Data privacy and protection have become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data-centric security and the need for improvement in automated security controls and metrics reporting.
Top Takeaways from the Wisegate Survey: Assessing and Managing IT Security Risks
Introduction
In June of 2014, Scale Venture Partners and Wisegate collaborated to conduct a
member-driven, member-developed research initiative to gauge what meaningful IT security risks
are growing, as well as which (if any) are shrinking. We wanted to understand what senior
IT professionals identify as top risks, how confident they are in existing controls, and how
they’re measuring the significance of these risks.
We wanted to understand what industry trends and opportunities will affect respondents’
companies’ security efforts in the near future, and how security programs are being affected
by evolving security issues—where opportunities are both increasing and decreasing for
security professionals in IT.
We gathered data using a hybrid approach: first, by personally meeting with leading CISOs
across approximately 15 industries. We asked what trends and externalities affected their
security programs, and what areas security teams are focusing on to protect against their
evolving enterprise risks. These conversations revealed common themes driving InfoSec
program prioritization and spending.
We then expanded this study to a larger audience, conducting an online survey among a
large cross-section of senior IT professionals, to get a broader perspective and stronger
conviction on the trends observed in the in-person conversations.
Overall we saw strong consistencies between both data sets: large numbers got larger, and
the gaps between lowest and highest security priorities increased as more survey
participants chimed in.
We did see some “spreading” amongst priorities, implying that both program maturity and
product choice are alive and well within the Information Security market. We also collected
attributes about InfoSec programs and heard glimpses of what makes programs successful.
IT Security Environment in the Business
In order to get a sense of the business context in which IT security professionals are
working, this survey asked a few questions about the line of business to which the security
function reports, how IT security is organized, and who is responsible for day-to-day
security operations.
As shown in Figure 1, security teams are aligned either centrally (55%) or with some
blending of accountability (37%). A purely decentralized approach is an outlier (5%).
Figure 1. Survey Question: How is your company's security function organized?
Source: Wisegate, June 2014
Having a bias toward more centralization typically enables a security team to have tighter
coordination and response times within itself, at the expense of local optimization with its
internal customers.
When asked who handles operational security tasks, the vast majority of security teams
(82%) handle some or all of the operational security duties necessary to secure their
enterprise (see Figure 2). Nearly half of IT security departments handle all of the IT-focused
tasks such as endpoint patching, antivirus updates and network firewall maintenance.
Figure 2. Survey Question: Who handles operational security tasks at your company?
Source: Wisegate, June 2014
It’s interesting to note that, as Figure 2 shows, more than half (54%, combining “shared”
and “exclusively other teams”) of the security teams rely on partners to implement security
controls into their business’ operations.
A final important point to observe in Figure 2 is that only 18% of security departments
function in a purely non-operational capacity, instead focusing on security policies, training,
governance, audits, oversight and reviews, security consultation, and so forth.
Risks and Tech Trends Drive Security Programs
IT security is in the press with increasing—and, sadly, distressing—frequency. There
seems to be no lack of serious examples of company data being compromised, nor of ways
these kinds of attacks and thefts can be accomplished. With so many possible ways for
harm to affect a company and its data, how do information security programs prioritize what
to focus on, which threats to address first, and when to change their focus?
Risks at the Forefront
As shown in Figure 3, respondents to the recent Wisegate / ScaleVP survey overwhelmingly
follow “Risk-Based” approaches as their primary criteria for prioritization in their security
program. Twice as many teams chose “risk-based approach” over “business strategy
changes” as their first priority, likely because, to security teams, business strategy
changes are just another risk to consider.
Figure 3. Survey Question: Indicate how you most often determine what to prioritize
in your security program.
Source: Wisegate, June 2014
Changes to business strategy are the second-most common guide security professionals
use to prioritize their security program, particularly when considering first and second
choices.
As Figure 3 demonstrates, security organizations aren’t prioritizing their program’s maturity.
Nearly three-quarters (70%) are primarily focused on meeting external demands such as
risks and business strategies instead of improving the operational excellence of their own
security efforts. This raises concerns about accumulating security technical debt: when the
business’s strategies and risks change so fast, it becomes difficult to focus on
maturity.
It’s worth considering that if a solution is presented (tech or otherwise) that is aligned to
business priorities and addresses an important business risk, it almost doesn’t matter what
the fix costs. Budget isn’t the limiting factor.
In terms of setting plans and priorities, this reactive approach to prioritization is manifested
in the length of the roadmap, as shown in Figure 4.
Figure 4. Survey Question: How far out does your department and/or organization
build its strategic roadmap?
Source: Wisegate, June 2014
Most security teams look forward 1-3 years when reviewing their strategic roadmap. Only
19% look out further than three years, and 12% forecast out even less than a year. While
this tendency toward short-term planning might look near-sighted to many of those in the
business side of an enterprise, the fact is that attacks and technology itself are changing so
fast—and so unexpectedly—that planning much beyond two or three years is simply pure
guesswork, and will have to be revised multiple times. As business objectives shift and
external threats morph, IT must adjust its own priorities. So while there is often little security
teams can do to predict long-term shifts in external threats, IT security professionals must
understand—and be a part of—business context and trends.
Top Trends Affecting IT Security
Businesses and security programs are under serious pressure from external threats, which
is often forcing them to change direction or add new controls to manage these new risks. IT
is rapidly losing control over the endpoints, applications, and even networks used to access
corporate information. This has shattered many security controls that are based on
traditional strategies such as passive traffic inspection, signature matching, and
restricting the specific applications endpoints can use.
In Figure 5, leading technology trends and other forcing functions are displayed around a
circle, showing what trends security professionals find both most and least impactful to a
security team’s program (participants could choose multiple options).
Figure 5. Survey Question: Which of these trends most / least affect your security
program?
Source: Wisegate, June 2014
Top areas of concern to security teams included Cloud technologies (both IaaS and SaaS),
the consumerization of IT technology and services, and the proliferation of mobile devices
such as smartphones and tablets.
Security teams tend to be sensitive to changes in regulations and compliance mandates, so
it’s not surprising that this category had widespread agreement among participants. This
reflects the increased granularity in controls from contractual obligations such as the
payment card industry’s PCI-DSS v3.0, the impact of the EU Data Protection Directive as
companies expand globally, and growing interest from the U.S. Securities and Exchange
Commission in corporate cyber risk.
However, the most-affected and least-affected ratings aren’t necessarily opposed to each
other, likely because of differences in regulatory mandates, corporate culture, or the
business’ mission itself.
For example, businesses that do not frequently write online applications are unaffected by
advances in Agile methodologies, whereas security teams at engineering-focused firms
find Agile & DevOps growth disruptive to how they do application security reviews. Smart
teams are looking to integrate security into these development processes (e.g.
“SecDevOps”), becoming more effective and secure than ever.
A highly regulated company might be able to enforce stricter network admission controls,
prohibiting IoT devices and enforcing MDM-like controls on mobile devices. Such security
policies would be counter to “open access” companies that encourage innovation and
freedom on their corporate networks.
It’s also worth noting that some low rankings of the importance of different trends may have
to do with lack of knowledge or understanding of that trend. When asked follow-up
questions about the Internet of Things, for example, most respondents indicated that IoT was
still confusing to them—not yet fully baked and therefore not yet impactful to strategic
security program decision-making. Other businesses that rely on remote sensors for data
acquisition, by contrast, are actively investigating this technology and engaging their
security teams to understand the implications for enterprise risk. As consumer electronics
such as wearable sensors continue to grow in popularity, enterprise security teams will be
faced with a huge array of new networkable devices attempting to join their corporate
wireless networks.
Finally, it’s not clear why Weaponization of the Internet / State-sponsored cyber-espionage
ranked low overall, and scored equally on both sides of the “impactful” equation. As the next
section points out, malware, external threat actors and APT score highly as top risks. As the
Verizon Data Breach Report 2014 points out, attackers are breaking in more efficiently than
defenders are detecting them.
Top 5 Risks
Wanting to get a sense of what is keeping security practitioners up at night—what they
perceive as the top risks to their companies—we asked survey respondents to list their top
three security concerns. As shown in the word cloud in Figure 6, the words data, security,
malware, outbreak, and breach were especially prominent.
We then grouped these responses into general categories to find larger themes, which
revealed themselves in Figure 7. A few categories gathered the most votes, after which the
distribution quickly degenerated into a long tail. Identified risks beyond the top 10 or so
tended to be organization- and implementation-specific.
The top two identified risks—Malware Outbreak and Sensitive Data Breach—comprise
nearly a third of all participants’ attention. They were more important to participants than the
next 6 identified risks combined.
Figure 6. Survey Question: What are your top three security risks?
Source: Wisegate, June 2014
Figure 7. Survey Question: What are your top three security risks?
Source: Wisegate, June 2014
Malicious Outsider Threat was slightly more important to participants than Malicious Insider
Threat. Although Malicious Insider Threat continues to receive a lot of press, and it was
ranked in our survey’s top five responses, it was a “top of mind” concern for only 6% of our
participants. Because malicious insiders tend to be more insidious than external threat
actors, their attacks are high-impact events but among the hardest to detect.
Verizon’s 2014 Data Breach Incident Report indicated that only 8% of reported data
breaches involved malicious insiders, and while our data suggests that the “insider threat”
is definitely a concern, it doesn’t break into the top three of practitioners’ perceived risks.
Enterprise Security: Definitely Data-Driven
Taking a “data-driven” approach was one of the most common themes that cut across all of
the questions we asked about security controls and methods of controlling enterprise risk.
Teams hope to address enterprise security concerns more strategically by focusing on the
data that needs to be protected, applying these types of controls at every enforcement point.
Figure 8. Survey Question: Which endpoint-targeted security controls will be a
top-3 priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Information Protection and Control: Top-Ranked Across the Board
Based on top-priority choices among asset types, Information Protection and Control
products (“IPC”, including DLP/DRM/masking/encryption technologies) were the single
most-desired control to apply at computers (see Figure 8), at Mobile/IoT endpoints (see
Figure 9), within applications (see Figure 10), and at the infrastructure layer (see Figure 11).
Figure 9. Which mobility / IoT security control will be most important to your
company in the next 3-5 years?
Source: Wisegate, June 2014
Figure 10. Which of these Messaging, File/Doc Sharing controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 11. Survey Question: Which of these Infrastructure controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
This movement towards data-centric security is especially important as emerging
companies grow up with “Cloud Always” enterprise stacks, established enterprises adopt
“Cloud First” technology refresh initiatives, and even “Cloud Cautious” companies realize
the benefits of SaaS and IaaS options.
IT organizations are losing control over the devices their end users want to use, the
networks over which they communicate, and the applications and infrastructure they use.
As technology innovation accelerates, security teams relying on the typical “security review”
process will find it harder to keep up with change, or else be seen as stifling creativity. By
focusing on capabilities and adherence to data-centric security controls (instead of specific
device types and protocols), security teams can more comfortably support a wider range of
endpoints (including BYOD) and applications.
Automated, Integrated Controls
Security teams frequently track three areas of growth:
1. Enterprise size and complexity
2. Changes in the capabilities of adversaries looking to harm their company
3. Relevant regulatory compliance mandates
Growth in any of these areas increases the need to implement new security controls,
streamline and integrate them into existing security controls, and create tighter feedback
loops between the security team and their partners. This ultimately reduces the window of
opportunity for accidental data loss or malicious activity.
Managing the increased complexity and dealing with interoperability and manageability of
technical security controls was another common theme expressed both during the
in-person interviews and in the comments section within the online survey. Several examples
follow:
1. Almost one-third (31%) are making DevOps security controls a top priority, as
shown in Figure 12.
Figure 12. Survey Question: What is your top priority for Development / SDLC
Controls?
Source: Wisegate, June 2014
2. Over half (59%) of respondents marked either proactive threat/misuse detection or
automated orchestration as a top choice to streamline their incident response plans and
limit their exposure windows (see Figure 13).
3. 31% are planning to participate in threat intelligence feeds and sharing platforms,
to get a broader view of the risks they and their peers face, as seen in Figure 13.
4. Nearly half (46%) list risk-based authentication/authorization as a top-three Identity
and Access Management security control priority (see Figure 14).
Figure 13. Survey Question: Which Incident Response security controls will be most
relevant to you during the next 3 - 5 years in your organization?
Source: Wisegate, June 2014
Figure 14. Survey Question: Indicate which of these Identity and Access
Management security controls will be a top-3 priority during the next 3 - 5 years in
your organization (multiple selections allowed).
Source: Wisegate, June 2014
Old Threats Never Die (And New Ones Keep Appearing)
When asked which components and controls of their security program could be
decommissioned, only a tiny fraction of survey respondents (less than 8%) indicated
anything at all. Remarkably, nearly nine times as many participants (approximately 70%)
mentioned a part of their security program that was growing. Many respondents noted that
they seem to be always adding new controls to address new threats, but aren’t able to turn
anything down.
However, even if security teams could easily find qualified staff to run these new controls,
focusing on control integration and automation always pays off. Participants mentioned the
need to drive security products and services via APIs, combining results from one service
to power and feed other services.
To address their most important security risk, more than three-quarters of the security
teams needed to build a custom solution/integration, as shown in Figure 15. Even for their
third-most important security risk, 39% of security teams were building something in-house.
Figure 15. Survey Question: For which risks (if any) did you need to build something
in-house because there were no acceptable commercial alternatives available?
Source: Wisegate, June 2014
In fact, more than three-quarters of respondents indicated needing to build a custom
solution to address their top area of risk, indicating either a demand for programmatic
interoperability between security controls or possibly a need for new solutions in the
marketplace.
Metrics are a Problem
Information Security programs and their effectiveness at managing enterprise risk are
quickly becoming Board-level discussions. Unfortunately, security products are doing a
poor job at providing actionable, high-level metrics to prioritize a security team’s efforts and
to communicate to executive management the business impact of their programs.
Top Risks are Growing
Survey respondents strongly indicated that their top three risks were increasing for their
company (72% agree) and their particular industry (82% agree), as shown in Figure 16.
Figure 16. Survey Question: Which risks are growing for your specific company and
industry?
Source: Wisegate, June 2014
With risks growing for all top risks—both company- and industry-wide—we were of course
interested in how confident respondents are in the efficacy of the controls they have in
place to address the risks they had identified as being important. Overall, teams were
optimistic but not overwhelmingly confident. Figure 17 shows that on a scale of 0 (no
confidence) to 3 (high confidence), the average rating was just under 2, which could be
described as “somewhat confident.”
Figure 17. Survey Question: What is your confidence that your current controls are
effectively managing that risk?
Source: Wisegate, June 2014
But Where Are The Metrics?
However, the real problem with security risk management in the enterprise isn’t one of
confidence but one of measurement: survey respondents don’t really have a good way of
indicating the effectiveness (or lack thereof) of existing programs. Simply put, for all of their
top three risks, approximately half said they didn’t have a way to measure these risks, as
shown in Figure 18.
Figure 18. Survey Question: Do you have a metric to measure the risk in your top
three areas of concern?
Source: Wisegate, June 2014
This is concerning, implying that security teams can’t easily measure if their top risks are
increasing or declining, or if their efforts are having an effect on the risk.
Many security products have built-in dashboards based on the specific threat they
address, but aggregating and mapping these back to a holistic business impact appears to
be elusive and part of evolving security program maturity. This is like flying a plane with the
three most important cockpit indicators taped over while you try to navigate over complex
terrain and weather conditions.
There’s also a clear need for holistic risk measurement systems to help security teams
prioritize their resources and communicate their impact to their executive management and
Boards of Directors.
The Bottom Line
IT is giving up control over most devices and infrastructure. This has profound implications
to risk models and the types of controls that are effective going forward. In exchange,
security programs are moving their controls closer to the business data and applications.
Enlightened security teams are focusing on data-centric controls such as encryption and
DLP, working closely with DevOps teams to “bake in” security controls into the
orchestration layer and cloud hosting systems, and leveraging APIs and cloud computing
capabilities to build scalable security solutions that meet the unique needs of their
enterprise and address the sprawl of point solutions.
As concerns about security and compliance rise, teams struggle to map their security
programs’ efforts to business impact. Growing interest from Boards of Directors and
increased scrutiny from compliance regulations have placed more emphasis on identifying
the right security metrics and finding ways to increase the efficiency and efficacy of security
programs.
In order to be competitive against increasingly-sophisticated adversaries, security teams
must look for ways to streamline their operational capabilities and provide actionable
insights from an ever-growing set of security event data.
About the Author
Bill Burns is a well-known and well-respected security professional, having held leadership
positions including Director of Information Security for Netflix, where his teams migrated critical
business workloads and infrastructure to Amazon’s cloud. Most recently Bill held the role of
Executive-In-Residence at Scale Venture Partners, where he created their InfoSec
investment strategy. Bill is a founding member and active advisor to Wisegate, and is a
member of the RSA Conference Program Committee, ISSA CISO Forum Advisory
Committee and ISSA CISO Career Lifecycle Committee. Bill has 20 years of experience in
security, specializing in cryptography and communications, and graduated from Michigan
Technological University with electrical engineering and business degrees.
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.