Cybersecurity Preparedness Trends and Best Practices

1. Cybersecurity Preparedness Benchmark Study
   Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study
2. BRG Overview: over 1,000 professionals in 37 offices.
3. Study Background. Why the need for cybersecurity benchmarking?
   • Financial and non-financial consequences of a successful cyber attack
   • Governance and technology
   • Gain an understanding of how peers implement information security
   • Study results from two points of view:
     – overall results across all participants, to provide a thorough and balanced view of the current state of cybersecurity
     – an individual assessment for each participant, in which individual answers are discussed and compared against the other study respondents
4. Study Background. Target group: executive management and boards of directors from different sectors. Survey: 103 questions, approximately 60 minutes; online questionnaire with select phone interviews. Timeline: Q1 and Q2 2016; results: Q3 2016. Participants received an anonymized evaluation of participant data, including an indication of their individual answers.
5. Objectives (chart)
6. Country of Origin (chart)
7. Study Participants (charts: Primary Industry of Organization; Title or Level in Organization; Total Employees with Average FTE IT Employees)
8. Strategic Insights (section divider)
9. Growing Importance of CISO. Who does the CISO/CSO report to? (chart) 54% of organizations report that an Information Security Officer is in place.
10. Security Culture. How would you rate your organization's information security culture? (chart) 73% of organizations have a formal cybersecurity training and awareness program.
11. Cybersecurity Effectiveness. Rate the effectiveness of your organization's cyber security program. (chart) 80% of organizations report that senior managers approach information security as an enterprise risk-management issue.
12. Incident Response Capability. How would you rate your organization's cyber security incident response capabilities? (chart) 60% of organizations inform governments and regulators of cybersecurity breaches.
13. Strategic Initiatives. What strategic initiatives has your organization adopted in its security program? (chart) 90% of organizations do not have a cybersecurity strategy for the Internet of Things.
14. Board and Executive Leadership (section divider)
15. Board Engagement. Areas in which the Board of Directors actively participates: (chart) 55% of organizations report that the Board of Directors actively participates in overall cybersecurity strategy.
16. Board Influence. Areas in which board participation has helped improve your organization's information security program: (chart)
17. Board Oversight. How does the board oversee cyber security-related issues? (chart)
18. Leadership Support & Focus. How would you rate the organizational leadership support for cybersecurity? Rate senior management focus on information security. (charts)
19. Feedback Mechanisms. How do you measure the effectiveness of the organization's cyber security program? (chart) 69% of organizations rely on auditors, both internal and external, as a measure of their cybersecurity effectiveness.
20. Managing Security Risk (section divider)
21. Cybersecurity Risk Assessments. Has your organization performed a cyber risk appetite assessment? Has your organization performed a cyber threat assessment? (charts) 47% of organizations do not believe that leadership has a functional understanding of their network security.
22. Documented Procedures. Are formal security and operational procedures documented? (chart) 91% of organizations document their cybersecurity policies and procedures.
23. Improvement & Awareness. Areas for improvement and awareness programs? (chart)
24. Executive Briefings. How often does executive management receive periodic briefings on the state of your organization's network security system? (chart) 30% of executive management receive a briefing once every six months or less often.
25. Systems and Controls (section divider)
26. Security Standards. Which information security standard and best practice does your organization follow? (chart) 37% of organizations use ISO 27001, with financial services at 43%.
27. Controls Testing. Are security controls and business continuity plans tested on a regular basis? (chart)
28. System Reviews. How often are the security controls of the enterprise systems and interconnected systems reviewed? (chart) 24% of organizations do not routinely test security controls and business continuity plans.
29. Self-assessments. How often are self-assessments conducted? (chart) 30% of organizations do not routinely undertake self-assessments.
30. External Assessments. How often are external security assessments conducted? (chart)
31. External Service Providers & Vendors. What steps has your organization taken to obtain assurances from external service providers and vendors that their security meets standards? (chart) 63% of organizations have ensured that external service provider and vendor contracts include provisions for security.
32. Governance and Reporting (section divider)
33. Risk Management Effectiveness. Rate your organization's cyber security risk management program. (chart) 42% of organizations somewhat agree, and only 7% strongly agree, that cybersecurity risks are being considered in business decision making.
34. Information Governance Capabilities. Rate your organization's cyber security information governance capabilities. (chart) 56% of organizations rate their information governance capabilities as only 'slightly' or 'somewhat' effective.
35. IS Governance Maturity. Rate your company's information security governance maturity level. (chart)
36. IT Risk Management Maturity. Rate your company's IT risk management maturity level. (chart)
37. Cloud Computing Maturity. Rate your company's cloud computing maturity level. (chart) 57% of organizations do not allow the use of public cloud services.
38. Regulatory & Government Reporting. Does the organization's incident response plan outline regulatory and governmental notification protocols for breaches? (chart) 57% of organizations are required by regulatory and government agencies to disclose system breaches.
39. Breaches and Incidents (section divider)
40. Type of Cybersecurity Breaches. What type of breaches did your organization experience? (chart) 46% of organizations report having experienced a cybersecurity breach; 51% of organizations do not believe they are well equipped to handle a breach.
41. Sources of Breaches. What was the estimated source of data breach incidents? (chart) 45% of organizations report current employees as the most likely source of cybersecurity breach incidents.
42. Staff-related Incidents. What type of staff-related incidents did the organization experience? (chart)
43. Key Observations
   • Despite a strong focus on cybersecurity culture, many organizations do not believe their cybersecurity programs are fully effective: 45% of respondents reported that they needed to improve security awareness and training.
   • Current employees are the likely cause of most cybersecurity breaches: respondents reported that current employees were the likely source of 45% of data breach incidents, followed by hackers (22%) and former employees (13%).
   • Viruses and malicious software are the most common breaches: infections from viruses or malicious software accounted for 39% of all data breaches, followed by system failures or data corruption at 35%.
44. Key Observations (continued)
   • Most organizations do not have strategies for the emerging fields of the Internet of Things or Big Data: 90% of respondents have no cybersecurity strategy for the Internet of Things, and 86% have none for Big Data.
   • Organizations lack confidence in their cybersecurity incident response capability: 65% of respondents reported having a formal cyber incident response plan, and 60% had incorporated regulatory and government notification protocols for breaches. However, when asked whether their organization was well equipped to handle a cyber breach, 51% of respondents were neutral or disagreed.
   • Organizations anticipate an increase in information security budgets: 54% of respondents expected an increase in their 2016 cybersecurity budget. However, 48% of respondents were neutral or disagreed when asked whether leadership allocated an adequate budget for cybersecurity efforts.
45. Recommendations: 5 Steps to Prepare for a Data Breach
   1. Hire experts
   2. Establish a plan of action
   3. Train your staff
   4. Identify problems
   5. Learn from your mistakes
46. Recommendations
   Board & Executive Leadership Engagement and Buy-In
   • Review and approve the cyber risk appetite and tolerance at board level
   • Ensure the board has sufficient cybersecurity expertise and/or access to such expertise
   Security Culture
   • Build cybersecurity into all activities and develop enterprise-wide cyber risk management strategies and procedures
   • Incorporate cybersecurity within business strategy and risk management frameworks
   Documented Vendor Protocols
   • Develop procedures to identify and manage cyber risks associated with outside vendors, suppliers, customers, utilities, and other external organizations and service providers
   • Include contractual provisions to conduct cybersecurity audits
   External Audits
   • Undertake testing that includes the potential for multiple attacks and the impact of interruptions on critical infrastructure
   • Ensure there is a robust cyber resilience and incident response program
   Qualified Talent
   • Proactively undertake cyber threat intelligence gathering and ongoing security analytics
   • Invest in your people to ensure there is high awareness of, and ownership for, cybersecurity across the organization
47. Recommendations: Cybersecurity Workforce Development
   • Early-stage collaboration is needed to show the connection points between corporate and academic institutions
   • The National Cybersecurity Framework and cybersecurity education need to be aligned
   • Anticipate use cases for:
     – organizing the academic curriculum
     – workforce roles and responsibilities
     – professional certifications
   (Diagram: National Cybersecurity Education Initiative; National Cybersecurity Awareness; Formal Cybersecurity Education; Cybersecurity Workforce Structure; Cybersecurity workforce training & professional development)
48. The full study is available at: http://www.thinkbrg.com/media/publication/828_CSPBS_Report.pdf
   Contacts:
   Tony Moroney | Managing Director | International Financial Services
   Berkeley Research Group, LLC, 6 New Street Square, 15th Floor, London, EC4A 3BF
   D +44 (0) 20 3597 5167 | M +353 87 2556947 | F +44 (0)20 3808 2784
   tmoroney@thinkbrg.com | thinkbrg.com
   Faisal Amin | Director | Benchmarking & Strategic Research
   Berkeley Research Group, LLC, 700 Louisiana Street, Suite 2600, Houston, TX 77002
   D 713.493.2552 | O 713.481.9410 | M 281.788.9573 | F 832.862.2284
   famin@thinkbrg.com | thinkbrg.com