The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise

1. A report from The Economist Intelligence Unit Sponsored by The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise

2. © The Economist Intelligence Unit Limited 20161 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Executive summary 2 Research methodology 3 Findings of the survey 4 Conclusion 10 Appendix: survey results 12 Contents

3. © The Economist Intelligence Unit Limited 20162 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise No company wants to be the next headline in the aftermath of a massive data breach, so you might think cyber-security strategies run like well-oiled machines. Not so, according to a new global survey by The Economist Intelligence Unit (EIU), sponsored by VMware. Instead, the research found a systematic disconnect between C-suite executives and senior technology leaders—a divide that can imperil the security of the firm. l Corporate leadership and security executives do not share the same commitment to cyber-security—cyber- security ranks as the number one priority for security leaders, but only number nine for the C-suite.1 l The C-suite focuses on the strategic implications of cyber-security—primarily the impact of a cyber-attack on the firm’s reputation or brand. The security function takes a tactical focus on assets—customer data, regulated information, apps, etc. l The two segments are not in sync on the priority of assets for protection—a significant disconnect as many firms move to a flexible, priority-based defence system. l Over 30% of security professionals expect a major and successful attack on the firm within 90 days, whereas only 12% of C-suite executives share that sense of urgency. 1 For the purposes of this survey, the Chief Information Officer was included in the security leadership segment. Please see Research methodology on the next page. l This level of concern escalates—nearly 40% of security executives, and 25% of C-suite members, project a successful attack within three years. l One area of agreement is on the origins of future threats; both segments worry about new technologies—such as cloud computing and BYOD (bring your own device)—that act as points of entry for unknown, unguarded-against threats. l Security functions remain committed to traditional security solutions such as firewalls, identity management etc. Many are pursuing a “defend all” approach, making it difficult to prioritise defences. l The C-suite, which makes budget decisions, is not likely to allocate the budgets that the security executives believe is necessary to protect the firm, or that match the expected escalation of threat levels. This executive cyber-chasm creates imperatives for both segments. The C-suite needs to better understand the vulnerability of their business, and in particular how threats may escalate. The security/IT team needs to bring itself into alignment with the C-suite’s more strategic view of cyber-security within the firm’s operations. Finally, the security function must manage its expectations on the funding that will be provided to support cyber-defences, or adopt more flexible and lower-cost solutions. Executive summary

4. © The Economist Intelligence Unit Limited 20163 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise In January-February 2016, the EIU, sponsored by VMware, surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security. The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total. This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs). Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts. Research methodology

5. © The Economist Intelligence Unit Limited 20164 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Mismatched perceptions of urgency and risk Perhaps the most important decision a company can make about cyber-security is its importance. The C-suite and security leadership simply do not agree on the priority that it should be given. By a large margin security executives rank cyber-security as the number one corporate initiative for their company. This is not surprising—after all, this group is directly responsible for corporate security strategies and their careers will be on the line if a serious breach occurs. The disconnect is that despite years of news reports about destructive data breaches at leading firms, security ranks near the bottom of the C-suite’s priority list. Only 5% of C-suite executives consider it the highest priority corporate initiative—second to last on a list of ten major corporate initiatives. Instead, the C-suite focuses on growth issues such as acquiring customers and growing internationally. Marc Goodman is the founder of the Future Findings of the survey Source: Economist Intelligence Unit survey, 2016 CHART 1 Which of the following corporate initiatives has the highest priority in your company? Select one. (% respondents) C-suite Security leadership Growing internationally Acquiring new customers Supporting global growth Ensuring regulatory compliance Reducing costs Fostering innovation and creativity Launching new products and services Meeting sustainability goals Protecting against cyber-attacks Hiring and keeping the best people Protecting against cyber-attacks Acquiring new customers Ensuring regulatory compliance Launching new products and services Supporting global growth Growing internationally Fostering innovation and creativity Reducing costs Meeting sustainability goals Hiring and keeping the best people 16 16 15 13 11 8 7 6 5 3 35 14 12 9 7 6 6 5 4 3

6. © The Economist Intelligence Unit Limited 20165 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Crimes Institute, and has consulted for international law enforcement agencies. He is not surprised by the C-suite attitudes. “Any good CEO focuses on making more money, while preventing losses is still seen as a necessary evil,” he says. “Corporate risk management is something that needs to be managed, but it’s not something that CEOs get up in the morning and feel excited about.” But while it may not be a surprise that cyber-security ranks below business growth on the C-suite agenda, it also trails other governance issues such as regulatory compliance and sustainability. This may be an indication that executive boards are not giving security the attention it deserves. This lack of commitment can have direct implications for firms’ security posture, by limiting funding and diminishing the impetus for organisational change. Total information security is an impractical goal, so companies need to prioritise their more valuable or vulnerable assets. Unfortunately, this study reveals that the C-suite and security leadership are not in sync on what needs to be protected the most. The C-suite’s priorities are clear –their primary single concern is to safeguard the reputation and brand of the firm. In contrast, security executives are focused on the data and the software—regulated data, customer information, applications, services, etc. Industry research corroborates these findings. “Most institutions do not have enough insight into what information assets they need to protect with what priority,” according to Risk and Responsibility in a Hyperconnected World, a report from the World Economic Forum and McKinsey & Company.2 “Going forward, cybersecurity teams need to work with business leaders to understand business risks (for example, loss of proprietary information about a new manufacturing process) across the entire value chain and prioritize the underlying information assets accordingly.” This mismatch in priorities also speaks to a broader disconnect between management 2 http://www.mckinsey.com/business-functions/business- technology/our-insights/risk-and-responsibility-in-a- hyperconnected-world-implications-for-enterprises Source: Economist Intelligence Unit survey, 2016 CHART 2 What is the single most important asset in your company that needs to be protected from cyber-attacks? Select one. (% respondents) C-suite priorities Security leadership priorities Our reputation with our customers Private intra-company communications Strategic plans and initiatives Regulated data Customer information Applications and services Proprietary processes Product specifications and pricing Proprietary research Employee information Liquid financial assets that could be stolen Regulated data Customer information Our reputation with our customers Applications and services Strategic plans and initiatives Private intra-company communications Proprietary processes Employee information Proprietary research Liquid financial assets that could be stolen Product specifications and pricing 25 14 12 12 10 8 6 6 4 3 1 25 20 16 14 7 6 5 4 3 1 1

7. © The Economist Intelligence Unit Limited 20166 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise and IT. The C-suite is thinking about the consequences of the breach—a strategic perspective. The security leadership remains heavily focused on information, data and applications—a tactical approach. This is not just a difference of opinion—the divergence manifests itself in the structure of the firm’s defences (see chart 3). The security function’s cyber-defence efforts appear to track the priorities of the security function—with less effort and resources directed to the priorities of the company’s leadership. Accepting that the C-suite knows the broader interests of the firm, this implies that the most key assets are under-protected. Another glaring mismatch between business and security leadership is in their relative perception of the risk of a security breach. For example, almost a third (31%) of senior security executives believe that their company is either extremely or very vulnerable to a major cyber-attack within 90 days—an alarming number in its own right. But only 12% of C-suite members share this view and this urgency. This is a serious disconnect between those who lead their companies and those who are charged with protecting it. Similarly, 39% of security executives expect that their company will suffer a major breach within five years, versus just 27% of C-suite executives. There is, however, broad agreement on the sources of cyber insecurity. Four out of ten C-suite respondents (40%), and a third of security leaders (34%), see cloud architecture Source: Economist Intelligence Unit survey, 2016 CHART 3 Comparison of C-suite priorities and security implementation Select one. (% respondents) C-suite Priority of assets to be protected Security leadership Assets—level of confidence in their protection Our reputation with our customers Private intra-company communications Strategic plans and initiatives Regulated data Customer information Applications and services Proprietary processes Product specifications and pricing Proprietary research Liquid financial assets that could be stolen Regulated data Customer information Strategic plans and initiatives Proprietary research Our reputation with our customers Proprietary processes Applications and services Private intra-company communications Product specifications and pricing Liquid financial assets that could be stolen 25 14 13 12 10 8 6 6 4 1 51 47 45 41 40 30 25 22 21 17 Source: Economist Intelligence Unit survey, 2016 CHART 4 A serious cyber-attack is one that succeeds in breaching your company’s defences and causes harm to the business. How likely is it that your firm will experience such an attack within the following time frames? (% respondents) C-suite Security executives Within 90 days Within one year Within three years Within five years 12 31 23 40 25 38 27 39

8. © The Economist Intelligence Unit Limited 20167 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise as one of their company’s greatest sources of security risk. There is similar agreement on penetration through non-standard devices (BYOD). The C-suite clearly believes that cyber- security activity is taking a toll on critical functions—stifling innovation, slowing responses to competitors, delaying the launch of new products etc. Notably, they also see it as a major diversion of budgeted funds and, above all, a drain on management time and effort (including their own). The IT leadership needs to understand the perspective of the C-suite—as important as cyber-security is, it is one of many contending corporate priorities. The C-suite is seeking to balance its constraint with an effective organisation. If the security executives are out of sync with this holistic thinking, the programmes they advance may be underfunded, rejected, or simply not acted upon by the larger organisation. This is another disconnect that can lead to vulnerabilities within the firm. Source: Economist Intelligence Unit survey, 2016 CHART 5 What do you believe is the greatest risk or vulnerability of your firm to cyber-attack? Select one. C-suite Security leadership Cloud architecture Penetration through non-standard devices (BYOD) Undersized & underfunded security Threats that move faster than our defences Careless or untrained employees Outdated security software Penetration through suppliers/customers Out of date internal systems Ex-employees Senior management that does not get security Rogue employees Threats that move faster than our defences Cloud architecture Penetration through non-standard devices (BYOD) Careless or untrained employees Outdated security software Undersized & underfunded security Out of date internal systems Penetration through suppliers/customers Ex-employees Senior management that does not get security Rogue employees 40 39 31 30 27 23 14 14 8 7 2 36 34 34 28 23 16 15 10 9 5 3 Source: Economist Intelligence Unit survey, 2016 CHART 6 How has the threat of cyber-attacks, and the effort it takes to mitigate it (cyber-security), impacted the current operations of your company? (% respondents) C-suite Security executives Absorbs too much management time Reduces employee efficiency Slows competitive response Impedes product launches Absorbs too much capital Stifles collaboration Impedes new market entry Stifles innovation 54 25 46 23 45 22 45 20 43 23 33 24 33 26 32 24

9. © The Economist Intelligence Unit Limited 20168 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise The threats—perception of where future cyber-risk will come from One area where there is broad agreement between the C-suite and security executives is on the sources of future cyber-risk—the areas of greatest risk or vulnerability to the firm. Both groups share the highest levels of concern around the growing adoption of cloud architecture, along with new vulnerabilities stemming from non-standard hardware related to employee BYOD policies. These are not so much threats in themselves, but are instead the portals that future cyber- attackers can enter through. What both groups fear is the unknown—the potential to create threats that we don’t know about yet. These are the threats that cannot be controlled. While there is general agreement on future threats, there is divergence on the ”threats that move faster than our defences.” Security leaders register a higher level of concern—36% versus 30% for C-suite members—in this critical category. Again, this may indicate a dangerous lack of appreciation by the C-suite on the rapid mutation of the cyber-attack community. The nature of cyber-defences Security professionals understand they’ll continue to play a cat-and-mouse game with hackers. Whenever a defence emerges to block the latest threat, sophisticated cyber- thieves quickly unveil a new and often more insidious exploit. So it’s not surprising the commitment CIOs and CISOs continue to hold for tactical responses, such as firewalls, anti-virus software and cloud-based security solutions. All of the solutions presented are deemed essential to security strategies by the security professional respondents. However, the C-suite does not appear to share the same confidence in these approaches. Across all categories, the C-suite assigns significantly lower importance to these solutions—and they are the ones who write the cheques. To be sure, most of these solutions will remain essential, like locks on the front door of a home. But in a world where the cyber- security stakes are so high, tactical solutions alone won’t stop data breaches. “The traditional approach holds that we are going to use anti-virus, firewalls and intrusion detection to create big moats so that when the barbarians attack, we’ll see them coming and repel them,” Mr Goodman says. “That’s an outdated model of security for today. The new model acknowledges that the barbarians Source: Economist Intelligence Unit survey, 2016 CHART 7 Threats that move faster than our defences (selected as future threat to the business) (% respondents) C-suite executives Security leadership 30 36 Source: Economist Intelligence Unit survey, 2016 CHART 8 Please indicate the importance of the following factors in your security strategy. (% respondents) C-suite Security executives Cloud-based security solutions Firewalls Anti-virus solutions Mobile security Post-incident response Software back-up and recovery Unified threat management Identity & access management End point solutions (eg VPN) 29 48 24 50 24 45 24 49 23 27 22 52 16 23 15 24 8 30

10. © The Economist Intelligence Unit Limited 20169 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise aren’t at the gate, they’ve overrun the gate and it’s imperative for the CISO to actively hunt them down and get them off the network. It’s about remediation and resilience because the bad guys are already here.” Funding—paying for cyber-defences Funding presents a real challenge to a “defend everything” strategy. In every line of defence, the C-suite demonstrates a significantly lower commitment to fund these projects. On average, their level of commitment is less than half that of the security leadership. Threats grow more than budgets Having the C-suite and security staff on different pages about the urgency, trade-offs and nature of cyber-risks means they can’t collectively do everything necessary to protect against current and future exploits. For example, the business leaders may not provide the financial support needed to stop sophisticated attacks. The survey illustrates this with responses that show only modest funding increases in the months ahead. Clearly, the security professionals would like to see additional financial resources to fight today’s threats. In reality they may have to manage escalating security risk with much smaller budgets than they might like. Source: Economist Intelligence Unit survey, 2016 CHART 9 Please indicate your firm’s funding priority for the following cyber-security solutions. (% of respondents who designated the category a funding priority) C-suite Security executives Firewalls Mobile security Software back-up and recovery Cloud-based security solutions Anti-virus solutions Post-incident response Identity & access management Unified threat management End point solutions (eg VPN) 12 31 11 35 10 34 9 29 9 28 7 16 6 20 4 14 2 17 Source: Economist Intelligence Unit survey, 2016 CHART 10 Respondents who foresee a large increase in cyber-security funding (more than 25%) (% of respondents who foresee a major increase in cyber-security funding) C-suite Security executives Current-year funding Next-year funding 8 28 7 27

11. © The Economist Intelligence Unit Limited 201610 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Conclusion Why is there a disconnect over something as crucial as cyber-security? One explanation lies in the different roles and responsibilities of each group. The C-suite sees the organisation holistically, as it tries to balance the full range of business, technology and operational matters. Historically, security staff have followed a more tactical path as they defend against highly organised, nation- state attackers, as well as opportunistic hackers and untrustworthy insiders. But these differences alone don’t tell the whole story. The research shows signs of wider problems, including missed opportunities for better communication between security staff and senior executives. The implications are clear. Enterprises need a united front against the growing number and sophistication of attacks, and any disconnect between key stakeholders about cyber-vulnerabilities and the urgency of responses could result in company management not providing adequate resources and budgets for security officials to succeed. The challenge is particularly significant given the ambitious, multi-defence security programmes that security experts are advocating today. Potentially, this could delay responses to existing threats or keep organisations from proactively taking steps against emerging risks. Fortunately, security professionals can foster closer alignment by building on their status as protectors of critical corporate assets. First, security personnel must redouble efforts to inform the C-suite of the growing seriousness of cyber-threats. At the same time, security specialists must grasp the reality that they will likely have to depend on existing programs and relatively modest budget increases to effectively defend against a rising onslaught of more-sophisticated cyber-attacks. CIOs and CISOs must incorporate the wider perspective of senior business executives into their security planning so they can demonstrate to the C-suite how cyber-security supports the firm’s core strategic goals. “There’s this major disconnect between people who want to build companies and those whose job it is to protect them because the protectors haven’t done a good job in framing cyber-security as a key business enabler,” says Mr Goodman. “Cyber-security shouldn’t be seen as the thing that costs you money. It’s something that will help you adopt new technologies so you can enhance corporate growth by delivering new products and services to your customers.” Security executives need to configure their cyber-defences to match the needs of the firm. “Current models for protecting institutions from cyber-attacks are becoming less and less effective,” according to the World Economic Forum and McKinsey report. “They are technology-centric and compliance-driven. They do not effectively involve senior business leaders. They are highly manual and require specialized talent. As a result, they do not scale, given an increasing volume of attacks, and they place too high a burden on the

12. © The Economist Intelligence Unit Limited 201611 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise business. All too often security is the choke point for any innovative business initiative.” Finally, just as threats are escalating, so are the responses of firms. Effective cyber- defences are going to involve all personnel, cross siloes, and even extend to customers and suppliers. This absolutely requires the alignment and the commitment of the C-suite. This is a chasm that the security leadership will need to cross.

13. © The Economist Intelligence Unit Limited 201612 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Appendix: survey results Percentages may not add to 100% owing to rounding or the ability of respondents to choose multiple responses. Protecting against cyber-attacks Acquiring new customers Ensuring regulatory compliance Growing internationally Supporting global growth Fostering innovation and creativity Reducing costs Launching new products and services Meeting sustainability goals Hiring and keeping the best people Which one of the following corporate initiatives has the highest priority in your company? Select one. (% respondents) 16 15 12 12 10 9 8 8 7 3

14. © The Economist Intelligence Unit Limited 201613 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Not confident at all Somewhat not confident Slightly confident Very confident Extremely confident Don’t know Customer information Regulated data (eg healthcare records) Private company communications Proprietary processes Applications and services Strategic plans and product launches Product specifications and pricing Proprietary R&D Liquid financial assets that can be stolen Our reputation with our customers What is the single most important asset in your company that needs to be protected from cyber-attacks? Select one. (% respondents) 3 21 35 40 1 4 20 33 42 2 1 10 28 38 21 2 1 7 27 38 26 1 1 7 27 40 24 2 4 22 34 38 1 2 9 30 38 20 2 5 22 35 36 2 2 9 29 40 19 1 3 22 33 40 1 Our reputation with our customers Regulated data (eg patient healthcare records, classified information, etc) Customer information Private intra-company communications Applications and services Strategic plans and launches Proprietary processes Product specifications & pricing Proprietary research and development Employee information Liquid financial assets that could be stolen Don’t know What is the single most important asset in your company that needs to be protected from cyber-attacks? Select one. (% respondents) 20 19 15 9 9 9 6 4 4 3 1 1

15. © The Economist Intelligence Unit Limited 201614 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Not at all vulnerable Not very vulnerable Somewhat vulnerable Very vulnerable Extremely vulnerable Don’t know What is your perceived level of risk facing your company from cyber-attack? Select one. (% respondents) 8 47 26 12 7 0 Very unlikely Somewhat unlikely Neither likely nor unlikely Somewhat likely Very likely Within three months Within one year Within three years Within five years A serious cyber-attack is one that succeeds in breaching your company’s defences, and causes significant harm to the business. How likely do you think your firm will experience such an attack in the following time frames? Select one for each row. (% respondents) 15 43 20 16 7 11 31 24 22 11 8 26 33 22 11 7 25 35 22 12 Cloud architecture Threats that move faster than our defences Penetration through non-standard employee devices (BYOD) Employees who are careless or untrained in cyber-security An undersized and underfunded security team Outdated security software and systems Poor or out-of-date internal systems (authentication, passwords, etc) Penetration through external partners such as suppliers or customers Senior management that does not understand or is uninformed about cyber risk or security Ex-employees Rogue employees None of the above Don’t know What do you believe is the greatest risk or vulnerability of your firm to cyber-attack? Select the top three. (% respondents) 35 34 32 27 24 20 15 13 7 7 2 2 1

16. © The Economist Intelligence Unit Limited 201615 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Theft of customer data Malware attacks that infect important company data and records Theft of intellectual capital—proprietary process designs Theft of intellectual capital—product designs Public disclosure of sensitive intra-company communications Cyber theft of financial assets (eg corporate cash accounts) A breach that becomes public in the media Use of “ransomware” to extort payment Denial of service attacks that bring your online systems down None of the above Don’t know Which one of the following types of attack, if successful, would cause the greatest harm to your company? Select one. (% respondents) 27 18 11 10 9 9 5 4 4 1 1 Theft of customer data Malware attacks that destroy important company data and records Cyber-theft of financial assets (eg corporate cash accounts) Public disclosure of sensitive intra-company communications Any breach that creates public media coverage Theft of intellectual capital—product designs Theft of intellectual capital—proprietary process designs Denial of service attacks that bring your online systems down Use of “ransomware” to extort payment None of the above Don’t know Which one of the following do you think is the most likely to seriously attack your firm within the next year? Select one. (% respondents) 22 20 12 9 6 6 6 4 1 10 3

17. © The Economist Intelligence Unit Limited 201616 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Losing our customer’s trust as a safe company to do business with Loss of competitive information such as pricing or product plans Loss of intellectual capital to competitors Regulatory action due to loss of restricted data Public disclosure of sensitive internal discussions Loss of significant internal funds due to theft Litigation due to loss of third-party data Our online sites being taken down for significant periods None of these Don’t know Which of the following would cause the most damage to your company due to a successful cyber-attack? Select one. (% respondents) 37 24 14 9 8 3 1 1 1 1 No impact Low impact Medium impact High impact Very high impact Don’t know High cost of funds diverted to cyber security Stifling employee innovation Slowing response time to customers or competitors Impeding the sharing of information amongst employees Reducing the everyday efficiency of employees Impeding the launch of new products Ability to enter new markets Management time and effort How has the threat of cyber-attacks, and the effort it takes to mitigate it (cyber-security), impacted the current operations of your company? Select one in each row. (% respondents) 16 14 34 24 9 2 18 19 27 23 8 5 16 15 33 25 8 3 15 16 32 27 8 3 12 18 33 27 7 2 17 16 32 27 6 3 20 15 29 27 9 1 11 23 27 27 11 1

18. © The Economist Intelligence Unit Limited 201617 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Strongly disagree Somewhat disagree Neither agree nor disagree Somewhat agree Strongly agree Don’t know Cyber-risk is a challenge that our company can effectively meet Our cyber-security system should be capable of detecting and stopping any cyber-attack Cyber-security should be a standing item on board meeting agendas Cyber-security is and should remain the domain of IT security specialists Effective cyber-security can be achieved with enough investment in hardware and software Effective cyber-security can be achieved without the involvement of the senior management Our company’s cyber-security capabilities evolve quickly enough to keep pace with cyber-risk To what extent do you agree with each of the following statements? Select one in each row. (% respondents) 1 6 20 39 32 2 1 8 26 41 22 3 1 8 27 41 21 2 1 5 21 36 35 2 6 19 37 35 3 1 10 23 38 26 3 1 7 27 39 24 3 Strongly disagree Somewhat disagree Neither agree nor disagree Somewhat agree Strongly agree Don’t know Please state your level of agreement with the following statement. “We now have enough resources (funding, people and technology) dedicated to cyber-security to meet the current cyber-risk challenge.” Select one. (% respondents) 0 3 10 45 41 1 Budgets should decrease No change Budgets should be increased by about 10% Budgets should be increased by about 25% Budgets should be increased by about 50% Budgets should be increased by about 75% or more Don’t know How much, if at all, should your company’s budget for cyber-security be increased in 2016? Select one. (% respondents) 0 3 62 26 5 0 3

19. © The Economist Intelligence Unit Limited 201618 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Strongly disagree Somewhat disagree Neither agree nor disagree Somewhat agree Strongly agree Don’t know Our cyber-security personnel have the necessary skills to maintain cyber-security Recruiting and retaining specialised personnel is a challenge in maintaining effective cyber-security at our firm To what extent do you agree with the following statements assessing your current security personnel needs? Select one in each row. (% respondents) 1 7 33 56 3 5 21 32 33 9 Strongly disagree Somewhat disagree Neither agree nor disagree Somewhat agree Strongly agree Don’t know To what extent do you agree your current security team and systems can meet the challenge of cyber-attacks? Select one. (% respondents) 0 1 7 32 59 1 Strongly disagree Somewhat disagree Neither agree nor disagree Somewhat agree Strongly agree Don’t know/ Not applicable Our company’s security strategy is to focus on security tools—firewalls, antivirus, passwords etc—that block current attacks Our company’s security strategy focuses on a security architecture that provides comprehensive protection against cyber-attacks Please provide your assessment of your company’s security strategy by selecting one response for each statement. (% respondents) 1 9 43 45 2 1 5 30 61 3 Strongly disagree Somewhat disagree Neither agree nor disagree Somewhat agree Strongly agree Don’t know/ Not applicable I have confidence that our security team can protect the company from cyber-attacks Our security team effectively communicates to the board/C-suite on cyber-security issues I believe that our company’s board/C-suite provides the right amount of time and attention to cyber-security issues I believe our board/C-suite is appropriately informed on cyber-security issues Please provide your assessment of your company’s current cyber-security capabiilties. Select one in each row. (% respondents) 5 15 41 33 6 5 21 33 36 5 5 11 28 50 5 5 14 29 46 6

20. © The Economist Intelligence Unit Limited 201619 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Very unimportant Somewhat unimportant Neither important nor unimportant Somewhat important Very important Don’t know How important is fiduciary liability in board/C-suite decisions about cyber-security? Select one. (% respondents) 0 1 13 22 63 1 Not a factor Not important Important Very important Critically important Don’t know Firewalls Identity and access management End point solutions (eg VPN) Unified threat management Cloud-based security solutions Anti-virus solutions Mobile security Post-incident response Data software (back-up and recovery) Please indicate the importance of the following factors in your security strategy. Select one in each row. (% respondents) 4 24 32 39 1 6 34 38 21 1 1 6 31 38 24 1 8 32 38 20 2 3 24 32 38 2 5 24 34 35 3 1 6 22 32 38 1 1 6 29 37 24 2 3 25 31 39 2

21. © The Economist Intelligence Unit Limited 201620 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Funding will be reduced Funding will remain the same Funding will increase modestly Funding will increase significantly Funding priority increase Firewalls Identity and access management End point solutions (eg VPN) Unified threat management Cloud-based security solutions Anti-virus solutions Mobile security Post-incident response Data software (back-up and recovery) Please indicate your firm’s funding priority for the following cyber-security solutions by selecting one response for each solution. Select one in each row. (% respondents) 1 32 32 15 21 2 31 40 14 13 2 33 39 15 11 2 38 39 13 9 3 27 33 17 20 2 35 27 18 18 5 29 28 15 23 4 34 38 12 11 2 28 32 15 22 Decrease in budget Stay the same 0-25% increase 26-50% increase 51-75% increase 76-100% increase >100% increase Don’t know Last year Current year Next year Please provide an estimate of the change in your company’s annual security budget in the past year, current year and next year. Select one in each row. (% respondents) 26 50 20 2 1 22 48 19 5 6 21 49 19 4 7

22. © The Economist Intelligence Unit Limited 201621 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Decrease Stayed the same 0-25% increase 26-50% increase 51-75% increase 76-100% increase >100% increase Don’t know Total attacks Theft of consumer data Use of ransomware to extort payment Denial of service attacks Theft of intellectual capital Malware attacks that destroy important company data and records Public disclosure of important company intra-communications Cyber theft of financial assets (eg corporate cash accounts) Please provide an estimate of the change in cyber-attacks on your firm in the past year over the previous year. Select one in each row. 1 23 49 20 5 11 1 25 48 18 6 11 1 25 48 19 6 1 1 27 49 16 6 1 1 26 46 18 7 1 1 27 46 20 5 11 1 25 46 19 6 1 2 1 25 46 18 7 2 Australia China India Japan France Germany Netherlands UK US Brazil Mexico Sweden Denmark In which country are you personally located? Select one. (% respondents) 9 9 9 9 8 8 8 8 8 7 7 4 3 $500m to $1bn $1bn to $3bn $3bn to $5bn $5bn to $10bn Over $10bn What are your organisation’s global annual revenues in US dollars? Select one. (% respondents) 67 22 9 2 0

23. © The Economist Intelligence Unit Limited 201622 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Board member CEO/President Chief financial officer/Head of finance Chief strategy officer/Head of strategy Chief marketing officer/Head of marketing Chief operating officer/Head of operations Chief information/technology officer/Head of technology/IT Chief risk office/Head of risk Chief security officer/Head of security Chief sales officer/Head of sales Chief data officer Other C-level executive Managing director SVP/VP/Director Which of the following best describes your title? Select one. (% respondents) 0 1 6 1 5 6 19 3 4 3 1 1 0 50 IT/Technology Marketing and sales Operations and production General management Finance Business development Security Risk Strategy Supply-chain management Human resources R&D Legal Other What is your main functional role? Select one. (% respondents) 26 16 15 10 9 5 5 4 4 3 1 1 0 2 Entertainment, media and publishing Healthcare, pharmaceuticals and biotechnology Telecoms Manufacturing Transportation, travel and tourism Consumer goods Retailing Chemicals Financial services Automotive Agriculture and agribusiness Construction and real estate IT and technology Logistics and distribution Aerospace and defence Energy and natural resources Government/Public sector Professional services Education What is your primary industry? Select one. (% respondents) 9 9 9 8 8 7 7 6 6 5 4 4 4 4 2 2 2 2 1

24. © The Economist Intelligence Unit Limited 201623 The cyber-chasm How the disconnect between the C-suite and security endangers the enterprise Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in the report.

25. London 20 Cabot Square London E14 4QW United Kingdom Tel: (44.20) 7576 8000 Fax: (44.20) 7576 8476 E-mail: london@eiu.com New York 750 Third Avenue 5th Floor New York, NY 10017 United States Tel: (1.212) 554 0600 Fax: (1.212) 586 0248 E-mail: newyork@eiu.com Hong Kong 6001, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel: (852) 2585 3888 Fax: (852) 2802 7638 E-mail: hongkong@eiu.com Geneva Boulevard des Tranchées 16 1206 Geneva Switzerland Tel: (41) 22 566 2470 Fax: (41) 22 346 93 47 E-mail: geneva@eiu.com

The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise

The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise

The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise

Recommandé

Contenu connexe

Tendances

Tendances(20)

En vedette

En vedette(18)

Similaire à The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise

Similaire à The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise(20)

Plus de The Economist Media Businesses

Plus de The Economist Media Businesses(20)

Dernier

Dernier(20)

The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise