Brian Pennington

A blog about Cyber Security & Compliance


May 2014

The Aftermath of a Mega Data Breach

A Ponemon study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the effect data breaches have had on consumers’ privacy and data security concerns. A similar study was conducted in 2012, and comparing the two reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach about their experience. It may not come as a surprise that the proportion of individuals who have had their personal information lost or stolen has increased 100% since the 2012 study, when only 25% of individuals surveyed were victims of a data breach.

For the purposes of the research, they define a data breach as:

“the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records.”

Of the 797 individuals surveyed, approximately 400 say they were the victims of a data breach. By far the primary consequence of a data breach is stress (76% of respondents), followed by having to spend time resolving problems caused by the breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

These findings are similar to those of the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches. The main reason given is that coverage requires companies to be more responsive to victims; other reasons are that it creates greater awareness of how the data breach could affect individuals and alerts potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

Perspecsys surveyed 117 attendees of the InfoSec Europe Conference 2014 about their opinions on the security of their data stored in the cloud.

Key findings from the study include:-

  • 80% of InfoSec Europe attendees use some sort of cloud applications
  • 62% of organizations believe using a European based cloud is easier from a regulatory and compliance perspective
  • 51% of respondents claimed that they do not fully trust U.S. based clouds

Many IT departments do not trust U.S. based clouds:-

  • 47% believe their data is more secure contained in European based versus U.S. based clouds
  • 62% believe that negativity toward U.S. based clouds is justified, based on reports of the NSA having visibility into this data
  • 59% do not believe that European based government agencies conduct similar practices to the same extent as the NSA

See the Infograph here.

Most European organizations believe using a European cloud is easier from a regulatory and compliance perspective

Perspecsys Infograph from research at InfoSec Europe Conference

Top Concerns for 2014 from Today’s CISOs

According to Cisco’s 2014 Annual Security Report, in its section “Top Concerns for 2014 from Today’s CISOs”:

As chief information security officers (CISOs) survey today’s threat landscape, they are faced with growing pressure to protect terabytes of data, meet stiff compliance regulations, and evaluate risks of working with third-party vendors and doing it all with shrinking budgets and lean IT teams. CISOs have more tasks than ever and sophisticated, complex threats to manage.

Principal security strategists for Cisco security services, who advise CISOs on security approaches for their organizations, offer this list of the most pressing concerns and challenges for 2014:-

Managing Compliance

The most pervasive concern among CISOs may be the need to protect data that resides throughout an increasingly porous network, while expending precious resources on compliance. Compliance alone is not equal to being secure; it is simply a minimum baseline focused on the needs of a specific regulated environment. Security, meanwhile, is an all-encompassing approach that covers all business activities.

Trusting the Cloud

CISOs must make decisions on how to manage information safely with the finite budgets and time they are allotted. For example, the cloud has become a cost-effective and agile way to manage ever-growing storehouses of data, but it raises more worries for CISOs. Chief executive officers and boards of directors see the cloud as a panacea for eliminating costly hardware. They want the benefits of offloading data to the cloud, and expect the CISO to make it happen securely and quickly.

Trusting Vendors

As with the cloud, organizations tap into vendors to provide specialized solutions. The cost model for going with third parties makes sense. However, these vendors are high value targets for criminals, who know that third-party defences may not be as strong.

Bouncing Back from Security Breaches

All organizations should assume they’ve been hacked, or at least agree that it’s not a question of if they will be targeted for an attack, but when. Recent hacks such as Operation Night Dragon, the RSA breach, and the Shamoon attack against a large oil and gas company in 2012 are on the minds of many CISOs.

The Story Of A Phish

Phishme Inc have produced this excellent Infograph, which follows the “life”, or progress, of a phishing attack.

The three key findings from the Cisco 2014 Annual Security Report

1. Attacks against infrastructure are targeting significant resources across the Internet.

  • Malicious exploits are gaining access to web hosting servers, name servers, and data centers. This suggests the forming of überbots that seek high-reputation and resource-rich assets.
  • Buffer errors are a leading threat, at 21% of the Common Weakness Enumeration (CWE) threat categories.
  • Malware encounters are shifting toward electronics manufacturing and the agriculture and mining industries at about 6x the average encounter rate across industry verticals.

2. Malicious actors are using trusted applications to exploit gaps in perimeter security.

  • Spam continues its downward trend, although the proportion of maliciously intended spam remains constant.
  • Java comprises 91% of web exploits; 76% of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
  • “Watering hole” attacks are targeting specific industry-related websites to deliver malware.

3. Investigations of multinational companies show evidence of internal compromise. Suspicious traffic is emanating from their networks and attempting to connect to questionable sites (100% of companies are calling malicious malware hosts).

  • Indicators of compromise suggest network penetrations may be undetected over long periods.
  • Threat alerts grew 14% year over year; new alerts (not updated alerts) are on the rise.
  • 99% of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71%) with all forms of web-delivered malware.

Cisco Security can be found here.

How retail companies describe their Cyber Liability exposures

In a recent Willis Report, “Some Fortune 1000 Retailers Remain Silent on Cyber Threats”, Willis explain how the Retail industry compares to the Fortune 1000 companies in their approach to Cyber Liability.

When describing the extent of cyber risk:-

  • 57% of retail firms disclosed their cyber exposures as significant, serious, material or critical, according to the study
  • 9% of the firms did not disclose any risks related to cyber exposures

Willis describe the results as:

“surprising” given that the retail industry has been the target of many of the highest profile system breaches to date, resulting in some of the largest losses, the report said.

Other key findings of the report include:-

The top three cyber risks identified by the retail sector of the Fortune 1000 include:

  1. 74% privacy/loss of confidential data
  2. 66% reputation risk
  3. 61% cyber liability

9% identified cyber risk at the hands of “outsource vendors”, which Willis described as “surprising” given the level of outsourcing across the sector and the reliance on third-party technology partners.

In detailing cyber risk remedies:-

  • 49% of the retail companies cited the use of technical safeguards — more than the Fortune 1000 as a whole (43%)
  • 17% of retail companies reported inadequate resources to limit cyber losses, a potential “cause for concern,” as technical protections may not be sufficient to contain the effects of some cyber or technology events, Willis said.

9% of the sector indicated they purchased insurance for cyber exposures.

In Willis’s view the actual rate of cyber insurance take-up may be substantially higher, based on additional Willis data obtained in collaboration with insurance underwriters. The 9% disclosed rate places the retail sector below:-

  • The funds sector (33%)
  • Utilities (15%)
  • Banking and conglomerates (tied at 14% each)
  • Tech/telco and insurance (11%)
  • The media industry (10%)

The increasing frequency of “point-of-sale” breaches and “do-not-” class-action lawsuits is described as an evolving cyber exposure.

The full report can be found here.

8 areas of computer security that have arisen during Data Breach investigations

The UK Information Commissioner’s Office (ICO) has identified eight important areas of computer security that have frequently arisen during their investigations of data breaches.

The eight areas are:-

  1. Software updates
  2. SQL injection (65% of organisations have been breached by a SQL Injection attack)
  3. Unnecessary services
  4. Decommissioning of software or services
  5. Password storage
  6. Configuration of SSL and TLS
  7. Inappropriate locations for processing data
  8. Default credentials

The ICO has provided advice for all eight areas. The report can be found here.

ICO response to European Union Court of Justice ruling on online search results

The United Kingdom Information Commissioner’s Office (ICO) has issued the following statement in response to this week’s ruling by the European Union Court of Justice on the need for Google to amend its search results following a request by a member of the public. 

ICO spokesperson said:

“This is an important judgement. We welcome the extent to which it upholds the data protection rights of individuals and confirms the powers of data protection authorities to enforce these. We will be studying the judgement in detail and considering its practical implications for individuals, businesses and ourselves. When we have done so we will comment further.”

When the revised European Data Protection Act finally arrives, I hope it further clarifies the “right to be forgotten” and how it will be enforced.

Top 10 Tips for Cyber Resilience in businesses

The dramatic increase in both the sophistication and frequency of cyber risks and attacks on businesses has profoundly changed the security threat landscape. Gone are the benign days of the Anna Kournikova virus or the “I Love You” bug. Today cyber risks and threats can lead to breaches of sensitive data, harming consumers, businesses and governments of all sizes. But there is a way to stay ahead of these risks by crafting an effective security strategy, and being cyber resilient.

Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business.

Many businesses currently don’t have holistic IT security practices and technologies in place to deal with all of these new challenges. Breaches can and will happen. How businesses prepare for a breach is just as important as how they respond to one. Organisations should consider the following measures to mitigate the risk of an attack and become cyber resilient:

  1. Make security personal to your business – understand your business and how security can be built into your IT practices
  2. Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident
  3. Get executive and board engagement – cyber resilience starts at the top of the organisation
  4. Have a plan – security incidents happen every day. Develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what
  5. Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable. All employees need to know what part they play in the bigger picture
  6. Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management
  7. Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy
  8. Start small, but think big – Information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value. For example, the supply chain and how an organisation interacts with its wider network of vendors and partners. The key is to think big but have a maturity plan, which must be linked to strategic business value and growth
  9. Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor
  10. Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.

For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage.

Written by Brenton Smith, Managing Director & VP Pacific at Symantec, and originally posted here.

More organisations opting to take out Cyber Insurance

In Marsh Insurance’s 2013 survey, 70% of organisations said they would buy Cyber Insurance; in the 2014 survey the figure was 78%.

PCI DSS Version 3.0 Self Assessment Questionnaires

The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS self-assessment. The different SAQ types are shown in the table below to help you identify which SAQ best applies to your organization. Detailed descriptions for each SAQ are provided within the applicable SAQ.

Cost of business cyber security breaches almost double

The number of information security breaches affecting UK businesses has decreased over the last year, but the scale and cost of individual breaches has almost doubled.

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found:-

  • 81% of large organisations suffered a security breach, down from 86% a year ago
  • 60% of small businesses reported a breach, down from 64% in 2013

Although organisations are experiencing fewer breaches overall, the severity and impact of attacks has increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average, and for large organisations between £600,000 and £1.15 million.

The majority of businesses have increased IT security investment over the last year

Universities and Science Minister David Willetts said:

“These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage. Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”

Andrew Miller, cyber security director at PwC, said:

“Whilst the number of breaches affecting UK business has fallen slightly over the past year, the number remains high and in many companies more needs to be done to drive true management of security risks. Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”

70% of companies with a poor understanding of security policy experienced staff-related breaches, compared to only 41% of companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.

The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches, up to 59% from 53% last year.

Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year (2014), the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14 year-olds and plans to train teachers to teach cyber security.

Earlier this year (2014) the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow, to manage cyber risks. From this summer (2014) organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.

The press release can be found here.

Retail and Financial Sectors Overly Confident About Breach Detection

Atomic Research have announced the results of a survey sponsored by Tripwire of 102 financial organizations and 151 retail organizations in the U.K., all of which process card payments.

The survey results indicate that recent data breaches have had little impact on the security controls of retail and financial organisations.

35% said it would take as long as two to three days to detect a breach on their systems

However, according to the 2014 Verizon Data Breach Investigations Report, 85% of point-of-sale intrusions took weeks to discover and 43% of web application attacks took months to discover.

“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches,” said Tim Erlin, director of IT security and risk strategy for Tripwire, in response to the findings. “6% of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”

The Payment Card Industry Data Security Standard is a security standard that outlines minimum security requirements for organizations that handle cardholder information. When asked how important PCI compliance is to their overall security program, 43% of respondents said it was the backbone of their security program, and 36% said it was half of their security program. However, in order to protect confidential customer data, organisations must apply additional security controls.

Other findings include:

  • 24% of those studied have already suffered a data breach where Personally Identifiable Information (PII) was stolen or accessed by intruders
  • 36% of respondents do not have confidence in their incident response plan
  • 51% of respondents are only somewhat confident that their security controls can detect malicious applications
  • 40% of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security,” said Dwayne Melancon, chief technology officer for Tripwire. “For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

“Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches,” Melancon continued. “These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals.”

The Tripwire report can be found here.

Cybercriminals see a 9% year on year improved yield on stolen records from $136 to $145

IBM and Ponemon have released their ninth annual Cost of Data Breach Study: Global Study. According to the research, the average total cost of a data breach for the companies participating in this research increased 15% to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145 in this year’s study. 

For the first time, the study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in the research, Ponemon believe they can predict the probability of a data breach based on two factors:

  1. How many records were lost or stolen
  2. The company’s industry

According to the findings, organizations in India and Brazil are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Australia are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 314 companies representing the following 11 countries participated:-

  1. Australia
  2. Brazil
  3. France
  4. Germany
  5. India
  6. Italy
  7. Japan
  8. Saudi Arabia (Saudi Arabia and the United Arab Emirates were combined as the Arabian region)
  9. United Arab Emirates
  10. United Kingdom
  11. United States

All participating organizations experienced a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records. Ponemon define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

As the findings reveal, the consolidated average per capita cost of data breach (compiled for eleven countries and converted to US dollars) differs widely among the countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face as well as the data protection regulations and laws in their respective countries.

In this year’s global study, the average consolidated per capita cost of a data breach increased from $136 to $145.

However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.

Ponemon Institute conducted its first Cost of Data Breach study in the United States nine years ago. Since then, they have expanded the study to include the United Kingdom, Germany, France, Australia, India, Italy, Japan, Brazil and, for the first time this year, the United Arab Emirates and Saudi Arabia. To date, 1,279 business and government (public sector) organizations have participated in the benchmarking process since the inception of this research series.

This year’s study examines the costs incurred by 314 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the 1,690 individuals interviewed over a ten-month period in the companies that are represented in this research.

The following are the key findings, measured in US dollars:

  • The most and least expensive breaches. German and US companies had the most costly data breaches ($201 and $195 per record, respectively). These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million). The least costly breaches occurred in Brazil and India ($70 and $51, respectively). In Brazil, the average total cost for a company was $1.61 million and in India it was $1.37 million. 
  • Size of data breaches. On average, U.S. and Arabian region companies had data breaches that resulted in the greatest number of exposed or compromised records (29,087 and 28,690 records, respectively). On average, Japanese and Italian companies had the smallest number of breached records (18,615 and 19,034 records, respectively). 
  • Causes of data breaches differ among countries. Companies in the Arabian region and in Germany were most likely to experience a malicious or criminal attack, followed by France and Japan. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure and UK companies were more likely to have a breach caused by human error. 
  • The most costly data breaches were malicious and criminal attacks. Consolidated findings show that malicious or criminal attacks are the most costly data breach incidents in all ten countries. U.S. and German companies experience the most expensive data breach incidents at $246 and $215 per compromised record, respectively. Brazil and India had the least costly data breaches caused by malicious or criminal attackers at $77 and $60 per capita, respectively.
  • Factors that decreased and increased the cost of a data breach. Having a strong security posture, incident response plan and CISO appointment reduced the cost per record by $14.14, $12.77 and $6.59, respectively. Factors that increased the cost were those that were caused by lost or stolen devices (+ $16.10), third party involvement in the breach (+ $14.80), quick notification (+ $10.45) and engagement of consultants (+ $2.10). 
  • Business continuity management reduced the cost of a breach. For the first time, the research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $8.98 per compromised record. 
  • Countries that lost the most customers following a data breach. France and Italy had the highest rate of abnormal customer turnover or churn following a data breach. In contrast, the Arabian region and India had the lowest rate of abnormal churn. 
  • Countries that spent the most and least on detection and escalation. On average, German and French organizations spent the most on detection and escalation activities such as investigating and assessing the data breach ($1.3 million and $1.1 million, respectively). Organizations in India and the Arabian region spent the least on detection and escalation at $320,763 and $353,735 respectively. 
  • Countries that spent the most and least on notification. Typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. U.S. and German organizations on average spent the most ($509,237 and $317,635 respectively). Brazil and India spent the least amount on notification ($53,772 and $19,841, respectively). 
  • Will your organization have a data breach? As part of understanding the potential risk to an organization’s sensitive and confidential information, we thought it would be helpful to understand the probability that an organization will have a data breach. To do this, we extrapolate a subjective probability distribution for the entire sample of participating companies on the likelihood of a material data breach happening over the next two years. The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22%. In addition to overall aggregated results, we find that the probability or likelihood of data breach varies considerably by country. India and Brazil have the highest estimated probability of occurrence.

The full report can be obtained here.

Tracking how fast a security incident is discovered and contained is the most important metric but not often used

In a Firemon-sponsored Ponemon study, respondents were asked to rate the importance of specific metrics in communicating the state of security risk to senior executives and IT management.

The following metrics are considered to be most important in achieving more effective communications. 

  • Metrics on compliance with security standards and frameworks. The metrics most often used are length of time to implement security patches and the reduction in audit findings, especially repeat findings.
  • Metrics on the management of security threats. The metrics most often used are reduction in the number of known vulnerabilities and percentage of endpoints free of malware and viruses.
  • Metrics on the minimization of disruption to business & IT operations. The metric most often used is reduction in unplanned system downtime.
  • Metrics on staff and employee competence. The metric most often used is the number of end users receiving appropriate training.
  • Metrics on efficient management of resources and spending. The metric most often used is reduction in the cost of security management activities.
  • Time-dependent metrics on the discovery and containment of compromises and breaches. The metrics most often used are mean time to fix, mean time to identify and whether root causes are known.
  • Metrics on the minimization of third-party security risks. The metric most often used is the number of third parties that attest to meeting compliance and security standards.
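The time-dependent metrics in the last-but-one bullet (mean time to identify, mean time to contain and fix, and whether the root cause is known) are the ones the study says matter most yet are least used. The following is an added example, not code from the Ponemon or Firemon study, showing how those metrics can be computed from an organization's own incident records. The record layout, the four sample incidents and the 72-hour identification and 24-hour containment targets are constructed for illustration.

```python
"""Compute time-dependent incident metrics (time to identify, contain and fix)
from incident records. Added example; the records below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed sample records, one per line:
#   id,first_compromise,identified,contained,fixed,root_cause
# An empty 'fixed' field means the incident is still open; an empty
# root_cause field means the cause is not yet known.
SAMPLE_INCIDENTS = """\
INC-001,2014-03-02T08:00,2014-03-04T08:00,2014-03-04T20:00,2014-03-09T08:00,phishing
INC-002,2014-03-10T00:00,2014-03-10T06:00,2014-03-10T09:00,2014-03-11T06:00,unpatched web app
INC-003,2014-03-20T12:00,2014-03-26T12:00,2014-03-28T00:00,,
INC-004,2014-04-01T10:00,2014-04-01T10:30,2014-04-01T11:30,2014-04-02T10:30,malware
"""


@dataclass
class Incident:
    ident: str
    compromised: datetime   # earliest evidence of attacker activity
    identified: datetime    # when the organization became aware
    contained: datetime     # when the attacker's access was cut off
    fixed: Optional[datetime]   # when the root cause was remediated, if at all
    root_cause: Optional[str]

    def hours_to_identify(self) -> float:
        return (self.identified - self.compromised).total_seconds() / 3600

    def hours_to_contain(self) -> float:
        return (self.contained - self.identified).total_seconds() / 3600

    def hours_to_fix(self) -> Optional[float]:
        if self.fixed is None:
            return None
        return (self.fixed - self.identified).total_seconds() / 3600


def _optional_ts(field: str) -> Optional[datetime]:
    return datetime.strptime(field, "%Y-%m-%dT%H:%M") if field else None


def _required_ts(field: str, ident: str, name: str) -> datetime:
    ts = _optional_ts(field)
    if ts is None:
        raise ValueError(f"{ident}: missing {name} timestamp")
    return ts


def parse_incidents(text: str) -> List[Incident]:
    """Parse the constructed CSV layout and validate the timeline ordering."""
    incidents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ident, comp, idd, cont, fixed, cause = line.split(",", 5)
        inc = Incident(
            ident,
            _required_ts(comp, ident, "compromise"),
            _required_ts(idd, ident, "identification"),
            _required_ts(cont, ident, "containment"),
            _optional_ts(fixed),
            cause or None,
        )
        # A metric built on out-of-order timestamps is meaningless, so reject them.
        if not (inc.compromised <= inc.identified <= inc.contained):
            raise ValueError(f"{ident}: timestamps out of order")
        incidents.append(inc)
    return incidents


def compute_metrics(incidents: List[Incident],
                    identify_sla_hours: float = 72.0,
                    contain_sla_hours: float = 24.0) -> Dict[str, object]:
    """Mean/median times plus the incidents that missed the (assumed) targets."""
    tti = [i.hours_to_identify() for i in incidents]
    ttc = [i.hours_to_contain() for i in incidents]
    ttf = [h for h in (i.hours_to_fix() for i in incidents) if h is not None]
    return {
        "incidents": len(incidents),
        "mean_hours_to_identify": mean(tti),
        "median_hours_to_identify": median(tti),   # robust to one long-undetected case
        "mean_hours_to_contain": mean(ttc),
        "mean_hours_to_fix": mean(ttf) if ttf else None,
        "open_incidents": len(incidents) - len(ttf),
        "root_cause_known_pct": 100.0 * sum(1 for i in incidents if i.root_cause) / len(incidents),
        "identify_sla_breaches": [i.ident for i in incidents if i.hours_to_identify() > identify_sla_hours],
        "contain_sla_breaches": [i.ident for i in incidents if i.hours_to_contain() > contain_sla_hours],
    }


if __name__ == "__main__":
    for key, value in compute_metrics(parse_incidents(SAMPLE_INCIDENTS)).items():
        print(f"{key}: {value}")
```

Reporting the median alongside the mean matters for this metric: a single incident that went unnoticed for months dominates the mean, while the median shows what a typical detection looks like, and the per-incident target breaches are what senior management can act on.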

The full study can be found here.

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? A Ponemon Study.

The Firemon-sponsored study by Ponemon surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields. All respondents are involved in IT security management activities in their organizations. They also are involved in assessing or managing the impact of change on their organization’s IT security operations. The following are the themes of this study:

  • Tale of two security departments
  • The importance of metrics to driving more informed decisions
  • Practices to achieve effective security change management
  • The right metrics for managing change

What is security change management?

Ponemon defines this in the study as “a formal approach to assessing, prioritizing and managing transitions in personnel, technologies, policies and organizational structures to achieve a desired state of IT security”. The security risk landscape is defined as rapidly mutating threats at every point of entry, from the perimeter to the desktop and from mobile to the cloud. The fast evolution of the threat landscape and changes in network and security architectures create a challenging and complex security ecosystem.

The key findings of the study

The security posture perception gap puts organizations at risk. 13% of respondents would rate the security posture of their organization as very strong, whereas 33% of respondents say their CEO and Board believe the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.

Why can’t communication be better? 71% of respondents say communication occurs at too low a level, and 63% say it occurs only when a security incident has already occurred. 51% admit to filtering negative facts before talking to senior executives.

Agility is key to managing change. However, when asked to rate their organization’s agility in managing the impact of change on IT security operations, only 16% of respondents say their organizations have a very high level of agility and 25% say it is very low.

Metrics that reveal the impact of change are most valuable. According to 74% of respondents, security metrics that measure the impact of disruptive technologies on security posture are important. 62% of respondents say metrics fail to provide this important information.

Real-time analysis for managing change is essential. When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

Organizations are not using more advanced procedures to understand the impact of change on their organization’s security posture. 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture. 15% are using automated risk impact assessments, 13% say they are using continuous compliance monitoring and 11% rely on internal or external audits.

Senior executives are believed to have a more positive outlook on the effectiveness of their IT security function. While respondents rate their organization’s security posture as just about average, they believe their CEOs and board members have a much more positive perception and would rate their organization’s security posture as above average. 13% of respondents would rate the security posture as strong, whereas 33% of respondents say their CEO and Board believe their organization has a very strong security posture. This perception gap signals that security practitioners are not given an opportunity and/or cannot communicate effectively the true state of security in the organization. As a result, it is difficult to convince senior management of the need to invest in the right people, processes and technologies to manage security threats. Likewise, respondents believe key stakeholders also consider the organization’s security posture as being above average: 26% of respondents say this group rates their organization’s security posture as very strong. These stakeholders include business partners, vendors, regulators and competitors.

Lack of communication seems to be at the root of the C-suite and IT security disconnect. Too little and too late characterizes communication to senior executives about the state of security risk. 29% of respondents say they do not communicate to senior executives about risks and 31% say such communication only occurs when a serious security risk is revealed. As a result, they admit the state of communication about security risks is not effective. 6% of respondents say they are highly effective in communicating all relevant facts to management.

Why can’t communication be better? The main complaints are that communication occurs at too low a level or when a security incident has already occurred. Other problems stem from the existence of silos that keep information from being communicated throughout the organization. Respondents also recognize that the technical nature of the information could be frustrating for senior executives. Very often, the whole story is not revealed because negative facts are filtered before being disclosed to senior executives and the CEO.

What are the implications of senior executives and IT security not having the same understanding of the organization’s security effectiveness? According to the findings, an important capability such as having the agility to manage the impact of change on IT security operations could be affected by not being able to convince management of the need for enough resources, budget and technologies. When asked to rate their organization’s overall agility in managing the impact of change on IT security operations, respondents say it is fairly low. 16% of respondents say their organizations have a very high level of agility and 25% say it is very low. This is also the case when asked to rate their organization’s effectiveness in managing the impact of change on IT security operations. 17% say their organizations are very effective and 30% say their organizations are very ineffective.

The top three barriers to achieving effective security change management activities are:

  1. insufficient resources or budget
  2. lack of effective security technology solutions
  3. lack of skilled or expert personnel

When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

  • 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture
  • 15% are using automated risk impact assessments
  • 13% say they are using continuous compliance monitoring
  • 11% rely on internal or external audits

Those technologies most often fully deployed to facilitate the management of changes that impact an organization’s security risk profile are:

  • Incident detection and alerting (including SIEM)
  • Vulnerability risk management
  • Network traffic monitoring
  • Security configuration management

Technologies that are often only partially deployed are log monitoring (46% of respondents) and file integrity monitoring (35% of respondents).

Minimally or not deployed at all are big data analytics (64% of respondents), automated policy management (45% of respondents) and sandboxing (44% of respondents).

Current metrics in use do not communicate the true state of security efforts. When asked if the metrics that are in use today adequately convey the true state of security efforts deployed by their organization, 43% of respondents say they do not and 11% are unsure. The biggest reasons for the failure to accurately measure the state of security are more pressing issues take precedence, communication with management only occurs when there is an actual incident, the information is too technical to be understood by nontechnical management, and a lack of resources to develop or refine metrics.

What are the strengths and weaknesses of the security function? Respondents were asked to rate their organizations’ ability to accomplish seven specific factors that may impact the security posture. The findings reveal that most respondents say their organizations are best at managing security threats, hiring and retaining competent security staff and employees, and discovering and containing compromises and breaches quickly. They are not as effective at achieving compliance with leading security standards and frameworks and at minimizing third-party security risks.

What events are most likely to disrupt the organization’s infrastructure and ability to manage security threats? The expansion of mobile platforms and migration to the cloud are the most likely to affect the security posture. Use of employee-owned devices (BYOD) and the implementation of a next generation firewall have moderate impact. Events that are considered to have a low impact are the move or consolidation of data center resources, implementation of virtualized computing and storage, a security audit failure, and reorganizing and downsizing the enterprise and IT function. Who is accountable for managing the risk created by the introduction of such changes as mobile platforms and the cloud? According to respondents, the person most responsible for managing the impact of these changes is the CIO or CTO, followed by “no one has overall responsibility”.

Metrics must be aligned with business goals. 83% of respondents say it is important to have security metrics fully aligned with business objectives. However, most organizations represented in this study do not seem to be achieving this goal. In fact, 69% say security metrics sometimes conflict with the organization’s business goals.

  • 74% agree that security metrics that show the impact of disruptive technologies on security posture are important
  • 62% of respondents say metrics fail to provide information about the impact of change
  • 54% agree that metrics do not help understand the vulnerabilities to criminal
  • 46% of respondents say they do not help assess or manage risks caused by the migration to the cloud
  • 56% agree that metrics can help justify investment in people, processes and technologies
  • 57% of respondents agree the CEO and board do care about the metrics used to measure security posture

What is the metrics that matter gap? Respondents were asked to rate the metrics most important in communicating relevant facts about the state of security risks to senior executives and IT management. The top metrics in terms of their importance are discovery and containment of compromises and breaches, and management of resources and spending. However, the actual use of metrics in these categories averages only 43% and 37% of the organizations represented in this research. The biggest gaps between importance and use are with metrics that track disruption to business & IT operations (36% gap), management of resources and spending (35% gap), and discovery and containment of compromises and breaches (31% gap). The smallest gaps between importance and use are with third-party risks (7%) and staff and employee competence (2%).

Tracking how fast a security incident is discovered and contained is the most important metric but not often used.

Practices to achieve effective security change management. In this section, we look at the different practices of organizations that were self-reported to have a high security posture and those that have a low security posture. The findings reveal that there is a difference in the technologies deployed, perceptions about barriers to managing the impact of change to the security infrastructure, effectiveness in communication with senior management, and frequency of communications.

Firemon’s report can be found here.

Another successful Infosecurity Europe finishes

Considering there was a tube strike, I had no problems taking the normal underground route on the Victoria and District lines; the north-south lines didn’t seem as affected as the east-west ones.

I hadn’t realised until I saw the promotional signs for InfoSec 2015 at Olympia that this is the last time it will be at Earls Court, as the building is being demolished and replaced by a retail park with houses and apartments. That is sad as it is a great art deco 1930s building; OK, a bit tired, but it is a better venue than Olympia.

In the first minute I bumped into a couple of ex-colleagues who were exhibiting but never saw them again over the next 2½ days which serves to demonstrate the size of the event.

I then set off on my marathon walk around and around the stands talking to lots of customers, prospective customers, ex-colleagues and friends resulting in a range of outcomes:-

  • Business opportunities
  • Developed a potentially new service offering
  • Finding out where people are working this year (same person, different polo shirt)
  • Speaking opportunities where a vendor wishes to educate their prospective customers on PCI, ISO and other standards

The exhibition itself had a different feel, maybe because there were fewer people or maybe because all the big stands had huge screens, like something from Blade Runner, backed by stages and speakers and a small army of table magicians whizzing cards everywhere.

Some of the larger vendors weren’t there but that trend isn’t new with vendors like Cisco and Check Point having missed previous events.

There did seem to be more distributors, resellers and service providers than previous years and the trend of vendors having reseller “pods” continued.

The Innovation and Overseas Pavilions of the USA, France, Israel and Moscow had some innovative solutions on offer although no one ever seemed to man the massive Moscow City stand/pods. 

Overall it was a great event.
