A Unisys-sponsored Ponemon survey polled 599 global IT and IT security executives across 13 countries. Only IT practitioners whose job involves securing or overseeing the security of their organisation’s information systems or IT infrastructure were permitted to complete the survey. They are also familiar with security standards such as NERC, CIP, NIST, ISO, PCI DSS, Sarbanes-Oxley and other regulations on the protection of information assets and the critical infrastructure.

Key findings of this research

Most companies have not fully deployed their IT security programs

  • 17% of companies represented in this research self-report that most of their IT security program activities are deployed
  • 50% of respondents say their IT security activities have not as yet been defined or deployed (7%)
  • 43% say they have defined activities but they are only partially deployed
  • 28% of respondents agree that security is one of the top five strategic priorities across the enterprise

The risk to industrial control systems and SCADA is believed to have substantially increased

  • 57% of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk
  • 11% say the risk has decreased due to heightened regulations and industry-based security standards

Security compromises are occurring in most companies

It is difficult to understand why security is not a top priority, because 67% of respondents say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the last 12 months. 24% of respondents say these compromises were due to an insider attack or negligent privileged IT users.

Upgrading existing legacy systems may result in sacrificing mission-critical security

36% of respondents are not confident and 18% are unsure that their organisation would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.

Many organisations are not getting actionable real-time threat alerts about security exploits

  • 34% of respondents say their companies do not get real-time alerts, threat analysis and threat prioritisation intelligence that can be used to stop or minimise the impact of a cyber-attack
  • 22% of those that do receive such intelligence say it is not effective
  • 15% of respondents say threat intelligence is very effective and actionable

Find the full report here.