Presentation delivered at the 2015 RSA Conference on the joint RSA/ISACA State of Cybersecurity survey. The full report is available at www.ISACA.org/cyber
ISACA and RSA CSX Presentation from the RSA 2015 Conference
1. #RSAC
State of Cybersecurity: Implications for 2015
Robert E. Stroud, International President, ISACA (@RobertEStroud)
Fahmida Y. Rashid, Editor-in-chief, RSA Conference (@zdFYRashid)
2. Topics Professionals Want to Know About
RSA Conference submissions tell the story:
The industry has matured significantly in how it discusses identity, insider threat risk and the assessment of user behavior.
“Information sharing” has been a trending topic for the past three years.
This year, “threat intelligence” appeared in submission titles and abstracts four times as often as last year.
Skills and training are key to addressing global cyber issues.
3. Global Survey
State of Cybersecurity: Implications for 2015
An ISACA and RSA Conference Survey, conducted in January 2015.
1,500 ISACA and RSA constituents participated in the survey and 649 completed it.
Demographics
Budgets, hiring and skills
Hacks, attacks and flaws
Threats
Social media
Internet crime and fraud
Organizational security and governance
5. Demographics
Breakdown of typical respondents:
80% An ISACA member
44% North America
European/African
32%
Employed in an enterprise with at least 1,000 employees
29% Working in technology services/consulting
23% Financial services
66% Someone whose main function is in cybersecurity or information security
6. Hacks, Attacks and Humans
Successful attack types (Total Respondents: 704):
Phishing 68%
Malware 67%
Hacking attempts 50%
Social engineering 47%
Loss of mobile devices 44%
Insider theft 25%
SQL injections 22%
Watering hole 11%
Man-in-the-middle attacks 8%
8. Training is Good… Right?
Security awareness programs:
87% Have an awareness program in place
72% Believe it to be effective
9. Counter-Intuitive Results
Organizations with training in place have MORE human-dependent incidents.
Especially troublesome: the rate of non-malicious insiders impacting enterprise security is 12% higher in enterprises that have an awareness program in place.
10. Monitor and Identify
Monitoring and identifying attacks and exploits remains a strong concern:
20% Responded that they do not know if they had been made vulnerable
23% Do not know whether they had any corporate assets hijacked for botnet use or any user credentials stolen in 2014
30% Do not know if they had been victimized by an advanced persistent threat (APT)
11. Attacks are Expected
How likely do you think it is that your organization will experience a cyber attack in 2015? (Total Respondents: 766)
Very likely 39% (293)
Likely 44% (339)
Not very likely 16% (124)
Not at all likely 1% (10)
12. Skills Need to Be Sharpened
Are you comfortable with your security team’s ability to detect and respond to incidents? (Total Respondents: 842)
Technical skills 46% (390)
Ability to understand the business 72% (609)
Communications 42% (355)
21. Global Skills Gap and Shortage
An increase in cyber attacks has created a global need for more cybersecurity professionals and for greater hands-on, real-world experience among those professionals.
23. Training, Certification and Career Management
Cybersecurity Nexus™ (CSX) – Addressing the Skills Gap
CSX skills-based training and performance-based certifications
CSX Fundamentals Certificate
Ongoing education & events
Career management resources
24. Threats and Gaps
Cybersecurity is everyone’s business. Let’s move forward by building the skills for a trained cybersecurity workforce.
RSA Conference is where the world comes to talk security. Every attendee should leave having learned something new and brimming full of ideas on what they can do once they get back to their organizations.
The State of Cybersecurity survey, conducted jointly by ISACA and RSA, delves into complex business and cyber issues and approaches.
In early 2015, RSA Conference and ISACA conducted a joint survey to gain the latest insights into the fast-moving field of cybersecurity.
Results offer a unique view into global activity and perceptions, and reveal some areas of concern and some bright lights regarding this exciting profession and the people who are involved in it.
* Survey sent to RSA Conference constituents and ISACA certification-holders, including cybersecurity and IT managers or practitioners.
Attack types that most frequently exploited enterprises in 2014 were (in order) Phishing, Malware, Hacking attempts and Social engineering.
This indicates that the human factor is still a very weak link.
Survey data show that 95 percent of respondents’ enterprises have staffs that average at least three years’ experience, and 70 percent average more than five years of experience.
Yet 41 percent are confident in their security team’s ability to detect and respond to incidents only if the incident is simple.
And less than half feel their security teams are able to detect and respond to complex incidents.
Most agree that technical and administrative controls can help prevent or at least delay many of these attack types.
Plus, training people on how to detect and react to potential security attacks is widely believed to decrease the effectiveness of attacks.
As expected, a majority (87 percent) of the survey respondents say they have an awareness program in place.
72 percent believe their security awareness program is effective.
Surprisingly, enterprises that are NOT doing awareness training are actually faring better than the ones that ARE.
Results show that the enterprises that HAVE an awareness program in place actually have a HIGHER rate of human-dependent incidents such as social engineering, phishing and loss of mobile devices. (The survey establishes correlation only: an enterprise with a program in place may simply be better at recognizing and reporting such incidents.)
Awareness training is important, but it isn’t enough. We need a trained, skills-based workforce to be able to proactively and reactively address threats and hacks.
Another clear cause for concern is the percentage of non-malicious insiders that are impacting enterprise security.
Increasing recognition of the weakness of the human factor:
RSA Conference analyzed the submissions received and noticed a lot of interest in topics related to the human factor.
The “Human Element” track is the most diverse it has been in its three years of existence.
Monitoring and identifying attacks and exploits is also a point of concern in the findings.
It’s clear this is something the community is very concerned about. We generated a word cloud out of the submission titles and abstracts received as part of the RSA Conference 2015 call for speakers.
We found that “attacks,” “threat,” and “data” were among the most commonly used.
The words “breach” and “response” also appeared prominently in the word cloud.
It is no surprise that the cyberthreat is real. Enterprises are finding cyberattacks to have increased in both frequency and impact.
More than three-quarters of the survey respondents (77 percent) reported an increase in attacks in 2014 over 2013.
Even more—82 percent—predicted that it is “likely” or “very likely” they will be victimized in 2015.
To understand how the business of defense is adapting to the increased persistence and frequency of attacks, it is important to understand how enterprises are leveraging resources.
Global reports indicate that cybersecurity is faced with a skills crisis.
Many factors, including increased attention to cybersecurity by governments and enterprises as well as an evolving threat landscape, are combining to create an expected exponential increase in cybersecurity jobs that will require skilled professionals.
Two prongs: there is an increased need in the NUMBER of cybersecurity professionals AND a need for greater hands-on EXPERTISE.
Historically, cybersecurity training was a generalist level of high-level concepts. There wasn’t a clear focus on career progression.
Lately we’ve been seeing specializations in the industry, e.g., disaster recovery, forensics, data breaches.
Through the Cybersecurity Nexus, ISACA looked at the state of cybersecurity from the angle of the lifecycle of cybersecurity professionals throughout their careers.
What are the skills needed at an apprentice level? What do I need to grow and manage my career? What if I want an intensely technical track, or what if I want to progress into management?
CSX is a strong step toward providing training that includes real-world, real-time labs that identify a professional’s strengths and weaknesses, and certifications that are performance-based.
Many business leaders have been feeling that we’re falling behind the cyber attackers, and this is addressing those concerns.
Why ISACA for this cybersecurity program? There are many great organizations out there working on cybersecurity issues, but ISACA blends membership strength, vision, global reach and reputation, integrity, and ties to global governmental entities. No one else is offering the complete, holistic program that is provided through the Cybersecurity Nexus. CSX is responsive to current risks and business needs.
CSX certifications
Performance-based certifications with three different competency levels—Practitioner, Specialist and Expert.
Relevant for security professionals who have technical cybersecurity responsibilities in an enterprise.
The Specialist level enables professionals to verify skills in the identify, protect, defend, respond and recover areas of responsibility.
CSX Fundamentals Certificate
Knowledge-based certificate relevant for recent college/university graduates and those looking for a career change to cybersecurity.
Aligned with the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE), which is compatible with global cybersecurity issues, activities and job roles. Also aligned with the Skills Framework for the Information Age (SFIA).
Results support the horror stories that haunt organizations relative to cybersecurity.
Enterprises continue to struggle with traditional security threats such as lost devices, insider threats, malware, hacks and social engineering, while simultaneously trying to keep sophisticated attacks by nontraditional threat actors at bay.
In such an environment, it is important to understand how enterprises are staffing and managing security. What challenges are security professionals having hiring and retaining strong candidates? How are organizations supporting their security professionals?