ESG Research
Final Sponsor Report
Security Management and Operations
By Jon Oltsik, Senior Principal Analyst
With Kristine Kao and Jennifer Gahm
June 2012
© 2012, The Enterprise Strategy Group, Inc. All Rights Reserved.
Research Report: Security Management and Operations 2
Contents
List of Figures ... 3
List of Tables ... 4
Executive Summary ... 5
    Report Conclusions ... 5
Introduction ... 8
    Research Objectives ... 8
Research Findings ... 10
    The ESG Security Management and Operations Segmentation Model ... 10
    The State of Security Management and Operations ... 13
    The Evolving Security Organization ... 19
    Security Organization Responsibilities ... 22
    Security Services Trends ... 24
    Risk Management Strategies ... 27
    Security Controls Effectiveness and Testing ... 30
    Situational Awareness ... 34
    Assessing the State of Security Information and Event Management (SIEM) ... 38
    Changing Attitudes Towards Security Management ... 40
Research Implications ... 45
    Research Implications for Technology Vendors ... 45
Research Methodology ... 48
Respondent Demographics ... 49
    Respondents by Role in Purchasing Decisions ... 49
    Respondents by Current Responsibility ... 49
    Respondents by Number of Employees ... 50
    Respondents by Industry ... 50
    Respondents by Annual Revenue ... 51
List of Figures
Figure 1. ESG Security Management and Operations Segmentation Model Criteria ... 11
Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model ... 11
Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012 ... 13
Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions ... 14
Figure 5. How Security is Viewed at Organizations ... 16
Figure 6. Perception of CISO within Organization ... 16
Figure 7. Level of Engagement of Executive Management Team ... 17
Figure 8. Characterization of Executive Management Team ... 17
Figure 9. Organizations Increasing Security Headcount ... 19
Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model ... 19
Figure 11. Areas of Information Security with a Shortage of Existing Skills ... 20
Figure 12. Current State of Information Security Professional Recruitment/Hiring ... 21
Figure 13. Information Security Organization’s Level of Responsibility ... 22
Figure 14. Groups Security Team Works With Most Closely ... 23
Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012 ... 24
Figure 16. How Use of Third-Party Professional/Managed Services has Changed ... 24
Figure 17. Reasons for Increasing Use of Third-Party Security Services ... 25
Figure 18. Areas of Third-Party Security Services Used ... 26
Figure 19. Formal IT Risk Management Programs in Place ... 27
Figure 20. How Formal IT Risk Management Program is Implemented ... 28
Figure 21. Organization’s Rating on Standard Security Best Practices ... 29
Figure 22. Frequency of Security Controls Effectiveness Testing ... 30
Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls ... 31
Figure 24. Metrics Used to Gauge Effectiveness of Security Management ... 32
Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed ... 33
Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack ... 34
Figure 27. Level of Visibility of Security Status ... 35
Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model ... 35
Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility ... 36
Figure 30. Weakest Aspects of Incident Response ... 37
Figure 31. SIEM Deployment ... 38
Figure 32. Effectiveness of SIEM ... 39
Figure 33. How Security Management has Changed Over Past 24 Months ... 40
Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations ... 41
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks ... 42
Figure 36. Automated Actions Currently Executed ... 42
Figure 37. How Security Technology Strategy Decisions Will Change ... 43
Figure 38. Biggest Security Management Challenges ... 44
Figure 39. Survey Respondents, by Role in Security Management Purchasing Decisions ... 49
Figure 40. Survey Respondents, by Current Responsibility ... 49
Figure 41. Survey Respondents, by Number of Employees ... 50
Figure 42. Survey Respondents, by Industry ... 50
Figure 43. Survey Respondents, by Annual Revenue ... 51
List of Tables
Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model ... 15
Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model ... 18
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model ... 29
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise
Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from
time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in
part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise
Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should
you have any questions, please contact ESG Client Relations at 508.482.0188.
Executive Summary
Enterprise Strategy Group (ESG) conducted an in-depth research survey on the subject of security management and
operations with 315 U.S.-based security professionals working at enterprise-class (i.e., 1,000 employees or more)
organizations. For the purposes of this project, survey respondents were asked a series of questions about their
organization’s information security philosophy, staffing and services, as well as security management and
operations technology adoption, and purchasing plans.
The objectives of this report were as follows:
• Appraise the current state of security management and operations. Strong information security depends
upon an integrated mix that includes organizational leadership, formal policies, documented processes,
skilled tacticians, and layers of complementary technical defenses. In this report, ESG looked at these areas
to gather a comprehensive viewpoint on enterprise security management and operations. ESG also looked
into three specific aspects of security management and operations: risk management, incident detection,
and incident response. Finally, this report was intended to highlight specific security management and
operations challenges and determine what, if anything, large organizations were doing to overcome them.
• Understand security management and operations changes. Driven by technologies such as server
virtualization, cloud computing, web-based applications, and mobile devices, enterprise IT is going through
numerous simultaneous changes. At the same time, large firms also face an increasingly difficult threat
landscape featuring exponential malware growth and damaging targeted attacks. This research report
looks at how IT and information security trends are transforming enterprise security management and
operations requirements today and in the future.
• Explore the links between information security and business operations. As part of the research
conducted for this report, ESG spoke with numerous enterprise security professionals. Many of these
individuals indicated that executive managers were much more engaged with information security than in
the past. As one CISO put it:
“Every time the Wall Street Journal includes an article about a security breach, I can anticipate a call
from our CEO asking if we are vulnerable to a similar type of attack.”
While there is plenty of anecdotal evidence suggesting that executive managers are paying closer attention
to information security, ESG wanted to take the opportunity to collect data in order to validate or refute
this thesis.
• Analyze the impact of security skills shortages. ESG’s 2012 IT Spending Intentions Survey found that 23%
of organizations believe they have a “problematic shortage” of IT security skills, and that 39% of
organizations planned to add information security staff in 2012. This data is indicative of a growing
information security skills shortage that ESG continues to track. In this report, ESG pushed further to find
out exactly where IT security skills are most needed and whether organizations were busy recruiting help or
offloading internal security tasks to third-party service providers.
• Evaluate how large organizations measure their security management and operations effectiveness. As
the old adage states, “you can’t manage what you can’t measure.” With this in mind, ESG wanted to
understand the methods used to gauge the effectiveness of current security programs and technical
controls.
Report Conclusions
Based on the data collected from this survey, ESG concludes:
• Most large organizations have significant security management and operations shortcomings. Based
upon a number of select criteria, ESG segmented the entire survey population into three sub-groups we
classified as security management “leaders,” “followers,” and “laggards.” Security management and
operations “leaders” comprised just 19% of the total survey population, meaning that 81% were deficient in
one or multiple areas. Additionally, ESG found security management and operations “leaders” were not
resting on their laurels. For example, these enterprises were most aggressive in terms of hiring additional
security staff, engaging third-party security service providers, and investing in new types of technical
controls. Even with these steps, the data suggests that most large organizations may be extremely
vulnerable to future types of security attacks.
• New technologies make security management and operations more difficult. More than half of security
professionals say that cloud computing, mobile devices, and remote worker policies are making security
management and operations “much more difficult” or “somewhat more difficult” at their organizations.
This is not surprising since new IT initiatives are often based upon immature technology, emerging and/or
hard-to-find skill sets, and ill-defined or inadequate controls.
• Information security is becoming an enterprise-class function. The data points to an ongoing intellectual
shift in which information security is increasingly perceived as a core responsibility of the organization
rather than a series of IT tasks and compliance oversight. For example, 44% of organizations say that
information security is aligned with corporate culture and 55% say that information security is aligned with
business processes. In spite of these trends, however, information security still has a long way to go in
many organizations. When asked to identify the most important factors driving their information security
strategy, many companies remain grounded in classic infosec roots: 55% of large organizations say
“protecting sensitive data and Intellectual Property (IP)” is driving IT security strategy, while 50% say
“regulatory compliance” is driving their information security strategy. Of course, these factors remain the
foundation of information security strategy but don’t extend to business processes or incorporate the
entire organization beyond IT. Given the preponderance of network-based business processes and
Internet/web communications, information security should be more pervasive beyond the IT organization
and regulatory compliance domains alone.
• Information security management and operations relies on cooperative responsibilities across the IT
organization. Security management and operations tasks like establishing controls for security policy
enforcement, developing security policies, and working with business units to define security needs depend
upon strong collaboration between information security and other IT and business groups. As a general
rule, information security teams work most closely with other functional IT groups like network operations
and server administrators, and IT oversight functions like IT and regulatory compliance auditors. ESG sees
deeper meaning in these data points. An organization may have world-class security expertise and best-of-
breed security technology controls, but the overall effectiveness of its information security programs and
strategy depends upon the working relationship, shared processes, and communication between the
information security group and a number of other functional IT teams. If these relationships are
dysfunctional, information security success will likely be marginal at best.
• Security assessment testing frequency varies widely. Forty percent of organizations test the effectiveness
of their security controls constantly, 15% test the effectiveness of their security controls on a weekly basis,
14% do so twice a month and 14% conduct these tests on a quarterly basis. This data is generally
encouraging as infrequent security controls testing increases vulnerability and overall IT risk.
• Security monitoring and visibility is a mixed bag. A vast majority (81%) of security professionals say that
their organization’s level of visibility about its security status is either “excellent” or “good.” Nevertheless,
security status visibility gaps remain. When asked to identify areas that inhibit real-time and
comprehensive security visibility, 34% said they need tighter integration between security and IT operations
tools, 33% said they need better security analysis/forensic skills at their organization, and 29% said they
needed better automated analytics from their security intelligence tools.
• Large organizations have numerous weaknesses with incident response. Twenty-seven percent of large
organizations report weaknesses performing security forensics to determine the root cause of a problem,
27% say they have weaknesses determining which assets remain vulnerable to similar attacks, and 24%
point to weaknesses gathering the right data for accurate situational awareness. These deficiencies were
consistent across all three groups of the ESG security management and operations segmentation model.
• CISOs are increasing their use of automated security remediation. More than half of large organizations
(56%) are using their security and IT operations tools in concert to automate security remediation tasks. In
terms of common automation chores, 66% employ security/IT operations automation
to block URLs or web content, 53% generate firewall or IDS/IPS rules based upon network behavior or event
detection, and 51% use risk management “triggers” to launch an immediate network scan.
• Security budgets remain a major obstacle. When asked to identify their most significant security
management challenges, 50% of organizations pointed first and foremost to budget constraints. ESG is
somewhat concerned that this response was common across security management “leaders,” “followers”
and “laggards”—apparently even the best-prepared organizations still believe they are under-funded in
their mission. Beyond budgetary problems, 30% say the security team spends too much of its time reacting
to problems (and not enough time with proactive security management or strategic planning), 24% say they
are challenged by a lack of appropriate security skills within the security organization, and 23% are
challenged by too many security tools. It is also worth noting that 28% of security management and
operations “laggards” are challenged by a lack of executive management support. This was much higher
than the other segments.
• The security skills shortage is widespread. More than half (55%) of organizations plan to increase security
headcount in 2012, yet 83% say that it is “extremely difficult” or “somewhat difficult” to recruit and hire
security professionals. When asked to identify the areas of information security where they have a
problematic skills shortage, 43% pointed to cloud/server virtualization security. Other areas identified
include endpoint/mobile device security (31%), network security (31%), security analysis/forensics (30%),
and data security (30%). Clearly, security skills deficits are widespread and will likely get worse in the near
future, exacerbating the need for efficient and effective security management and operations technologies
and processes.
• Large organizations are increasing their use of security services. Given the shortage of security skills, it is
not surprising that 62% of enterprises plan on using third-party professional or managed security services in
2012. Additionally, 16% of large organizations say that their use of third-party professional or managed
services has “increased substantially” over the past 24 months while 42% say that their use of third-party
professional or managed services has “increased somewhat” over the same period. Security management
and operations “leaders” are most active here—36% say that their use of third-party providers has
“increased substantially” over the past 24 months. The top four security services currently used by
organizations are security design (33% of organizations), security/risk management/regulatory compliance
assessments (30%), network monitoring (30%), and threat management intelligence (30%).
• New security technology decisions are on the horizon. The evolving threat landscape, along with current
security weaknesses, is persuading large organizations to make significant security technology changes. For
instance, 44% of large organizations say they will design and build a more integrated security architecture,
39% will include new data sources for security intelligence, and 24% plan to buy more security suites from a
single vendor. While 22% of all organizations also say they will actively decrease the number of security
vendors they buy from, one-third of organizations classified as security management and operations
“leaders” plan to reduce the number of security technology vendors they buy from today. This may be a
leading indicator of market consolidation as “followers” and “laggards” adopt similar purchasing tactics.
Introduction
Research Objectives
In order to assess the state of information security management and operations in 2012 and beyond, ESG surveyed
315 security professionals working at enterprise-class (1,000 employees or more) organizations in North America.
All respondents were personally responsible for or familiar with their organizations’ 2011 information security
strategies as well as their 2012 IT security budget and spending plans at either an organizational or business
unit/division/branch level.
To assess current and future information security management and operations strategies, survey respondents were
asked to respond to questions in areas such as:
• The role of information security within the organization.
o How is the CISO (or similar role) perceived within the organization?
o Is information security considered an integral part of the corporate culture? Is information
security well aligned with business processes?
o Is the executive management team actively engaged in information security issues? If so, how?
Does the executive management team have the right level of information security knowledge
and skills?
• Information security organization and skills.
o What are the primary responsibilities of the information security team? Which tasks are shared
between information security and other IT groups?
o Are organizations suffering from information security skills shortages? If so, in what areas?
o How are organizations consuming third-party security services today? Is the use of third-party
security services increasing? Which security services are most popular?
• Security management and operations landscape.
o Is information security driven solely by regulatory compliance or are there other motivating
factors?
o Is security management becoming progressively more difficult?
o What is the impact of new technology initiatives like server virtualization, cloud computing, and
mobile device support on security management and operations?
o What are the security management and operations priorities for 2012 and beyond?
• Risk management.
o What types of policies and technical controls are in place to address IT risk?
o Are these policies and technical controls mandatory or discretionary?
o How effective are risk management programs? Are there particular areas of weakness?
o Do organizations have real-time visibility into IT risk as business conditions change?
• Incident detection and response.
o How do organizations detect security attacks?
o Do they have the right level of visibility to do so effectively? If not, are there particular areas
where visibility is lacking?
o When the organization does detect a security incident, how efficient is its response?
• Security technologies.
o Which security technologies are most effective at performing the tasks they were designed for?
o In particular, how effective are security information and event management (SIEM) platforms?
Survey participants represented a wide range of industries including manufacturing, financial services,
communications and media, retail, government, and business services. For more details, please see the Research
Methodology and Respondent Demographics sections of this report.
Research Findings
The ESG Security Management and Operations Segmentation Model
The information security management and operations discipline contains a multitude of interrelated security
policies, processes, technical controls, and monitoring activities. As a result, enterprise-class security management
and operations includes a number of organizational, cultural, educational, financial, and technical dependencies.
Given the increasingly onerous threat landscape, the rise of Advanced Persistent Threats (APTs), and the alarming
frequency of publicly-disclosed data breaches, many organizations are far more engaged with their information
security strategies than they were a few years ago. While this is a positive step, ESG research indicates that security
management and operations effectiveness and efficiency varies widely across enterprise organizations.
To better understand the state of enterprise security management and operations, ESG developed a security
management and operations model that segments organizations based on five dimensions that tend to characterize
security best practices and commitment. These dimensions are:
• Respondent organization’s perception of information security. A value for this dimension was calculated
based upon how information security is viewed within the organization. ESG assigned a value of two (2)
where information security was well aligned with corporate culture, and a value of one (1) where
information security was aligned with specific business processes. Organizations offering other responses
were assigned a value of zero (0) in this category.
• Respondent organization’s perception of the CISO role. A value for this dimension was calculated based
upon how the CISO (or similar role) was perceived within the organization. ESG assigned a value of two
(2) to organizations that perceived the CISO as a business executive, and a value of one (1) to organizations
where the CISO was perceived as an IT executive. Organizations offering other responses were assigned a
value of zero (0) in this category.
• Level of executive management involvement with information security. A value for this dimension was
calculated based upon whether the executive management team was more engaged with information
security strategy and situational awareness than it was in 2010. ESG assigned a value of two (2) to
organizations where the executive management team was much more engaged with information security
strategy and situational awareness than it was in 2010, and a value of one (1) to organizations where the
executive management team was somewhat more engaged. Organizations offering other responses were
assigned a value of zero (0) in this category.
• Frequency of security controls testing. A value for this dimension was calculated based upon how often an
organization tested the effectiveness of its security controls. ESG assigned a value of two (2) to
organizations that tested their security controls “constantly,” and a value of one (1) to organizations that
tested the effectiveness of their security controls at least twice a month. Organizations offering other
responses were assigned a value of zero (0) in this category.
• Presence of a SIEM platform. A value for this dimension was calculated based upon whether organizations
had a SIEM (security incident and event management) platform deployed. ESG assigned a value of two (2)
to organizations that had a SIEM platform in place, and a value of one (1) to organizations that planned to
implement a SIEM platform within the next 12 months. Organizations offering other responses were
assigned a value of zero (0) in this category.
As indicated above, ESG used the survey data to assign every respondent organization a score for each of the five
dimensions that comprise ESG’s security management and operations segmentation model (see Figure 1). The
maximum possible score was ten points and the minimum was zero. Based on each respondent organization’s
aggregate score, the organization was then classified as a security management and operations “leader” (7 to 10
points), “follower” (4 to 6 points), or “laggard” (0 to 3 points).
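As an added illustration of the scoring model just described (this is not ESG’s code or survey instrument), the following Python scores constructed respondents on the five dimensions, sums the points, and applies the 7–10 / 4–6 / 0–3 segment thresholds; the dimension keys and answer strings are assumptions standing in for the survey’s actual response options.

```python
"""Worked example of the ESG five-dimension segmentation scoring.

Added illustration only: not ESG's survey instrument or code. The dimension
keys and answer strings below are assumptions standing in for the survey's
real response options.
"""
from collections import Counter

# Answers that earn 2 (high) or 1 (medium) points per dimension. Any other
# answer, including a missing one, scores 0, as the report describes.
SCORING = {
    "security_perception": {
        "aligned with corporate culture": 2,
        "aligned with specific business processes": 1,
    },
    "ciso_perception": {
        "business executive": 2,
        "IT executive": 1,
    },
    "exec_engagement_vs_2010": {
        "much more engaged": 2,
        "somewhat more engaged": 1,
    },
    "controls_testing": {
        "constantly": 2,
        "at least twice a month": 1,
    },
    "siem": {
        "deployed": 2,
        "planned within 12 months": 1,
    },
}

MAX_SCORE = 2 * len(SCORING)  # five dimensions, two points each = 10


def score_dimension(dimension, answer):
    """Points earned on one dimension; an unknown dimension is a caller error."""
    if dimension not in SCORING:
        raise KeyError(f"unknown dimension: {dimension}")
    return SCORING[dimension].get(answer, 0)


def score_respondent(answers):
    """Aggregate 0-10 score for one respondent's answers (dict keyed by dimension)."""
    return sum(score_dimension(d, answers.get(d)) for d in SCORING)


def classify(score):
    """Map an aggregate score to the report's leader/follower/laggard segments."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score out of range: {score}")
    if score >= 7:
        return "leader"
    if score >= 4:
        return "follower"
    return "laggard"


def segment_population(respondents):
    """Count respondents per segment, always returning all three keys."""
    counts = Counter(classify(score_respondent(r)) for r in respondents)
    return {seg: counts.get(seg, 0) for seg in ("leader", "follower", "laggard")}


# Constructed sample respondents (not survey data).
SAMPLE = [
    {   # 2+2+2+2+2 = 10 -> leader
        "security_perception": "aligned with corporate culture",
        "ciso_perception": "business executive",
        "exec_engagement_vs_2010": "much more engaged",
        "controls_testing": "constantly",
        "siem": "deployed",
    },
    {   # 1+1+1+1+2 = 6 -> follower, one point short of "leader"
        "security_perception": "aligned with specific business processes",
        "ciso_perception": "IT executive",
        "exec_engagement_vs_2010": "somewhat more engaged",
        "controls_testing": "at least twice a month",
        "siem": "deployed",
    },
    {   # 0+1+0+0+1 = 2 -> laggard; unmatched or missing answers score 0
        "security_perception": "aligned with IT assets",
        "ciso_perception": "IT executive",
        "exec_engagement_vs_2010": "about the same",
        "siem": "planned within 12 months",
    },
]

if __name__ == "__main__":
    for r in SAMPLE:
        s = score_respondent(r)
        print(s, classify(s))
    print(segment_population(SAMPLE))
```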
Figure 1. ESG Security Management and Operations Segmentation Model Criteria
Source: Enterprise Strategy Group, 2012.
Based upon this scoring algorithm, 19% of enterprise organizations participating in this research project were
classified as security management and operations “leaders,” 49% were classified as security management and
operations “followers,” and 32% were classified as security management and operations “laggards” (see Figure 2).
Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model
Source: Enterprise Strategy Group, 2012.
Using this market segmentation model as a guide, ESG’s analysis of the data found clear and profound differences
among each market segment in a number of areas, including security management perceptions, organizational
skills, use of third-party services, and security technology deployment.
Figure 1 (chart content). The five criteria described above, each rated High, Medium, or Low:
• Organizational perception of information security: High = security aligned with corporate culture; Medium = security aligned with specific business processes; Low = none of the above.
• CISO role/perception: High = CISO perceived as business executive; Medium = CISO perceived as IT executive; Low = none of the above.
• Executive management’s involvement with security: High = much more engaged than in 2010; Medium = somewhat more engaged than in 2010; Low = none of the above.
• Frequency of security controls testing: High = security controls tested constantly; Medium = security controls tested at least twice per month; Low = none of the above.
• Presence of a SIEM platform: High = SIEM platform deployed; Medium = plans to deploy SIEM platform within 12 months; Low = none of the above.
Figure 2 (chart content). Percent of respondents by ESG security management and operations segmentation model (N=315): Leaders 19%, Followers 49%, Laggards 32%.
ESG’s security management and operations segmentation model is used for data analysis purposes throughout this
report to illustrate varying degrees of cybersecurity activities, challenges, and strategies among the different
groups. In aggregate, the data is indicative of a diverse population in which 81% of organizations (i.e., “followers”
and “laggards”) lack the essential security knowledge, processes, technology defenses, and organizational
backing needed to adequately address IT risk, quickly detect security incidents, and respond to ongoing attacks in a
timely and coordinated way. Thus it is safe to say that the vast majority of large organizations remain quite
vulnerable to current and future threats.
The State of Security Management and Operations
ESG found that when it comes to factors influencing information security strategy, organizations are driven by two
primary motivations: protecting sensitive data / intellectual property and regulatory compliance (see Figure 3). It is
worth noting that 42% of security management and operations “leaders” said that their security strategy was
driven by corporate governance as compared to 30% of the overall survey population. This is understandable since
“leaders” tend to weave information security into comprehensive business policies and promote security
awareness training for all employees. Additionally, 55% of “leaders” are driven by improving/automating security
operations as compared to 39% of the overall survey population. ESG believes that this is a harbinger of things to
come: information security is often anchored by manual tasks and individual skill sets, and security “leaders”
understand that they need to supplement human resources with more automation in order to manage risk and
cope with growing IT scale in real time.
Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012
Source: Enterprise Strategy Group, 2012.
Figure 3 (chart data). Of the following, which would you characterize as the most important factors driving your organization’s information security strategy in 2012? (Percent of respondents, N=315, multiple responses accepted)
Protecting sensitive data and IP: 55%
Regulatory compliance: 50%
Addressing new types of threats: 41%
Improving/automating security operations: 39%
Addressing security issues created by the use of mobile devices: 38%
Improving our ability to analyze security data and detect attacks in progress: 35%
Aligning security policies and controls with business processes: 33%
Creating an appropriate security model for cloud computing initiatives: 31%
Corporate governance: 30%
Understanding business risk: 29%
Migrating from tactical security tools to a more integrated security technology architecture: 24%
With the passage of the Health Insurance Portability and Accountability Act (HIPAA, 1996), California Senate Bill
1386 (SB 1386, 2003), and the Payment Card Industry Data Security Standard (PCI DSS, 2004), regulatory
compliance requirements have had a major influence on enterprise information security strategy in recent years.
While these regulations have increased information security investment and visibility, they have also had some
unintended consequences. Rather than encourage holistic security best practices, these mandates have led some
organizations to direct their information security efforts solely toward passing compliance audits. This has led to
many firms technically complying with regulatory mandates, yet still plagued by significant security shortcomings.
ESG research indicates that this compliance-oriented “check box” mentality may be waning. 45% of large
organizations say that regulatory compliance has less influence on their information security strategy today than it
did in the past (see Figure 4). ESG sees this as a positive step forward. While regulatory compliance remains an
important component of information security strategy, CISOs are focusing their attention beyond passing
compliance audits alone and putting more resources and investment into bolstering risk management programs,
accelerating incident detection, and improving incident response. In other words, information security objectives
are centering on protecting the organization—not just appeasing the compliance auditors.
Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment
Decisions
Source: Enterprise Strategy Group, 2012.
Figure 4 (chart data). Compared to 2010, how would you characterize the influence of regulatory compliance on your organization’s information security strategy and investment decisions? (Percent of respondents, N=315)
Regulatory compliance was much more influential in 2010 than it is today: 19%
Regulatory compliance was somewhat more influential in 2010 than it is today: 26%
Regulatory compliance was as influential in 2010 as it is today: 33%
Regulatory compliance was somewhat less influential in 2010 than it is today: 13%
Regulatory compliance was much less influential in 2010 than it is today: 8%
Don’t know / no opinion: 2%
This changing attitude was most pronounced with security management and operations “leaders,” 32% of whom
say that regulatory compliance has less influence on their information security strategy today than it did in the past
(see Table 1). ESG believes this shift is due to a number of factors, including a more ominous threat landscape,
visible publicly-disclosed data breaches, and greater cybersecurity awareness by corporate executives.
Table 1. Influence of Regulatory Compliance on Information Security Strategy Analyzed by the ESG Segmentation Model
Influence of regulatory compliance on organization’s information security strategy and investment decisions as
compared to 2010, by segmentation:
                                                              Leaders   Followers   Laggards
                                                              (N=60)    (N=154)     (N=101)
Much more influential in 2010 than it is today                  32%       19%         11%
Somewhat more influential in 2010 than it is today              23%       29%         24%
As influential in 2010 as it is today                           32%       31%         39%
Somewhat less influential in 2010 than it is today               3%       14%         17%
Much less influential in 2010 than it is today                  10%        8%          6%
Don’t know                                                       0%        1%          4%
Source: Enterprise Strategy Group, 2012.
Given its historical focus as an IT discipline, it is not surprising to see that 63% of organizations believe “information
security is aligned with IT assets and the IT department.” Respondents also believe that “information security is
aligned with regulatory compliance.”
Beyond these obvious connections, however, this data also points to a changing mindset around information
security: 55% of organizations see an alignment between information security and business processes. This is a
positive step and represents both progressive and realistic thinking. More and more business processes across all
industries are anchored by IT infrastructure and the public Internet. Consequently, CISOs and business managers
should understand the IT assets, employees, and third parties involved in each business process in order to identify
risk, create/enforce policies, and monitor the effectiveness of security controls. The data also indicates that 44% of
large organizations believe that information security is aligned with the corporate culture. This too represents a
new function for information security. Since organizational success depends upon IT services, strong security
depends upon participation from all employees. By aligning information security with corporate culture, some
executive managers clearly recognize and support this connection deep within the organization (see Figure 5).
Figure 5. How Security is Viewed at Organizations
Source: Enterprise Strategy Group, 2012.
As a function, Chief Information Security Officers (CISOs) are also perceived differently among various
organizations. Nearly three-quarters of organizations still view CISOs as an IT executive or support function.
However, a significant 18% of survey respondents said that the CISO was perceived as a business executive in their
organization (see Figure 6), a development that will only help raise the awareness of and effective response to
information security issues in those firms.
Figure 6. Perception of CISO within Organization
Source: Enterprise Strategy Group, 2012.
Along with changing perceptions about regulatory compliance and CISOs, ESG research indicates that executive
management teams are becoming increasingly engaged with information security situational awareness and
strategy (see Figure 7).
Figure 5 (chart data). From an organizational perspective, which of the following statements best reflects how information security is viewed at your organization? (Percent of respondents, N=315, multiple responses accepted)
Information security is aligned with IT assets and the IT department: 63%
Information security is aligned with regulatory compliance: 59%
Information security is aligned with business processes: 55%
Information security is aligned with physical security: 45%
Information security is aligned with the corporate culture: 44%
Figure 6 (chart data). In your opinion, how is the CISO (or similar position) perceived at your organization? (Percent of respondents, N=315)
As an IT executive: 51%
As a support function for IT (i.e., support the CIO and others): 23%
As a business executive: 18%
As a support function for regulatory compliance: 5%
Don’t know: 2%
Figure 7. Level of Engagement of Executive Management Team
Source: Enterprise Strategy Group, 2012.
ESG further explored executive management involvement in several areas. As shown in Figure 8, ESG asked
whether organizations as a whole generally believe that their senior executives are putting forth a “good”
or “adequate” effort when it comes to making necessary security investments, increasing their knowledge about
security concepts, and being actively involved in setting information security strategy.
Figure 8. Characterization of Executive Management Team
Source: Enterprise Strategy Group, 2012.
Figure 7 (chart data). Compared to 2010, do you believe that the executive management team at your organization is: (Percent of respondents, N=315)
Much more engaged with information security situational awareness and strategy: 29%
Somewhat more engaged with information security situational awareness and strategy: 40%
About the same level of engagement with information security situational awareness and strategy: 27%
Less engaged with information security situational awareness and strategy: 2%
Much less engaged with information security situational awareness and strategy: 1%
Don’t know / no opinion: 1%
Figure 8 (chart data). How would you characterize your organization’s executive management in the following areas? (Percent of respondents, N=315)
                                                                   Good   Adequate   Fair   Poor
Willingness to commit to a level of security investment
  necessary to address risk in an appropriate way                   47%      40%     11%     2%
General knowledge about information security concepts               45%      44%     10%     1%
Interest in information security status across the organization    41%      42%     14%     3%
Involvement in information security strategy decisions              39%      43%     16%     2%
Demonstration of information security leadership position
  within the organization                                           37%      47%     14%     1%
The data paints a different picture, however, when viewed through the lens of the ESG security management and
operations segmentation model (see Table 2). For instance, the majority of security management and operations
“leaders” believe their executives are doing a “good” job across all areas. However, keep in mind that “leaders”
make up only 19% of the total survey population. Executive managers at “follower” and “laggard” organizations
don’t fare nearly as well when it comes to being knowledgeable about, investing in, and generally supporting
security initiatives.
Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model
How would you characterize your organization’s executive management in the following areas? (Percentage of
each segment responding “good”)
                                                                   Leaders   Followers   Laggards
Willingness to commit to a level of security investment
  necessary to address risk in an appropriate way                    62%        53%        28%
General knowledge about information security concepts                70%        50%        24%
Interest in information security status across the organization     58%        47%        23%
Involvement in information security strategy decisions               57%        44%        23%
Demonstration of information security leadership position
  within the organization                                            58%        39%        22%
Source: Enterprise Strategy Group, 2012.
Overall, the ESG data points to some positive trends. Information security is slowly transforming from a back office
IT and regulatory compliance function to a much more integral component of business operations. This change is
impacting the role of CISOs and business executive involvement in information security. Nevertheless, these
changes are extremely skewed to a progressive minority composed of security management and operations
leaders. Other organizations are either caught in the past or evolving at a snail’s pace.
The Evolving Security Organization
Just over one-half of large organizations surveyed by ESG will increase information security headcount in 2012,
while another 40% say that the size of their security organization will remain about the same. Just 4% will actually
reduce staff (see Figure 9). In particular, large organizations categorized as security management and operations
“leaders” are not resting on their laurels—42% will increase headcount “significantly” in 2012 (see Figure 10).
Figure 9. Organizations Increasing Security Headcount
Source: Enterprise Strategy Group, 2012.
Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations
Segmentation Model
Source: Enterprise Strategy Group, 2012.
Figure 9 (chart data). To the best of your knowledge, will your organization increase its security headcount (i.e., hire new management/staff) in 2012? (Percent of respondents, N=315)
Yes, significantly: 17%
Yes, somewhat: 38%
No, it will remain about the same size: 40%
No, the security organization will become somewhat smaller: 3%
No, the security organization will become significantly smaller: 1%
Don’t know: 2%
Figure 10 (chart data). Organization’s plans to increase security headcount (i.e., hire new management/staff) in 2012, by segmentation (Percent of respondents)
                                                                  Laggards   Followers   Leaders
                                                                  (N=101)    (N=154)     (N=60)
Yes, significantly                                                   7%        14%        42%
Yes, somewhat                                                       33%        45%        27%
No, it will remain about the same size                              52%        36%        28%
No, the security organization will become somewhat smaller           5%         3%         *
No, the security organization will become significantly smaller      1%         1%         *
Don’t know                                                           2%         1%         *
* For leaders, the chart labels two of these three categories at 2% each and leaves the third unlabeled.
The fact that information security is becoming more closely aligned with business operations and goals is one
reason why so many organizations are hiring in 2012. Unfortunately, another reason for adding headcount is
related to the dearth of existing security skills. Enterprises point to a problematic shortage of existing information
security skills in a multitude of areas (see Figure 11). A few aspects of this list stand out:
• The biggest skills deficit is in the burgeoning area of cloud/server virtualization security. Since these are
relatively new technology areas, it is likely to be extremely difficult to find seasoned professionals with this
combination of skills. On the other hand, cloud/server virtualization security architects should have an
assortment of high-paying positions to choose from. ESG hopes that cloud, server virtualization, and
security vendors recognize this critical skills shortage and will work to bridge the gap with the right
automation, professional services, user training, and professional certifications.
• Large organizations also have skills deficiencies in a number of core areas such as endpoint/mobile security,
network security, and data security. With respect to endpoint/mobile, it is likely that BYOD (bring your own
device) initiatives are exacerbating the scarcity of skills, as organizations need more specialized capabilities
for securing new platforms like iOS, Android, and Macintosh. However, network and data security are not
new areas. This speaks to a more systemic shortage of available bodies for core information security jobs.
• A number of other specific areas such as security analytics/forensics, emerging threat/malware expertise,
and application development security require highly experienced and senior professionals. Once again,
these skills don’t come easily or cheaply, as they are in high demand. Recruiting individuals with these skills
will be highly competitive and very expensive. Organizations with lower pay scales or those in more rural
areas will have the most difficult time here.
Figure 11. Areas of Information Security with a Shortage of Existing Skills
Source: Enterprise Strategy Group, 2012.
Figure 11 (chart data). In which of the following areas of information security do you believe your IT organization currently has a problematic shortage of existing skills? (Percent of respondents, N=315, multiple responses accepted)
Cloud/server virtualization security: 43%
Endpoint/mobile device security: 31%
Network security: 31%
Data security: 30%
Security analysis/forensics: 30%
Emerging threat/malware expertise: 28%
Application development security: 25%
Security operations: 23%
Email/messaging security: 22%
Application/database security: 20%
We do not currently have a problematic shortage of existing information security skills: 8%
Whether general or specialized, finding information security help is becoming increasingly cumbersome. Nearly
one-fifth of large organizations claim that it is “extremely difficult to recruit/hire security professionals,” while
another 65% say it is “somewhat difficult to recruit/hire information security professionals” (see Figure 12). These
hiring issues were consistent across the “leader,” “follower,” and “laggard” organizations of the ESG security
management and operations segmentation model, suggesting that no class of organization is immune from the
current security skills crunch.
Figure 12. Current State of Information Security Professional Recruitment/Hiring
Source: Enterprise Strategy Group, 2012.
Figure 12 (chart data). In your opinion, how would you characterize the current state of information security professional recruitment/hiring? (Percent of respondents, N=172)
It is extremely difficult to recruit/hire information security professionals: 18%
It is somewhat difficult to recruit/hire information security professionals: 65%
It is somewhat easy to recruit/hire information security professionals: 15%
It is extremely easy to recruit/hire information security professionals: 1%
Don’t know: 1%
Security Organization Responsibilities
As large organizations increasingly equate information security with business operations, invest in new
technologies, and hire more security staff, it is important to recognize that information security is really composed
of a number of shared tasks and responsibilities. As proof of this, ESG asked security professionals to identify areas
where the security organization has primary responsibility and where it shares responsibilities with other IT groups.
As shown in Figure 13, in the majority of areas, information security teams work hand-in-hand with other functional
IT teams such as network/IT operations, DBAs, or application developers.
Given this situation, CISOs and their organizations should not be held accountable for information security
efficiency and effectiveness alone. Rather, strong security is only possible through a CISO/IT organization
partnership, with the appropriate strategy, goals, and metrics. It is also worth noting, however, that security
organizations within the ESG security management and operations “leader” segment were much more likely to
have primary responsibility in a number of the areas listed below. Clearly, these “leaders” recognize the value of
the security team and are willing to give these teams the authority to take the initiative if it leads to lower risk, rapid
decision making, and greater security protection.
Figure 13. Information Security Organization’s Level of Responsibility
Source: Enterprise Strategy Group, 2012.
Figure 13 (chart data). For each of the activities and tasks below, what is the information security organization’s level of responsibility? (Percent of respondents, N=315)
Columns: security organization has primary responsibility / shares responsibility with other IT groups (i.e., network operations, DBAs, etc.) / is not responsible / don’t know
Establishing controls for security policy enforcement: 45% / 46% / 6% / 3%
Developing security policies: 44% / 51% / 3% / 2%
Working with business units to define security needs: 42% / 52% / 4% / 2%
Monitoring security status on a regular basis: 42% / 48% / 7% / 3%
Vulnerability scanning: 42% / 45% / 10% / 3%
Defining policies and standards for secure software development: 41% / 48% / 9% / 2%
Regulatory compliance policies, controls, and audits: 39% / 51% / 8% / 2%
Incident response: 39% / 50% / 9% / 3%
Researching, testing, and purchasing security technologies: 39% / 50% / 9% / 2%
Defining secure configurations for hardware and software: 38% / 52% / 9% / 2%
Day-to-day operation of network security devices: 38% / 47% / 14% / 2%
Defining policies for cyber supply chain security: 34% / 53% / 8% / 5%
Patch management: 34% / 48% / 14% / 4%
Training non-IT employees on security policies and best practices: 31% / 55% / 11% / 3%
CISOs need their teams to collaborate across IT but these requirements are especially necessary with key groups
such as network operations, server administrators, and IT auditors (see Figure 14). Security management and
operations “leaders” tend to work more closely with the regulatory compliance team (57% of leaders as compared
with 43% of the overall survey population), DBAs (38% of leaders as compared with 25% of the overall security
population), and IT auditors (52% of leaders as compared with 43% of the overall survey population).
Figure 14. Groups Security Team Works With Most Closely
Source: Enterprise Strategy Group, 2012.
Figure 14 (chart data). With which of the following groups does your organization’s security team work most closely? (Percent of respondents, N=315, multiple responses accepted)
Network operations: 57%
Server administrators: 46%
IT auditors: 43%
Regulatory compliance: 43%
Applications administrators: 32%
Storage administrators: 27%
DBAs: 25%
Help desk: 25%
Endpoint administrators: 21%
Security Services Trends
Many organizations plan on using third-party security services in 2012—17% of organizations surveyed by ESG will
use professional or managed services “extensively” this year, while another 45% will use third-party professional or
managed services to some extent in order to meet their information security requirements (see Figure 15). ESG
also finds it noteworthy that 32% of security management and operations “leaders” will use third-party professional
or managed services “extensively” in 2012 as compared to 17% of the overall survey population. Why? ESG
suspects that “leaders” are far more aggressive at finding mundane security tasks to outsource as well as isolating
areas where they need external expertise and internal skills may be lagging.
Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012
Source: Enterprise Strategy Group, 2012.
As information security becomes increasingly business-critical, more and more large organizations will be forced to
overcome internal skills gaps and hiring challenges with third-party service alternatives. The ESG research data
indicates that this is already happening: 16% of enterprises say they will increase their use of third-party managed
and/or professional services “substantially” over the next 24 months, while another 42% will increase their use of
third-party managed and/or professional services “somewhat” (see Figure 16).
Figure 16. How Use of Third-Party Professional/Managed Services has Changed
Source: Enterprise Strategy Group, 2012.
Figure 15 (chart data). Will your organization use third-party professional or managed services to meet its information security requirements in 2012? (Percent of respondents, N=315)
Yes, extensively: 17%
Yes, somewhat: 45%
No: 33%
Don’t know: 5%
Figure 16 (chart data). How has your organization’s use of third-party professional or managed security services changed over the past 24 months? (Percent of respondents, N=196)
Increased substantially: 16%
Increased somewhat: 42%
Remained about the same: 35%
Decreased somewhat: 6%
Decreased substantially: 1%
Don’t know / no opinion: 1%
Why are these organizations consuming more security services? ESG’s hypothesis going into this research was that
security service growth was a result of the growing global shortage of security skills. The data gathered for this
project verifies this theory. Large organizations are increasingly turning to service providers for specialized security
skills or to supplement the internal security staff (see Figure 17).
Figure 17. Reasons for Increasing Use of Third-Party Security Services
Source: Enterprise Strategy Group, 2012.
Figure 17 (chart data). What are the primary reasons for increasing the use of third-party security services at your organization? (Percent of respondents, N=114, multiple responses accepted)
Security service providers can perform certain security tasks better than we can: 39%
New types of security threats persuaded my organization to seek outside expertise: 34%
Don’t have a large enough security staff to handle all security responsibilities: 29%
Don’t have specific security skills in house so the organization decided to outsource security tasks: 28%
Security is not core to the business so my organization decided to seek outside expertise: 27%
My organization experienced a security breach which led us to seek out more security services and expertise: 24%
Couldn’t recruit/hire enough security expertise so we had no choice: 20%
Security service needs follow a pattern that is consistent with the general history of IT outsourcing over the
decades. Enterprise companies tend to turn to service providers for specific skills (usually associated with new or
changing technologies) or for commonplace operational tasks. Interestingly, the list below seems weighted toward the
former—i.e., specialized security skills such as security design, threat intelligence, and network monitoring (see
Figure 18).
Figure 18. Areas of Third-Party Security Services Used
Source: Enterprise Strategy Group, 2012.
Which of the following areas of third-party security services has your organization used in the past and/or does it plan to use in 2012? (Percent of respondents, N=92, multiple responses accepted)
Security design: 33%
Threat management intelligence: 30%
Network monitoring: 30%
Security/risk management/regulatory compliance assessment: 30%
Web threat management: 29%
Email encryption: 29%
Vulnerability scanning: 29%
Penetration testing: 28%
Staff augmentation: 26%
Mail/messaging security: 22%
Endpoint security: 18%
Managed network security: 18%
Event/log management: 15%
Risk Management Strategies
Most security professionals agree with the old adage “an ounce of prevention is worth a pound of cure.” In that
spirit, nearly three-quarters of the enterprise organizations have a formal risk management program in place (see
Figure 19). Defined simply, a risk management program would include:
1. Identifying all IT assets (i.e., applications, databases, servers, storage, networking equipment, data, etc.)
2. Classifying all IT assets based upon their value to the business mission.
3. Identifying threats to IT assets and the likelihood of these threats.
4. Identifying vulnerabilities associated with these IT assets.
5. Using these inputs (i.e., assets, asset value, threats, and vulnerabilities) to calculate some measure of
overall risk.
6. Implementing controls to reduce risk.
7. Continually measuring any changes (i.e., new assets, changes to assets, new threats, new vulnerabilities,
etc.) that could represent an increase in risk to the organization.
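The seven steps above, carried through as an added worked example (this is not ESG’s model or code): a small risk register in Python whose asset kinds, threats, likelihoods, vulnerability severities and control effects are all constructed sample values, and whose vulnerability ids are placeholders rather than real advisories.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    """Step 1: an inventoried IT asset (constructed sample data throughout)."""
    name: str
    kind: str                                   # application, database, server, ...
    value: int                                  # step 2: 1 (low) .. 5 (mission critical)
    vulnerabilities: Dict[str, float] = field(default_factory=dict)  # step 4: id -> severity 0..1
    controls: Dict[str, float] = field(default_factory=dict)         # step 6: name -> share of risk removed 0..1


@dataclass(frozen=True)
class Threat:
    """Step 3: a threat, its estimated likelihood, and the asset kinds it targets."""
    name: str
    likelihood: float                 # constructed annual probability estimate, 0..1
    applies_to: Tuple[str, ...]


def exposure(asset: Asset) -> float:
    """Step 4: fold the asset's vulnerabilities into one exposure factor.
    Independent weaknesses combine as 1 - prod(1 - severity); an asset with
    no known vulnerability has no exposure."""
    remaining = 1.0
    for severity in asset.vulnerabilities.values():
        remaining *= 1.0 - severity
    return 1.0 - remaining


def residual_factor(asset: Asset) -> float:
    """Step 6: each implemented control removes a fraction of whatever risk is left."""
    factor = 1.0
    for reduction in asset.controls.values():
        factor *= 1.0 - reduction
    return factor


def asset_risk(asset: Asset, threats: List[Threat]) -> float:
    """Step 5: risk = value x (sum of likelihoods of the threats that apply) x exposure,
    scaled down by the controls already in place."""
    likelihood = sum(t.likelihood for t in threats if asset.kind in t.applies_to)
    return round(asset.value * likelihood * exposure(asset) * residual_factor(asset), 3)


def risk_register(assets: List[Asset], threats: List[Threat]) -> Dict[str, float]:
    return {a.name: asset_risk(a, threats) for a in assets}


def total_risk(register: Dict[str, float]) -> float:
    return round(sum(register.values()), 3)


def risk_increases(previous: Dict[str, float],
                   current: Dict[str, float]) -> Dict[str, Tuple[Optional[float], float]]:
    """Step 7: compare two measurements and report every asset whose risk went up,
    plus assets that were not in the previous inventory at all (new assets)."""
    return {
        name: (previous.get(name), score)
        for name, score in current.items()
        if name not in previous or score > previous[name]
    }


# Constructed threat catalogue; likelihoods are illustrative, not survey data.
THREATS = [
    Threat("sql-injection", 0.6, ("database", "application")),
    Threat("ransomware", 0.3, ("server", "database")),
    Threat("credential-theft", 0.5, ("application", "server")),
]

# Baseline inventory (steps 1, 2, 4 and 6 for each asset); VULN-PLACEHOLDER ids are not real CVEs.
BASELINE = [
    Asset("crm-db", "database", 5, {"VULN-PLACEHOLDER-1": 0.8}, {"db-firewall": 0.5}),
    Asset("intranet-web", "application", 3, {"weak-tls": 0.4}),
    Asset("build-server", "server", 4, {"unpatched-kernel": 0.6}),
]

# A later measurement: a new vulnerability on intranet-web and a new, unassessed asset.
NEXT_QUARTER = [
    Asset("crm-db", "database", 5, {"VULN-PLACEHOLDER-1": 0.8}, {"db-firewall": 0.5}),
    Asset("intranet-web", "application", 3, {"weak-tls": 0.4, "file-upload-rce": 0.7}),
    Asset("build-server", "server", 4, {"unpatched-kernel": 0.6}),
    Asset("vendor-api", "application", 2, {"VULN-PLACEHOLDER-2": 0.5}),
]


def measure_change():
    """Run the program against both inventories and return what step 7 flags."""
    before = risk_register(BASELINE, THREATS)
    after = risk_register(NEXT_QUARTER, THREATS)
    return before, after, risk_increases(before, after)


if __name__ == "__main__":
    before, after, increases = measure_change()
    print("baseline:", before, "total", total_risk(before))
    print("next quarter:", after, "total", total_risk(after))
    print("risk increases to act on:", increases)
```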
Figure 19. Formal IT Risk Management Programs in Place
Source: Enterprise Strategy Group, 2012.
Risk management programs are most effective when they are implemented throughout the enterprise as opposed
to in an ad hoc or piecemeal fashion. As shown in Figure 20, nearly three-quarters of enterprise organizations say
they have implemented their risk management program company-wide.
Figure 19 data. Does your organization have a formal IT risk management program in place? (Percent of respondents, N=315)
Yes: 73%
No, but we plan to implement one in the next 12 to 18 months: 13%
No, but we are interested in implementing one: 9%
No, and we have no plans or interest in implementing one: 3%
Don’t know: 2%
Figure 20. How Formal IT Risk Management Program is Implemented
Source: Enterprise Strategy Group, 2012.
Formal risk management programs are clearly a function of overall information security excellence. For example,
95% of organizations classified in the ESG segmentation model as security management and operations “leaders”
have a formal risk management program in place, compared with 79% of “followers” and just 52% of “laggards”
(see Table 3). Similarly, 91% of “leaders” have a formal risk management program implemented across the
enterprise, compared to 69% of “followers” and 68% of “laggards.”
In a best case scenario, a formal risk management program would be implemented across the enterprise. To
understand whether large organizations were following these best practices, ESG combined responses from the
previous two questions (i.e., Figure 19 and Figure 20). When this data is aggregated, 54% of large organizations
follow risk management best practices by implementing a formal risk management program across the enterprise.
These results are marginal at best and indicate that many enterprises lack the adequate metrics needed to assess IT
risk at any given time.
The data is even more revealing when viewed through the ESG security management and operations segmentation
model. While 86% of the total “leader” population has a formal IT risk management program implemented
throughout the enterprise, only 55% of “followers” and just 35% of “laggards” do. Clearly, “followers” and
“laggards” lag behind and are “flying blind” when it comes to understanding whether their organizations are
vulnerable to attack or adequately protected (see Table 3).
Strong security management and operations depends upon a long list of processes and skills, so ESG asked security
professionals to rate their organizations in a number of critical areas (see Figure 21). For the most part,
enterprise firms rated themselves as either “very good” or “good” on standard security best practices.
Figure 20 data. Which of the following best describes how your organization’s IT risk management program is implemented? (Percent of respondents, N=231)
Across the entire enterprise: 74%
Across a majority of business units or divisions, but not across the entire enterprise: 24%
Across some business units or divisions, but not across the entire enterprise: 1%
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model
ESG Security Management and Operations Segment | Percentage with a formal IT risk management program | Percentage with a formal IT risk management program implemented across the enterprise | Percentage of the population with both a formal risk management program and enterprise-wide implementation
Total survey population (all segments) | 73% | 74% | 54%
Leaders | 95% | 91% | 86%
Followers | 79% | 69% | 55%
Laggards | 52% | 68% | 35%
Source: Enterprise Strategy Group, 2012.
Figure 21. Organization’s Rating on Standard Security Best Practices
Source: Enterprise Strategy Group, 2012.
The following is a list of standard security best practices. Please rate your organization in each area. (Percent of respondents, N=315; shown as very good / good / fair / poor)
Deploying IT assets (i.e. hardware and software) in hardened configurations: 42% / 50% / 8% / not labeled on the chart
Network monitoring: 35% / 50% / 13% / 2%
Network security management: 34% / 54% / 10% / 2%
Monitoring the security status of IT assets: 33% / 57% / 9% / 1%
Threat management: 31% / 52% / 15% / 2%
Patching vulnerable systems in a timely manner: 30% / 53% / 16% / 1%
Secure software development lifecycle training, processes, and testing: 30% / 47% / 19% / 3%
Data security controls: 29% / 55% / 14% / 2%
End user security: 29% / 51% / 16% / 3%
Cyber supply chain security: 28% / 50% / 17% / 5%
Host activity monitoring: 25% / 57% / 15% / 3%
Mobile device security: 24% / 48% / 25% / 3%
Security Controls Effectiveness and Testing
Earlier in this report, ESG demonstrated that 45% of security professionals believe regulatory compliance was less
of an influence on their information security strategy than it was a few years ago. One indication of this change is
illustrated by how frequently enterprise firms test the effectiveness of their security controls. When regulatory
compliance is the primary objective, large organizations tend to schedule security controls effectiveness testing
infrequently, exclusively around actual compliance audits. Driven by the increasingly dangerous threat landscape,
many organizations are now willing to be much more diligent with their testing—40% of security professionals say
their organizations test the effectiveness of their security controls “constantly” rather than on an as-needed basis
(see Figure 22).
Figure 22. Frequency of Security Controls Effectiveness Testing
Source: Enterprise Strategy Group, 2012.
On average, how often does your organization test the effectiveness of its security controls? (Percent of respondents, N=304)
Constantly: 40%
Once per week: 15%
Twice per month: 14%
Once per month: 14%
About once per quarter: 10%
Twice a year: 3%
Once per year: 1%
Other: 1%
Don’t know: 3%
Large organizations employ a multitude of methods to test the effectiveness of their security controls (see Figure
23). While most use fairly standard testing methods like network scans and log reviews to perform these functions,
it is worth noting that 43% of security management and operations “leaders” configure and implement assets that
violate security policies to assess how long it takes the security team to detect problems, as compared to 29% of
“followers” and 23% of “laggards.” Seemingly, “leaders” believe it is critically important to “hack” their own
networks in order to measure just how vulnerable they really are.
Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls
Source: Enterprise Strategy Group, 2012.
Which of the following techniques/technologies does your organization use to test the effectiveness of its security controls? (Percent of respondents, N=315, multiple responses accepted)
Network/system scanning: 58%
Scan for rogue systems on the network: 48%
Monitor/analyze log files: 47%
Compliance/IT governance dashboard: 43%
Penetration testing by internal employees: 37%
Help desk calls: 34%
Third-party penetration testing: 34%
Configure and implement assets that violate security policies to assess how long it takes for the security team to detect problems: 30%
Monitor/analyze CMDB: 29%
We do not test the effectiveness of our security controls: 1%
According to ESG’s survey respondents, large organizations constantly assess their security management
capabilities using a number of metrics including the number of security events discovered, the number of
security/IT audit violations or failures, and the number of vulnerable systems discovered (see Figure 24). These
assessments were fairly consistent across “leaders,” “followers,” and “laggards” with a few exceptions. For
example, “leaders” were somewhat more diligent in all areas and tended to put more emphasis on the time to
remediate a compromised system (37% as opposed to 28% of the overall survey population).
Figure 24. Metrics Used to Gauge Effectiveness of Security Management
Source: Enterprise Strategy Group, 2012.
Which of the following metrics does your organization use to gauge the effectiveness of its security management? (Percent of respondents, N=315, multiple responses accepted)
Number of security events discovered: 45%
Number of security/IT audit violations/failures: 43%
Number of vulnerable systems discovered: 38%
Number of overall security tests (system scans, penetration tests, etc.) performed by the organization: 32%
Number of systems determined to be out of compliance with security configuration standards: 32%
Number of service calls related to security incidents: 32%
Time between system compromise and detection by the security team: 30%
Time to remediate a compromised system: 28%
Number of unapproved systems discovered on the network: 27%
Number or percent of employees provided with the latest security training: 22%
Number of stale user accounts discovered: 21%
Enterprise firms depend upon a myriad of disparate security technologies at every layer of the technology stack.
Historically, these tools were often purchased separately and operated by different IT functional groups, and
CISOs relied upon these individual tools in aggregate to provide a layered cybersecurity defense.
Given this somewhat haphazard strategy, ESG wondered which of these individual tools security professionals
considered to be most and least effective (see Figure 25). There is a bit of a pattern here. The tools deemed most
effective tend to be those with which security professionals have the most experience, like network firewalls, or those
that act as independent security filters once deployed on the network (i.e., web threat management, endpoint
security software, etc.). Conversely, security professionals seem to have a more difficult time with security
technologies that demand custom configurations, advanced training, or advanced analysis. Security technology
vendors and service providers should take note here, as there are revenue opportunities in helping large
organizations gain efficiency with these products.
Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed
Source: Enterprise Strategy Group, 2012.
Which of the following would you say most effectively performs the tasks it was designed for (i.e., delivers effective protection, ease-of-use, strong reporting, etc.)? (Percent of respondents, N=315, multiple responses accepted)
Network firewall: 56%
Application firewall: 44%
Web threat management: 40%
Endpoint anti-malware software: 39%
Anti-malware network gateways: 38%
Messaging security: 37%
Log management: 33%
SIEM: 23%
IDS/IPS: 22%
Situational Awareness
In addition to formal and comprehensive risk management programs, effective security management and
operations depends upon a deep understanding of IT behavior. In other words, security professionals must know
what represents “normal” behavior and how deviations from the norm may indicate suspicious or malicious
activities. It appears that many large organizations believe they do have the right skills and knowledge around
normal and anomalous IT behavior—most respondents “strongly agree” or “agree” that they can effectively detect
suspicious activity or an attack in progress (see Figure 26). When analyzed by the ESG security management and
operations model, responses to this question aligned in a predictable manner: 50% of “leaders” responded
“strongly agree,” as compared to 22% of “followers” and only 10% of “laggards.”
Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack
Source: Enterprise Strategy Group, 2012.
Of course, any deviation from normal behavior may indicate suspicious activity or a security attack in progress.
Detecting these activities requires real-time visibility. As a group, security professionals seem relatively
comfortable with their organizations’ capabilities in this area: 81% rate their organization’s level of security visibility
as either excellent or good (see Figure 27). As expected, levels of visibility vary based on the ESG security
management and operations segmentation model. Thirty-seven percent of “leaders” believe their level of security
visibility is excellent, as compared to 23% of “followers” and just 11% of “laggards.” Conversely, only 7% of
“leaders” rated their organization’s level of security visibility as fair or poor. By comparison, 12% of “followers” and
34% of “laggards” rated their organization’s level of security visibility as fair or poor (see Figure 28).
Figure 26 data. Please respond to the following statement: I believe that my organization has a very good understanding of normal IT behavior and could easily detect anomalous/suspicious activity or an attack in progress. (Percent of respondents, N=315)
Strongly agree: 23%
Agree: 55%
Neither agree nor disagree: 16%
Disagree: 3%
Strongly disagree: 2%
Figure 27. Level of Visibility of Security Status
Source: Enterprise Strategy Group, 2012.
Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model
Source: Enterprise Strategy Group, 2012.
Figure 27 data. Which of the following statements most accurately characterizes the level of visibility your organization has of its security status? (Percent of respondents, N=315)
Excellent. We have set up the right data collection, analysis, and dashboards to have real-time visibility of our security status: 22%
Good. We collect and analyze all of the necessary data but we depend upon manual processes and analysis for visibility into our security status: 59%
Fair. We collect and analyze all of the data we can but there are some areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 15%
Poor. We collect and analyze some data but there are many areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 3%
Don’t know: 1%
Figure 28 data. Level of visibility organization has into its security status, by segmentation (percent of respondents; shown as excellent / good / fair / poor / don’t know)
Laggard (N=101): 11% / 53% / 26% / 9% / 2%
Follower (N=154): 23% / 64% / 11% / 1% / 1%
Leader (N=60): 37% / 55% / 7% / not labeled on the chart / 2%
Security visibility is a function of collecting and analyzing a multitude of data from all IT domains throughout the
enterprise. This process can be difficult as it depends upon numerous technical, organizational, and human
elements. According to the security professionals surveyed, the biggest inhibitors to real-time security visibility
include the need for tighter integration between security and IT operations tools (34%), the need for better security
analysis and forensic skills (33%), and the need for more automated security analytics from their security tools
(29%) (see Figure 29).
Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility
Source: Enterprise Strategy Group, 2012.
Of the following, which are the biggest inhibitors to having real-time and comprehensive security visibility at your organization? (Percent of respondents, N=315, multiple responses accepted)
Need tighter integration between security intelligence and IT operations tools: 34%
Need better security analysis/forensic skills at our organization: 33%
Need better automated analytics from our security intelligence tools: 29%
Need for better networking visibility: 28%
Need a better understanding of user behavior: 28%
Need better tools to baseline normal behavior so we can detect anomalies: 27%
Need a better understanding of application behavior: 24%
Need a better understanding of server virtualization technology behavior: 22%
Need a better understanding of network behavior: 22%
Need a better understanding of host behavior: 21%
In addition to security visibility, enterprise organizations need strong incident response policies and procedures
when security attacks are detected. When it comes to incident response, security professionals surveyed by ESG
claim that their organizations are especially weak in areas such as performing forensic analysis to determine the
root cause of problems (27%), determining which assets remain vulnerable to an attack (27%), and gathering the
right data for accurate situational awareness (24%) (see Figure 30).
It is also interesting—and worrisome—to note that nearly one-in-four organizations (23%) say that reporting
security incidents—whether inside or outside the company—is not a strength of their incident response
capabilities.
Figure 30. Weakest Aspects of Incident Response
Source: Enterprise Strategy Group, 2012.
Which of the following aspects of incident response are weakest at your organization? (Percent of respondents, N=315, multiple responses accepted)
Performing forensic analysis to determine the root cause of the problem: 27%
Determining which assets, if any, remain vulnerable to a similar type of attack: 27%
Gathering the right data for accurate situational awareness: 24%
Reporting security incidents externally: 23%
Reporting security incidents internally: 23%
Analyzing security intelligence to detect security incidents: 23%
Altering security controls to prevent future similar incidents: 22%
Understanding the impact and/or scope of a security incident: 20%
Taking action to minimize the impact of an attack: 17%
None of the above: 10%
Assessing the State of Security Information and Event Management (SIEM)
For the purposes of this project, security information and event management (SIEM) was defined as:
Technology that provides real-time analysis of security alerts generated by network hardware and
applications. SIEM solutions come as software, appliances, or managed services, and are also used to log
security data and generate reports for compliance purposes.
According to the security professionals surveyed, 47% of large organizations have SIEM systems in place today
while another 24% plan to implement a SIEM platform in the next 12 months (see Figure 31).
Figure 31. SIEM Deployment
Source: Enterprise Strategy Group, 2012.
Based on the definition above, does your organization have a SIEM system currently deployed? (Percent of respondents, N=315)
Yes: 47%
No, but we plan on implementing a SIEM system in the next 12 months: 24%
No, but we are interested in doing so: 16%
No, no plans or interest: 9%
Don’t know: 5%
ESG’s data suggests that organizations with SIEM solutions are an elite, security-conscious group willing to put time
into implementing, learning, and tuning their SIEM systems: Respondents tended to rate their SIEM
feature/functionality as “highly effective” or “effective” in most areas (see Figure 32), although ease of use and
visibility into both network and end-user behavior stand out as potential areas for improvement.
Figure 32. Effectiveness of SIEM
Source: Enterprise Strategy Group, 2012.
Please rate your organization’s SIEM system in the following areas: (Percent of respondents, N=147)
Areas rated: visibility into user behavior; customization for specific use cases; ease-of-use; integration with other security tools; value; performance; visibility into network behavior; analytics; visibility into host behavior; scalability; event detection.
Rating scale: highly effective, somewhat effective, not very effective, not at all effective, don’t know.
Changing Attitudes Towards Security Management
A majority of security professionals agree that security management has become “significantly more difficult” (18%)
or “somewhat more difficult” (44%) than it was 24 months ago (see Figure 33). Interestingly, organizations
classified as security “leaders” in the ESG security management and operations segmentation model seem to be
experiencing this change the most—33% of “leaders” say that security management is significantly more difficult
than it was 24 months ago as compared to 18% of the overall survey population.
ESG believes that security “leaders” are likely aggressive IT users with complex infrastructures and leading-edge
applications, so it follows that security management challenges are most pronounced in these organizations.
Nevertheless, the security management challenges “leaders” face today are likely a harbinger. “Laggard” and
“follower” organizations should anticipate similar security management difficulties as they move forward with new
IT initiatives and plan accordingly.
Figure 33. How Security Management has Changed Over Past 24 Months
Source: Enterprise Strategy Group, 2012.
How has security management changed over the past 24 months? (Percent of respondents, N=315)
Significantly more difficult than it was 24 months ago: 18%
Somewhat more difficult than it was 24 months ago: 44%
About the same as it was 24 months ago: 30%
Somewhat less difficult than it was 24 months ago: 3%
Significantly less difficult than it was 24 months ago: 2%
Don’t know / no opinion: 2%
What is making security management more difficult? ESG believes this is due to a number of factors, including:
• Increasing threat volume and sophistication.
• Security management’s strong dependency on individual skills and manual processes.
• Pervasive security skills shortages at enterprise organizations.
In addition, the introduction of new and often immature technologies can also make security management and
operations more complex. To test this hypothesis, ESG presented security professionals with a list of nascent IT
technologies and policies and asked them about their impact on security management and operations. Of these,
31% of security professionals believe that cloud computing is making security management and operations much
more difficult, while 30% of security professionals believe that mobile devices are making security management and
operations much more difficult (see Figure 34). While these two areas stand out, ESG believes it is worth noting that
at least 40% of security professionals believe that each of the technologies or policies listed has made security
management and operations more difficult to some extent. What’s more, new technologies and policies are often
adopted concurrently, creating a multiplicative impact on security management and operations.
Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations
Source: Enterprise Strategy Group, 2012.
As previously mentioned, security management and operations is often based upon an error-prone mix of
individual skills and manual processes. Unfortunately, these dependencies are a mismatch for today’s threat
landscape and complex, highly-virtualized, and rapidly-evolving IT infrastructure. Given this incongruence, it is not
surprising to see that more than half of large organizations are using their security and IT operations tools together
to automate security remediation tasks (see Figure 35). In these automated instances, a security “event”
discovered by a security analytics tool initiates some IT operations action like blocking an Ethernet switch port,
creating a new firewall rule, or quarantining a server exhibiting suspicious behavior.
Security management and operations “leaders” are the most aggressive in this area: 76% are using security and IT
operations tools in concert to automate security remediation tasks as compared to 60% of “followers” and 36% of
“laggards.” This may be a function of the influence of the security organization and its relationship with other IT
groups, primarily network operations. Security management and operations “leaders” likely have formal shared
processes, strong communications, and integrated technology tools between the security and IT operations team.
These elements act as a foundation for collective action and security automation.
According to Figure 36, the most common automated security actions currently executed by ESG’s survey
respondents include blocking URLs or web content (66%), generating firewall/IDS/IPS rules based upon network
behavior or event detection (53%), and launching an immediate network scan as a result of some type of trigger
event (51%).
Figure 34 data. How has the introduction of the following technologies and policies altered security management and operations at your organization? (Percent of respondents, N=315; shown as much more difficult / somewhat more difficult / no impact / somewhat easier / much easier / don’t know or not applicable)
Cloud computing: 31% / 38% / 16% / 6% / 3% / 6%
Mobile devices: 30% / 32% / 21% / 9% / 5% / 2%
Remote worker policies: 18% / 38% / 29% / 7% / 3% / 4%
BYOD policies: 17% / 30% / 31% / 7% / 5% / 10%
Server virtualization: 13% / 38% / 32% / 10% / 4% / 2%
Web applications / SOA: 9% / 37% / 38% / 11% / 3% / 3%
Desktop virtualization: 6% / 34% / 41% / 9% / 3% / 6%
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks
Source: Enterprise Strategy Group, 2012.
Figure 36. Automated Actions Currently Executed
Source: Enterprise Strategy Group, 2012.
Figure 35 data. Does your organization use its security and IT operations tools in concert to automate security remediation tasks (i.e. block activities, disable a port, change access policy enforcement, etc.)? (Percent of respondents, N=315)
Yes: 56%
No, but we plan on doing so within the next 12 months: 25%
No, but we are interested in doing so: 13%
No plans or interest: 4%
Don’t know: 3%
Figure 36 data. Which of the following automated actions does your organization currently execute? (Percent of respondents, N=176, multiple responses accepted)
Block URLs or web content: 66%
Generate firewall/IDS/IPS rules based upon network behavior or event detection: 53%
Launch an immediate network scan: 51%
Enforce different access policies based upon device type, user location, time of day, etc.: 47%
Remove host systems from the network based on malware detection, anomalous system behavior, etc.: 47%
Grant limited network access: 46%
Ask users to re-authenticate based upon some anomalous user activity: 41%
Divert a system to a remediation VLAN/server: 26%
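As an added illustration of the event-to-action integration described above (not ESG’s or any vendor’s code): a hypothetical remediation playbook in Python that maps detections to the automated actions listed in Figure 36, with two guards a defender would want, no unattended disconnect of a mission-critical asset and a cap on disconnects per batch so that a noisy detection cannot take the business offline by itself. Tool names, event categories, severity thresholds and the sample events are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    """An alert raised by a security analytics tool (constructed sample records)."""
    source: str                    # tool that produced the alert
    kind: str                      # detection category, see PLAYBOOK keys
    severity: int                  # 1 (informational) .. 5 (critical)
    target: str                    # host, user or URL the event concerns
    critical_asset: bool = False   # from the asset classification of the risk program


@dataclass(frozen=True)
class Action:
    operation: str                 # the IT operations task to trigger
    target: str
    automatic: bool                # True: executed unattended; False: queued for an operator


# Hypothetical playbook: detection category -> (automated action, minimum severity
# at which it fires without a human in the loop). Actions follow Figure 36.
PLAYBOOK: Dict[str, Tuple[str, int]] = {
    "malicious_url": ("block_url", 1),                    # block URLs or web content
    "rogue_host": ("launch_network_scan", 1),             # immediate network scan
    "anomalous_user": ("require_reauthentication", 2),    # ask the user to re-authenticate
    "port_scan": ("generate_firewall_rule", 3),           # firewall/IDS/IPS rule from behavior
    "malware_detected": ("remove_host_from_network", 3),  # disable the switch port / quarantine
}

# Blast-radius limit: how many hosts one batch of events may disconnect unattended.
MAX_AUTO_DISCONNECTS = 2


def decide(event: SecurityEvent, disconnects_so_far: int) -> Optional[Action]:
    """Translate one event into an action, or None when no automation applies
    (the event then stays in the analyst queue)."""
    entry = PLAYBOOK.get(event.kind)
    if entry is None:
        return None
    operation, min_severity = entry
    if event.severity < min_severity:
        return None
    if operation == "remove_host_from_network":
        # Never disconnect a mission-critical system unattended: divert it to a
        # remediation VLAN and let an operator confirm. Stop mass disconnects once
        # the batch limit is reached; a false positive must not cascade on its own.
        if event.critical_asset:
            return Action("divert_to_remediation_vlan", event.target, automatic=False)
        if disconnects_so_far >= MAX_AUTO_DISCONNECTS:
            return Action(operation, event.target, automatic=False)
    return Action(operation, event.target, automatic=True)


def run_playbook(events: List[SecurityEvent]) -> List[Tuple[SecurityEvent, Optional[Action]]]:
    """Process a batch in order and return the audit trail of (event, decision)."""
    trail: List[Tuple[SecurityEvent, Optional[Action]]] = []
    disconnects = 0
    for event in events:
        action = decide(event, disconnects)
        if action and action.automatic and action.operation == "remove_host_from_network":
            disconnects += 1
        trail.append((event, action))
    return trail


def automatic_actions(trail) -> List[Action]:
    return [a for _, a in trail if a is not None and a.automatic]


def pending_approval(trail) -> List[Action]:
    return [a for _, a in trail if a is not None and not a.automatic]


# Constructed batch: a malware outbreak on the workstation segment plus routine noise.
SAMPLE_EVENTS = [
    SecurityEvent("web-proxy", "malicious_url", 2, "http://placeholder.example/bad"),
    SecurityEvent("ueba", "anomalous_user", 1, "jsmith"),           # below threshold
    SecurityEvent("nac", "rogue_host", 1, "10.0.0.77"),
    SecurityEvent("endpoint-av", "malware_detected", 4, "ws-101"),
    SecurityEvent("endpoint-av", "malware_detected", 4, "ws-102"),
    SecurityEvent("endpoint-av", "malware_detected", 5, "erp-app-01", critical_asset=True),
    SecurityEvent("endpoint-av", "malware_detected", 4, "ws-103"),  # over the batch limit
    SecurityEvent("ids", "port_scan", 2, "10.0.0.50"),               # below threshold
    SecurityEvent("dlp", "data_exfil", 5, "ws-104"),                 # not in the playbook
]


if __name__ == "__main__":
    for event, action in run_playbook(SAMPLE_EVENTS):
        print(f"{event.source:12} {event.kind:17} {event.target:32} -> {action}")
```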
With security management and operations becoming increasingly difficult, many organizations will make a number
of security technology strategy decisions over the next few years. Most significantly, security professionals say that
their organizations will (see Figure 37):
• Design and build a more integrated enterprise security architecture. In the past, even large security-
conscious organizations addressed information security risks with a series of standalone point tools
deployed independently across the network. This created “islands of security” with no central command-
and-control or situational awareness. The data indicates that 44% of large organizations intend to design
and build a more integrated enterprise security architecture to alleviate shortcomings associated with
existing tactical defenses.
• Include new data sources for security intelligence. To monitor and analyze their information security
status, large organizations tended to rely on data sources like log files, NetFlow, and esoteric tools like
database activity monitoring (DAM) systems. A fairly large population (39%) of the enterprise organizations
surveyed plan to include new data sources for security intelligence moving forward. Examples of these
sources could be full IP packet capture (PCAP), user access and behavior monitoring, or external data feeds
from cloud providers. This data may foretell an emerging “big data” requirement for future security
analytics platforms.
Responses were fairly consistent across all segments of the ESG security management and operations
segmentation model, but it is worth noting that 35% of security “leaders” say they will actively decrease the
number of vendors they buy products from, compared with 23% of “followers” and 13% of “laggards.” Given the
data described above, it is likely that “leaders” are looking to eschew point-tool-only vendors in favor of more
enterprise-class and tightly integrated alternatives from an elite few.
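The “islands of security” problem and the value of adding a second data source are easier to see in code than in survey percentages. The example below is added for this edit and is not from the ESG report or its sponsor: it joins NetFlow-style flow records with host logon events so that a large off-hours transfer to an external address can be attributed to a user and logon type, something neither source shows on its own. The flow and logon records are constructed sample data; the 50 MB threshold, the RFC 1918 definition of “internal,” the four-hour attribution window and the 07:00–19:00 business-hours range are assumptions chosen for illustration.

```python
"""Multi-source correlation: NetFlow-style egress records joined with logon events.

Added example with constructed data; thresholds and windows are assumptions.
"""
from datetime import datetime, timedelta
import ipaddress

MB = 1_000_000

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("2012-06-01T02:14:05", "10.1.4.23", "198.51.100.7", 443, 52 * MB),
    ("2012-06-01T02:16:40", "10.1.4.23", "198.51.100.7", 443, 61 * MB),
    ("2012-06-01T09:02:11", "10.1.4.50", "10.1.9.2", 445, 120_000),
    ("2012-06-01T11:05:00", "10.1.4.77", "203.0.113.9", 443, 75 * MB),
    ("2012-06-01T14:30:00", "10.1.4.23", "10.1.9.2", 445, 80_000),
]

# Constructed sample logon events: (timestamp, user, host_ip, logon_type).
# Logon type 10 is a remote interactive (RDP) session; type 2 is a console logon.
AUTH_EVENTS = [
    ("2012-06-01T02:10:30", "jdoe", "10.1.4.23", 10),
    ("2012-06-01T08:58:02", "asmith", "10.1.4.50", 2),
    ("2012-06-01T14:28:44", "jdoe", "10.1.4.23", 2),
]

# Assumption: "internal" means RFC 1918 space; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def latest_logon(host, before, events, window):
    """Most recent logon on `host` within `window` before time `before`, or None."""
    best = None
    for ts, user, ev_host, logon_type in events:
        t = parse_ts(ts)
        if ev_host == host and before - window <= t <= before:
            if best is None or t > best[0]:
                best = (t, user, logon_type)
    return best


def correlate(flows=FLOWS, events=AUTH_EVENTS, min_bytes=50 * MB,
              window=timedelta(hours=4), business_hours=(7, 19)):
    """Flag large egress flows and enrich each with the logon that most likely owns it.

    A flow-only view would report host and volume; the join adds user, logon type
    and whether the transfer fell outside business hours.
    """
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        if is_internal(dst) or nbytes < min_bytes:
            continue  # internal traffic or small transfer: not an egress concern here
        t = parse_ts(ts)
        logon = latest_logon(src, t, events, window)
        alerts.append({
            "time": ts,
            "host": src,
            "dst": f"{dst}:{port}",
            "mbytes": nbytes // MB,
            "user": logon[1] if logon else None,          # None: no logon source to attribute
            "remote_logon": bool(logon and logon[2] == 10),
            "off_hours": not (business_hours[0] <= t.hour < business_hours[1]),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

Run as-is, the script produces three alerts: two off-hours transfers from 10.1.4.23 attributed to jdoe over an RDP session, and one daytime transfer from 10.1.4.77 with no user at all, which is exactly the gap an organization closes by adding user access and behavior monitoring as a data source.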
Figure 37. How Security Technology Strategy Decisions Will Change
Source: Enterprise Strategy Group, 2012.
Do you believe that your organization will change its security technology strategy decisions in any of the
following ways over the next 24 months in order to improve its security management? (Percent of respondents,
N=315, multiple responses accepted)
• Design and build a more integrated enterprise security architecture: 44%
• Include new data sources for security intelligence: 39%
• Buy more security suites from a single vendor: 24%
• Actively decrease the number of security vendors we buy from: 22%
• We will not change our security technology strategy decisions over the next 24 months: 9%
The security professionals surveyed by ESG report a number of security management challenges that will need to
be addressed moving forward. Specifically, respondents pointed to issues such as security budget constraints
(50%), the amount of time spent “fire fighting” or reacting to events (30%), and a lack of appropriate security skills
(24%) (see Figure 38). These challenges were consistent across all three segments of the ESG security management
and operations segmentation model with one exception: While 18% of the overall survey population indicated a
challenge around a lack of executive management support, these results were heavily skewed towards “laggards.”
While just 12% of “leaders” and 14% of “followers” point out a lack of executive management support as a security
management challenge, some 28% of “laggards” report such a lack of executive support. It is safe to assume that
this lack of management buy-in is a significant factor in why these organizations are ultimately classified as security
“laggards.”
Figure 38. Biggest Security Management Challenges
Source: Enterprise Strategy Group, 2012.
Which of the following would you say are the biggest security management challenges at your organization?
(Percent of respondents, N=315, multiple responses accepted)
• Budget constraints: 50%
• Security team spends too much of its time reacting to problems and not enough time with proactive security
management or strategic planning: 30%
• Lack of the appropriate security skills within IT: 24%
• Too many security tools: 23%
• We lack the appropriate level of security intelligence to make accurate and timely decisions: 19%
• Lack of the appropriate security skills within the security team: 19%
• Lack of executive management support: 18%
• Security is not considered as part of business process and IT deployment design and planning process: 14%
• None of the above: 7%
Hpesp wp esg_research-security_mgmtandoperations

  • 1. ESG Research Final Sponsor Report Security Management and Operations By Jon Oltsik, Senior Principal Analyst With Kristine Kao and Jennifer Gahm June 2012 © 2012, The Enterprise Strategy Group, Inc. All Rights Reserved.
  • 2. Research Report: Security Management and Operations 2 © 2012, The Enterprise Strategy Group, Inc. All Rights Reserved. Contents List of Figures................................................................................................................................................3 List of Tables .................................................................................................................................................4 Executive Summary ......................................................................................................................................5 Report Conclusions................................................................................................................................................... 5 Introduction..................................................................................................................................................8 Research Objectives ................................................................................................................................................. 
8 Research Findings.......................................................................................................................................10 The ESG Security Management and Operations Segmentation Model .................................................................10 The State of Security Management and Operations..............................................................................................13 The Evolving Security Organization........................................................................................................................19 Security Organization Responsibilities ...................................................................................................................22 Security Services Trends.........................................................................................................................................24 Risk Management Strategies..................................................................................................................................27 Security Controls Effectiveness and Testing...........................................................................................................30 Situational Awareness ............................................................................................................................................34 Assessing the State of Security Information and Event Management (SIEM) .......................................................38 Changing Attitudes Towards Security Management..............................................................................................40 Research Implications.................................................................................................................................45 Research Implications for Technology Vendors .....................................................................................................45 Research 
Methodology...............................................................................................................................48 Respondent Demographics.........................................................................................................................49 Respondents by Role in Purchasing Decisions .......................................................................................................49 Respondents by Current Responsibility..................................................................................................................49 Respondents by Number of Employees .................................................................................................................50 Respondents by Industry........................................................................................................................................50 Respondents by Annual Revenue...........................................................................................................................51
List of Figures

Figure 1. ESG Security Management and Operations Segmentation Model Criteria ..... 11
Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model ..... 11
Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012 ..... 13
Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions ..... 14
Figure 5. How Security is Viewed at Organizations ..... 16
Figure 6. Perception of CISO within Organization ..... 16
Figure 7. Level of Engagement of Executive Management Team ..... 17
Figure 8. Characterization of Executive Management Team ..... 17
Figure 9. Organizations Increasing Security Headcount ..... 19
Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model ..... 19
Figure 11. Areas of Information Security with a Shortage of Existing Skills ..... 20
Figure 12. Current State of Information Security Professional Recruitment/Hiring ..... 21
Figure 13. Information Security Organization’s Level of Responsibility ..... 22
Figure 14. Groups Security Team Works With Most Closely ..... 23
Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012 ..... 24
Figure 16. How Use of Third-Party Professional/Managed Services has Changed ..... 24
Figure 17. Reasons for Increasing Use of Third-Party Security Services ..... 25
Figure 18. Areas of Third-Party Security Services Used ..... 26
Figure 19. Formal IT Risk Management Programs in Place ..... 27
Figure 20. How Formal IT Risk Management Program is Implemented ..... 28
Figure 21. Organization’s Rating on Standard Security Best Practices ..... 29
Figure 22. Frequency of Security Controls Effectiveness Testing ..... 30
Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls ..... 31
Figure 24. Metrics Used to Gauge Effectiveness of Security Management ..... 32
Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed ..... 33
Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack ..... 34
Figure 27. Level of Visibility of Security Status ..... 35
Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model ..... 35
Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility ..... 36
Figure 30. Weakest Aspects of Incident Response ..... 37
Figure 31. SIEM Deployment ..... 38
Figure 32. Effectiveness of SIEM ..... 39
Figure 33. How Security Management has Changed Over Past 24 Months ..... 40
Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations ..... 41
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks ..... 42
Figure 36. Automated Actions Currently Executed ..... 42
Figure 37. How Security Technology Strategy Decisions Will Change ..... 43
Figure 38. Biggest Security Management Challenges ..... 44
Figure 39. Survey Respondents, by Role in Security Management Purchasing Decisions ..... 49
Figure 40. Survey Respondents, by Current Responsibility ..... 49
Figure 41. Survey Respondents, by Number of Employees ..... 50
Figure 42. Survey Respondents, by Industry ..... 50
Figure 43. Survey Respondents, by Annual Revenue ..... 51
List of Tables

Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model ..... 15
Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model ..... 18
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model ..... 29

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
Executive Summary

Enterprise Strategy Group (ESG) conducted an in-depth research survey on the subject of security management and operations with 315 U.S.-based security professionals working at enterprise-class (i.e., 1,000 employees or more) organizations. For the purposes of this project, survey respondents were asked a series of questions about their organization’s information security philosophy, staffing, and services, as well as security management and operations technology adoption and purchasing plans. The objectives of this report were as follows:

• Appraise the current state of security management and operations. Strong information security depends upon an integrated mix that includes organizational leadership, formal policies, documented processes, skilled tacticians, and layers of complementary technical defenses. In this report, ESG looked at these areas to gather a comprehensive viewpoint on enterprise security management and operations. ESG also looked into three specific aspects of security management and operations: risk management, incident detection, and incident response. Finally, this report was intended to highlight specific security management and operations challenges and determine what, if anything, large organizations were doing to overcome them.

• Understand security management and operations changes. Driven by technologies such as server virtualization, cloud computing, web-based applications, and mobile devices, enterprise IT is going through numerous simultaneous changes. At the same time, large firms also face an increasingly difficult threat landscape featuring exponential malware growth and damaging targeted attacks. This research report looks at how IT and information security trends are transforming enterprise security management and operations requirements today and in the future.

• Explore the links between information security and business operations. As part of the research conducted for this report, ESG spoke with numerous enterprise security professionals. Many of these individuals indicated that executive managers were much more engaged with information security than in the past. As one CISO put it: “Every time the Wall Street Journal includes an article about a security breach, I can anticipate a call from our CEO asking if we are vulnerable to a similar type of attack.” While there is plenty of anecdotal evidence suggesting that executive managers are paying closer attention to information security, ESG wanted to take the opportunity to collect data in order to validate or refute this thesis.

• Analyze the impact of security skills shortages. ESG’s 2012 IT Spending Intentions Survey found that 23% of organizations believe they have a “problematic shortage” of IT security skills, and that 39% of organizations planned to add information security staff in 2012. This data is indicative of a growing information security skills shortage that ESG continues to track. In this report, ESG pushed further to find out exactly where IT security skills are most needed and whether organizations were busy recruiting help or offloading internal security tasks to third-party service providers.

• Evaluate how large organizations measure their security management and operations effectiveness. As the old adage states, “you can’t manage what you can’t measure.” With this in mind, ESG wanted to understand the methods used to gauge the effectiveness of current security programs and technical controls.

Report Conclusions

Based on the data collected from this survey, ESG concludes:

• Most large organizations have significant security management and operations shortcomings. Based upon a number of select criteria, ESG segmented the entire survey population into three sub-groups we classified as security management “leaders,” “followers,” and “laggards.” Security management and operations “leaders” comprised just 19% of the total survey population, meaning that 81% were deficient in one or multiple areas. Additionally, ESG found security management and operations “leaders” were not resting on their laurels. For example, these enterprises were most aggressive in terms of hiring additional security staff, engaging third-party security service providers, and investing in new types of technical controls. Even with these steps, the data suggests that most large organizations may be extremely vulnerable to future types of security attacks.

• New technologies make security management and operations more difficult. More than half of security professionals say that cloud computing, mobile devices, and remote worker policies are making security management and operations “much more difficult” or “somewhat more difficult” at their organizations. This is not surprising since new IT initiatives are often based upon immature technology, emerging and/or hard-to-find skill sets, and ill-defined or inadequate controls.

• Information security is becoming an enterprise-class function. The data points to an ongoing intellectual shift in which information security is increasingly perceived as a core responsibility of the organization rather than a series of IT tasks and compliance oversight. For example, 44% of organizations say that information security is aligned with corporate culture and 55% say that information security is aligned with business processes. In spite of these trends, however, information security still has a long way to go in many organizations. When asked to identify the most important factors driving their information security strategy, many companies remain grounded in classic infosec roots: 55% of large organizations say “protecting sensitive data and Intellectual Property (IP)” is driving IT security strategy, while 50% say “regulatory compliance” is driving their information security strategy. Of course, these factors remain the foundation of information security strategy, but they don’t extend to business processes or incorporate the entire organization beyond IT. Given the preponderance of network-based business processes and Internet/web communications, information security should be more pervasive beyond the IT organization and regulatory compliance domains alone.

• Information security management and operations relies on cooperative responsibilities across the IT organization. Security management and operations tasks like establishing controls for security policy enforcement, developing security policies, and working with business units to define security needs depend upon strong collaboration between information security and other IT and business groups. As a general rule, information security teams work most closely with other functional IT groups like network operations and server administrators, and IT oversight functions like IT and regulatory compliance auditors. ESG sees deeper meaning in these data points. An organization may have world-class security expertise and best-of-breed security technology controls, but the overall effectiveness of its information security programs and strategy depends upon the working relationship, shared processes, and communication between the information security group and a number of other functional IT teams. If these relationships are dysfunctional, information security success will likely be marginal at best.

• Security assessment testing frequency varies widely. Forty percent of organizations test the effectiveness of their security controls constantly, 15% test the effectiveness of their security controls on a weekly basis, 14% do so twice a month, and 14% conduct these tests on a quarterly basis. This data is generally encouraging, as infrequent security controls testing increases vulnerability and overall IT risk.

• Security monitoring and visibility is a mixed bag. A vast majority (81%) of security professionals say that their organization’s level of visibility about its security status is either “excellent” or “good.” Nevertheless, security status visibility gaps remain. When asked to identify areas that inhibit real-time and comprehensive security visibility, 34% said they need tighter integration between security and IT operations tools, 33% said they need better security analysis/forensic skills at their organization, and 29% said they need better automated analytics from their security intelligence tools.

• Large organizations have numerous weaknesses with incident response. Twenty-seven percent of large organizations report weaknesses performing security forensics to determine the root cause of a problem, 27% say they have weaknesses determining which assets remain vulnerable to similar attacks, and 24% point to weaknesses gathering the right data for accurate situational awareness. These deficiencies were consistent across all three groups of the ESG security management and operations segmentation model.

• CISOs are increasing their use of automated security remediation. More than half of large organizations (56%) are using their security and IT operations tools in concert to automate security remediation tasks. In terms of common automation chores, 66% employ security/IT operations automation to block URLs or web content, 53% generate firewall or IDS/IPS rules based upon network behavior or event detection, and 51% use risk management “triggers” to launch an immediate network scan.

• Security budgets remain a major obstacle. When asked to identify their most significant security management challenges, 50% of organizations pointed first and foremost to budget constraints. ESG is somewhat concerned that this response was common across security management “leaders,” “followers,” and “laggards”—apparently even the best-prepared organizations still believe they are under-funded in their mission. Beyond budgetary problems, 30% say the security team spends too much of its time reacting to problems (and not enough time with proactive security management or strategic planning), 24% say they are challenged by a lack of appropriate security skills within the security organization, and 23% are challenged by too many security tools. It is also worth noting that 28% of security management and operations “laggards” are challenged by a lack of executive management support. This was much higher than the other segments.

• The security skills shortage is widespread. More than half (55%) of organizations plan to increase security headcount in 2012, yet 83% say that it is “extremely difficult” or “somewhat difficult” to recruit and hire security professionals. When asked to identify the areas of information security where they have a problematic skills shortage, 43% pointed to cloud/server virtualization security. Other areas identified include endpoint/mobile device security (31%), network security (31%), security analysis/forensics (30%), and data security (30%). Clearly, security skills deficits are widespread and will likely get worse in the near future, exacerbating the need for efficient and effective security management and operations technologies and processes.

• Large organizations are increasing their use of security services. Given the shortage of security skills, it is not surprising that 62% of enterprises plan on using third-party professional or managed security services in 2012. Additionally, 16% of large organizations say that their use of third-party professional or managed services has “increased substantially” over the past 24 months, while 42% say that their use of third-party professional or managed services has “increased somewhat” over the same period. Security management and operations “leaders” are most active here: 36% say that their use of third-party providers has “increased substantially” over the past 24 months. The top four security services currently used by organizations are security design (33% of organizations), security/risk management/regulatory compliance assessments (30%), network monitoring (30%), and threat management intelligence (30%).

• New security technology decisions are on the horizon. The evolving threat landscape, along with current security weaknesses, is persuading large organizations to make significant security technology changes. For instance, 44% of large organizations say they will design and build a more integrated security architecture, 39% will include new data sources for security intelligence, and 24% plan to buy more security suites from a single vendor. While 22% of all organizations also say they will actively decrease the number of security vendors they buy from, one-third of organizations classified as security management and operations “leaders” plan to reduce the number of security technology vendors they buy from today. This may be a leading indicator of market consolidation as “followers” and “laggards” adopt similar purchasing tactics.
Introduction

Research Objectives

In order to assess the state of information security management and operations in 2012 and beyond, ESG surveyed 315 security professionals working at enterprise-class (1,000 employees or more) organizations in North America. All respondents were personally responsible for or familiar with their organizations’ 2011 information security strategies as well as their 2012 IT security budget and spending plans at either an organizational or business unit/division/branch level. To assess current and future information security management and operations strategies, survey respondents were asked to respond to questions in areas such as:

• The role of information security within the organization.
  o How is the CISO (or similar role) perceived within the organization?
  o Is information security considered an integral part of the corporate culture? Is information security well aligned with business processes?
  o Is the executive management team actively engaged in information security issues? If so, how? Does the executive management team have the right level of information security knowledge and skills?

• Information security organization and skills.
  o What are the primary responsibilities of the information security team? Which tasks are shared between information security and other IT groups?
  o Are organizations suffering from information security skills shortages? If so, in what areas?
  o How are organizations consuming third-party security services today? Is the use of third-party security services increasing? Which security services are most popular?

• Security management and operations landscape.
  o Is information security driven solely by regulatory compliance or are there other motivating factors?
  o Is security management becoming progressively more difficult?
  o What is the impact of new technology initiatives like server virtualization, cloud computing, and mobile device support on security management and operations?
  o What are the security management and operations priorities for 2012 and beyond?

• Risk management.
  o What types of policies and technical controls are in place to address IT risk?
  o Are these policies and technical controls mandatory or discretionary?
  o How effective are risk management programs? Are there particular areas of weakness?
  o Do organizations have real-time visibility into IT risk as business conditions change?

• Incident detection and response.
  o How do organizations detect security attacks?
  o Do they have the right level of visibility to do so effectively? If not, are there particular areas where visibility is lacking?
  o When the organization does detect a security incident, how efficient is its response?

• Security technologies.
  o Which security technologies are most effective at performing the tasks they were designed for?
  o In particular, how effective are security information and event management (SIEM) platforms?

Survey participants represented a wide range of industries including manufacturing, financial services, communications and media, retail, government, and business services. For more details, please see the Research Methodology and Respondent Demographics sections of this report.
Research Findings

The ESG Security Management and Operations Segmentation Model

The information security management and operations discipline contains a multitude of interrelated security policies, processes, technical controls, and monitoring activities. As a result, enterprise-class security management and operations includes a number of organizational, cultural, educational, financial, and technical dependencies. Given the increasingly onerous threat landscape, the rise of Advanced Persistent Threats (APTs), and the alarming frequency of publicly-disclosed data breaches, many organizations are far more engaged with their information security strategies than they were a few years ago. While this is a positive step, ESG research indicates that security management and operations effectiveness and efficiency varies widely across enterprise organizations.

To better understand the state of enterprise security management and operations, ESG developed a security management and operations model that segments organizations based on five dimensions that tend to characterize security best practices and commitment. These dimensions are:

• Respondent organization’s perception of information security. A value for this dimension was calculated based upon how information security is viewed within the organization. ESG assigned a value of two (2) where information security was well aligned with corporate culture, and a value of one (1) where information security was aligned with specific business processes. Organizations offering other responses were assigned a value of zero (0) in this category.

• Respondent organization’s perception of the CISO role. A value for this dimension was calculated based upon how the CISO (or similar role) was perceived within the organization. ESG assigned a value of two (2) to organizations that perceived the CISO as a business executive, and a value of one (1) to organizations where the CISO was perceived as an IT executive. Organizations offering other responses were assigned a value of zero (0) in this category.

• Level of executive management involvement with information security. A value for this dimension was calculated based upon whether the executive management team was more engaged with information security strategy and situational awareness than it was in 2010. ESG assigned a value of two (2) to organizations where the executive management team was much more engaged with information security strategy and situational awareness than it was in 2010, and a value of one (1) to organizations where the executive management team was somewhat more engaged. Organizations offering other responses were assigned a value of zero (0) in this category.

• Frequency of security controls testing. A value for this dimension was calculated based upon how often an organization tested the effectiveness of its security controls. ESG assigned a value of two (2) to organizations that tested their security controls “constantly,” and a value of one (1) to organizations that tested the effectiveness of their security controls at least twice a month. Organizations offering other responses were assigned a value of zero (0) in this category.

• Presence of a SIEM platform. A value for this dimension was calculated based upon whether organizations had a SIEM (security information and event management) platform deployed. ESG assigned a value of two (2) to organizations that had a SIEM platform in place, and a value of one (1) to organizations that planned to implement a SIEM platform within the next 12 months. Organizations offering other responses were assigned a value of zero (0) in this category.

As indicated above, ESG used the survey data to assign every respondent organization a score for each of the five dimensions that comprise ESG’s security management and operations segmentation model (see Figure 1). The maximum possible score was ten points and the minimum was zero. Based on each respondent organization’s aggregate score, the organization was then classified as a security management and operations “leader” (7 to 10 points), “follower” (4 to 6 points), or “laggard” (0 to 3 points).
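The scoring described above, written out as an added example (this is not ESG’s own code): each of the five dimensions is scored 2, 1 or 0, the points are summed to a 0..10 total, and the total is bucketed into “leader,” “follower” or “laggard.” The answer labels and the sample respondents are constructed for this example and are not ESG’s survey wording or data.

```python
from collections import Counter

# Points per survey answer for each of the five model dimensions.
# Answer labels are constructed for this example (not ESG's survey wording);
# "high" answers score 2, "medium" answers score 1, anything else scores 0.
DIMENSIONS = {
    "security_perception": {"aligned with corporate culture": 2,
                            "aligned with specific business processes": 1},
    "ciso_perception": {"business executive": 2, "it executive": 1},
    "exec_engagement": {"much more engaged": 2, "somewhat more engaged": 1},
    "controls_testing": {"constantly": 2, "at least twice a month": 1},
    "siem": {"deployed": 2, "planned within 12 months": 1},
}

MAX_SCORE = 2 * len(DIMENSIONS)  # ten points, as stated in the report

# Aggregate score bands from the report, checked from the highest floor down:
# leader 7-10, follower 4-6, laggard 0-3.
SEGMENTS = (("leader", 7), ("follower", 4), ("laggard", 0))


def score_dimension(dimension, answer):
    """Return 2, 1 or 0 for one dimension.

    Matching is case- and whitespace-insensitive. A missing, blank or
    unrecognised answer scores 0, which is how the model treats "other
    responses". An unknown dimension name is an error rather than a
    silent 0, so a typo cannot quietly lower a score.
    """
    if dimension not in DIMENSIONS:
        raise ValueError(f"unknown dimension: {dimension!r}")
    if not isinstance(answer, str):
        return 0
    return DIMENSIONS[dimension].get(" ".join(answer.lower().split()), 0)


def score_respondent(answers):
    """Score all five dimensions for one respondent (dict of dimension ->
    answer) and return the per-dimension points plus the 'total'."""
    unknown = set(answers) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown dimension(s): {sorted(unknown)}")
    points = {d: score_dimension(d, answers.get(d)) for d in DIMENSIONS}
    points["total"] = sum(points.values())
    return points


def classify(total):
    """Map an aggregate score (0..10) to 'leader', 'follower' or 'laggard'."""
    if not 0 <= total <= MAX_SCORE:
        raise ValueError(f"score {total} outside 0..{MAX_SCORE}")
    for name, floor in SEGMENTS:
        if total >= floor:
            return name
    raise AssertionError("unreachable: the laggard floor is 0")


def segment_population(respondents):
    """Classify every respondent and return {segment: {'count', 'percent'}},
    the breakdown the report presents in Figure 2."""
    counts = Counter(classify(score_respondent(r)["total"]) for r in respondents)
    n = len(respondents)
    return {
        name: {"count": counts[name],
               "percent": round(100 * counts[name] / n) if n else 0}
        for name, _ in SEGMENTS
    }


def respondent(perception, ciso, engagement, testing, siem):
    """Build one respondent record from the five answers, in model order."""
    return dict(zip(DIMENSIONS, (perception, ciso, engagement, testing, siem)))


# Constructed sample respondents (not ESG survey data) covering the band edges.
SAMPLE_RESPONDENTS = [
    respondent("aligned with corporate culture", "business executive",
               "much more engaged", "constantly", "deployed"),            # 10 -> leader
    respondent("aligned with corporate culture", "IT executive",
               "much more engaged", "at least twice a month",
               "planned within 12 months"),                               # 7 -> leader
    respondent("aligned with specific business processes", "IT executive",
               "about the same as 2010", "constantly", "deployed"),       # 6 -> follower
    respondent("an IT/compliance function", "no CISO", "somewhat more engaged",
               "at least twice a month", "planned within 12 months"),     # 3 -> laggard
    {},                                                                   # 0 -> laggard
]

if __name__ == "__main__":
    for r in SAMPLE_RESPONDENTS:
        s = score_respondent(r)
        print(s["total"], classify(s["total"]))
    print(segment_population(SAMPLE_RESPONDENTS))
```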
Figure 1. ESG Security Management and Operations Segmentation Model Criteria

Organizational perception of information security
  High: security aligned with corporate culture
  Medium: security aligned with specific business processes
  Low: none of the above
CISO role / perception
  High: CISO perceived as business executive
  Medium: CISO perceived as IT executive
  Low: none of the above
Executive management's involvement with security
  High: much more engaged than in 2010
  Medium: somewhat more engaged than in 2010
  Low: none of the above
Frequency of security controls testing
  High: security controls tested constantly
  Medium: security controls tested at least twice per month
  Low: none of the above
Presence of a SIEM platform
  High: SIEM platform deployed
  Medium: plans to deploy SIEM platform within 12 months
  Low: none of the above

Source: Enterprise Strategy Group, 2012.

Based upon this scoring algorithm, 19% of enterprise organizations participating in this research project were classified as security management and operations “leaders,” 49% were classified as security management and operations “followers,” and 32% were classified as security management and operations “laggards” (see Figure 2).

Figure 2. Survey Respondents based on ESG Security Management and Operations Segmentation Model

Percent of respondents by ESG security management and operations segmentation model. (Percent of respondents, N=315)
  Leaders, 19%
  Followers, 49%
  Laggards, 32%

Source: Enterprise Strategy Group, 2012.

Using this market segmentation model as a guide, ESG’s analysis of the data found clear and profound differences among each market segment in a number of areas, including security management perceptions, organizational skills, use of third-party services, and security technology deployment.
ESG’s security management and operations segmentation model is used for data analysis purposes throughout this report to illustrate varying degrees of cybersecurity activities, challenges, and strategies amongst the different groups. In aggregate, the data is indicative of a diverse population where 81% of organizations (i.e., “followers” and “laggards”) are lacking the essential security knowledge, processes, technology defenses, and organizational backing needed to adequately address IT risk, quickly detect security incidents, and respond to ongoing attacks in a timely and coordinated way. Thus it is safe to say that the vast majority of large organizations remain quite vulnerable to current and future threats.
The State of Security Management and Operations

ESG found that when it comes to factors influencing information security strategy, organizations are driven by two primary motivations: protecting sensitive data / intellectual property and regulatory compliance (see Figure 3). It is worth noting that 42% of security management and operations “leaders” said that their security strategy was driven by corporate governance, as compared to 30% of the overall survey population. This is understandable since “leaders” tend to weave information security into comprehensive business policies and promote security awareness training for all employees. Additionally, 55% of “leaders” are driven by improving/automating security operations, as compared to 39% of the overall survey population. ESG believes that this is a harbinger of things to come: information security is often anchored by manual tasks and individual skill sets. Security “leaders” understand that they need to supplement human resources with more automation in order to manage risk and cope with growing IT scale in real time.

Figure 3. Most Important Factors Driving Organization’s Information Security Strategy in 2012
Of the following, which would you characterize as the most important factors driving your organization’s information security strategy in 2012? (Percent of respondents, N=315, multiple responses accepted)
  55%  Protecting sensitive data and IP
  50%  Regulatory compliance
  41%  Addressing new types of threats
  39%  Improving/automating security operations
  38%  Addressing security issues created by the use of mobile devices
  35%  Improving our ability to analyze security data and detect attacks in progress
  33%  Aligning security policies and controls with business processes
  31%  Creating an appropriate security model for cloud computing initiatives
  30%  Corporate governance
  29%  Understanding business risk
  24%  Migrating from tactical security tools to a more integrated security technology architecture
Source: Enterprise Strategy Group, 2012.

With the passage of the Health Insurance Portability and Accountability Act (HIPAA, 1996), California Senate Bill 1386 (SB 1386, 2003), and the Payment Card Industry Data Security Standard (PCI DSS, 2004), regulatory compliance requirements have had a major influence on enterprise information security strategy in recent years. While these regulations have increased information security investment and visibility, they have also had some unintended consequences. Rather than encourage holistic security best practices, these mandates have led some organizations to direct their information security efforts solely toward passing compliance audits. This has left many firms technically compliant with regulatory mandates, yet still plagued by significant security shortcomings.

ESG research indicates that this compliance-oriented “check box” mentality may be waning: 45% of large organizations say that regulatory compliance has less influence on their information security strategy today than it did in the past (see Figure 4). ESG sees this as a positive step forward. While regulatory compliance remains an important component of information security strategy, CISOs are focusing their attention beyond passing compliance audits alone and putting more resources and investment into bolstering risk management programs, accelerating incident detection, and improving incident response. In other words, information security objectives are centering on protecting the organization, not just appeasing the compliance auditors.

Figure 4. Influence of Regulatory Compliance on Organization’s Information Security Strategy and Investment Decisions
Compared to 2010, how would you characterize the influence of regulatory compliance on your organization’s information security strategy and investment decisions? (Percent of respondents, N=315)
  19%  Regulatory compliance was much more influential on my organization’s information security strategy and investment decisions in 2010 than it is today
  26%  Regulatory compliance was somewhat more influential on my organization’s information security strategy and investment decisions in 2010 than it is today
  33%  Regulatory compliance was as influential on my organization’s information security strategy and investment decisions in 2010 as it is today
  13%  Regulatory compliance was somewhat less influential on my organization’s information security strategy and investment decisions in 2010 than it is today
   8%  Regulatory compliance was much less influential on my organization’s information security strategy and investment decisions in 2010 than it is today
   2%  Don’t know / no opinion
Source: Enterprise Strategy Group, 2012.
This changing attitude was most pronounced with security management and operations “leaders,” 32% of whom say that regulatory compliance has less influence on their information security strategy today than it did in the past (see Table 1). ESG believes this shift is due to a number of factors, including a more ominous threat landscape, visible publicly-disclosed data breaches, and greater cybersecurity awareness by corporate executives.

Table 1. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model
Influence of regulatory compliance on organization’s information security strategy and investment decisions as compared to 2010, by segmentation (rows abbreviate the response “Regulatory compliance was … influential on my organization’s information security strategy and investment decisions in 2010 than/as it is today”)
  Leaders (N=60)  Followers (N=154)  Laggards (N=101)
  32%             19%                11%               Much more influential in 2010 than today
  23%             29%                24%               Somewhat more influential in 2010 than today
  32%             31%                39%               As influential in 2010 as today
   3%             14%                17%               Somewhat less influential in 2010 than today
  10%              8%                 6%               Much less influential in 2010 than today
   0%              1%                 4%               Don’t know
Source: Enterprise Strategy Group, 2012.
Given its historical focus as an IT discipline, it is not surprising to see that 63% of organizations believe “information security is aligned with IT assets and the IT department.” Respondents also believe that “information security is aligned with regulatory compliance.” Beyond these obvious connections, however, this data also points to a changing mindset around information security: 55% of organizations see an alignment between information security and business processes. This is a positive step and represents both progressive and realistic thinking. More and more business processes across all industries are anchored by IT infrastructure and the public Internet. Consequently, CISOs and business managers should understand the IT assets, employees, and third parties involved in each business process in order to identify risk, create/enforce policies, and monitor the effectiveness of security controls.

The data also indicates that 44% of large organizations believe that information security is aligned with the corporate culture. This too represents a new function for information security. Since organizational success depends upon IT services, strong security depends upon participation from all employees. By aligning information security with corporate culture, some executive managers clearly recognize and support this connection deep within the organization (see Figure 5).
Figure 5. How Security is Viewed at Organizations
From an organizational perspective, which of the following statements best reflects how information security is viewed at your organization? (Percent of respondents, N=315, multiple responses accepted)
  63%  Information security is aligned with IT assets and the IT department
  59%  Information security is aligned with regulatory compliance
  55%  Information security is aligned with business processes
  45%  Information security is aligned with physical security
  44%  Information security is aligned with the corporate culture
Source: Enterprise Strategy Group, 2012.

As a function, Chief Information Security Officers (CISOs) are also perceived differently among various organizations. Nearly three-quarters of organizations still view the CISO as an IT executive or support function. However, a significant 18% of survey respondents said that the CISO was perceived as a business executive in their organization (see Figure 6), a development that will only help raise awareness of, and improve the response to, information security issues in those firms.

Figure 6. Perception of CISO within Organization
In your opinion, how is the CISO (or similar position) perceived at your organization? (Percent of respondents, N=315)
  51%  As an IT executive
  23%  As a support function for IT (i.e., support the CIO and others)
  18%  As a business executive
   5%  As a support function for regulatory compliance
   2%  Don’t know
Source: Enterprise Strategy Group, 2012.

Along with changing perceptions about regulatory compliance and CISOs, ESG research indicates that executive management teams are becoming increasingly engaged with information security situational awareness and strategy (see Figure 7).
Figure 7. Level of Engagement of Executive Management Team
Compared to 2010, do you believe that the executive management team at your organization is: (Percent of respondents, N=315)
  29%  Much more engaged with information security situational awareness and strategy
  40%  Somewhat more engaged with information security situational awareness and strategy
  27%  About the same level of engagement with information security situational awareness and strategy
   2%  Less engaged with information security situational awareness and strategy
   1%  Much less engaged with information security situational awareness and strategy
   1%  Don’t know / no opinion
Source: Enterprise Strategy Group, 2012.

ESG further explored executive management involvement in several areas. As shown in Figure 8, ESG asked whether organizations as a whole believe that their senior executives are putting forth a “good” or “adequate” effort when it comes to making necessary security investments, increasing their knowledge about security concepts, and being actively involved in setting information security strategy.

Figure 8. Characterization of Executive Management Team
How would you characterize your organization’s executive management in the following areas? (Percent of respondents, N=315)
  Good  Adequate  Fair  Poor
  47%   40%       11%   2%    Willingness to commit to a level of security investment necessary to address risk in an appropriate way
  45%   44%       10%   1%    General knowledge about information security concepts
  41%   42%       14%   3%    Interest in information security status across the organization
  39%   43%       16%   2%    Involvement in information security strategy decisions
  37%   47%       14%   1%    Demonstration of information security leadership position within the organization
Source: Enterprise Strategy Group, 2012.
The data paints a different picture, however, when viewed through the lens of the ESG security management and operations segmentation model (see Table 2). For instance, the majority of security management and operations “leaders” believe their executives are doing a “good” job across all areas. However, keep in mind that “leaders” make up only 19% of the total survey population. Executive managers at “follower” and “laggard” organizations don’t fare nearly as well when it comes to being knowledgeable about, investing in, and generally supporting security initiatives.

Table 2. Characterization of Executive Management Team Analyzed by the ESG Segmentation Model
How would you characterize your organization’s executive management in the following areas? (Percentage of each segment responding “good”)
  Leaders  Followers  Laggards
  62%      53%        28%       Willingness to commit to a level of security investment necessary to address risk in an appropriate way
  70%      50%        24%       General knowledge about information security concepts
  58%      47%        23%       Interest in information security status across the organization
  57%      44%        23%       Involvement in information security strategy decisions
  58%      39%        22%       Demonstration of information security leadership position within the organization
Source: Enterprise Strategy Group, 2012.

Overall, the ESG data points to some positive trends. Information security is slowly transforming from a back office IT and regulatory compliance function to a much more integral component of business operations. This change is impacting the role of CISOs and business executive involvement in information security. Nevertheless, these changes are extremely skewed to a progressive minority composed of security management and operations leaders. Other organizations are either caught in the past or evolving at a snail’s pace.
The Evolving Security Organization

Just over one-half of large organizations surveyed by ESG will increase information security headcount in 2012, while another 40% say that the size of their security organization will remain about the same. Just 4% will actually reduce staff (see Figure 9). In particular, large organizations categorized as security management and operations “leaders” are not resting on their laurels: 42% will increase headcount “significantly” in 2012 (see Figure 10).

Figure 9. Organizations Increasing Security Headcount
To the best of your knowledge, will your organization increase its security headcount (i.e., hire new management/staff) in 2012? (Percent of respondents, N=315)
  17%  Yes, significantly
  38%  Yes, somewhat
  40%  No, it will remain about the same size
   3%  No, the security organization will become somewhat smaller
   1%  No, the security organization will become significantly smaller
   2%  Don’t know
Source: Enterprise Strategy Group, 2012.

Figure 10. Organizations Increasing Security Headcount by the ESG Security Management and Operations Segmentation Model
Organization’s plans to increase security headcount (i.e., hire new management/staff) in 2012, by segmentation. (Percent of respondents)
  Leader (N=60)  Follower (N=154)  Laggard (N=101)
  42%            14%                7%              Yes, significantly
  27%            45%               33%              Yes, somewhat
  28%            36%               52%              No, it will remain about the same size
  (see note)      3%                5%              No, the security organization will become somewhat smaller
  (see note)      1%                1%              No, the security organization will become significantly smaller
  (see note)      1%                2%              Don’t know
Note: the source chart labels only five values for the “leader” segment (42%, 27%, 28%, 2%, 2%); which two of the last three responses carry the 2% values, and which is unlabelled, cannot be recovered from the chart.
Source: Enterprise Strategy Group, 2012.
The fact that information security is becoming more closely aligned with business operations and goals is one reason why so many organizations are hiring in 2012. Unfortunately, another reason for adding headcount is related to the dearth of existing security skills. Enterprises point to a problematic shortage of existing information security skills in a multitude of areas (see Figure 11). A few aspects of this list stand out:

• The biggest skills deficit is in the burgeoning area of cloud/server virtualization security. Since these are relatively new technology areas, it is likely to be extremely difficult finding seasoned professionals with this combination of skills. Alternatively, cloud/server virtualization security architects should have an assortment of high paying positions to choose from. ESG hopes that cloud, server virtualization, and security vendors recognize this critical skills shortage and will work to bridge this gap with the right automation, professional services, user training, and professional certifications.

• Large organizations also have skills deficiencies in a number of core areas such as endpoint/mobile security, network security, and data security. With respect to endpoint/mobile, it is likely that BYOD (bring your own device) initiatives are exacerbating the scarcity of skills, as organizations need more specialized capabilities for securing new platforms like iOS, Android, and Macintosh. However, network and data security are not new areas. This speaks to a more systemic shortage of available bodies for core information security jobs.

• A number of other specific areas such as security analytics/forensics, emerging threat/malware expertise, and application development security require highly experienced and senior professionals. Once again, these skills don’t come easy or cheap, as they are in high demand. Recruiting individuals with these skills will be highly competitive and very expensive. Organizations with lower pay scales or those in more rural areas will have the most difficult time here.

Figure 11. Areas of Information Security with a Shortage of Existing Skills
In which of the following areas of information security do you believe your IT organization currently has a problematic shortage of existing skills? (Percent of respondents, N=315, multiple responses accepted)
  43%  Cloud/server virtualization security
  31%  Endpoint/mobile device security
  31%  Network security
  30%  Data security
  30%  Security analysis/forensics
  28%  Emerging threat/malware expertise
  25%  Application development security
  23%  Security operations
  22%  Email/messaging security
  20%  Application/database security
   8%  We do not currently have a problematic shortage of existing information security skills
Source: Enterprise Strategy Group, 2012.
Whether general or specialized, finding information security help is becoming increasingly cumbersome. Nearly one-fifth of large organizations claim that it is “extremely difficult to recruit/hire security professionals,” while another 65% say it is “somewhat difficult to recruit/hire information security professionals” (see Figure 12). These hiring issues were consistent across the “leader, follower, and laggard” organizations of the ESG security management and operations segmentation model, suggesting that no class of organizations is immune from the current security skills crunch.

Figure 12. Current State of Information Security Professional Recruitment/Hiring
In your opinion, how would you characterize the current state of information security professional recruitment/hiring? (Percent of respondents, N=172)
  18%  It is extremely difficult to recruit/hire information security professionals
  65%  It is somewhat difficult to recruit/hire information security professionals
  15%  It is somewhat easy to recruit/hire information security professionals
   1%  It is extremely easy to recruit/hire information security professionals
   1%  Don’t know
Source: Enterprise Strategy Group, 2012.
Security Organization Responsibilities

As large organizations increasingly equate information security with business operations, invest in new technologies, and hire more security staff, it is important to recognize that information security is really composed of a number of shared tasks and responsibilities. As proof of this, ESG asked security professionals to identify areas where the security organization has primary responsibility and where it shares responsibilities with other IT groups. As shown in Figure 13, in the majority of areas, information security teams work hand-in-hand with other functional IT teams such as network/IT operations, DBAs, or application developers. Given this situation, CISOs and their organizations should not be held accountable for information security efficiency and effectiveness alone. Rather, strong security is only possible through a CISO/IT organization partnership, with the appropriate strategy, goals, and metrics.

It is also worth noting, however, that security organizations within the ESG security management and operations “leader” segment were much more likely to have primary responsibility in a number of the areas listed below. Clearly, these “leaders” recognize the value of the security team and are willing to give these teams authority to take the initiative if it leads to lower risk, rapid decision making, and greater security protection.

Figure 13. Information Security Organization’s Level of Responsibility
For each of the activities and tasks below, what is the information security organization’s level of responsibility? (Percent of respondents, N=315)
  Primary  Shared  Not responsible  Don’t know
  45%      46%      6%              3%          Establishing controls for security policy enforcement
  44%      51%      3%              2%          Developing security policies
  42%      52%      4%              2%          Working with business units to define security needs
  42%      48%      7%              3%          Monitoring security status on a regular basis
  42%      45%     10%              3%          Vulnerability scanning
  41%      48%      9%              2%          Defining policies and standards for secure software development
  39%      51%      8%              2%          Regulatory compliance policies, controls, and audits
  39%      50%      9%              3%          Incident response
  39%      50%      9%              2%          Researching, testing, and purchasing security technologies
  38%      52%      9%              2%          Defining secure configurations for hardware and software
  38%      47%     14%              2%          Day-to-day operation of network security devices
  34%      53%      8%              5%          Defining policies for cyber supply chain security
  34%      48%     14%              4%          Patch management
  31%      55%     11%              3%          Training non-IT employees on security policies and best practices
Primary = security organization has primary responsibility; Shared = security organization shares responsibility with other IT groups (i.e., network operations, DBAs, etc.); Not responsible = security organization is not responsible.
Source: Enterprise Strategy Group, 2012.
CISOs need their teams to collaborate across IT, but these requirements are especially necessary with key groups such as network operations, server administrators, and IT auditors (see Figure 14). Security management and operations “leaders” tend to work more closely with the regulatory compliance team (57% of leaders as compared with 43% of the overall survey population), DBAs (38% of leaders as compared with 25% of the overall survey population), and IT auditors (52% of leaders as compared with 43% of the overall survey population).

Figure 14. Groups Security Team Works With Most Closely
With which of the following groups does your organization’s security team work most closely? (Percent of respondents, N=315, multiple responses accepted)
  57%  Network operations
  46%  Server administrators
  43%  IT auditors
  43%  Regulatory compliance
  32%  Applications administrators
  27%  Storage administrators
  25%  DBAs
  25%  Help desk
  21%  Endpoint administrators
Source: Enterprise Strategy Group, 2012.
Security Services Trends

Many organizations plan on using third-party security services in 2012: 17% of organizations surveyed by ESG will use professional or managed services “extensively” this year, while another 45% will use third-party professional or managed services to some extent in order to meet their information security requirements (see Figure 15). ESG also finds it noteworthy that 32% of security management and operations “leaders” will use third-party professional or managed services “extensively” in 2012, as compared to 17% of the overall survey population. Why? ESG suspects that “leaders” are far more aggressive at finding mundane security tasks to outsource as well as isolating areas where they need external expertise and internal skills may be lagging.

Figure 15. Planned Use of Third-Party Professional/Managed Services in 2012
Will your organization use third-party professional or managed services to meet its information security requirements in 2012? (Percent of respondents, N=315)
  17%  Yes, extensively
  45%  Yes, somewhat
  33%  No
   5%  Don’t know
Source: Enterprise Strategy Group, 2012.

As information security becomes increasingly business-critical, more and more large organizations will be forced to overcome internal skills gaps and hiring challenges with third-party service alternatives. The ESG research data indicates that this is already happening: 16% of enterprises say they will increase their use of third-party managed and/or professional services “substantially” over the next 24 months, while another 42% will increase their use of third-party managed and/or professional services “somewhat” (see Figure 16).

Figure 16. How Use of Third-Party Professional/Managed Services has Changed
How has your organization’s use of third-party professional or managed security services changed over the past 24 months? (Percent of respondents, N=196)
  16%  Increased substantially
  42%  Increased somewhat
  35%  Remained about the same
   6%  Decreased somewhat
   1%  Decreased substantially
   1%  Don’t know / no opinion
Source: Enterprise Strategy Group, 2012.
Why are these organizations consuming more security services? ESG’s hypothesis going into this research was that security service growth was a result of the growing global shortage of security skills. The data gathered for this project verifies this theory. Large organizations are increasingly turning to service providers for specialized security skills or to supplement the internal security staff (see Figure 17).

Figure 17. Reasons for Increasing Use of Third-Party Security Services
What are the primary reasons for increasing the use of third-party security services at your organization? (Percent of respondents, N=114, multiple responses accepted)
  39%  Security service providers can perform certain security tasks better than we can
  34%  New types of security threats persuaded my organization to seek outside expertise
  29%  Don’t have a large enough security staff to handle all security responsibilities
  28%  Don’t have specific security skills in house so the organization decided to outsource security tasks
  27%  Security is not core to the business so my organization decided to seek outside expertise
  24%  My organization experienced a security breach which led us to seek out more security services and expertise
  20%  Couldn’t recruit/hire enough security expertise so we had no choice
Source: Enterprise Strategy Group, 2012.
Security services needs follow a pattern that is consistent with the general history of IT outsourcing over the decades. Enterprise companies tend to turn to service providers for specific skills (usually associated with new or changing technologies) or commonplace operational tasks. Interestingly, the list below seems weighted toward the former, i.e., specialized security skills such as security design, threat intelligence, and network monitoring (see Figure 18).

Figure 18. Areas of Third-Party Security Services Used
Which of the following areas of third-party security services has your organization used in the past and/or does it plan to use in 2012? (Percent of respondents, N=92, multiple responses accepted)
  33%  Security design
  30%  Threat management intelligence
  30%  Network monitoring
  30%  Security/risk management/regulatory compliance assessment
  29%  Web threat management
  29%  Email encryption
  29%  Vulnerability scanning
  28%  Penetration testing
  26%  Staff augmentation
  22%  Mail/messaging security
  18%  Endpoint security
  18%  Managed network security
  15%  Event/log management
Source: Enterprise Strategy Group, 2012.
Risk Management Strategies

Most security professionals agree with the old adage “an ounce of prevention is worth a pound of cure.” In that spirit, nearly three-quarters of the enterprise organizations have a formal risk management program in place (see Figure 19). Defined simply, a risk management program would include:

1. Identifying all IT assets (i.e., applications, databases, servers, storage, networking equipment, data, etc.).
2. Classifying all IT assets based upon their value to the business mission.
3. Identifying threats to IT assets and the likelihood of these threats.
4. Identifying vulnerabilities associated with these IT assets.
5. Using these inputs (i.e., assets, asset value, threats, and vulnerabilities) to calculate some measure of overall risk.
6. Implementing controls to reduce risk.
7. Continually measuring any changes (i.e., new assets, changes to assets, new threats, new vulnerabilities, etc.) that could represent an increase in risk to the organization.

Figure 19. Formal IT Risk Management Programs in Place
Does your organization have a formal IT risk management program in place? (Percent of respondents, N=315)
  73%  Yes
  13%  No, but we plan to implement one in the next 12 to 18 months
   9%  No, but we are interested in implementing one
   3%  No, and we have no plans or interest in implementing one
   2%  Don’t know
Source: Enterprise Strategy Group, 2012.

Risk management programs are most effective when they are implemented throughout the enterprise as opposed to in an ad hoc or piecemeal fashion. As shown in Figure 20, nearly three-quarters of enterprise organizations say they have implemented their risk management program company-wide.
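The seven steps above, carried through as a small risk register. This is an added example and not ESG’s code or model; the asset inventory, threat likelihoods, vulnerability identifiers, severities, and control effectiveness values are all constructed, and the scoring formula (value x likelihood x severity, with each control removing a fraction of what remains) is one simple choice among many.

```python
"""Risk register for the seven-step IT risk management program outlined above.

Added example, not ESG's code. Every asset, score, and identifier below is
constructed for illustration; the scoring formula is one simple model."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                                     # step 1: application, database, server...
    value: int                                    # step 2: 1 (low) .. 5 (mission critical)
    threats: dict = field(default_factory=dict)   # step 3: threat -> likelihood 0.0..1.0
    vulns: dict = field(default_factory=dict)     # step 4: vulnerability id -> severity 1..10
    controls: dict = field(default_factory=dict)  # step 6: control -> fraction of risk removed


def inherent_risk(asset):
    """Step 5: asset value x most likely threat x most severe vulnerability (severity scaled to 0..1)."""
    if not asset.threats or not asset.vulns:
        return 0.0          # no known threat or no known weakness: nothing to score yet
    likelihood = max(asset.threats.values())
    severity = max(asset.vulns.values()) / 10.0
    return asset.value * likelihood * severity


def residual_risk(asset):
    """Step 6: each control removes its fraction of whatever risk remains after the previous one."""
    risk = inherent_risk(asset)
    for control, reduction in asset.controls.items():
        if not 0.0 <= reduction <= 1.0:
            raise ValueError(f"control {control!r} has a reduction outside 0..1")
        risk *= 1.0 - reduction
    return risk


def risk_register(assets):
    """One row per asset, highest residual risk first, so the largest gaps surface at the top."""
    rows = [{"asset": a.name, "kind": a.kind, "value": a.value,
             "inherent": round(inherent_risk(a), 2),
             "residual": round(residual_risk(a), 2)} for a in assets]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def risk_increases(before, after):
    """Step 7: compare two register snapshots and return (asset, old residual, new residual)
    for every asset whose residual risk rose, including assets that are new (old is None)."""
    previous = {r["asset"]: r["residual"] for r in before}
    increases = []
    for r in after:
        old = previous.get(r["asset"])
        if old is None or r["residual"] > old:
            increases.append((r["asset"], old, r["residual"]))
    return increases


def baseline_inventory():
    """Constructed inventory for a small environment (step 1); VULN-* ids are placeholders."""
    return [
        Asset("crm-db", "database", 5,
              threats={"sql injection": 0.6, "insider misuse": 0.3},
              vulns={"VULN-001": 8},
              controls={"web application firewall": 0.5, "database activity monitoring": 0.25}),
        Asset("public-web", "application", 4,
              threats={"web application attack": 0.5},
              vulns={"VULN-002": 7},
              controls={"monthly patching": 0.5}),
        Asset("hr-fileshare", "server", 3,
              threats={"ransomware": 0.5},
              vulns={"VULN-003": 5}),            # no control in place yet
    ]


def run():
    """Score the baseline, then re-score after a quarter's worth of changes (step 7)."""
    before = risk_register(baseline_inventory())

    changed = baseline_inventory()                 # fresh objects, so the baseline stays intact
    changed[2].vulns["VULN-004"] = 10              # new critical weakness found on hr-fileshare
    changed.append(Asset("vpn-gateway", "network", 4,   # newly deployed asset
                         threats={"credential stuffing": 0.5},
                         vulns={"VULN-005": 6},
                         controls={"multi-factor authentication": 0.5}))
    after = risk_register(changed)
    return before, after, risk_increases(before, after)


if __name__ == "__main__":
    before, after, increases = run()
    for row in after:
        print(f"{row['asset']:<14} inherent={row['inherent']:.2f} residual={row['residual']:.2f}")
    for asset, old, new in increases:
        print(f"risk increased: {asset} {old} -> {new}")
```

The second snapshot moves hr-fileshare to the top of the register and reports the new vpn-gateway as an increase, which is exactly the kind of change step 7 exists to catch.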
Figure 20. How Formal IT Risk Management Program is Implemented
Which of the following best describes how your organization’s IT risk management program is implemented? (Percent of respondents, N=231)
  74%  Across the entire enterprise
  24%  Across a majority of business units or divisions, but not across the entire enterprise
   1%  Across some business units or divisions, but not across the entire enterprise
Source: Enterprise Strategy Group, 2012.

Formal risk management programs are clearly a function of overall information security excellence. For example, 95% of organizations classified in the ESG segmentation model as security management and operations “leaders” have a formal risk management program in place, compared with 79% of “followers” and just 52% of “laggards” (see Table 3). Similarly, 91% of “leaders” have a formal risk management program implemented across the enterprise, compared to 69% of “followers” and 68% of “laggards.”

In a best case scenario, a formal risk management program would be implemented across the enterprise. To understand whether large organizations were following these best practices, ESG combined responses from the previous two questions (i.e., Figure 19 and Figure 20). When this data is aggregated, 54% of large organizations follow risk management best practices by implementing a formal risk management program across the enterprise. These results are marginal at best and indicate that many enterprises lack the adequate metrics needed to assess IT risk at any given time. The data is even more revealing when viewed through the ESG security management and operations segmentation model. While 86% of the total “leader” population has a formal IT risk management program implemented throughout the enterprise, 55% of “followers” have a formal IT risk management program implemented throughout the enterprise, and only 35% of “laggards” have a formal IT risk management program implemented throughout the enterprise. Clearly, “followers” and “laggards” lag behind and are “flying blind” when it comes to understanding whether their organizations are vulnerable to attack or adequately protected (see Table 3).

Strong security management and operations depends upon a long list of processes and skills, so ESG asked security professionals to assess their organizations in a number of critical areas (see Figure 21). For the most part, enterprise firms rated their security standard best practices as either “very good” or “good.”
Table 3. IT Risk Management Programs Analyzed by the ESG Segmentation Model
  Percentage with a formal IT risk management program  Percentage with a formal IT risk management program implemented across the enterprise  Percentage of the population with both a formal risk management program implemented across the enterprise
  73%  74%  54%  Total survey population (all segments)
  95%  91%  86%  Leaders
  79%  69%  55%  Followers
  52%  68%  35%  Laggards
Source: Enterprise Strategy Group, 2012.

Figure 21. Organization’s Rating on Standard Security Best Practices
The following is a list of standard security best practices. Please rate your organization in each area. (Percent of respondents, N=315)
  Very good  Good  Fair  Poor
  42%        50%    8%   (see note)  Deploying IT assets (i.e., hardware and software) in hardened configurations
  35%        50%   13%   2%          Network monitoring
  34%        54%   10%   2%          Network security management
  33%        57%    9%   1%          Monitoring the security status of IT assets
  31%        52%   15%   2%          Threat management
  30%        53%   16%   1%          Patching vulnerable systems in a timely manner
  30%        47%   19%   3%          Secure software development lifecycle training, processes, and testing
  29%        55%   14%   2%          Data security controls
  29%        51%   16%   3%          End user security
  28%        50%   17%   5%          Cyber supply chain security
  25%        57%   15%   3%          Host activity monitoring
  24%        48%   25%   3%          Mobile device security
Note: the source chart shows no “poor” label for the hardened configurations row.
Source: Enterprise Strategy Group, 2012.
Security Controls Effectiveness and Testing

Earlier in this report, ESG showed that 45% of security professionals believe regulatory compliance is less of an influence on their information security strategy than it was a few years ago. One indication of this change is how frequently enterprise firms test the effectiveness of their security controls. When regulatory compliance is the primary objective, large organizations tend to schedule security controls effectiveness testing infrequently, often only around actual compliance audits. Driven by the increasingly dangerous threat landscape, many organizations are now much more diligent with their testing: 40% of security professionals say their organizations test the effectiveness of their security controls “constantly” rather than at a fixed interval or only when an audit requires it (see Figure 22).

Figure 22. Frequency of Security Controls Effectiveness Testing
On average, how often does your organization test the effectiveness of its security controls? (Percent of respondents, N=304)
  Constantly: 40%
  Once per week: 15%
  Twice per month: 14%
  Once per month: 14%
  About once per quarter: 10%
  Twice a year: 3%
  Once per year: 1%
  Other: 1%
  Don’t know: 3%
Source: Enterprise Strategy Group, 2012.
Large organizations employ a multitude of methods to test the effectiveness of their security controls (see Figure 23). While most use fairly standard testing methods like network scans and log reviews, it is worth noting that 43% of security management and operations “leaders” deliberately configure and deploy assets that violate security policies in order to measure how long it takes the security team to detect them, compared to 29% of “followers” and 23% of “laggards.” “Leaders” evidently believe it is critically important to “hack” their own networks to get a measurable picture of how vulnerable they really are. A planted violation only yields a usable metric if the planting time is recorded and each later alert is attributed to the specific violation it caught, so the exercise has to be tracked like any other test rather than run informally.

Figure 23. Technologies/Techniques Used to Test Effectiveness of Security Controls
Which of the following techniques/technologies does your organization use to test the effectiveness of its security controls? (Percent of respondents, N=315, multiple responses accepted)
  Network/system scanning: 58%
  Scan for rogue systems on the network: 48%
  Monitor/analyze log files: 47%
  Compliance/IT governance dashboard: 43%
  Penetration testing by internal employees: 37%
  Help desk calls: 34%
  Third-party penetration testing: 34%
  Configure and implement assets that violate security policies to assess how long it takes for the security team to detect problems: 30%
  Monitor/analyze CMDB: 29%
  We do not test the effectiveness of our security controls: 1%
Source: Enterprise Strategy Group, 2012.
According to ESG’s survey respondents, large organizations assess their security management capabilities using a number of metrics, most commonly the number of security events discovered, the number of security/IT audit violations or failures, and the number of vulnerable systems discovered (see Figure 24). These metrics were fairly consistent across “leaders,” “followers,” and “laggards,” with a few exceptions. For example, “leaders” were somewhat more diligent in all areas and put more emphasis on the time to remediate a compromised system (37% as opposed to 28% of the overall survey population).

Figure 24. Metrics Used to Gauge Effectiveness of Security Management
Which of the following metrics does your organization use to gauge the effectiveness of its security management? (Percent of respondents, N=315, multiple responses accepted)
  Number of security events discovered: 45%
  Number of security/IT audit violations/failures: 43%
  Number of vulnerable systems discovered: 38%
  Number of overall security tests (system scans, penetration tests, etc.) performed by the organization: 32%
  Number of systems determined to be out of compliance with security configuration standards: 32%
  Number of service calls related to security incidents: 32%
  Time between system compromise and detection by the security team: 30%
  Time to remediate a compromised system: 28%
  Number of unapproved systems discovered on the network: 27%
  Number or percent of employees provided with the latest security training: 22%
  Number of stale user accounts discovered: 21%
Source: Enterprise Strategy Group, 2012.
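The “plant a violating asset and time how long the security team takes to notice” test from Figure 23 is only a metric if it is reconciled systematically. The following is an added example, not code from the ESG report: it matches each planted violation against the alerts the security team raised, takes the first matching alert after the planting time as the detection, and reports violations with no alert inside the test window as missed, which gives the time-between-compromise-and-detection figure from Figure 24 a concrete, repeatable source. The asset names, policy labels and every record in it are constructed for the example.

```python
"""Measuring detection latency for deliberately planted policy violations."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: assets deliberately deployed in violation of policy,
# with the time each one was planted. Nothing in the record marks it as a test,
# so the security team is measured on detecting the violation itself.
PLANTED = [
    {"asset": "srv-web-07", "policy": "telnet-enabled",      "planted_at": "2012-03-05T09:00:00"},
    {"asset": "wks-fin-22", "policy": "unapproved-software", "planted_at": "2012-03-05T09:05:00"},
    {"asset": "srv-db-03",  "policy": "default-credentials", "planted_at": "2012-03-05T09:10:00"},
    {"asset": "lab-ap-01",  "policy": "rogue-access-point",  "planted_at": "2012-03-05T09:15:00"},
]

# Constructed sample alerts raised by the security team (as exported from a SIEM
# or ticketing system). Note the duplicate alert for srv-web-07 and the
# wks-fin-22 alert that predates planting and so cannot be a detection of this test.
ALERTS = [
    {"asset": "srv-web-07", "policy": "telnet-enabled",      "raised_at": "2012-03-05T09:42:00"},
    {"asset": "srv-web-07", "policy": "telnet-enabled",      "raised_at": "2012-03-05T10:10:00"},
    {"asset": "wks-fin-22", "policy": "unapproved-software", "raised_at": "2012-03-05T08:50:00"},
    {"asset": "srv-db-03",  "policy": "default-credentials", "raised_at": "2012-03-07T16:30:00"},
]


def parse_ts(text):
    """Parse the ISO-8601 timestamps used in the records above."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detection_latency(planted, alerts, as_of, window=timedelta(days=7)):
    """Map (asset, policy) -> seconds from planting to the first matching alert.

    An alert counts only if it was raised at or after planting and no later than
    the end of the test window (or `as_of`, whichever comes first). Violations
    with no such alert map to None, meaning "not detected within the window".
    """
    result = {}
    for item in planted:
        planted_at = parse_ts(item["planted_at"])
        cutoff = min(planted_at + window, as_of)
        hits = [
            parse_ts(a["raised_at"])
            for a in alerts
            if a["asset"] == item["asset"]
            and a["policy"] == item["policy"]
            and planted_at <= parse_ts(a["raised_at"]) <= cutoff
        ]
        key = (item["asset"], item["policy"])
        result[key] = (min(hits) - planted_at).total_seconds() if hits else None
    return result


def summarize(latencies):
    """Roll per-violation latencies up into the figures a CISO would track."""
    detected = [s for s in latencies.values() if s is not None]
    missed = sorted(key for key, s in latencies.items() if s is None)
    return {
        "planted": len(latencies),
        "detected": len(detected),
        "detection_rate": round(len(detected) / len(latencies), 2) if latencies else 0.0,
        "median_hours_to_detect": round(median(detected) / 3600, 1) if detected else None,
        "missed": missed,  # the policy classes the security team never caught
    }


if __name__ == "__main__":
    lat = detection_latency(PLANTED, ALERTS, as_of=parse_ts("2012-03-12T09:00:00"))
    for key, seconds in lat.items():
        print(key, "not detected" if seconds is None else f"{seconds / 3600:.1f} h")
    print(summarize(lat))
```

The `missed` list is the most useful output: a violation class that is never detected says more about a monitoring gap than a median detection time does, and it is exactly the kind of result that the 30% of organizations running this test can feed back into control tuning.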
Enterprise firms depend upon a myriad of disparate security technologies at every layer of the technology stack. Historically, these tools were purchased separately and often operated by different IT functional groups; CISOs then relied upon these individual tools in aggregate to provide a layered cybersecurity defense. Given this somewhat haphazard strategy, ESG asked which of these individual tools security professionals consider most and least effective (see Figure 25). There is a pattern here. The tools deemed most effective tend to be those with which security professionals have the most experience, like network firewalls, or those that act as independent security filters once deployed on the network (e.g., web threat management, endpoint security software). Conversely, security professionals seem to have a more difficult time with security technologies that demand custom configurations, advanced training, or advanced analysis, such as SIEM and IDS/IPS, which sit at the bottom of the list. Security technology vendors and service providers should take note: there are revenue opportunities in helping large organizations gain efficiency with these products.

Figure 25. Security Technology that Most Effectively Performs Task For Which It Was Designed
Which of the following would you say most effectively performs the tasks it was designed for (i.e., delivers effective protection, ease-of-use, strong reporting, etc.)? (Percent of respondents, N=315, multiple responses accepted)
  Network firewall: 56%
  Application firewall: 44%
  Web threat management: 40%
  Endpoint anti-malware software: 39%
  Anti-malware network gateways: 38%
  Messaging security: 37%
  Log management: 33%
  SIEM: 23%
  IDS/IPS: 22%
Source: Enterprise Strategy Group, 2012.
Situational Awareness

In addition to formal and comprehensive risk management programs, effective security management and operations depends upon a deep understanding of IT behavior. In other words, security professionals must know what represents “normal” behavior and how deviations from the norm may indicate suspicious or malicious activity. Many large organizations believe they do have the right skills and knowledge around normal and anomalous IT behavior: most respondents “strongly agree” or “agree” that they could detect suspicious activity or an attack in progress (see Figure 26). When analyzed by the ESG security management and operations model, responses aligned in a predictable manner: 50% of “leaders” responded “strongly agree,” compared to 22% of “followers” and only 10% of “laggards.”

Figure 26. Organization’s Ability to Detect Suspicious Activity or an Attack
Please respond to the following statement: I believe that my organization has a very good understanding of normal IT behavior and could easily detect anomalous/suspicious activity or an attack in progress. (Percent of respondents, N=315)
  Strongly agree: 23%
  Agree: 55%
  Neither agree nor disagree: 16%
  Disagree: 3%
  Strongly disagree: 2%
Source: Enterprise Strategy Group, 2012.

A deviation from normal behavior is only a useful indicator if it is seen while it matters, so detecting these activities requires real-time visibility. As a group, security professionals seem relatively comfortable with their organizations’ capabilities in this area: 81% rate their organization’s level of security visibility as either excellent or good (see Figure 27). As expected, levels of visibility vary by segment. Thirty-seven percent of “leaders” believe their level of security visibility is excellent, compared to 23% of “followers” and just 11% of “laggards.” Conversely, only 7% of “leaders” rated their organization’s level of security visibility as fair or poor, compared to 12% of “followers” and 34% of “laggards” (see Figure 28).
Figure 27. Level of Visibility of Security Status
Which of the following statements most accurately characterizes the level of visibility your organization has of its security status? (Percent of respondents, N=315)
  Excellent. We have set up the right data collection, analysis, and dashboards to have real-time visibility of our security status: 22%
  Good. We collect and analyze all of the necessary data but we depend upon manual processes and analysis for visibility into our security status: 59%
  Fair. We collect and analyze all of the data we can but there are some areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 15%
  Poor. We collect and analyze some data but there are many areas where we don’t have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 3%
  Don’t know: 1%
Source: Enterprise Strategy Group, 2012.

Figure 28. Level of Visibility of Security Status Analyzed by the ESG Security Management and Operations Segmentation Model
Level of visibility organization has into its security status, by segment. (Percent of respondents)
Segment | Excellent | Good | Fair | Poor | Don’t know
Leader (N=60) | 37% | 55% | 7% | 0% | 2%
Follower (N=154) | 23% | 64% | 11% | 1% | 1%
Laggard (N=101) | 11% | 53% | 26% | 9% | 2%
Source: Enterprise Strategy Group, 2012.
Security visibility is a function of collecting and analyzing a multitude of data from all IT domains throughout the enterprise. This process can be difficult as it depends upon numerous technical, organizational, and human elements. According to the security professionals surveyed, the biggest inhibitors to real-time security visibility include the need for tighter integration between security and IT operations tools (34%), the need for better security analysis and forensic skills (33%), and the need for more automated security analytics from their security tools (29%) (see Figure 29).

Figure 29. Biggest Inhibitors to Having Real-Time Security Visibility
Of the following, which are the biggest inhibitors to having real-time and comprehensive security visibility at your organization? (Percent of respondents, N=315, multiple responses accepted)
  Need tighter integration between security intelligence and IT operations tools: 34%
  Need better security analysis/forensic skills at our organization: 33%
  Need better automated analytics from our security intelligence tools: 29%
  Need for better networking visibility: 28%
  Need a better understanding of user behavior: 28%
  Need better tools to baseline normal behavior so we can detect anomalies: 27%
  Need a better understanding of application behavior: 24%
  Need a better understanding of server virtualization technology behavior: 22%
  Need a better understanding of network behavior: 22%
  Need a better understanding of host behavior: 21%
Source: Enterprise Strategy Group, 2012.
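The situational awareness discussion above rests on knowing what “normal” IT behavior looks like, and 27% of respondents in Figure 29 say they lack tools to baseline it. The following added example (not code from the ESG report) shows the minimum such a tool has to do: build a per-host baseline of daily outbound volume and known destinations from proxy-style log lines, then score new observations with a robust z-score (median and median absolute deviation) so that one large outlier in the baseline window cannot inflate the statistics and hide the next one. The log format, host names, addresses and every log line are constructed for the example.

```python
"""Baselining normal host behavior and flagging deviations from it."""
import re
from collections import defaultdict
from statistics import median

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<nbytes>\d+)$"
)

# Constructed: seven days of normal behaviour for a workstation and a backup server.
BASELINE_LOGS = [
    "2012-03-01T08:12:03 host=wks-eng-14 dst=10.1.4.20 bytes_out=1800000",
    "2012-03-02T08:15:41 host=wks-eng-14 dst=10.1.4.20 bytes_out=2100000",
    "2012-03-03T08:09:22 host=wks-eng-14 dst=10.1.4.21 bytes_out=1900000",
    "2012-03-04T08:30:10 host=wks-eng-14 dst=10.1.4.20 bytes_out=2400000",
    "2012-03-05T08:11:58 host=wks-eng-14 dst=10.1.4.21 bytes_out=2000000",
    "2012-03-06T08:14:05 host=wks-eng-14 dst=10.1.4.20 bytes_out=1700000",
    "2012-03-07T08:13:37 host=wks-eng-14 dst=10.1.4.20 bytes_out=2200000",
    "2012-03-01T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=480000000",
    "2012-03-02T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=510000000",
    "2012-03-03T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=500000000",
    "2012-03-04T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=520000000",
    "2012-03-05T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=490000000",
    "2012-03-06T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=500000000",
    "2012-03-07T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=530000000",
]

# Constructed: the next day's activity. The workstation pushes 400 MB to an
# address it has never contacted; the backup server does what it always does.
NEW_LOGS = [
    "2012-03-08T02:14:09 host=wks-eng-14 dst=203.0.113.77 bytes_out=400000000",
    "2012-03-08T03:00:00 host=srv-bkp-02 dst=10.1.9.5 bytes_out=500000000",
    "this line is malformed and is skipped",
]


def parse_line(line):
    """Return a record for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"day": m["day"], "host": m["host"], "dst": m["dst"], "bytes": int(m["nbytes"])}


def aggregate(lines):
    """Per (host, day): total outbound bytes and the set of destinations contacted."""
    daily = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed input is skipped rather than crashing the detector
        slot = daily[(rec["host"], rec["day"])]
        slot["bytes"] += rec["bytes"]
        slot["dsts"].add(rec["dst"])
    return daily


def build_baseline(lines):
    """Per host: median daily bytes, MAD of daily bytes, and known destinations."""
    totals, dsts = defaultdict(list), defaultdict(set)
    for (host, _day), slot in aggregate(lines).items():
        totals[host].append(slot["bytes"])
        dsts[host] |= slot["dsts"]
    baseline = {}
    for host, values in totals.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[host] = {"median": med, "mad": mad, "dsts": dsts[host]}
    return baseline


def robust_z(value, med, mad):
    """Modified z-score; 0.6745 rescales the MAD to be comparable with a std. dev."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect_anomalies(baseline, lines, z_threshold=3.5):
    """Flag (host, day) slots whose volume deviates or that contact unseen destinations."""
    findings = []
    for (host, day), slot in sorted(aggregate(lines).items()):
        if host not in baseline:
            findings.append({"host": host, "day": day, "reason": "no baseline for host"})
            continue
        b = baseline[host]
        z = robust_z(slot["bytes"], b["median"], b["mad"])
        new_dsts = sorted(slot["dsts"] - b["dsts"])
        if z > z_threshold or new_dsts:
            findings.append({"host": host, "day": day, "bytes_out": slot["bytes"],
                             "robust_z": round(z, 1), "new_destinations": new_dsts})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(finding)
```

A host absent from the baseline is reported rather than silently scored, since an unknown host is itself the kind of thing the “number of unapproved systems discovered on the network” metric in Figure 24 is meant to count.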
In addition to security visibility, enterprise organizations need strong incident response policies and procedures for when security attacks are detected. When it comes to incident response, security professionals surveyed by ESG report that their organizations are especially weak in areas such as performing forensic analysis to determine the root cause of problems (27%), determining which assets remain vulnerable to an attack (27%), and gathering the right data for accurate situational awareness (24%) (see Figure 30). It is also interesting, and worrisome, to note that nearly one in four organizations (23%) say that reporting security incidents, whether inside or outside the company, is not a strength of their incident response capabilities.

Figure 30. Weakest Aspects of Incident Response
Which of the following aspects of incident response are weakest at your organization? (Percent of respondents, N=315, multiple responses accepted)
  Performing forensic analysis to determine the root cause of the problem: 27%
  Determining which assets, if any, remain vulnerable to a similar type of attack: 27%
  Gathering the right data for accurate situational awareness: 24%
  Reporting security incidents externally: 23%
  Reporting security incidents internally: 23%
  Analyzing security intelligence to detect security incidents: 23%
  Altering security controls to prevent future similar incidents: 22%
  Understanding the impact and/or scope of a security incident: 20%
  Taking action to minimize the impact of an attack: 17%
  None of the above: 10%
Source: Enterprise Strategy Group, 2012.
Assessing the State of Security Information and Event Management (SIEM)

For the purposes of this project, security information and event management (SIEM) was defined as: Technology that provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services, and are also used to log security data and generate reports for compliance purposes.

According to the security professionals surveyed, 47% of large organizations have SIEM systems in place today, while another 24% plan to implement a SIEM platform in the next 12 months (see Figure 31).

Figure 31. SIEM Deployment
Based on the definition above, does your organization have a SIEM system currently deployed? (Percent of respondents, N=315)
  Yes: 47%
  No, but we plan on implementing a SIEM system in the next 12 months: 24%
  No, but we are interested in doing so: 16%
  No, no plans or interest: 9%
  Don’t know: 5%
Source: Enterprise Strategy Group, 2012.
ESG’s data suggests that organizations with SIEM solutions are an elite, security-conscious group willing to put time into implementing, learning, and tuning their SIEM systems: respondents tended to rate their SIEM feature/functionality as “highly effective” or “somewhat effective” in most areas (see Figure 32), although ease of use and visibility into both network and end-user behavior stand out as potential areas for improvement.

Figure 32. Effectiveness of SIEM
Please rate your organization’s SIEM system in the following areas: (Percent of respondents, N=147). The “not at all effective” and “don’t know” responses make up the small remainder of each row.
Area | Highly effective | Somewhat effective | Not very effective
Event detection | 46% | 41% | 10%
Scalability | 44% | 49% | 5%
Visibility into host behavior | 39% | 50% | 7%
Analytics | 38% | 51% | 10%
Visibility into network behavior | 38% | 44% | 13%
Performance | 37% | 53% | 10%
Value | 35% | 51% | 10%
Integration with other security tools | 33% | 51% | 13%
Ease-of-use | 33% | 46% | 18%
Customization for specific use cases | 31% | 55% | 10%
Visibility into user behavior | 31% | 48% | 16%
Source: Enterprise Strategy Group, 2012.
Changing Attitudes Towards Security Management

A majority of security professionals agree that security management has become “significantly more difficult” (18%) or “somewhat more difficult” (44%) than it was 24 months ago (see Figure 33). Interestingly, organizations classified as security “leaders” in the ESG security management and operations segmentation model seem to be experiencing this change the most: 33% of “leaders” say that security management is significantly more difficult than it was 24 months ago, compared to 18% of the overall survey population. ESG believes that security “leaders” are likely aggressive IT users with complex infrastructures and leading-edge applications, so it follows that security management challenges are most pronounced in these organizations. Nevertheless, the security management challenges “leaders” face today are likely a harbinger. “Laggard” and “follower” organizations should anticipate similar difficulties as they move forward with new IT initiatives and plan accordingly.

Figure 33. How Security Management has Changed Over Past 24 Months
How has security management changed over the past 24 months? (Percent of respondents, N=315)
  Significantly more difficult than it was 24 months ago: 18%
  Somewhat more difficult than it was 24 months ago: 44%
  About the same as it was 24 months ago: 30%
  Somewhat less difficult than it was 24 months ago: 3%
  Significantly less difficult than it was 24 months ago: 2%
  Don’t know / no opinion: 2%
Source: Enterprise Strategy Group, 2012.

What is making security management more difficult? ESG believes this is due to a number of factors, including:
• Increasing threat volume and sophistication.
• Security management’s strong dependency on individual skills and manual processes.
• Pervasive security skills shortages at enterprise organizations.

In addition, the introduction of new and often immature technologies can make security management and operations more complex. To test this hypothesis, ESG presented security professionals with a list of nascent IT technologies and policies and asked about their impact on security management and operations. Of these, 31% of security professionals believe that cloud computing is making security management and operations much more difficult, and 30% say the same of mobile devices (see Figure 34). While these two areas stand out, ESG believes it is worth noting that at least 40% of security professionals believe that each of the technologies or policies listed has made security management and operations more difficult to some extent. What’s more, new technologies and policies are often adopted concurrently, creating a multiplicative impact on security management and operations.

Figure 34. How Introduction of Technologies and Policies Altered Security Management and Operations
How has the introduction of the following technologies and policies altered security management and operations at your organization? (Percent of respondents, N=315)
Technology or policy | Much more difficult | Somewhat more difficult | No impact | Somewhat easier | Much easier | Don’t know / Not applicable
Cloud computing | 31% | 38% | 16% | 6% | 3% | 6%
Mobile devices | 30% | 32% | 21% | 9% | 5% | 2%
Remote worker policies | 18% | 38% | 29% | 7% | 3% | 4%
BYOD policies | 17% | 30% | 31% | 7% | 5% | 10%
Server virtualization | 13% | 38% | 32% | 10% | 4% | 2%
Web applications / SOA | 9% | 37% | 38% | 11% | 3% | 3%
Desktop virtualization | 6% | 34% | 41% | 9% | 3% | 6%
Source: Enterprise Strategy Group, 2012.

As previously mentioned, security management and operations is often based upon an error-prone mix of individual skills and manual processes. Unfortunately, these dependencies are a mismatch for today’s threat landscape and complex, highly-virtualized, and rapidly-evolving IT infrastructure. Given this incongruence, it is not surprising that more than half of large organizations are using their security and IT operations tools together to automate security remediation tasks (see Figure 35). In these automated instances, a security “event” discovered by a security analytics tool initiates some IT operations action like blocking an Ethernet switch port, creating a new firewall rule, or quarantining a server exhibiting suspicious behavior. Because such actions change the state of production infrastructure, they need the same guardrails as any other change: a confidence threshold below which the event is routed to an analyst instead, exclusions for systems whose isolation would cause an outage, and an audit record of every action taken automatically. Security management and operations “leaders” are the most aggressive in this area: 76% use security and IT operations tools in concert to automate security remediation tasks, compared to 60% of “followers” and 36% of “laggards.” This may be a function of the influence of the security organization and its relationship with other IT groups, primarily network operations. “Leaders” likely have formal shared processes, strong communications, and integrated technology tools between the security and IT operations teams. These elements act as a foundation for collective action and security automation.

According to Figure 36, the most common automated actions currently executed by ESG’s survey respondents include blocking URLs or web content (66%), generating firewall/IDS/IPS rules based upon network behavior or event detection (53%), and launching an immediate network scan as a result of some type of trigger event (51%).
Figure 35. Use of Security and IT Operations Tools in Concert to Automate Security Remediation Tasks
Does your organization use its security and IT operations tools in concert to automate security remediation tasks (i.e., block activities, disable a port, change access policy enforcement, etc.)? (Percent of respondents, N=315)
  Yes: 56%
  No, but we plan on doing so within the next 12 months: 25%
  No, but we are interested in doing so: 13%
  No plans or interest: 4%
  Don’t know: 3%
Source: Enterprise Strategy Group, 2012.

Figure 36. Automated Actions Currently Executed
Which of the following automated actions does your organization currently execute? (Percent of respondents, N=176, multiple responses accepted)
  Block URLs or web content: 66%
  Generate firewall/IDS/IPS rules based upon network behavior or event detection: 53%
  Launch an immediate network scan: 51%
  Enforce different access policies based upon device type, user location, time of day, etc.: 47%
  Remove host systems from the network based on malware detection, anomalous system behavior, etc.: 47%
  Grant limited network access: 46%
  Ask users to re-authenticate based upon some anomalous user activity: 41%
  Divert a system to a remediation VLAN/server: 26%
Source: Enterprise Strategy Group, 2012.
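The event-to-action automation described above (and the action list in Figure 36) is easiest to reason about as a small playbook engine. The following is an added example, not code from the ESG report or any vendor’s product: it maps events from an analytics tool to the Figure 36 actions (block a URL, add a firewall rule, launch a scan, move a host to a quarantine VLAN, force re-authentication) and renders each action as a command in an audit trail instead of executing it, so it runs offline. The command syntax, host names, event schema and the list of protected hosts are illustrative assumptions. The part worth keeping is the guardrails: a confidence floor below which the engine opens a ticket instead of acting, a set of hosts that are never quarantined automatically, and de-duplication so one indicator does not generate the same firewall rule twice.

```python
"""Event-driven remediation with guardrails: a minimal playbook engine."""
from dataclasses import dataclass, field

# Assumption: hosts whose isolation would cause an outage are escalated to a
# human, never auto-quarantined, whatever the detection says.
PROTECTED_HOSTS = {"dc-01", "dc-02", "srv-erp-01"}
QUARANTINE_VLAN = 999


@dataclass(frozen=True)
class Action:
    kind: str      # block_url | firewall_rule | scan | quarantine | reauth | ticket | noop
    target: str
    command: str   # rendered for the audit trail, not executed by this example


@dataclass
class PlaybookEngine:
    min_confidence: float = 0.8
    blocked_ips: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def handle(self, event):
        """Return the actions for one event and record them in the audit trail."""
        handler = getattr(self, "on_" + event["type"], None)
        if event.get("confidence", 1.0) < self.min_confidence:
            actions = [self.ticket(event, "confidence below automation threshold")]
        elif handler is None:
            actions = [self.ticket(event, "no playbook for this event type")]
        else:
            actions = handler(event)
        self.audit.extend((event["id"], a.kind, a.target) for a in actions)
        return actions

    @staticmethod
    def ticket(event, reason):
        return Action("ticket", event["id"], f"open ticket for analyst: {reason}")

    def on_malicious_url(self, event):
        return [Action("block_url", event["url"], f"proxy-cli blocklist add {event['url']}")]

    def on_c2_beacon(self, event):
        ip = event["dst_ip"]
        if ip in self.blocked_ips:
            rule = Action("noop", ip, "drop rule already present")
        else:
            self.blocked_ips.add(ip)
            rule = Action("firewall_rule", ip, f"iptables -I FORWARD -d {ip} -j DROP")
        # The beaconing host is scanned immediately as well (Figure 36: launch a scan).
        return [rule, Action("scan", event["host"], f"nmap -sV -p- {event['src_ip']}")]

    def on_malware_detected(self, event):
        host = event["host"]
        if host in PROTECTED_HOSTS:
            return [self.ticket(event, f"{host} is protected; manual isolation decision required")]
        cmd = f"switch {event['switch']}: interface {event['port']}; switchport access vlan {QUARANTINE_VLAN}"
        return [Action("quarantine", host, cmd)]

    def on_anomalous_login(self, event):
        user = event["user"]
        return [Action("reauth", user, f"idp revoke-sessions --user {user} --require-mfa")]


# Constructed sample events in the shape an analytics tool might emit.
EVENTS = [
    {"id": "E1", "type": "malicious_url", "url": "http://bad.example/x.php", "confidence": 0.95},
    {"id": "E2", "type": "c2_beacon", "host": "wks-eng-14", "src_ip": "10.1.4.14", "dst_ip": "203.0.113.77", "confidence": 0.9},
    {"id": "E3", "type": "c2_beacon", "host": "wks-eng-15", "src_ip": "10.1.4.15", "dst_ip": "203.0.113.77", "confidence": 0.9},
    {"id": "E4", "type": "malware_detected", "host": "dc-01", "switch": "sw-core-1", "port": "Gi1/0/7", "confidence": 0.99},
    {"id": "E5", "type": "malware_detected", "host": "wks-fin-22", "switch": "sw-fin-2", "port": "Gi1/0/22", "confidence": 0.99},
    {"id": "E6", "type": "anomalous_login", "user": "jdoe", "confidence": 0.6},
    {"id": "E7", "type": "port_scan", "src_ip": "10.1.4.99"},
]


def run(events, engine=None):
    """Feed events through one engine instance; returns {event id: [Action, ...]}."""
    engine = engine or PlaybookEngine()
    return {e["id"]: engine.handle(e) for e in events}


if __name__ == "__main__":
    for event_id, actions in run(EVENTS).items():
        for a in actions:
            print(f"{event_id}: {a.kind:<14} {a.target:<22} {a.command}")
```

Events E4 and E6 are the ones to look at: a malware detection on a domain controller becomes a ticket rather than a switch-port change, and a low-confidence login anomaly is handed to an analyst instead of locking a user out, which is the difference between automation the network team will tolerate and automation they will switch off.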
With security management and operations becoming increasingly difficult, many organizations will make a number of security technology strategy decisions over the next few years. Most significantly, security professionals say that their organizations will (see Figure 37):
• Design and build a more integrated enterprise security architecture. In the past, even large security-conscious organizations addressed information security risks with a series of standalone point tools deployed independently across the network. This created “islands of security” with no central command-and-control or situational awareness. The data indicates that 44% of large organizations intend to design and build a more integrated enterprise security architecture to alleviate the shortcomings of existing tactical defenses.
• Include new data sources for security intelligence. To monitor and analyze their information security status, large organizations have tended to rely on data sources like log files, NetFlow, and specialized tools like database activity monitoring (DAM) systems. A fairly large share (39%) of the enterprise organizations surveyed plan to include new data sources for security intelligence moving forward. Examples of these sources could be full IP packet capture (PCAP), user access and behavior monitoring, or external data feeds from cloud providers. This data may foretell an emerging “big data” requirement for future security analytics platforms.
Responses were fairly consistent across all segments of the ESG security management and operations segmentation model, but it is worth noting that 35% of security “leaders” say they will actively decrease the number of vendors they buy products from, compared to 23% of “followers” and 13% of “laggards.” Given the data described above, it is likely that “leaders” are looking to eschew point-tool-only vendors in favor of more enterprise-class and tightly integrated alternatives from an elite few.

Figure 37. How Security Technology Strategy Decisions Will Change
Do you believe that your organization will change its security technology strategy decisions in any of the following ways over the next 24 months in order to improve its security management? (Percent of respondents, N=315, multiple responses accepted)
  Design and build a more integrated enterprise security architecture: 44%
  Include new data sources for security intelligence: 39%
  Buy more security suites from a single vendor: 24%
  Actively decrease the number of security vendors we buy from: 22%
  We will not change our security technology strategy decisions over the next 24 months: 9%
Source: Enterprise Strategy Group, 2012.
The security professionals surveyed by ESG report a number of security management challenges that will need to be addressed moving forward. Specifically, respondents pointed to issues such as security budget constraints (50%), the amount of time spent “fire fighting” or reacting to events (30%), and a lack of appropriate security skills within IT (24%) (see Figure 38). These challenges were consistent across all three segments of the ESG security management and operations segmentation model with one exception: while 18% of the overall survey population cited a lack of executive management support, these results were heavily skewed towards “laggards.” Just 12% of “leaders” and 14% of “followers” point to a lack of executive management support as a security management challenge, compared to some 28% of “laggards.” It is safe to assume that this lack of management buy-in is a significant factor in why these organizations are ultimately classified as security “laggards.”

Figure 38. Biggest Security Management Challenges
Which of the following would you say are the biggest security management challenges at your organization? (Percent of respondents, N=315, multiple responses accepted)
  Budget constraints: 50%
  Security team spends too much of its time reacting to problems and not enough time with proactive security management or strategic planning: 30%
  Lack of the appropriate security skills within IT: 24%
  Too many security tools: 23%
  We lack the appropriate level of security intelligence to make accurate and timely decisions: 19%
  Lack of the appropriate security skills within the security team: 19%
  Lack of executive management support: 18%
  Security is not considered as part of business process and IT deployment design and planning process: 14%
  None of the above: 7%
Source: Enterprise Strategy Group, 2012.