industry-recognized certifications in their selected discipline.

A snapshot of our services:

• Information Security Program Development

• Information Security Leadership Advisory

• Adjunct CISO

• Strategic Planning

• Infosec resource and financial planning

• Regulatory Compliance Reviews

  • HIPAA-HITECH

  • GLBA

  • PCI DSS

  • FISMA (NIST 800-53)

  • Privacy compliance

• Penetration Testing

  • Mobile

  • Web application

  • Network

  • Wireless

• Application Security

  • Secure SDLC

  • Code Reviews
