Brian Pennington

A blog about Cyber Security & Compliance

Tag: BYOD

Information Security and Cyber Liability Risk Management – a 2014 survey

Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and ongoing trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed, at least in part, by 507 respondents.

The majority of respondents classified themselves as either

  • Member of Risk Management Department (not head) (38%)
  • Chief Risk Manager/Head of Risk Management Department (33%)

Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with between 11 – 20 years, 18% with 5 years or less, and 17% with between 6 – 10 years.

A summary of the survey is below.

Perception of Cyber Risks

Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.

“In your experience, are cyber risks viewed as a significant threat to your organization by:”

  • 64% said “yes” for Board of Directors (54% in 2013)
  • 72% said “yes” for C-Suite Executives (6% in 2013)

Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently, if not more so, than larger companies, as a group they continue to view cyber risks less seriously. In response to the question

“How would you rate the potential dangers posed to your organization by cyber and information security risks?”

  • 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
  • 93% of the largest companies (revenue greater than $10 billion) consider them to be so.

Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.

In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.

Data Breach Response

Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.

“Does your organization have a data breach response plan in the event of a data breach?”

  • 62% said yes
  • 14% said no
  • 24% did not know

“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”

  • IT – 38%
  • General Counsel – 21%

These two departments received the highest percentages of the responses.

Information Security and Cyber Risk Management Focus

Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus, with 83% of companies with revenues in excess of $1 billion doing so, compared with 77% of those with revenues under $1 billion. However, the 6 percentage point difference between small and large companies is significantly less than the 17 point difference from a year ago.

The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less): 92% of the largest companies make information security a risk management focus compared with only 72% of the smallest companies.

For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined: 52% have such a team or committee, down from 56% in 2013 and 61% in 2012. Although still within the margin of error, this is a potential trend worth following. As in previous years, this varies materially based on the size of company, with 58% of larger companies ($1 billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1 billion in revenue).

The departments most likely to have representation on the information security risk management team are:

  • IT – 90%
  • Risk Management/Insurance – 73%
  • General Counsel – 63%
  • Compliance – 55%
  • Internal Audit – 47%
  • Treasury or CFO’s Office – 40%
  • Chief Privacy Officer – 36%
  • Marketing – 10%
  • Investor Relations – 6%
  • Sales – 5%
  • Other – 15% (the most common write-in responses under “Other” were Operations and Security)
  • Didn’t know – 9%

The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”

  • 69% responded IT
  • 11% Risk Management/Insurance
  • 5% responded Other, the most common write-in being Information Security

Social Media

Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringing others’ intellectual property, and data breaches.

“Does your organization have a written social media policy?”

  • 74% responded yes
  • 17% no

Cloud Services

For a third consecutive year respondents were asked questions on cloud services. Thanks to its cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable due to the lack of control in securing the information. Nonetheless, security concerns continue to be outweighed by the benefits.

“Does your company use cloud services?”

  • 66% responded yes, up from 55% last year, and 45% in 2012.

“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”

  • 51% responded yes – consistent with last year

Mobile Devices

“Does your organization have a mobile device security policy?”

  • 74% said yes
  • 15% said no
  • 13% did not know

Larger companies continue to be more likely to have such a policy, with

  • 82% of large companies ($1 billion in revenue or greater) responding yes
  • 62% of smaller companies (under $1 billion in revenue) responding yes.

The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.

“Does your organization have a bring your own device (BYOD) policy?”

  • 47% responded yes which is consistent with last year’s response.

The Role of Insurance in Information Security and Cyber Risk Management

The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.

“Does your organization purchase cyber liability insurance?”

  • 52% responded yes
  • 35% said no
  • 13% did not know

Of the respondents who purchase coverage:

  • 32% have purchased it for less than two years
  • 47% between three and five years
  • 22% for more than five years

The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly from 54% in 2013 to 48% this year.

Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.

The full survey can be found here.

95% of enterprises allow BYOD

[Infographic image: winning-with-mobile-infographic, courtesy of Symantec.]

Private Cloud Security Keeps IT Up At Night

[Infographic image: Catbird survey infographic.]

[Infographic image: NQ Mobile, mobile malware.]

What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

Ponemon Institute has released its CA Technologies sponsored study “The Identity Imperative for the Open Enterprise: What IT Users and Business Users Think about Bring Your Own Identity (BYOID)”.

They surveyed 1,589 IT and IT security practitioners and 1,526 business users, all in organisations with more than 1,000 employees, in the United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom to understand current trends in Bring Your Own Identity (BYOID), which is defined as the use of trusted digital or social networking identities.

  • 74% of the IT users surveyed report to the CIO
  • 15% report to the CISO
  • 55% of the business users in this research report to the lines of business leader
  • 10% report to the marketing officer 

The majority of respondents in both groups have high levels of interest in BYOID, but IT users and business user groups have different views about the perceived potential value of BYOID. 

  • IT users view BYOID primarily for fraud reduction, risk mitigation and cost reduction
  • Business end users are more interested in how BYOID can streamline customer’s experience and assist in targeted marketing campaigns.

Some of these differences can be expected because of the different job responsibilities of each group. These differences do not necessarily portend conflict, but rather show the need for collaboration between IT and the business functions to yield maximum benefits for any organisation deploying a BYOID system. By developing a cross-functional BYOID strategy around several well-defined use cases, organisations can differentiate themselves from competitors and further grow their business.

Key finding of the study are:

The Application Economy Drives BYOID Interest

In today’s application economy, organisations need to securely deliver new apps to grow their business quickly. This can increase IT risks, which puts a premium on an organisation’s ability to simplify the user experience without sacrificing security. Using an existing digital or social identity issued by a trusted third party to access applications can help organisations meet the need for simplicity, security and a positive customer experience.

  • 67% of IT users say the primary value of BYOID is from strengthening the authentication process
  • 54% of IT users say it is from reducing impersonation risk
  • 79% of business users believe the BYOID value comes from delivering a better customer experience
  • 76% of business users believe it is from increasing the effectiveness of marketing campaigns

While IT sees value primarily in risk mitigation/cost reduction, business users see the value of BYOID in improving the consumer experience to increase customer loyalty and generating new revenue streams. This underscores the need for IT and business collaboration to address the challenge that today’s organisations face: how to secure the business while simultaneously empowering

Mobile and Web Users Drive BYOID

Today’s IT organisations must deliver secure access to a highly distributed and growing user population. These users expect to access information anywhere, anytime from multiple devices. This is changing how user identities should be managed and is affecting the demand for BYOID.

When IT practitioners and business users were polled on their level of interest in accepting identities for different user populations such as job prospects, employees, contractors, retirees, website customers or mobile customers, mobile and web customers received the most interest, far exceeding that of the other populations.

  • 50% of IT respondents and 79% of business respondents have very high or high interest in BYOID for website user populations
  • 48% of IT respondents and 82% of business respondents have very high or high interest in BYOID for mobile user populations

BYOID Requires Security Enhancements to Drive More Adoption

While the survey results indicate interest in BYOID from both IT users and business users, both groups identified features that could contribute to broader BYOID adoption.

When asked which features would most likely increase BYOID adoption within their organisation:

  • 73% of IT users cite identity validation processes as a top feature
  • 66% of IT users cite multi-factor authentication
  • 71% of business users say identity validation processes and simplified user registration are the most important features for increasing adoption.

The study also indicates a high level of interest in some form of accreditation of the identity providers:

  • 59% of IT respondents say it is essential or very important, and a further 21% say it is important
  • 27% of business respondents say accreditation is essential or very important, and 48% believe it is important.


Why is there a Cloud Multiplier effect on the risk of a Data Breach?

[Infographic image: Netskope data breach.]

65% have experienced an SQL injection attack

The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released. 

The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk. 

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network segment connecting the web application to the database.

69% of respondents say their organization must comply with Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with and required to comply with the security requirements for retailers who accept payment cards. 

SQL injection is an attack on data-driven applications in which malicious SQL statements are inserted into an entry field so that the database executes them (e.g. to dump the database contents to the attacker). It exploits a vulnerability in the application’s own software, typically the concatenation of untrusted input into a query string. SQL injection is most commonly known as an attack vector through public-facing websites, but it can be used to attack SQL databases in a variety of ways.
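The following is an added example, not code from the report or from DB Networks, showing the defect described above alongside its fix and the kind of statement-shape check that a monitor watching the SQL between application and database can apply. The schema, rows, payloads and the allow-list of expected statement templates are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample schema and rows (not from the report): a table the
# application is meant to query, and one it should never expose.
SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, city TEXT);
INSERT INTO customers(email, city) VALUES
    ('alice@example.com', 'Leeds'),
    ('bob@example.com',   'Bristol'),
    ('carol@example.com', 'Leeds');
CREATE TABLE card_tokens(id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO card_tokens(token) VALUES ('tok_4111'), ('tok_5500');
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def vulnerable_sql(city):
    # The attacker-controlled value is spliced into the statement text, so a
    # quote character in it is parsed as SQL. This is the defect the report
    # describes.
    return "SELECT email FROM customers WHERE city = '" + city + "'"

def find_by_city_vulnerable(conn, city):
    return [row[0] for row in conn.execute(vulnerable_sql(city))]

def find_by_city_safe(conn, city):
    # Bound parameter: the value travels separately from the statement and is
    # never parsed as SQL, so the same payloads simply fail to match any city.
    cur = conn.execute("SELECT email FROM customers WHERE city = ?", (city,))
    return [row[0] for row in cur]

# Hypothetical allow-list of statement templates the application is known to
# issue. A monitor that sees the SQL on the wire can replace literals with
# placeholders and compare against this list; an injected statement changes
# the statement's shape and no longer matches.
EXPECTED_TEMPLATES = {
    "SELECT email FROM customers WHERE city = ?",
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")

def normalise(sql):
    # Replace string and numeric literals with '?' and collapse whitespace so
    # only the structure of the statement remains.
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return " ".join(shape.split())

def is_expected_statement(sql):
    return normalise(sql) in EXPECTED_TEMPLATES

def demo():
    conn = build_db()
    payloads = {
        "benign": "Leeds",
        "tautology": "' OR '1'='1",                              # returns every row
        "union_dump": "x' UNION SELECT token FROM card_tokens --",  # reads another table
    }
    results = {}
    for name, value in payloads.items():
        sql = vulnerable_sql(value)
        results[name] = {
            "vulnerable": sorted(find_by_city_vulnerable(conn, value)),
            "safe": sorted(find_by_city_safe(conn, value)),
            "flagged": not is_expected_statement(sql),
        }
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the vulnerable function the tautology payload returns all three customers and the UNION payload returns the card tokens, while the parameterised function returns nothing for either; both injected statements also fail the template check, which is the behaviour the "rogue SQL statement" detectors mentioned above rely on.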

Background on retail breaches 

Details of the recent retailer network intrusions and data breaches have not been readily forthcoming from either the retailers who were breached or the U.S. Secret Service, which is in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain from the limited amount of information that has been shared thus far.

Target, for example, has revealed that the credentials of an HVAC contractor were compromised, and claims that those compromised credentials initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information offers little insight into the events that led to the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII).

The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It is a rather long leap from those systems into Target’s POS systems, and how that feat was accomplished has not been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems identified the attackers’ suspicious activity multiple times during the attack, but those alerts were not acted upon by Target’s IT security staff.

Some of the key takeaways from this study include:

  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16% believe an individual perpetrated the attack.
  • Many respondents believe notification of victims is better later than sooner. 36% of respondents would prefer to wait to notify victims until a thorough investigation was conducted.
  • SQL injection threat was one of the components of these retail breaches. 53% of respondents say SQL injections were used to steal sensitive and confidential information.
  • 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
  • 33% of respondents say they either scan continuously or daily for active databases. However, 25% scan irregularly and 22% do not scan at all
  • SQL injection was considered by respondents to be one of the components of these attacks. 57% (36% + 21%) of respondents believe the likelihood that the attacks against the U.S. retailers involved SQL injection was 51% or greater
  • 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. Only 46% are familiar with the term Web Application Firewall (WAF) bypass, and 39% of respondents are very familiar or familiar with the techniques cybercriminals use to get around WAF perimeter security devices
  • BYOD makes understanding the root causes of an SQL injection threat more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers
  • Expertise and the right technologies are critical to preventing the SQL injection threat. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect SQL injection threats and 34% agree that they have the technologies or tools to quickly detect a SQL injection threat 

Find the report here

Top 10 Tips for Cyber Resilience in businesses

The dramatic increase in both the sophistication and frequency of cyber risks and attacks on businesses has profoundly changed the security threat landscape. Gone are the benign days of the Anna Kournikova virus or the “I Love You” bug. Today cyber risks and threats can lead to breaches of sensitive data, harming consumers, businesses and governments of all sizes. But there is a way to stay ahead of these risks by crafting an effective security strategy, and being cyber resilient.

Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business.

Many businesses currently don’t have holistic IT security practices and technologies in place to deal with all of these new challenges. Breaches can and will happen. How businesses prepare for a breach is just as important as how they respond to one. Organisations should consider the following measures to mitigate the risk of an attack and become cyber resilient:

  1. Make security personal to your business – understand your business and how security can be built into your IT practices
  2. Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident
  3. Get executive and board engagement – cyber resilience starts at the top of the organisation
  4. Have a plan – security incidents happen every day. Develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what
  5. Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable. All employees need to know what part they play in the bigger picture
  6. Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management
  7. Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy
  8. Start small, but think big – Information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value. For example, the supply chain and how an organisation interacts with its wider network of vendors and partners. The key is to think big but have a maturity plan, which must be linked to strategic business value and growth
  9. Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor
  10. Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.

For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage.

Written by Brenton Smith, Managing Director & VP Pacific at Symantec, and originally posted here.

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? A Ponemon Study.

The Firemon sponsored study by Ponemon surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields. All respondents are involved in IT security management activities in their organizations, and in assessing or managing the impact of change on their organization’s IT security operations. The following are the themes of this study:

  • Tale of two security departments
  • The importance of metrics to driving more informed decisions
  • Practices to achieve effective security change management
  • The right metrics for managing change

What is security change management?

Ponemon defines this in the study as “a formal approach to assessing, prioritizing and managing transitions in personnel, technologies, policies and organizational structures to achieve a desired state of IT security.” The security risk landscape is characterised by rapidly mutating threats at every point of entry, from the perimeter to the desktop and from mobile to the cloud. The fast evolution of the threat landscape and changes in network and security architectures create a challenging and complex security ecosystem.

The key findings of the study

The security posture perception gap puts organizations at risk. 13% of respondents would rate the security posture of their organization as very strong. Whereas, 33% of respondents say their CEO and Board believes the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.

Why can’t communication be better? 71% of respondents say communication occurs at too low a level or only when a security incident has already occurred (63% of respondents). 51% admit to filtering negative facts before talking to senior executives.

Agility is key to managing change. However, when asked to rate their organization’s agility in managing the impact of change on IT security operations, only 16% of respondents say their organizations have a very high level of agility and 25% say it is very low.

Metrics that reveal the impact of change are most valuable. According to 74% of respondents, security metrics that measure the impact of disruptive technologies on security posture are important. 62% of respondents say metrics fail to provide this important information.

Real-time analysis for managing change is essential. When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

Organizations are not using more advanced procedures to understand the impact of change on their organization’s security posture. 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture. 15% are using automated risk impact assessments, 13% say they are using continuous compliance monitoring and 11% rely on internal or external audits.

Senior executives are believed to have a more positive outlook on the effectiveness of their IT security function. While respondents rate their organization’s security posture as just about average, they believe their CEOs and board members have a much more positive perception, and would rate their organization’s security posture as above average. 13% of respondents would rate the security posture as strong. Whereas, 33% of respondents say their CEO and Board believes their organization has a very strong security posture. This perception gap signals that security practitioners are not given an opportunity and/or cannot communicate effectively the true state of security in the organization. As a result it is difficult to convince senior management of the need to invest in the right people, processes and technologies to manage security threats. Likewise, respondents believe key stakeholders also consider the organization’s security posture as being above average. 26% of respondents say this group rates their organization’s security posture as very strong. These include business partners, vendors, regulators, and competitors.

Lack of communication seems to be at the root of the C-suite and IT security disconnect. Too little and too late characterizes communication to senior executives about the state of security risk. 29% of respondents say they do not communicate to senior executives about risks and 31% say such communication only occurs when a serious security risk is revealed. As a result, they admit the state of communication about security risks is not effective: only 6% of respondents say they are highly effective in communicating all relevant facts to management.

Why can’t communication be better? The main complaints are that communication occurs at too low a level or when a security incident has already occurred. Other problems stem from the existence of silos that keep information from being communicated throughout the organization. Respondents also recognize that the technical nature of the information could be frustrating for senior executives. Very often, the whole story is not revealed because negative facts are filtered before being disclosed to senior executives and the CEO.

What are the implications of senior executives and IT security not having the same understanding of the organization’s security effectiveness? According to the findings, an important capability such as having the agility to manage the impact of change on IT security operations could be affected by not being able to convince management of the need for enough resources, budget and technologies. When asked to rate their organization’s overall agility in managing the impact of change on IT security operations, respondents say it is fairly low. 16% of respondents say their organizations have a very high level of agility and 25% say it is very low. This is also the case when asked to rate their organization’s effectiveness in managing the impact of change on IT security operations. 17% say their organizations are very effective and 30% say their organizations are very ineffective.

The top three barriers to achieving effective security change management activities are

  1. insufficient resources or budget
  2. lack of effective security technology solutions
  3. lack of skilled or expert personnel

When asked about the importance of real time-analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

  • 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture
  • 15% are using automated risk impact assessments
  • 13% say they are using continuous compliance monitoring
  • 11% rely on internal or external audits

Those technologies most often fully deployed to facilitate the management of changes that impact an organization’s security risk profile are:

  • Incident detection and alerting (including SIEM)
  • Vulnerability risk management
  • Network traffic monitoring
  • Security configuration management

Technologies that are often only partially deployed are log monitoring (46% of respondents) and file integrity monitoring (35% of respondents). Minimally or not deployed at all are big data analytics (64% of respondents), automated policy management (45% of respondents), and sandboxing (44% of respondents).

Current metrics in use do not communicate the true state of security efforts. When asked if the metrics that are in use today adequately convey the true state of security efforts deployed by their organization, 43% of respondents say they do not and 11% are unsure. The biggest reasons for the failure to accurately measure the state of security are more pressing issues take precedence, communication with management only occurs when there is an actual incident, the information is too technical to be understood by nontechnical management, and a lack of resources to develop or refine metrics.

What are the strengths and weaknesses of the security function? Respondents were asked rate their organizations’ ability to accomplish seven specific factors that may impact the security posture. The findings reveal that most respondents say their organizations are best at managing security threats, hiring and retaining competent security staff and employees and discovering and containing compromises and breaches quickly. They are not as effective at achieving compliance with leading security standards and frameworks and minimizing third-party security risks.

What events are most likely to disrupt the organization’s infrastructure and ability to manage security threats? The expansion of mobile platforms and migration to the cloud are the most likely to affect the security posture. Use of employee-owned devices (BYOD) and the implementation of a next generation firewall have moderate impact. Events considered to have a low impact are the move or consolidation of data center resources, implementation of virtualized computing and storage, a security audit failure, and reorganizing or downsizing the enterprise and IT function. Who is accountable for managing the risk created by the introduction of changes such as mobile platforms and the cloud? According to respondents, the CIO or CTO is most often responsible for managing the impact of these changes, followed by “no one has overall responsibility”.

Metrics must be aligned with business goals. 83% of respondents say it is important to have security metrics fully aligned with business objectives. However, most organizations represented in this study do not seem to be achieving this goal. In fact, 69% say security metrics sometimes conflict with the organization’s business goals.

  • 74% agree that security metrics that show the impact of disruptive technologies on security posture are important
  • 62% of respondents say metrics fail to provide information about the impact of change
  • 54% agree that metrics do not help understand the vulnerabilities to criminal
  • 46% of respondents say they do not help assess or manage risks caused by the migration to the cloud
  • 56% agree that metrics can help justify investment in people, processes and technologies
  • 57% of respondents agree the CEO and board do care about the metrics used to measure security posture

What is the “metrics that matter” gap? Respondents were asked to rate the metrics most important in communicating relevant facts about the state of security risks to senior executives and IT management. The top metrics in terms of importance are discovery and containment of compromises and breaches, and management of resources and spending. However, these metrics are actually in use at only 43% and 37% respectively of the organizations represented in this research. The biggest gaps between importance and use are with metrics that track disruption to business and IT operations (36 point gap), management of resources and spending (35 point gap), and discovery and containment of compromises and breaches (31 point gap). The smallest gaps are with third-party risks (7 points) and staff and employee competence (2 points).

Tracking how fast a security incident is discovered and contained is the most important metric but not often used.

Practices to achieve effective security change management. In this section the report compares the practices of organizations that self-reported a high security posture with those reporting a low security posture. The findings reveal differences in the technologies deployed, perceptions about barriers to managing the impact of change on the security infrastructure, effectiveness of communication with senior management, and frequency of communications.

Firemon’s report can be found here.
