State of Cybersecurity: Implications for 2015

An ISACA and RSA Conference Survey

In January 2015, more than 1,500 individuals participated in the survey, with 649 completing it.

Media Inquiries:

Joanne Duffer, ISACA, +1.847.660.5564,

Deborah Oetjen, ISACA, +1.847.660.5566,

How likely do you think it is that your organization will experience a cyberattack in 2015? (n=766)

  1. Very likely………………………………………………………………………..38%
  2. Likely……………………………………………………………………………..44%
  3. Not very likely…………………………………………………………………....16%
  4. Not at all likely…………………………………………………………………….1%

What do you think the incident motivation is? (n=741)

  1. Financial gain……………………………………………………………………..33%
  2. Intellectual property theft………………………………………………………...19%
  3. Theft of classified data……………………………………………………….…..12%
  4. Theft of PII……………………………………………………………………..…12%
  5. Disruption of service……………………………………………………..……….24%

Has your organization been part of a cybercrime during 2014? (n=717)

  1. Yes……………………………………………………………………………..…21%
  2. No……………………………………………………………………….………...59%
  3. I don’t know………………………………………………………………………20%

In 2014, did your enterprise experience an increase or decrease in security attacks compared to 2013? (n=1,498)

  1. More attacks………………………………………………………………………77%
  2. Fewer attacks…………………………………………………………………...…23%

Were any user credentials stolen during 2014? (n=804)

  1. Yes………………………………………………………………………………..17%
  2. No…………………………………………………………………………………60%
  3. I don’t know………………………………………………………………………23%
Do you provide employees with mobile devices? (n=769)

  1. Yes………………………………………………………………………………..83%
  2. No…………………………………………………………………………………17%

Has your organization experienced physical loss of assets in 2014? (n=759)

  1. Yes………………………………………………………………………………..63%
  2. No…………………………………………………………………………………37%

What types of assets? (n=535)

  1. Workstations……………………………………………………………………...36%
  2. Servers…………………………………………………………………………….11%
  3. Network devices………………………………………………………………….14%
  4. Mobile devices…………………………………………………………………...91%
Which of the following threat actors exploited your enterprise in 2014? (n=636)

  1. Cybercriminals……………………………………………………………….…...46%
  2. Nation-state………………………………………………………………..……...17%
  3. Hacktivists……………………………………………………………………..….20%
  4. Hackers……………………………………………………………………..……..40%
  5. Malicious insiders………………………………………………………………...29%
  6. Nonmalicious insiders………………………………………………..…….…….41%

Which of the following attack types exploited your enterprise in 2014? (n=704)

  1. Hacking attempts…………………………………………………………..……..50%
  2. Malware………………………………………………………………………..…66%
  3. Social engineering……………………………………………………………..…46%
  4. Phishing………………………………………………………………………..….68%
  5. Watering hole…………………………………………………………………..…..8%
  6. Man-in-the-middle attacks……………………………………………………….11%
  7. SQL injection……………………………………………………………………22%
  8. Insider theft……………………………………………………………………....25%
  9. Loss of mobile devices………………………………………………………...….44%
Are you comfortable with your security team’s ability to detect and respond to incidents? (n=839)

  1. Yes………………………………………………………………………………..46%
  2. Yes, but only for simple issues…………………………………………………...41%
  3. No…………………………………………………………………………………13%

Are you able to fill your open security positions? (n=939)

  1. Yes…………………………………………………………………………….….65%
  2. No…………………………………………………………...…………………….35%

On average, how long does it take you to fill a security position? (n=926)

  1. Less than 2 weeks…………………………………..…………………………...... 3%
  2. 1 month…………………………………………………………………………..13%
  3. 2 months………………………………………………………………………….21%
  4. 3 months………………………………………………………………………….30%
  5. 6 months………………………………………………………………………….23%
  6. Cannot fill………………………………………………………………………...10%

On average, how many applicants are qualified? (n=900)

  1. Less than 25%……………………………………………………………………52%
  2. 20-50%…………………………………………………………………………...32%
  3. 50-75%…………………………………………………………………………...12%
  4. 75-100%……………………………………………………………………………4%
For those candidates considered qualified, please rank the following reasons, where 5 is the most prevalent. (n=885)

Reason / Rank 1 / Rank 2 / Rank 3 / Rank 4 / Rank 5 (most prevalent)
Practical verification (hands-on) / 26% / 14% / 13% / 14% / 33%
Formal education / 36% / 20% / 16% / 14% / 14%
Specific training / 9% / 33% / 30% / 21% / 8%
Certifications / 10% / 20% / 26% / 29% / 15%
Reference/Personal endorsement / 19% / 13% / 15% / 23% / 30%
Do you feel that certification is valuable? (n=856)

  1. Yes……………………………………………………………………………...... 92%
  2. No…………………………………………………………………………………..8%

When looking for candidates to fill open security positions, do you require certification? (n=845)

  1. Yes…………………………………………………………………………..……69%
  2. No…………………………………………………………………………………31%

What is the biggest skill gap you see in today’s security professionals? (n=842)

  1. Technical skills…………………………………………………………………...46%
  2. Ability to understand the business……………………………………………..…72%
  3. Communication…………………………………………………………………...42%

Which of the following security roles does your organization employ? (n=838)

  1. CISO………………………………………………………………………………55%
  2. Technical Director/Deputy CISO………………………………………………...27%
  3. Information Assurance Manager/Information Systems Security Manager……..53%
  4. Security Consultant……………………………………………………………….51%
  5. Security Administrator…………………………………………………………...52%
  6. Security Architect………………………………………………………………...49%
  7. Security Engineer (network, information, application)…………………………..52%
  8. Security Software Developer……………………………………………………..17%
  9. Malware Analyst………………………………………………………………….19%
  10. Incident Handler/Responder……………………………………………………...40%
  11. Security Auditor…………………………………………………………………..44%
  12. Research & Development (i.e., capabilities development)…...…………………..13%
  13. Risk/Vulnerability Analyst……………………………………………………….43%
  14. Reverse Engineer………………………………………………………………...... 7%
  15. Penetration Tester………………………………………………………………...34%
  16. Governance Manager……………………………………………………………..29%
  17. Compliance Manager…………………………………………………………..…46%
  18. Computer Crime Investigator/Forensics Expert………………………………….24%
To whom does security report in your organization? (n=621)

  1. CEO……………………………………………………………………………….20%
  2. CIO………………………………………………………………………………..60%
  3. CFO………………………………………………………………………………...6%
  4. Audit………………………………………………….…………………………….4%
  5. Board of Directors………………………………………………………………...11%

How will the security budget change in 2015? (n=845)

  1. Increase…………………………………………………………………………...56%
  2. Decrease…………………………………………………………………………..11%
  3. Stay the same……………………………………………………………………..33%

How much did your organization spend on continuing education opportunities for security professionals (e.g., training, conferences, etc.)? (n=834)

  1. Greater than $1,000…………………..…………………………………………..19%
  2. $1,001-$4,999…………………………………………………………………….23%
  3. $5,000-$9,999…………………………………………………………………….21%
  4. $10,000-$19,999………………………………………………………………….11%
  5. Greater than $20,000……………..……………………………………………….25%
How concerned is your organization about the Internet of Things (IoT) in the workplace? (n=741)

Very Concerned / Concerned / Not Very Concerned / Not Concerned
19% / 45% / 27% / 9%

Do you restrict access to social media in your organization? (n=718)

  1. Yes………………………………………………………………………………..58%
  2. No…………………………………………………………………………………42%

Does your company have a security awareness program? (n=858)

  1. Yes………………………………………………………………………………..87%
  2. No…………………………………………………………………………………13%

Do you test security controls? (n=846)

  1. No…………………………………………………………………………………..5%
  2. No, but we’re planning to do so……………………………………………………8%
  3. No, but we’re developing tests……………………………………………………..4%
  4. Periodically (at least annually)……………………………………………………51%
  5. Routinely (at least quarterly)……………………………………………………...32%

Is your board of directors concerned with security? (n=710)

  1. Yes………………………………………………………………………………..79%
  2. No…………………………………………………………………………………10%
  3. Don’t know……………………………………………………………………….12%

Does the organization’s executive team support security? (n=705)

  1. Yes………………………………………………………………………………..87%
  2. No…………………………………………………………………………………13%

How is the support demonstrated? (n=649)

  1. Enforcing security policy………………………………………………………....71%
  2. Providing security with appropriate funding……………………………………..63%
  3. Following good security practices themselves……………………………………41%
  4. Mandating security awareness training…………………………………………...56%

DEMOGRAPHICS

In which region do you reside? (n=1,548)

  1. Asia……………………………………………………………………………………14%
  2. Latin America…………………………………………………………………………..6%
  3. Europe/Africa………………………………………………………………………….32%
  4. North America……………………………………………………………..…………..44%
  5. Oceania………………………………………………………………………………….4%

In which of the following industries are you employed? (n=1,459)

  1. Aerospace…………………………………………………………………………….…1%
  2. Education/Student……………………………………………………………….………2%
  3. Financial/Banking………………………………………………………………….…..23%
  4. Government/Military—National/State/Local………………………………………….11%
  5. Health Care/Medical…………………………………………………………………….5%
  6. Insurance………………………………………………………………………….…..…4%
  7. Legal/Law/Real Estate…………………………………………………………….…….1%
  8. Manufacturing/Engineering……………………………………………………….…….6%
  9. Mining/Construction/Petroleum/Agriculture……………………………………….…...3%
  10. Pharmaceutical…………………………………………………………………………..1%
  11. Public Accounting………………………………………………………………………1%
  12. Retail/Wholesale/Distribution…………………………………………………………..3%
  13. Technology Services/Consulting……………………………………………...……….29%
  14. Telecommunications/Communications…………………………………………………7%
  15. Transportation…………………………………………………………………………..2%
  16. Utilities………………………………………………………………………………….2%

What is your main area of responsibility? (n=1,537)

  1. Information/Cybersecurity Management……………………………………..………..50%
  2. Information/Cybersecurity Practitioner………………………………………………..16%
  3. Risk Management……………………………………………………………………...13%
  4. IT………………………………………………………………………………………11%
  5. Other…………………………………………………………………………………...10%

How many people are employed within your enterprise? (n=1,536)

  1. 1-99…………………………………………………………………………………….15%
  2. 100-249………………………………………………………………………………….7%
  3. 250-499………………………………………………………………………………….6%
  4. 500-999………………………………………………………………………………….8%
  5. 1,000-4,999…………………………………………………………………………….22%
  6. Greater than 5,000…………………….……………………………………….………41%

Note: Due to rounding to the nearest whole number, responses may not add up to 100%.