2014 Strategic Security Survey
informationweek.com, May 2014

Budgets are tight. There's a skills crunch. And more and more sophisticated threats loom. Are you sure you're up to this?
2014 Strategic Security Survey

Tight budgets. A skills crunch. More and more sophisticated threats. Are you sure you're up to this?

By Michael A. Davis
@mdavisCEO

Enterprises outsource everything from server hosting to application development. Why not security? Look for this year to mark the start of a new era in information security, where organizations that can afford to build sophisticated analysis teams do so, and those that can't hire specialized providers.

It's not that information security pros feel their efforts are falling short. Just 16% of the 536 respondents to our 2014 Strategic Security Survey say their organizations are more vulnerable to attacks than they were a year ago. The problem is that the status quo isn't acceptable: 23% of respondents admit to a known security breach or espionage in the past year, ticking up two points from 2013.

Winston Churchill once said, "If you're going through hell, keep going." Good advice, but hard to follow when every piece of malware or end-user mouse click could launch the breach that ends your business, and your job. IT security is not a needle-in-a-haystack problem. It's a needle-in-a-needle-stack problem. Thousands of attacks come at you each day. How do you keep up, much less allot a few hours to think about defensive technologies or how to explain the latest zero-day advanced persistent threat to executives who, even after a breach brought down Target CEO Gregg Steinhafel, still spend on security only grudgingly?

Money, Skills, And Hired Guns

Among respondents who feel they're more vulnerable this year, 40% cite budget constraints as a contributing factor, up a notable 10 points from 2013. But bigger problems for these shops are the increased sophistication of threats (77%) and that there are more ways than ever to attack a corporate network (66%). Among all survey respondents, only 5% are cutting IT security spending, compared with 37% increasing and 47% staying the same. Clearly, the issue isn't just, or even mostly, about cash to spend on technology. It's about finding the right people, advanced attackers, and a warped way of measuring success.

Our survey shows that even in 2014, with record breaches and threats, the top way organizations measure the value of their security investments is by whether they pass a third-party audit. In other words, it's still only a need to check the boxes that drives security investment.

But before we all bash executives, let's look at it from their point of view, because frankly,

Register
Previous

Next

[2014 STRATEGIC SECURITY SURVEY]

Previous

Next

Previous

Next

Previous

Download

Subscribe

informationweek.com

Next

investing significant money in security is no guarantee of good results.

First off, your typical enterprise security team is its own worst enemy. "The biggest area of concern isn't security itself, it is the balance between security and the ability to allow for business to continue," says one respondent. "We sometimes add in too much security, which hinders the business from operating, and vice versa, which creates major security risks."

If you cause a business slowdown when implementing a security control, you take one step forward and three back in executives' minds.

Given a low perceived return on investment, many executives see a binary decision: build the minimum viable security practice as cheaply as possible internally, or outsource.

Until recently, the latter option really wasn't much of a choice. Even just a few years ago, most managed security services providers (MSSPs) did firewall management and maybe some intrusion detection and prevention systems. No analysis, no threat intelligence, just sending you alerts and hopefully filtering false positives. The idea was to off-load the most mundane, error-prone, high-labor, high-volume functions to a specialist that could hopefully do them inexpensively and with fewer mistakes.

Unsurprisingly, MSSPs struggled to keep skilled employees. And meanwhile, tools such as those from Tufin and AlgoSec let companies manage their own firewalls more efficiently and with fewer errors.

So MSSPs pivoted, and they've improved dramatically. They now provide threat intelligence and research and risk management services, such as web security and vulnerability and log management. Some even provide virtual CISO services, where an experienced security executive will step in and offer advice.

To a CEO or CIO who couldn't come close to affording that expertise on staff, the value is compelling. Why hire one or two security engineers who are experts in only a few areas, when you can get a whole team for the same annual cost? Especially when open security positions tend to stay that way for months?

Speaking of being our own worst enemies, CISOs looking to build sophisticated internal teams are holding out for infosec pros with application development, networking, and system administration chops,

but people with that level of experience are expensive. Heck, we know of multiple chief information security officer positions that face such a low salary cap they've been open for three years. The median base salary of the 369 IT security staffers and 252 managers responding to InformationWeek's 2014 US IT Salary Survey is $10,000 and $13,000 more, respectively, than the typical IT worker or manager. Security managers' salaries are also increasing at a faster rate than IT managers' overall.

And CIOs can't just throw money at security pros, since they have other emerging technology specialists demanding top dollar. Staffers whose primary functions are cloud computing, data warehousing, enterprise application integration, and enterprise resource planning all report higher total compensation than security staffers, our Salary Survey finds. So not only are CISOs battling a security skills shortage, they must make the case that it's smarter to spend on a security engineer (read: cost center) than on a data scientist who can help the business spin all that Hadoop chaff into marketing gold. Good luck with that.

Even if companies are willing to pay market rates, there aren't enough qualified people. Most security engineer applicants are either right out of school with newly minted certificates and no real-world security experience, or they're IT professionals looking to switch careers, also with no experience.

Most-Valuable Security Practices
You can keep only three security practices. Which ones stay?
  Strong passwords: 52%
  End-user security awareness training: 49%
  Log analysis, security information management, or vulnerability analysis and research: 33%
  Virus and worm detection and analysis: 29%
  Multifactor authentication: 29%
  Incident response team: 24%
  Monitoring employee behavior: 13%
  Researching new threats: 12%
  Secure development processes or source code auditing: 11%
  DevOps: 5%
  Writing or preparing written responses to audit items: 5%
  Offensive security program: 4%
  Attacker attribution: 3%
Data: InformationWeek 2014 Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees, April 2014
The skills shortage is real, and in the coming 12 to 24 months, 73% of Security Survey respondents expect the problem to stay as acute (44%) or worsen (29%). The only answer for companies building their own IT security teams is investing in training, both formal and on the job. The only orgs willing to do that to the extent required are outsourced security and cloud providers, the US government, and a very few forward-looking enterprises.

Now, we don't expect IT to embrace the MSSP concept with open arms; 21% of respondents who say they're more vulnerable to attack actually blame increased outsourcing. But the business is warming up to the idea of hiring out IT functions. Among 2014 IT Budget Survey respondents, half outsource 20% or more of their IT operations; 28% outsource 40% or more. And plenty of large, trusted IT vendors are in the MSSP business, so get used to the idea being on the table.

Directly Targeted Breach
Has your organization fallen victim to a directly targeted breach or compromise?
  Yes: 26%
  No: 56%
  Not sure: 18%
Data: InformationWeek 2014 Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees, April 2014
We discuss how to hire an MSSP in depth in this report. When evaluating providers, at minimum ask: Will we have an assigned team, so we're working with the same people on a regular basis? How are issues communicated: must you follow the MSSP's ticketing process, or will it work with your existing systems? And don't take the old route of pushing only mundane functions to the outsourcing partner. The value just isn't there, in our opinion. Focus on high-value services. Leverage their researchers and risk management teams to prioritize and address the issues putting your data at risk.

Going It Alone? Good Luck!

If you're still reading and not off researching MSSPs, buckle up. Surviving the next few years with your company's and customers' data more or less intact starts with a high level of operational efficiency. Security must be treated as a business discipline, just like marketing or manufacturing. CISOs should consider hiring business process or project management talent instead of chasing those scarce security engineers. You can find and afford experienced technical project managers who can maximize the resources you have now. You'll also reap the benefits of process improvement and a focus on execution when it comes to security analysts and operations centers.

Mobile Device Threat
Do you believe mobile devices, such as smartphones and tablets, pose a threat to your organization's security?
                               2014    2013
  Yes, a significant threat     41%     23%
  Yes, a minor threat           42%     50%
  Not yet, but they will        12%     19%
  No                             5%      8%
Data: InformationWeek Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees in April 2014 and 1,029 in March 2013
Next, learn how to make the most out of the big data that your security systems generate. The value there isn't overhyped. Thirty-nine percent of respondents either have or are building a big data security analytics capability, apart from what their log management or security information and event management (SIEM) systems can tell them. Most are or will be based on some combination of Hadoop, MySQL, and MongoDB, with 51%, 33%, and 18% adoption rates, respectively.

As to what data feeds analytics systems, the No. 1 pick is endpoint data, chosen by 63%. Think of it as a camera recording everything an endpoint does: files, processes, and network connections. Gathering this type of data makes a lot of sense given that the two most frequent attacks in the past year were malware (76%) and phishing (59%), and given the worry respondents have over mobility. There is no perimeter anymore. The security war is waged at the endpoints.

The problem with recording all that activity is that you generate data volumes that conventional SIEM systems simply can't handle. SIEM and log analysis vendors know this, and they're all talking about big data and a new approach to analysis. None of the major providers has mastered the volume, however, which explains why respondents are building their own analysis systems.
Even after you make sense of your security big data, taking advantage of it requires a response team that can actively manage incidents as they're discovered. Just a few years ago, few organizations we worked with had incident response groups, so we're excited to see that 72% of respondents have (58%) or are building (14%) such teams. This is an important trend; the ability to assess a threat and respond quickly is paramount.

Maybe you're among the 28% of companies with no plans for an incident response squad. Heck, maybe you don't have a security team at all but are an IT professional wearing multiple hats. If so, perhaps you considered buying cyber-risk insurance in the past year; we saw a nine-point increase, to 26%, in the percentage of respondents with cyber-risk policies, and our anecdotal data from talking with security professionals is that most companies are at least talking with insurance providers. Look for this trend to accelerate, but the industry could use some standardization when it comes to determining what amount of coverage to purchase: 26% of respondents with cyberbreach or cyber-risk insurance use an internal, nonstandard method to determine the cost of a reputational impact, while 25% depend on the insurer to tell them what to buy. Talk about trusting.

Formal Approach
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
  Yes: 58%
  No, but we are building one within the next year: 14%
  No: 28%
Data: InformationWeek 2014 Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees, April 2014
What To Do Now

The coming months will see an inflection point for defenders, not attackers. If you look at our data for the past few years, attacker methods haven't changed. SQL injection, privilege escalation, stolen credentials: attackers still exploit all of the usual vulnerabilities and will continue to do so.

Companies must shorten the dwell time, the period between an attack and when it's identified. That's when attackers do their damage, and we think 2014 will be the year organizations start tackling this problem through the use of endpoint detection tools, real-time forensics (network and endpoint), and those big data systems we talked about.
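As an added example, not part of the InformationWeek report, here is the kind of correlation that the "camera on the endpoint" feed described earlier makes possible, together with the dwell-time measurement this section calls for. The event format, the host name, the file paths and the IP addresses are all constructed for illustration, and parents are resolved by process name only because the made-up feed has no parent pid; a real endpoint agent reports one.

```python
"""Endpoint telemetry correlation and dwell-time measurement.

Added example, not code from the InformationWeek report. It assumes a
hypothetical newline-delimited feed in which each endpoint agent emits
    <ISO-8601 time> <host> <process|file|netconn> <pid> <detail>
The sample below is constructed; hosts, paths and addresses are made up.
"""
from datetime import datetime

# Constructed sample: a phishing document spawns a shell, which fetches and
# runs a second-stage binary; an unrelated browser session follows.
SAMPLE_EVENTS = r"""
2014-04-14T09:02:11 ws17 process 4120 WINWORD.EXE parent=explorer.exe
2014-04-14T09:02:40 ws17 file 4120 C:\Users\j\Downloads\invoice.docm
2014-04-14T09:02:43 ws17 process 5088 cmd.exe parent=WINWORD.EXE
2014-04-14T09:02:44 ws17 process 5102 powershell.exe parent=cmd.exe
2014-04-14T09:02:45 ws17 netconn 5102 198.51.100.23:443
2014-04-14T09:02:50 ws17 file 5102 C:\Users\j\AppData\Roaming\svc.exe
2014-04-14T09:03:01 ws17 process 5110 svc.exe parent=powershell.exe
2014-04-14T09:03:05 ws17 netconn 5110 198.51.100.23:443
2014-04-14T10:15:00 ws17 process 6001 chrome.exe parent=explorer.exe
2014-04-14T10:15:02 ws17 netconn 6001 93.184.216.34:443
"""

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_events(text):
    """Turn the raw feed into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, pid, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "pid": int(pid), "detail": detail})
    return events


def find_office_shell_chains(events):
    """Flag network connections made by a shell (or its descendants) that
    an Office application spawned: the classic phishing-to-malware path.

    Parents are resolved by name to the most recent process seen with that
    name, a simplification for this constructed feed; real agents report
    the parent pid directly.
    """
    procs = {}            # pid -> {"name", "parent_pid", "start"}
    latest_by_name = {}   # process name -> most recent pid
    alerts = []
    for ev in events:
        if ev["kind"] == "process":
            name, parent_name = ev["detail"].split(" parent=")
            procs[ev["pid"]] = {"name": name,
                                "parent_pid": latest_by_name.get(parent_name),
                                "start": ev["ts"]}
            latest_by_name[name] = ev["pid"]
        elif ev["kind"] == "netconn":
            # Walk up the ancestry of the connecting process.
            lineage = []
            pid = ev["pid"]
            while pid in procs:
                lineage.append(pid)
                pid = procs[pid]["parent_pid"]
            names = [procs[p]["name"] for p in lineage]
            for i in range(len(names) - 1):
                if names[i] in SHELLS and names[i + 1] in OFFICE_APPS:
                    alerts.append({
                        "host": ev["host"],
                        "chain": " -> ".join(reversed(names)),
                        "remote": ev["detail"],
                        "first_seen": procs[lineage[i]]["start"],  # shell spawn
                        "observed": ev["ts"],
                    })
                    break
    return alerts


def dwell_time(alerts, identified_at_iso):
    """Dwell time as the report defines it: from the earliest malicious
    activity in the flagged chains to the moment it was identified."""
    if not alerts:
        return None
    start = min(a["first_seen"] for a in alerts)
    return datetime.fromisoformat(identified_at_iso) - start


if __name__ == "__main__":
    found = find_office_shell_chains(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['host']}: {a['chain']} -> {a['remote']} "
              f"(chain began {a['first_seen']}, seen {a['observed']})")
    # A nightly batch job that reviews the day's events the next morning.
    print("dwell time:", dwell_time(found, "2014-04-15T09:00:00"))
```

Run against the sample, the rule fires twice (the PowerShell beacon and the dropped binary's connection) and ignores the browser; the dwell time is measured from the shell spawn under WINWORD.EXE, so a next-morning batch review yields about a day, while the same rule evaluated on a streaming feed would have cut it to seconds. That difference is exactly what the endpoint detection tools the section recommends are meant to buy.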
Instead of stressing quite so much over cloud and mobile security, pay some mind to intellectual property (IP) theft. Among those suffering attacks in the past year, 34% say IP was stolen or compromised, a nine-point increase from 2013. IP theft should worry corporations, especially those that for whatever reason are prime targets; FireEye says the majority of focused attackers go after IP once a company is breached.

The underground economy for credit card numbers, IP, and other high-value information is growing, thanks in part to increased use of Bitcoin and other hard-to-track digital currencies. The ability to quickly exchange data for payment without having to launder money makes these crimes easier to execute. The solution is data encryption, and we're pleased to see it at No. 3 on the list of most valued security products.

Finally, use the capabilities of the newest processors and Windows versions to secure endpoints from attack until you can patch. Dump XP, if you haven't already, and install Microsoft's Enhanced Mitigation Experience Toolkit. EMET doesn't patch applications but instead causes exploits to fail when launched, by leveraging a variety of processor and operating system features. EMET 4.1 would have mitigated the latest Internet Explorer zero-day attack that affected all versions of Windows. It also protects Office, Adobe, and other applications.

And while you're at it, use 64-bit Windows. Many exploits just don't work in 64-bit environments, yet the move to 64 bit isn't going as fast as it should, with some IT folks blaming their foot-dragging on hardware compatibility issues. That's hogwash.

Sufficient Staffing?
Please rate your agreement with this statement: We have or can easily hire enough skilled people to meet the threats our organization will face this year.
  Response options: Strongly agree, Somewhat agree, Somewhat disagree, Strongly disagree
  Chart values as extracted: 14%, 34%, 11%, 41% (the pairing of values to options did not survive extraction)
Data: InformationWeek 2014 Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees, April 2014

We wish we could say the good guys are winning the war. But we can't, and there's no end in sight. We must get faster, stronger, and more resilient, even if that means handing off some security functions or investing in training.

Michael A. Davis is CTO of CounterTack and one of the nation's leading authorities on information technology. Write to us at iwletters@ubm.com.
Copyright 2014 UBM LLC. All rights reserved.