(ISC) 2 2015 Global Workforce Study Results Overview Regional Report: Europe, Middle East & Africa...

(ISC)2 2015 Global Workforce Study ResultsOverview

Regional Report:Europe, Middle East & Africa

March 23, 2015

2

Project Background and Objectives

3

Research Background and Objectives

Background

The information security profession continues to undergo shifts as a result of constantly changing regulatory environment and increasingly sophisticated and emerging new threats. (ISC)2 has committed itself to maintaining its leadership role and growing its membership base in key geographic regions in which it is currently under represented.

Study Objectives

• To obtain feedback from the (ISC)2 members regarding certification, training and educational requirements for their organizations and their professional development.

• To identify trends and issues related to information security from both members and non-member security professionals.

• To understand potential gaps in organizational security.

• To forecast what positions will be most highly sought after in the next 3 to 5 years.

4

Methods

5

Methods: (ISC)2 Members Survey

• Conducted using an on-line web based survey using the (ISC)2 membership list.

• Email invitations to complete the survey were sent out to (ISC)2 members between October 2014 and January 2015.

• Respondents are currently employed directly by a company or organization, employed as a contractor or work as an independent security consultant.

• A total of 11,208 (ISC)2 members were surveyed between October 2014 and January 2015.

6

Methods: (ISC)2 Members Survey (Continued)

Sample Size

Care was taken to ensure that the sample taken from the (ISC)2 membership is representative of the current (ISC)2 membership.

An analysis of the (ISC)2 membership list by country population proportions was undertaken and compared to country level sample sizes for the (ISC)2 membership survey. The sample sizes by country are representative of the total population proportions by country.

Technical Note

The sample in this study is not designed to reflect the universe of all public and private organizations for security professionals, and the results should not be projected across the entire population.

Note: Due to rounding errors, percentages in charts and tables, may not sum to 100.

7

Methods: (ISC)2 Members Survey (Continued)

A total of 11,208 (ISC)2 members were surveyed between October 2014 and January 2015 by Frost & Sullivan. The table below shows the sample size by region.

Sub-Region Worldwide

Region

(Horizontal %)

Americas EMEA APAC

Number of Respondents 11,208 6,793 2,736 1,679

Percentage 100% 61% 24% 12%

Americas

Latin America 282 3% 4% - -

North America 6,511 58% 96% - -

EMEA

Africa 139 1% - 5% -

Europe 2,365 21% - 86% -

Middle East 232 2% - 9% -

APAC

Asia 1,431 13% - - 85%

Oceania 248 2% - - 15%

8

Methods: Non-Members Survey

Respondents had the following roles and responsibilities related to IT security:

• Hire or manage IT security professionals and look for security related credentials in their candidates

• Provide input to IT security-related policies and procedures, or execute their companies IT security related policies and procedures

• Hold security related credentials or a member of a security-related organization excluding (ISC)2

A total of 2,722 non-members were surveyed between October 2014 and January 2015 by Frost & Sullivan.

9

Methods: Non-Members Survey (Continued)

A total of 2,722 non-members were surveyed between October 2014 and January 2015 by Frost & Sullivan. The table below shows the sample size by region.

Sub-Region Worldwide

Region

(Horizontal %)

Americas EMEA APAC

Number of Respondents 2,722 1536 701 485

Percentage 100% 56% 26% 18%

Americas

Latin America 178 7% 12% - -

North America 1,358 50% 88% - -

EMEA

Africa 152 6% - 22% -

Europe 453 17% - 65% -

Middle East 96 4% - 14% -

APAC

Asia 435 16% - - 90%

Oceania 50 2% - - 10%

10

Respondent Profile

11

Source: Frost & Sullivan

Job Function

Q1a. Which of the following most closely represents your present job function?

Information security professional is the most common job function globally, and the largest proportion from across EMEA identify this role as their primary job function.

Base: All 2015 worldwide respondents (n=13,930). `

Info

rma

tion

...

Info

rma

tion

...

Se

curi

ty/IT

...

Info

rma

tion

...

Cyb

er

secu

ri...

Info

rma

tion

...

Info

rma

tion

...

So

ftwa

re d

e...

Info

rma

tion

s...

Da

ta p

riva

c...

40

%

17

%

13

%

9%

9%

4%

3%

3%

2%

1%

44

%

13

% 19

%

7% 7%

2% 4%

2%

1%

1%

46

%

11

% 16

%

10

%

9%

0%

7%

1%

1%

1%

41

%

9%

32

%

5% 6%

2%

2%

1%

1% 1%

47

%

11

% 17

%

5% 9

%

5%

2%

2%

2%

1%

51

%

16

%

14

%

5%

5%

1% 3%

3%

2%

0%

37

%

18

%

17

%

7% 8%

3% 7

%

1% 2%

0%

Job FunctionWorldwide EMEA France Germany United Kingdom South Africa Middle East

12


Job Title

Q7c. Which one of the following job titles or categories best describes your current position?

While globally security analysts and security consultants are equally common, in EMEA the security consultant job title is most common. This trend is driven by the UK, where this title is more than twice as common than any others.

Base: All 2015 worldwide respondents (n=13,930).

Se

curi

ty a

na

...

Se

curi

ty c

o...

CS

O/C

ISO

...

Se

curi

ty a

ud

...

Info

rma

tio...

Se

curi

ty a

rc...

Se

curi

ty e

n...

Se

curi

ty a

rch

...

Se

curi

ty a

dv.

..

Ne

two

rk a

dm

...

10

%

9%

6%

5%

4%

4%

4%

4%

4%

3%

6%

13

%

8%

5%

3%

7%

3% 5

% 6%

3%

3%

11

% 13

%

7%

1%

5%

1%

11

%

7%

3%

8% 1

0%

9%

2%

6% 7

%

3% 3%

9%

2%

8%

18

%

5%

3% 5

%

9%

2% 3

% 6%

1%

7%

15

%

7%

4%

1% 3

% 5%

5%

3%

1%

4%

13

%

9%

8%

4% 5

%

5%

4%

2%

5%

Job TitleWorldwide EMEA France Germany United Kingdom South Africa Middle East

13


Satisfaction With Current Position

Q10c. Overall, how satisfied are you in your current position?

Overall, satisfaction levels are relatively consistent throughout EMEA, with France more likely to report that they are somewhat satisfied and less likely to be very satisfied compared with other countries in the region.


Very satisfied Somewhat satisfied Neither satisfied nor dissatisfied

Somewhat dissatis-fied

Very dissatisfied

30

%

46

%

11

%

9%

3%

28

%

47

%

11

%

9%

2%

18

%

56

%

14

%

8%

4%

33

%

43

%

10

%

10

%

1%

26

%

47

%

11

%

11

%

3%

25

%

47

%

16

%

6%

3%

29

%

46

%

11

%

9%

2%

Satisfaction With Current PositionWorldwide EMEA France Germany United Kingdom South Africa Middle East

14


Professional Area

Q8. Would you consider yourself to be a professional in any of the following areas? Please select all that apply to you.

Globally, information security is the most commonly reported professional area. The trend is slightly less common in Germany, where professionals are less likely to report that they work in information security.


Info

rma

tion

...

IT o

pe

ratio

ns

IT m

an

ag

e...

IT c

on

sulta

nt

Sys

tem

s a

dm

...

IT a

ud

itor

En

gin

ee

rin

g

Te

leco

mm

un

...

Bu

sin

ess

op

...

Se

curi

ty s

ol..

.

So

ftwa

re d

...

Sa

les/

bu

si...

Fin

an

ce

Ma

rke

ting

82%

46%

41%

35%

35%

27%

19%

18%

17%

16%

14%

5% 4% 2%

82%

43%

39% 42

%

30%

30%

17% 22

%

17% 22

%

12%

6% 5% 2%

92%

33%

19%

38%

25%

39%

33%

28%

9%

25%

12%

4% 3% 2%

70%

46%

38% 46

%

31%

25%

22% 31

%

16% 20

%

12%

7%

2% 1%

85%

38%

33% 38

%

27%

23%

13% 17

%

14%

17%

11%

5% 5%

1%

89%

54%

46%

36% 41

%

24%

8%

19%

22% 32

%

14%

9% 7%

3%

80%

50%

49%

44%

32% 36%

17%

20%

22% 26

%

8% 6% 6% 3%

Professional AreaWorldwide EMEA France Germany United Kingdom South Africa Middle East

15


Professional Activities

Q9a. Which of the following activities consume a significant amount of your time? Please select all that apply to you.

EMEA professionals are equally likely to engage in GRC and security management activities, while GRC activities are more common globally.


GR

C

Se

curi

ty m

...

Se

curi

ty o

p...

Pro

vid

e a

dv.

..

Re

sea

rch

in...

Se

curi

ty le

...

Vu

lne

rab

ili...

Inci

de

nt r

e...

Se

curi

ty s

ol..

.

So

ftwa

re d

...

Sa

les

con

su...

50

%

45

%

42

%

39

%

32

%

29

%

27

%

26

%

12

%

10

%

5%

50

%

50

%

38

% 43

%

29

%

28

%

25

%

26

%

16

%

8%

7%

54

%

49

%

29

%

44

%

21

%

25

%

19

%

20

%

13

%

4% 6%

43

%

58

%

34

%

50

%

29

%

28

%

23

%

23

%

17

%

8%

5%

59

%

52

%

39

%

50

%

31

%

35

%

28

%

25

%

14

%

7%

5%

60

%

49

%

45

%

44

%

43

%

25

%

26

%

28

%

22

%

11

%

11

%

50

% 55

%

47

%

30

%

30

%

32

%

28

%

30

%

18

%

6%

5%

Professional ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

16


GRC Activities

Q9b. Which of the following GRC activities consume a significant amount of your time? Please select all that apply to you.

Base: Filtered respondents (n=6,975).

Au

diti

ng

IT g

...

Au

diti

ng

IT s

ec.

..

Ce

rtify

ing

an

d...

De

velo

pin

g in

te...

Me

etin

g r

eg

ula

...

37

%

57

%

43

%

67

%

55

%

37

%

61

%

32

%

70

%

53

%

24

%

64

%

23

%

71

%

43

%47

%

66

%

31

%

72

%

44

%

36

%

57

%

39

%

72

%

60

%

44

%

60

%

39

%

72

%

53

%

51

%

69

%

39

%

65

%

49

%

GRC ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

17


Security Leadership Activities

Q9c. Which of the following security leadership activities consume a significant amount of your time? Please select all that apply to you.

Base: Respondents involved in security leadership activities (n=4,074).

Se

curi

ty le

ad

...

Se

curi

ty li

fec.

..

Se

curi

ty c

om

p...

Co

ntin

ge

ncy

...

La

w, e

thic

s, a

...

83

%

41

%

65

%

22

% 29

%

85

%

41

%

62

%

20

% 29

%

83

%

35

% 40

%

10

%

28

%

87

%

41

%

59

%

10

%

12

%

83

%

41

%

66

%

19

% 29

%

92

%

63

%

67

%

25

%

46

%

84

%

40

%

65

%

27

% 33

%

Security Leadership ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

18


Security Management Activities

Q9d. Which of the following security management activities consume a significant amount of your time? Please select all that apply to you.

Base: Filtered respondent (n=6,334).

Ga

the

rin

g m

etr

i...

Pa

rtic

ipa

ting

i...

Ma

na

gin

g in

tern

...

Ma

na

gin

g in

ter.

..

Ma

na

gin

g e

xte

r...

Ma

na

gin

g in

form

...

Se

llin

g s

ecu

ri...

39

%

62

%

48

%

49

%

16

%

47

%

37

%

38

%

62

%

48

%

48

%

15

%

43

%

41

%

34

%

65

%

47

%

42

%

11

%

23

%

43

%

38

%

63

%

33

%

42

%

11

%

41

%

31

%40

%

63

%

57

%

51

%

15

%

46

%

45

%

43

%

55

%

38

%

60

%

17

%

57

%

47

%

46

% 54

%

41

%

53

%

23

%

56

%

40

%

Security Management ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

19


Security Operations Activities

Q9e. Which of the following security operations activities consume a significant amount of your time? Please select all that apply to you.

Base: Respondents involved in security operations activities (n=5,895).

De

skto

p o

r m

o...

Eve

nt m

an

ag

...

Mo

nito

rin

g th

e...

Pa

tch

ing

sys

...

Ph

ysic

al s

ecu

rity

Re

setti

ng

pa

s...

35

%

62

%

64

%

41

%

21

%

12

%

35

%

61

%

60

%

40

%

23

%

9%

30

%

74

%

55

%

30

%

13

%

6%

24

%

59

%

63

%

36

%

13

%

3%

33

%

52

% 59

%

42

%

26

%

6%

47

%

70

%

67

%

51

%

21

%

9%

44

%

61

%

79

%

45

%

35

%

16

%

Security Operations ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

20


Incident Response Activities

Q9f. Which of the following incident response activities consume a significant amount of your time? Please select all that apply to you.

Base: Respondents involved in incident response activities (n=5,895).

Forensics Remediating attacks and malware

41

%

85

%

40

%

86

%

50

%

72

%

35

%

93

%

34

%

92

%

52

%

74

%

52

%

88

%

Incident Response ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

21


New Research Technology Activities

Q9g. Which of the following new technology research activities consume a significant amount of your time? Please select all that apply to you.

Base: Respondents involved in new technology research activities (n=4,474).

Researching new technologies Security testing new tech-nologies

Implementing new security technologies

Securing the use of emerging technologies adopted by your

organization (e.g., BYOD, social media)

85

%

44

% 55

%

50

%

81

%

40

%

54

%

52

%

74

%

35

%

62

%

41

%

70

%

51

% 62

%

42

%

84

%

37

%

52

% 58

%

88

%

34

% 41

% 49

%

85

%

45

% 55

%

58

%

New Research Technology ActivitiesWorldwide EMEA France Germany United Kingdom South Africa Middle East

22


Current Primary Responsibility

Q7a. Which one of the following best describes your current primary functional responsibility?

Globally, professionals are equally likely to be primarily responsible for managerial, consulting or operational duties, however professionals in EMEA lean more heavily toward security consulting.


Mo

stly

ma

na

...

Mo

stly

se

cur.

..

Mo

stly

op

er.

..

Mo

stly

GR

C...

Mo

stly

ne

two

...

Mo

stly

au

di..

.

Mo

stly

thre

...

Mo

stly

da

ta ..

.

Mo

stly

so

ft...

Mo

stly

re

gu

...

Mo

stly

se

cur.

..

18

%

18

%

17

%

12

%

10

%

5%

5%

5%

4%

3%

2%

18

%

25

%

14

%

13

%

10

%

5%

4%

4%

3%

2%

1%

14

%

24

%

10

%

21

%

13

%

4%

2%

6%

1% 2% 3%

14

%

29

%

11

%

13

%

13

%

5% 6%

2% 3%

2%

1%

17

%

31

%

14

%

13

%

8%

4%

3% 4%

2%

2% 2%

15

% 20

%

19

%

14

%

11

%

6%

3%

3%

7%

1%

0%

22

%

18

%

18

%

12

%

10

%

8%

4%

4%

2%

1% 2%

Current Primary ResponsibilityWorldwide EMEA France Germany United Kingdom South Africa Middle East

23


Future Primary Responsibility

Q7b. Which one of the following best describes what you expect your primary functional responsibility to be in the next two to three years?

Professionals in EMEA expect to transition into managerial roles or stay in their security consulting roles.


Mo

stly

ma

na

...

Mo

stly

se

cur.

..

Mo

stly

GR

C...

Mo

stly

op

er.

..

Mo

stly

ne

two

...

Mo

stly

thre

...

Mo

stly

da

ta ..

.

Mo

stly

au

di..

.

Mo

stly

se

cur.

..

Mo

stly

so

ft...

Mo

stly

re

gu

...

Mo

stly

ma

in...

27

%

18

%

14

%

10

%

8%

5%

4%

4%

3%

3%

3%

0%

28

%

25

%

14

%

7% 7%

4%

3% 4%

3%

2% 2%

0%

22

%

23

%

22

%

3% 6

%

4% 8

%

4% 6%

1% 2%

0%

20

%

27

%

16

%

8%

8%

6%

2% 4% 4%

1% 1%

1%

23

%

31

%

14

%

9%

6%

3% 4%

3%

2%

2%

2%

0%

34

%

23

%

19

%

3% 6

%

3%

1% 4

%

1% 3%

1%

1%

39

%

16

%

14

%

7% 8%

3%

3% 4%

2%

1% 2%

0%

Future Primary ResponsibilityWorldwide EMEA France Germany United Kingdom South Africa Middle East

24


Reporting Structure

Q10a. Which one functional area of your organization do you primarily report to?

Across EMEA, most report to the IT department or executive management.


IT d

ep

art

me

nt

Exe

cutiv

e m

...

Se

curi

ty d

e...

Op

era

tion

s o

...

Co

nsu

ltin

g

Bo

ard

of d

ir...

Ris

k m

an

a...

Go

vern

an

ce...

Sa

les

ma

n...

Inte

rna

l au

di..

.

25

%

24

%

17

%

7%

6%

4%

4%

3%

2%

2%

23

%

25

%

15

%

5% 7

% 7%

4%

3% 3%

2%

26

%

18

%

13

%

7% 9

%

3%

7%

4% 5%

2%

23

% 26

%

17

%

3%

12

%

3%

2% 4

% 5%

1%

20

% 23

%

18

%

5% 8

%

8%

4%

4%

3%

2%

22

%

33

%

13

%

3% 5% 8

%

6%

2%

2%

2%

30

%

27

%

12

%

5%

4% 6

%

4%

0% 4

% 5%

Reporting StructureWorldwide EMEA France Germany United Kingdom South Africa Middle East

25


C-Level Reporting

Q10b. Which C-level executive do you primarily report to?

Among those who report to a C-level manager, most report to a CIO. This is particularly common in South Africa.


CIO CEO COO CFO

40

%

22

%

12

%

4%

39

%

28

%

11

%

3%

19

%

44

%

19

%

11

%

43

%

38

%

6%

4%

41

%

12

%

13

%

4%

68

%

4% 7%

7%

35

%

30

%

13

%

4%

Reporting StructureWorldwide EMEA France Germany United Kingdom South Africa Middle East

26


Years of Experience

Q6. How many years have you been actively involved with information or IT security?

The largest proportion indicate that they have between 11 and 15 years of experience.


Three years or less Four to six years Seven to ten years Eleven to fifteen years

Sixteen to twenty-five years

More than 25 years

5%

11

%

25

% 28

%

22

%

9%

5%

12

%

28

%

29

%

21

%

5%

1%

9%

28

%

35

%

20

%

6%

3%

10

%

22

%

33

%

26

%

5%

5%

10

%

26

%

25

%

26

%

8%

6%

17

%

23

%

31

%

22

%

1%

5%

12

%

36

%

31

%

14

%

2%

Years of ExperienceWorldwide EMEA France Germany United Kingdom South Africa Middle East

27


Industry

Q4a. Which one of the following industry sectors best describes your company?

Information technology and professional services are the most common industries in EMEA.


Info

rma

tion

tech

n...

Pro

fess

ion

al s

erv

...

Go

vern

me

nt (

exc

lu...

Ba

nki

ng

Mili

tary

se

rvic

es,

...

Te

leco

mm

un

ica

t...

He

alth

care

19

%

15

%

10

%

10

%

10

%

6%

5%

21

%

17

%

8%

14

%

4%

8%

2%

19

% 23

%

5%

18

%

2%

7%

3%

26

%

15

%

4%

10

%

8%

14

%

1%

17

% 20

%

8% 1

2%

4% 8

%

2%

21

%

17

%

5%

15

%

1%

5%

2%

16

%

10

%

9% 1

3%

5% 6%

3%

Industry

Worldwide EMEA France GermanyUnited Kingdom South Africa Middle East

28


Government Professional Services

Q4b. Are you providing professional services exclusively to government?

The prevalence of respondents who provide professional services exclusively to the government is the highest in the Middle East.


Yes No

12

%

88

%

5%

95

%

0%

10

0%

2%

98

%

6%

94

%

0%

10

0%

18

%

82

%

Government Professional Services

Worldwide EMEA France Germany United Kingdom South Africa Middle East

29


Government Contractor

Q5a. Are you currently employed as a government contractor?

The numbers reporting that they are a government contractor are considerably lower in EMEA compared to global levels.


Yes No

40

%

60

%

26

%

74

%

9%

91

%

28

%

73

%

25

%

75

%

0%

10

0%

45

% 55

%

Government Contractor


30


Government Organization

Q5b. Which of the following best describes the government organization for which you currently work?

In Germany, those who work for the government are most commonly involved in national defense. This trend does not apply in other EMEA regions.


Ce

ntr

al,

fed

era

l, o

r n

...

Ce

ntr

al,

fed

era

l, o

r ...

Sta

te/lo

cal/p

rovi

nci

al..

.

Sta

te/lo

cal/p

rovi

nci

al..

.

Inte

rna

tion

al/R

eg

ion

a...

Inte

rna

tion

al/R

eg

ion

...

43

%

35

%

1% 1

4%

4%

2%

27

% 39

%

2%

14

%

10

%

8%

27

% 45

%

0% 9

%

0%

18

%

70

%

15

%

0%

0%

13

%

3%

28

% 39

%

4%

18

%

8%

3%

17

%

50

%

17

%

17

%

0%

0%

29

%

27

%

0%

20

%

13

%

11

%

Government OrganizationWorldwide EMEA France Germany United Kingdom South Africa Middle East

31


Employment Status

Q2. Which of the following best describes your employment status?

Most in EMEA are employed directly by a company or organization.

Base: All 2015 worldwide respondents (n=13,930)

Employed directly by a company or organization

Employed as a contractor An independent security/IT consultant

85

%

9%

6%

86

%

7% 7%

85

%

9%

6%

88

%

5% 6%

84

%

8% 8%

84

%

6% 8%

82

%

12

%

6%

Employment Status


32


Organizational Revenue

Q62. What is your organization's global annual revenue? As best you can, please provide the total annual revenues for your organization in U.S. dollars.

Overall, the largest proportion are unable to provide their organizational revenues.


Less than $50 mil-lion

$50 to less than $500 million

$500 million to less than $10 bil-

lion

$10 billion or more

Unable to provide

16

%

11

% 15

%

15

%

43

%

19

%

10

% 14

%

15

%

41

%

16

%

9%

18

%

18

%

39

%

16

%

8%

15

% 21

%

38

%

15

%

11

% 16

% 20

%

38

%

26

%

11

%

22

%

3%

38

%

19

%

12

% 16

%

9%

44

%

Employment Status


33


Total Employees

Q17. What is the total number of employees across your entire organization worldwide, including all of its branches, divisions, and subsidiaries?

The largest proportion of respondents work for large organizations with 10,000 or more employees.


One to 499 employees 500 to 2,499 em-ployees

2,500 to 9,999 employees

10,000 employees or more

25

%

16

%

16

%

43

%

27

%

16

%

15

%

42

%

24

%

11

%

11

%

54

%

22

%

12

%

16

%

50

%

20

%

13

%

16

%

51

%

28

%

9%

18

%

44

%

30

%

25

%

20

% 26

%

Total Employees


34


Age

Q64. Which of the following categories contains your age?

The numbers reporting that they are a government contractor are considerably lower in EMEA compared to global levels.


Under 30 years of age 30 to 39 years of age 40 to 49 years of age 50 years of age or older

6%

33

%

35

%

27

%

5%

37

%

39

%

19

%

6%

46

%

32

%

16

%

3%

30

%

49

%

17

%

3%

26

%

42

%

29

%

11

%

43

%

38

%

8%

5%

58

%

25

%

11

%

Age


35


Gender

Q63. What is your gender?

Across the EMEA region, the profession is overwhelmingly male-dominated.


Male Female

90

%

10

%

94

%

6%

95

%

5%

94

%

6%

94

%

6%

92

%

8%

96

%

4%

Age


36


Salary Change

Q67. Did you receive a salary increase, including benefits and incentives, in 2014?

The majority received a salary increase in 2014, including 47% of South Africans whose salary increase exceeded 5%.


Yes, an increase of up to 5%

Yes, an increase of between 5% and

10%

Yes, an increase of over 10%

No change in salary or benefits

Received a salary or benefit reduction

40

%

12

%

9%

35

%

3%

35

%

11

%

8%

43

%

3%

37

%

11

%

7%

45

%

1%

41

%

10

%

5%

42

%

1%

42

%

9% 10

%

36

%

2%

28

%

40

%

7%

23

%

1%

29

%

20

%

13

%

37

%

2%

Salary Change


37


Change in Employment Status

Q68. Did you change your employer or employment status in 2014?


Yes, changed employer while still employed

Yes, changed em-ployer due to a

layoff or termina-tion

Yes, became self-employed

Yes, became an employee from be-ing self-employed

No change in em-ployer or employ-

ment status in 2014

14

%

3%

2%

1%

79

%

12

%

3% 3%

1%

81

%

0.1

25

0 0.0

18

75

0

0.8

56

25

9%

3%

2% 3%

84

%

16

%

3% 5%

2%

75

%

22

%

3%

3%

1%

71

%

13

%

3%

3%

0%

80

%

Change in Employment Status


38


Education

Q65a. What is your highest level of education completed?


High school (or equiva-lent upper secondary)

Bachelors (or equivalent post-secondary)

Master's (or equivalent first stage of tertiary ed-

ucation)

Doctorate (or equivalent second stage of tertiary

education)

10

%

44

%

42

%

3%

13

%

36

%

47

%

4%

3%

11

%

69

%

18

%

13

% 23

%

57

%

8%

22

%

43

%

32

%

3%

18

%

56

%

26

%

0%5

%

54

%

39

%

2%

Education


39


Undergraduate Major

Q65b. What was your undergraduate major?


Computer and informa-tion sciences

Engineering and en-gineering technolo-

gies

Business Social sciences and his-tory

49

%

20

%

10

%

4%

53

%

23

%

7%

2%

63

%

25

%

3%

1%

49

%

26

%

7%

1%

41

%

18

%

8%

4%

71

%

12

%

8%

0%

50

%

29

%

10

%

2%

Education


40

Hiring and Workforce Issues

41


Hiring

Q19a. Are you responsible for hiring your organization's information security staff?

More Middle Eastern respondents are responsible for hiring than their regional counters counterparts.


Yes No

25

%

75

%

23

%

77

%

22

%

78

%

16

%

84

%

27

%

73

%

28

%

72

%

35

%

65

%

Hiring


42


Important Skills

Q19b. When making hiring decisions for information security staff how important is each of the following? - Top two box scores

Across the EMEA region, relevant experience is the most important skill sought in new hires, however security certifications take on special importance in South Africa and the Middle East.


The candidate has rele-vant information security

experience

The candidate has in-formation security certi-

fications

The candidate has knowledge of relevant

regulatory policies

The candidate has an in-formation security or re-

lated degree

94

%

70

%

65

%

46

%

94

%

67

%

61

%

44

%

91

%

66

%

46

% 54

%

95

%

67

%

56

%

37

%

93

%

64

%

61

%

26

%

96

%

89

%

48

%

44

%

92

%

79

%

66

%

61

%

Important Skills(Very/Somewhat Important)


43


Require Security Certifications Among Staff

Q20a. Does your organization require its IT staff to have information security certifications?

French firms are by far the least likely to require a security certification among their staff, and the EMEA region generally is less likely to require them.


Yes No Don't know

43

% 48

%

9%

37

%

54

%

9%

24

%

67

%

9%

34

%

55

%

11

%

38

%

53

%

9%

55

%

40

%

5%

45

%

47

%

8%



Reasons For Requiring Staff to Hold Security Certifications

Q20b. What are all the reasons your organization requires staff to have information security certifications? Select as many as apply.

Among those who require a security certification, employee competence is the most commonly cited reason in most areas of the EMEA region, however Middle Eastern professionals are more likely to cite quality of work.

Base: Filtered respondents (n=5,946):

Em

plo

yee

co

...

Qu

alit

y o

f wo

rk

Re

gu

lato

ry r

e...

Co

mp

an

y p

olic

y

Co

mp

an

y im

ag

...

Cu

sto

me

r re

q...

Co

ntin

uin

g e

d...

Eth

ica

l co

nd

uct

Le

ga

l/du

e d

il...

67

%

52

%

51

%

41

%

39

%

38

%

36

%

26

%

25

%

75

%

63

%

38

%

44

%

45

%

38

%

39

%

27

%

26

%

69

%

44

%

36

% 54

%

49

%

46

%

31

%

18

%

8%

74

%

59

%

47

%

45

%

38

%

43

%

42

%

22

%

28

%

76

%

53

%

40

%

41

%

45

%

34

%

39

%

30

%

32

%

90

%

69

%

40

%

38

% 46

%

38

% 54

%

54

%

31

%

66

%

72

%

37

% 49

%

39

%

30

%

33

%

28

%

24

%



45


Factors Contributing to Success

Q21. How would you rate the importance of each of the following in contributing to being a successful information security professional? - Top two box scores

Consistently in all countries, communication skills, a broad understanding of the security field and an awareness of the latest security threats are the most important skills.


Com

mun

icat

ion

skill

s

Bro

ad u

nder

stan

ding

of

...

Aw

aren

ess

and

unde

rsta

...

Tec

hnic

al k

now

ledg

e

Kno

wle

dge

of r

elev

ant

...

Sec

urity

pol

icy

form

ula.

..

Lead

ersh

ip s

kills

Pos

sess

ion

of a

n in

form

...

Pro

ject

man

agem

ent

sk..

.

Bus

ines

s m

anag

emen

t ..

.

Lega

l kno

wle

dge

Pos

sess

ion

of a

n in

fo..

.

90%

90%

89%

87%

71%

70%

69%

63%

59%

53%

40%

35%

88%

91%

87%

80%

68%

70%

62%

58%

52%

50%

39%

35%

88%

89%

84%

74%

65% 74

%

66%

55%

50%

29% 41

%

39%

91%

91%

86%

80%

68%

69%

50%

50%

52%

44%

39%

31%

90%

92%

88%

78%

71%

67%

66%

56%

43% 53

%

31%

19%

91% 98

%

96%

86%

75% 81

%

75%

79%

54% 62

%

34%

39%

88%

90%

88%

86%

73% 80

%

74%

72%

67%

59%

49% 55%

Factors Contributing to Success(Very/Somewhat Important)


46


Employment Gaps

Q22. Thinking of your organization, at what experience level is there the most demand for new hires?

Across the EMEA region, entry level positions are in highest demand.


Ind

ivid

ua

l Co

n...

Ma

na

ge

r

Dire

cto

r/M

idd

...

Exe

cutiv

e m

...

C-le

vel E

xecu

...

78

%

12

%

6%

2%

2%

72

%

16

%

6%

3%

3%

64

%

19

%

3%

1% 1

3%

71

%

18

%

5%

3%

2%

77

%

17

%

5%

1%

1%

73

%

19

%

5%

3%

0%

67

%

17

%

8%

5%

4%

Future Employment Gaps


47


Demand for Training and Education

Q23. In which areas of information security do you see growing demand for training and education within the next three years? Select as many as apply.

In most regions in the EMEA region, cloud computing is the area requiring the most training and education, however in the UK, South Africa and the Middle East, training on BYOD is ranked a close second.


Clo

ud

co

mp

u...

Brin

g-y

ou

r-o

...

Inci

de

nce

re

...

Info

rma

tion

r...

Mo

bile

de

vic.

..

Fo

ren

sics

Ap

plic

atio

ns

...

Acc

ess

co

ntr

...

En

d-u

ser

secu

...

Se

curit

y m

a...

57

%

47

%

47

%

47

%

41

%

41

%

35

%

33

%

32

%

32

%

55

%

45

%

41

%

44

%

38

%

38

%

32

%

32

%

33

%

31

%

52

%

31

%

33

% 44

%

33

%

30

%

28

%

20

% 26

%

19

%

55

%

35

%

35

% 43

%

34

%

38

%

32

%

22

% 29

%

31

%

58

%

52

%

45

%

46

%

41

%

36

%

32

%

33

%

36

%

34

%

61

%

56

%

49

% 57

%

44

% 54

%

33

%

37

% 43

%

29

%

51

%

45

%

48

%

50

%

37

% 45

%

34

%

38

%

35

%

35

%

Demand for Training and Education


48


Significant Skills for Achieving Success

Q24. How significant were each of the following skills and competencies in information security in achieving your current position or level? - Top two box scores

Communication skills are the most important for achieving success in all regions, followed by analytical skills and risk assessment and management skills.


Com

mun

icat

ions

ski

lls

Ana

lytic

al s

kills

Ris

k as

sess

men

t an

...

Info

Sys

tem

s an

d se

cu..

.

Gov

erna

nce,

ris

k m

an..

.

Arc

hite

ctur

e

Pla

tfor

m o

r te

chno

logy

...

Inci

dent

inve

stig

atio

n...

Dat

a ad

min

istr

atio

n ..

.

Eng

inee

ring

Bus

ines

s an

d bu

sine

ss..

.

Virt

ualiz

atio

n

Sof

twar

e sy

stem

dev

...

Acq

uisi

tion/

Pro

cure

me.

..

98%

97%

94%

90%

89%

86%

86%

85%

80%

80%

76%

66%

60%

48%

98%

97%

93%

88%

88%

87%

84%

84%

75%

76%

74%

61%

55%

46%

99%

90%

91%

79% 96

%

88%

69%

71%

68%

88%

57%

56%

46%

36%

99%

97%

94%

85%

83% 90

%

86%

79%

72%

72%

66%

63%

50%

38%

98%

96%

94%

88%

88%

81%

82%

83%

72%

67% 75

%

52%

52%

40%

100%

97%

95%

95%

95%

95%

86% 93

%

78%

71% 84

%

69%

57%

41%

99%

98%

94%

94%

96%

89%

87% 95

%

82%

83%

78%

70%

58%

63%

Significant Skills for Achieving Success(Very/Somewhat Significant)


49


Future Skills and Competencies

Q25. What are the skills and competencies that you will need to acquire or strengthen to be in position to respond to the threat landscape over the next three years? Select all that apply.

Risk assessment and management ranks as the top overall future skill among professionals in the EMEA. Generally, professionals in the Middle East and South Africa are more likely to place emphasis on any given skill or competency.


Ris

k as

sess

men

t an

...

Inci

dent

inve

stig

atio

n...

Gov

erna

nce,

ris

k m

an..

.

Ana

lytic

al s

kills

Arc

hite

ctur

e

Com

mun

icat

ions

ski

lls

Info

Sys

tem

s an

d se

cu..

.

Virt

ualiz

atio

n

Pla

tfor

m o

r te

chno

logy

...

Bus

ines

s an

d bu

sine

ss..

.

Eng

inee

ring

Dat

a ad

min

istr

atio

n ..

.

Sof

twar

e sy

stem

dev

...

55%

52%

48%

42%

38%

37%

36%

33%

30%

20%

19%

18%

17%

52%

48%

47%

38%

41%

36%

31%

30%

28%

20%

14%

16%

14%

46%

41%

52%

19%

33%

31%

15%

26%

20%

14%

9% 10%

10%

51%

40% 43%

42%

35% 41

%

24%

35%

26%

15%

15%

13%

9%

54%

50%

51%

29%

43%

34%

35%

27%

28%

20%

13%

14%

13%

64%

64%

64%

55%

55%

41% 45

%

31%

33%

21%

22%

21%

22%

64%

60%

53%

49%

46%

34% 40

%

41%

31%

21%

18%

21%

16%

Future Skills and Competencies


50


Future Skills and Competencies in New Recruits

Q26. How important are each of the following skills and competencies when recruiting new entry to mid-level information security professionals to your organization? - Top two box scores

Communication skills and analytical skills are nearly unanimously seen as important skills in new recruits.

Base: Filtered respondents (n=7,534)

Com

mun

icat

ions

ski

lls

Ana

lytic

al s

kills

Ris

k as

sess

men

t an

...

Pla

tfor

m o

r te

chno

logy

...

Info

Sys

tem

s an

d se

cu..

.

Inci

dent

inve

stig

atio

n...

Arc

hite

ctur

e

Gov

erna

nce,

ris

k m

an..

.

Eng

inee

ring

Dat

a ad

min

istr

atio

n ..

.

Virt

ualiz

atio

n

Bus

ines

s an

d bu

sine

ss..

.

Sof

twar

e sy

stem

dev

...

Acq

uisi

tion/

Pro

cure

me.

..

98%

97%

92%

90%

89%

89%

86%

86%

80%

79%

75%

68%

67%

43%

97%

96%

92%

88%

89%

88%

88%

86%

75%

76%

73%

68%

64%

43%

93%

81% 92

%

84%

82%

86%

87%

85%

85%

65% 72

%

55%

55%

29%

99%

97%

89%

91%

87%

83% 89%

82%

68% 76

%

78%

57% 63%

37%

98%

96%

94%

88%

91%

90%

87%

90%

68% 76

%

65% 74

%

60%

36%

95%

96%

93%

91%

95%

89%

89%

85%

78%

82%

73%

69%

51%

42%

99%

96%

95%

93%

87%

92%

90%

90%

78%

81%

77%

70%

62%

54%

Future Skills and Competencies in New Recruits(Very/Somewhat Important)


51


Employee Retention Activities

Q27. How important are each of the following initiatives for the retention of information security professionals at your organization? - Top two box scores

Training programs, paying for professional development and offering flexible work schedules are among the most important employee retention activities in each country.


Off

erin

g tr

aini

ng p

rog.

..

Pay

ing

for

prof

essi

onal

...

Impr

ovin

g co

mpe

nsat

...

Off

erin

g fle

xibl

e w

ork.

..

Sup

port

ing

rem

ote

or f

...

Enc

oura

ging

rol

e di

ver.

..

Enc

oura

ging

and

pay

in..

.

Act

ive

part

icip

atio

n ..

.

Spo

nsor

ing

men

tors

hi..

.

Virt

ualiz

atio

n

Spo

nsor

ing

exec

utiv

e ..

.

Bus

ines

s an

d bu

sine

ss..

.

Sof

twar

e sy

stem

dev

...

94%

93%

92%

92%

90%

87%

87%

82%

76%

75%

71%

68%

67%

93%

91%

90%

89%

88%

88%

83%

82%

74%

73%

71%

68%

64%

86% 92

%

87%

84%

81%

86%

72%

75%

69%

72%

66%

55%

55%

93%

93%

92%

96%

92%

86%

78%

76%

72% 78%

74%

57% 63%

94%

92%

91%

89%

93%

88%

85%

85%

73%

65%

66% 74

%

60%

96%

98%

98%

89%

87%

91%

95%

91%

84%

73% 84

%

69%

51%

96%

90% 96%

89%

85%

89%

89%

87%

85%

77% 86

%

70%

62%

Employee Retention Activities(Very/Somewhat Important)


52


Number of Security Workers

Q28a. Would you say that your organization currently has the right number of information security workers, too few, or too many?

A majority from each country indicate that there are too few security workers in their organization.


Too many The right number Too few Don't know

2%

26%

62%

9%

2%

29%

61%

8%

0%

32%

54%

14%

2%

27%

64%

6%

2%

27

%

63

%

8%

2%

24%

64%

10%

4%

25%

61%

9%

Number of Security Workers


53


Number of Security Workers Increase

Q28b. How many MORE information security staff should there be?

A third indicate that they would like to see a 15% or greater increase in the security workforce in their organization.


One to five percent Six to 10 percent 11 to 15 percent More than 15 percent

Don't know

18%

26%

15%

35%

6%

18%

24%

16%

37%

6%

18% 22

%

18%

33%

8%

11%

26%

17%

40%

6%

16%

22%

17%

37%

8%

19%

32%

11%

32%

5%

23% 25

%

16%

34%

3%

Number of Security Workers Increase


54


Number of Security Workers Decrease

Q28b. How many LESS information security staff should there be?

Of the small number who would like to see a decrease in the number of security workers, the largest proportion indicate that 6 to 10% cut would suffice. That said, 63% of UK professionals would prefer a 15% or more cut to their workforce.

Base: Filtered respondents (n=154).

One to five percent Six to 10 percent 11 to 15 percent More than 15 percent

Don't know

20% 27

%

18% 25

%

10%20

%

22%

20% 29

%

9%

0 0 0 0 00%

60%

40%

0% 0%0%

13%

13%

63%

13%

1

0 0 0 0

38%

25%

13%

13%

13%

Number of Security Workers Decrease


55


Organizational Gaps

Q28c. Of which of the following job titles or categories are there currently not enough of within your organization?

Security analysts are in shortest supply in most countries, however South African firms report a shortage of forensic analysts in greater numbers than the rest of the region.


Se

curit

y a

n...

Se

curit

y a

ud

...

Se

curit

y a

rc...

Fo

ren

sic

an

...

Inci

de

nt h

an

...

Se

curit

y e

ng

...

Se

curit

y e

n...

We

b s

ecu

rity

Se

curit

y te

...

Se

curit

y sy

...

46%

32%

32%

30%

28%

27%

26%

25%

25%

24%

40%

32%

34%

32%

25%

23%

21%

23% 26%

21%

31% 37

%

20%

18%

12%

31%

16%

27%

12% 18

%

31%

23%

31% 36

%

21%

23%

25%

22% 26

%

18%

51%

28%

39%

27%

22%

22%

20% 24

%

20%

20%

41%

32%

32%

57%

30%

24% 32

%

16%

32%

16%

40%

41%

28% 34

% 38%

22%

19% 25

%

34%

22%

Organizational Gaps(Top 10)


56


Reasons for Worker Shortage

Q28d. What are the reasons that your organization has too few information security workers? Select as many as apply.

Most often, businesses cannot support additional personnel, or report that it is difficult to find qualified personnel. Businesses in France are the most likely to report that they cannot find the qualified personnel that they require.


Business conditions can't support addi-tional personnel at

this time

It is difficult to find the qualified per-sonnel we require

Leadership in our organization has insufficient under-standing of the re-quirement for in-

formation security

There is no clear ca-reer path for infor-

mation security workers

It is difficult to retain security workers

45%

44%

43%

31%

24%

44%

44%

43%

33%

21%

37%

61%

33%

43%

37%

39%

55%

41%

33%

23%

44%

41%

40%

28%

26%

49% 54%

51%

27%

19%

39%

50%

48%

31%

26%

Reasons for Worker Shortage


57


Impact of Worker Shortage

Q28e. What is the impact of your organization's shortage of information security workers on each of the following? - Top two box scores

In most cases, workers in the Middle East are more likely to report that the worker shortage they experience has an impact on multiple facets of their jobs.


On the existing informa-tion security workforce

On the organization as a whole

On security breaches On customers

71%

59%

50%

48%

66%

54%

48%

45%

55%

43%

45%

43%

66%

55%

48% 52

%

73%

54%

43%

44%

62%

54%

51%

51%

77%

61%

60%

50%

Impact of Worker Shortage(Very Great/Great Impact)


58

Certification and Training

59


Vendor Neutral Certifications

Q11a. Which of the following vendor-neutral certifications and designations have you acquired and maintain? Please read carefully and select all that apply to you.

Base: All 2015 worldwide respondents (n=13,930). :

CIS

SP

- C

ert

ifie

d In

...

ITIL

Se

curit

y+

CIS

A -

Ce

rtifi

ed

Info

...

CIS

M -

Ce

rtifi

ed

Inf..

.

CE

H -

Ce

rtifi

ed

Eth

ic...

PM

P -

Pro

ject

Ma

na

g...

CR

ISC

- C

ert

ifie

d in

...

BS

77

99

/ISO

27

00

1 ..

.

76%

19%

15%

15%

11%

11%

7% 6% 5%

76%

25%

7%

18%

15%

11%

5% 7% 10%

88%

23%

2%

11%

13%

5% 3% 3%

18%

84%

27%

9% 12%

13%

11%

3% 4% 9%

79

%

22

%

7% 12

%

13

%

12

%

3% 6% 12

%

69%

28%

18%

18%

18%

6% 2%

8% 4%

68%

32%

12% 24

%

21%

20%

9% 12%

15%

Vendor Neutral Certifications


60


Lapsed Vendor Neutral Certifications

Q11b. Which of the following vendor-neutral certifications and designations have you acquired but have allowed to lapse or expire? Please read carefully and select all that apply to you.


No

ne

ITIL

Se

curit

y+

CE

H -

Ce

rtifi

ed

Eth

ic...

GS

EC

- G

IAC

Se

curit

y...

CIS

A -

Ce

rtifi

ed

Info

...

CIS

SP

- IS

SA

P, I

nfo

r...

CIS

SP

- C

ert

ifie

d In

...

PM

P -

Pro

ject

Ma

na

g...

CIS

M -

Ce

rtifi

ed

Inf..

.

GC

IH -

GIA

C C

ert

ifie

...

BS

77

99

/ISO

27

00

1 ..

.

79%

2% 2% 1% 1% 1% 1% 1% 1% 1% 1% 1%

81%

2% 1% 1% 0% 1% 1% 1% 1% 1% 0% 1%

82%

1% 1% 1% 1% 1% 2% 1% 1% 1% 0% 4%

85%

2% 1% 1% 0% 0% 1% 1% 1% 0% 1% 1%

79

%

3%

1% 2%

1%

1%

1%

1%

0% 1%

0% 1%

78%

6%

0% 2% 1% 2% 0% 1% 0% 1% 0% 1%

73%

2% 0% 2% 0% 2% 1% 2% 2% 2% 1% 2%

Lapsed Vendor Neutral Certifications


61


Vendor Specific Certifications

Q12a. To date, which of the following vendor-specific certifications and designations have you acquired and maintain? Please read carefully and select all that apply to you.


No

ne

MC

SE

: Se

curit

y -

Mic

...

MC

SA

: Se

curit

y -

Mic

r...

CC

SP

- C

isco

Ce

rtifi

...

CC

SA

- C

he

ck P

oin

t C...

CC

SE

- C

he

ck P

oin

t C...

CS

VP

N -

Cis

co S

ecu

r...

Su

n C

ert

ifie

d S

ecu

rity.

..

CS

PF

A -

Cis

co S

ecu

...

CC

SK

En

CE

- E

nC

ase

Ce

rti..

.

CS

IDS

- C

isco

Se

cur.

..

79%

6% 5% 2% 2% 2% 1% 1% 1% 1% 1% 1%

76%

7% 5% 3% 3% 3% 1% 1% 1% 1% 0% 1%

89%

2% 2% 1% 1% 1% 1% 0% 1% 1% 0% 1%

74%

6% 4% 3% 5% 5% 0% 1% 0% 1% 1% 0%

81

%

7%

4%

3% 3%

3%

1%

1%

1%

1%

0%

0%

66%

8% 6% 5% 5% 0% 1% 0% 2% 0% 2% 0%

62%

13%

12%

8% 6% 4% 3% 2% 3% 1% 0% 3%

Vendor Specific Certifications


62


Lapsed Vendor Specific Certifications

Q12b. Which of the following vendor-specific certifications and designations have you acquired but have allowed to lapse? Please read carefully and select all that apply to you.


No

ne

MC

SE

: Se

curit

y -

Mic

...

CC

SA

- C

he

ck P

oin

t C...

MC

SA

: Se

curit

y -

Mic

r...

CC

SE

- C

he

ck P

oin

t C...

CC

SP

- C

isco

Ce

rtifi

...

Su

n C

ert

ifie

d S

ecu

rity.

..

CS

PF

A -

Cis

co S

ecu

...

CS

IDS

- C

isco

Se

cur.

..

CC

SE

Plu

s -

Ch

eck

Po

...

CS

VP

N -

Cis

co S

ecu

r...

RS

A/C

A -

RS

A S

ecu

rI...

83%

4% 3% 2% 2% 2% 1% 1% 1% 1% 1% 1%

81%

4% 4% 2% 3% 2% 1% 1% 1% 1% 1% 1%

83%

1%

10%

0%

8%

2% 0% 1% 0% 4% 0% 1%

83%

4% 5% 1% 5% 2% 1% 2% 1% 2% 1% 1%

82

%

6%

4%

2% 4%

2%

1%

1%

1%

1%

1%

1%

75%

9%

3% 6%

0% 1% 3% 0% 1% 0% 0% 1%

71%

6% 2% 4% 2% 5% 2% 2% 2% 2% 2% 0%

Lapsed Vendor Specific Certifications


63


Additional Security Certifications

Q13a. Are you planning to acquire additional security certifications in the next 12 months?

Professionals in South Africa and the Middle East are the most likely to seek out additional certifications in the next year.


Yes No

59

%

41

%

63

%

37

%

57

%

43

%

61

%

39

%

60

%

40

%

82

%

18

%

74

%

26

%



64



Q13b. Which of the following certifications are you planning to acquire in the next 12 months? Please read carefully and select all that apply to you.

Base: Filtered Respondent (n=8,285)

Not

sur

e at

thi

s tim

e

CIS

SP

- C

ertif

ied

Info

rmat

ion

S..

.

CE

H -

Cer

tifie

d E

thic

al H

acke

r

CIS

M -

Cer

tifie

d In

form

atio

n S

e...

CIS

A -

Cer

tifie

d In

form

atio

n S

ys..

.

CIS

SP

- I

SS

AP

, In

form

atio

n S

ys..

.

ITIL

PM

P -

Pro

ject

Man

agem

ent

Pro

f...

CIS

SP

- I

SS

MP

, In

form

atio

n S

y...

CR

ISC

- C

ertif

ied

in R

isk

and

I...

CIS

SP

- I

SS

EP

, In

form

atio

n S

ys..

.

CC

SK

- C

ertif

icat

e of

Clo

ud S

ec..

.

HC

ISP

P -

Hea

lthca

re I

nfor

mat

ion.

..

CC

SP

- C

isco

Cer

tifie

d S

ecur

ity .

..

BS

779

9/IS

O 2

7001

IS

MS

Aud

itor

18%

15%

14%

12%

10%

6% 6% 5% 5% 5%

3% 3% 3% 3% 3%

19%

15%

12% 15

%

10%

6% 6%

3% 5% 6%

1%

3%

1% 2%

4%

20%

10%

8%

11%

9%

11%

4%

1%

5% 5%

1% 2%

0% 0%

10%

27%

5%

12%

10%

10%

7%

4%

1%

5% 6%

1% 2%

0% 1%

4%

23%

13%

9%

13%

5% 6%

4%

1%

6%

8%

2%

4%

0% 2%

6%

14%

13%

18%

24%

12%

8%

10%

0%

8%

10%

8%

3% 1% 1% 0%

11%

20%

10%

20%

11%

7%

12%

11%

7% 6%

1%

5%

2% 3%

9%

Additional Certifications


65


Current Certifications

Q14a. From which of the following security organizations have you received certification or hold a membership? Please select all that apply to you.


(IS

C)2

ISA

CA

Co

mp

TIA

SA

NS

EC

Co

un

cil

ISS

A

IEE

E

OW

AS

P

CS

A C

lou

d S

ecu

ri...

78%

26%

20%

14%

12%

6% 5% 4% 3%

78%

30%

10%

9% 12%

2% 4% 3% 3%

90%

20%

4% 9% 6% 2% 1% 4% 3%

90%

23%

10%

7% 12%

1% 4% 3% 4%

80%

25%

11%

7%

15%

4% 4% 2% 3%

68%

40%

28%

4% 6%

0% 4% 1% 0%

70%

40%

16%

12% 20

%

3% 7% 3% 3%

Current Certifications


66


Critical Security Organizations

Q14b. Thinking about your own career and role within your organization, how critical is each of the following security organizations to your career development? - Top two box scores

In each country and throughout the region as a whole, (ISC)2 is considered to be the most critical for career development.

Base: Filtered sample (n=12,568)

(IS

C)2

SA

NS

ISA

CA

OW

AS

P

IEE

E

EC

Co

un

cil

CS

A C

lou

d S

ec.

..

Co

mp

TIA

ISS

A

ISF

Info

rma

tio...

BC

I (B

usi

ne

ss C

...

77%

41%

36%

27%

18%

17%

17%

14%

12%

10%

10%

72%

32% 40

%

26%

14%

16%

15%

7% 7%

14%

11%

72%

36%

33%

33%

12%

14% 21

%

5% 5% 9% 10%

74%

26% 33

%

23%

16%

9% 15%

9% 3%

13%

5%

75%

27%

31%

23%

12%

13%

14%

6% 6%

16%

8%

80%

49% 66

%

29%

22%

24%

20%

14%

8%

25%

24%

81%

50% 62

%

36%

19% 28

%

22%

14%

16%

12% 22

%

Critical Security Organizations(Very/Somewhat Critical)


67


Training and Education (Past 12 Months)

Q15a. In the past 12 months has the amount of information security training and education you received increased, decreased, or remained the same? Please include both internal and external training and education.

European professionals are the least likely to have seen an increase in training in 2014, while African and Middle Eastern professionals are the most likely to have seen an increase.


Increased Remained the same Decreased Don't know

37%

46%

16%

1%

35%

47%

17%

1%

30%

46%

21%

3%

28%

54%

16%

1%

30%

47%

21%

1%

40% 46

%

12%

2%

47%

36%

16%

2%

Training and Education (Past 12 Months)


68


Training and Education (Next 12 Months)

Q15b. Over the next 12 months do you expect the amount of information security training and education you receive to increase, decrease, or remain the same? Please include both internal and external training and education.

South African and Middle Eastern professionals are the most likely to expect an increase in training in 2015.


Increase Remain the same Decrease Don't know

45%

45%

7%

3%

43% 46

%

8%

3%

42%

42%

7% 9%

36%

53%

9%

2%

37%

50%

10%

3%

61%

27%

8%

3%

58%

33%

6%

3%

Training and Education (Next 12 Months)


69


Training and Education (Increase)

Q15c. What percentage [INCREASE] are you expecting in the amount of information security training and education that you will receive in the next 12 months? Please provide your best estimate below.

In every country, the largest proportion of professionals expect a 6 to 10% increase in training.


Five percent or less

Six to 10 percent 11 to 15 percent 16 to 20 percent 21 to 25 percent More than 25 percent

9%

29%

15%

15%

10%

17%

9%

29%

15%

15%

9%

18%

10%

25%

19%

16%

4%

19%

10%

41%

17%

13%

4%

8%9%

31%

11%

19%

9%

17%

14%

24%

16% 19

%

10% 14

%

7%

28%

17%

15%

12% 15

%

Training and Education (Increase)


70


Training and Education (Decrease)

Q15c. What percentage [DECREASE] are you expecting in the amount of information security training and education that you will receive in the next 12 months? Please provide your best estimate below.

Of the few who expect a decrease in training, most expect it will drop dramatically by 25% or more.

Base: Filtered respondents(n=975).

Five percent or less

Six to 10 percent 11 to 15 percent 16 to 20 percent 21 to 25 percent More than 25 percent

5%

10%

7%

11%

12%

46%

5%

10%

11%

12%

10%

44%

27%

9%

0%

9%

18%

18%

0%

13%

10%

19%

3%

45%

4%

11%

11%

11%

7%

54%

0 0

0.12

5

0.25

0.37

5

0.25

5%

10%

24%

10%

10%

38%

Training and Education (Decrease)


71


Training and Education Resources

Q15d. Does your organization provide adequate resources for training and professional development opportunities for your information security workforce?

Professionals are split as to whether their organization offers sufficient training and professional development opportunities. Generally, a majority or close to a majority believes that the resources are sufficient.


Yes No Don't know

56%

37%

7%

57%

36%

7%

61%

28%

11%

62%

29%

9%

56%

38%

6%

48%

46%

5%

50%

42%

8%

Adequate Training and Resources


72


Payment for Training

Q15e. How is your information security training and education currently paid?

Overall, Middle Eastern professionals are the most likely to pay for their training entirely themselves. European countries fare better, with more than half reporting that their employer paid for their training.


Paid for completely myself

Paid for completely by my employer

Paid partially by me and my employer

Completely or partially paid by government

grants

22%

45%

32%

2%

19%

51%

29%

1%

15%

69%

14%

2%

11%

61%

27%

1%

21%

50%

29%

0%

26% 3

5% 39%

0%

35%

35%

29%

1%

Payment for Training


73


Preferred Training Channel

Q15f. How would you rate the relevance of each of the following methods of receiving information security training and education? - Top two box scores

Where European and Middle Eastern countries prefer face-to face training, South Africa reports the highest approval of online training.


Face-to-face (in classroom)

Internet-based learning (e-learn-ing, self-paced)

Study guide re-view (textbooks)

Web conferenc-ing (live online)

Cyber-range based training

(simulated cyber war games)

Study group

74%

72%

57%

54%

41%

34%

74%

68%

57%

49%

36%

36%

82%

59%

44%

44%

34%

47%

69%

67%

53%

50%

33%

32%

76%

66%

56%

51%

31%

33%

66%

82%

67%

57%

47%

39%

81%

74%

64%

57%

47%

46%



74


Success of Cyber-Range Based Training

Q15g. You indicated that you think cyber-range based training is at least somewhat relevant. Please rate how successful you believe that cyber-range training has been in developing skills and techniques to meet ever-evolving security threats?

In each country, reviews of cyber-range based training are positive, with a large majority in each region rating it at least somewhat successful.


Very successful Somewhat success-ful

Neither successful nor unsuccessful

Not very successful Not at all successful

26%

58%

7%

1% 0%

24%

60%

6%

2% 0%

20%

53%

16%

2% 0%

28%

51%

6%

1% 0%

16%

63%

8%

2% 0%

29%

53%

7%

2% 0%

26%

62%

3% 1% 0%

Success of Cyber-Range Based Training(Very/Somewhat Successful)


75

Security Importance and Incident Response

76


Factors Driving Effective Security

Q29. How would you rate the importance of each of the following in effectively securing your organization? - Top two box scores

The top three factors driving effective security are qualified staff, adherence to policy and support from management.


Qu

alif

ied

se

curi.

..

Ma

na

ge

me

nt s

up

...

Ad

he

ren

ce to

s...

Tra

inin

g o

f sta

f...

Bu

dg

et a

lloca

te...

Ha

vin

g a

cce

ss...

Se

cure

so

ftwa

...

So

ftwa

re s

olu

t...

Ha

rdw

are

ap

pli.

..

Virt

ua

lize

d o

r ...

Inte

rne

t de

live

...

88%

85%

85%

81%

81%

68%

66%

53%

49%

48%

43%

87%

84%

83%

81%

79%

71%

65%

49%

43%

45%

41%

79%

81%

76%

78%

75%

75%

56%

33%

31% 38% 48%

89%

78% 85%

80%

75%

65%

68%

41%

36%

41%

32%

82% 89%

88%

87%

81%

70%

65%

48%

46%

44%

39%

98%

90%

93%

86%

86%

83%

74%

67%

57%

55% 64%

90%

89%

89%

86%

83%

79%

70%

59%

55%

55%

53%

Factors Driving Effective Security(Very/Somewhat Important)


77


Top Security Threats

Q30. Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each. - Top two box scores

Overall, application vulnerabilities and malware are the top security threats identified by professionals in the EMEA region. Surprisingly, South African and Middle Eastern professionals identify internal employees as a top threat.


App

licat

ion

vuln

erab

ilitie

s

Mal

war

e

Con

figur

atio

n m

ista

kes/

...

Mob

ile d

evic

es

Fau

lty n

etw

ork/

syst

em .

..

Hac

kers

Inte

rnal

em

ploy

ees

Clo

ud-b

ased

ser

vice

s

Cyb

er t

erro

rism

Tru

sted

thi

rd p

artie

s

Cor

pora

te e

spio

nage

Con

trac

tors

Sta

te s

pons

ored

act

s

Hac

ktiv

ists

Org

aniz

ed c

rime

72%

71%

65%

60%

59%

59%

54%

49%

48%

42%

42%

41%

41%

40%

38%

70%

66%

63%

60%

58%

56%

52%

46%

42%

41%

43%

40%

34% 37% 42

%

74%

49%

48% 56

%

54%

49%

45%

47%

35%

27%

42%

43%

25%

23% 34

%

68%

55%

58%

57%

50%

53%

41%

42%

41%

37% 47

%

34% 41

%

32%

45%

70%

68%

67%

58%

58%

51%

53%

48%

46%

42%

37%

38%

38% 42

% 45%

74% 79

%

78%

76%

67% 76

%

72%

48% 53

% 64%

64%

62%

29%

53%

69%74

% 80%

73%

66%

64% 71

%

65%

49% 58

%

54%

56%

54%

50% 55

%

49%

Top Security Threats(Top/High Concern)


78


Organizational Priorities

Q31. Please rate the following in terms of their priority to your organization. - Top two box scores

Consistently, protecting the organization’s reputation is an important priority in each country. Typically, South African and Middle Eastern professionals place greater emphasis on each priority.


Da

ma

ge

to t.

..

Se

rvic

e d

o...

Bre

ach

of l

...

Cu

sto

me

r p

r...

Cu

sto

me

r id

e...

He

alth

an

d ..

.

Th

eft

of i

nte

...

Co

mp

etit

ive

...

La

wsu

its

Re

du

ced

sh

...

82%

75%

75%

72%

65%

58%

58%

50%

48%

47%

84%

75%

73%

72%

66%

58%

56%

50%

46% 51

%

75%

62% 70

%

62%

64%

52%

52%

46%

47%

44%

81%

74%

70%

74%

64%

58%

52%

37%

36% 48

%

90%

77%

80%

76%

69%

58%

56%

51%

44% 53

%

95%

81%

81%

83%

83%

60%

76%

69%

57% 67

%

83%

78%

72%

68%

67%

67%

69%

63%

61%

58%

Organizational Priorities


79


Assessment of Performance Under Attack Scenarios (Perform Better)

Q32. Compared to a year ago, please indicate how your organization would perform if its systems or data were compromised by a targeted attack? - Perform better

In each scenario, South Africans and Middle Eastern firms believe they would perform better in greater numbers than their European counterparts.


Having systems in place to prepare for a security incident

Discovering a security breach Recovering from a security breach

48%

50%

46%

46%

48%

44%

45% 52

%

45%

42% 47

%

40%45

%

44%

42%

69%

62%

55%

56%

57%

55%



80


Threat Response Time

Q33a. If your organization's systems or data were compromised by a targeted attack, how quickly do you predict it would take to remediate the damage?

The largest proportion in each country indicate that they would be able to remediate a threat within a week.


Within one day Two to seven days

Eight to twenty days

Three to five weeks

Six weeks or more

Don't know

20%

44%

11%

4% 4%

16%19

%

46%

11%

4% 3%

17%

14%

37%

12%

4%

8%

24%

16%

47%

16%

3% 1%

17%

15%

47%

12%

4% 4%

19%22

%

50%

5% 5% 5%

12%

27%

44%

9%

4% 2%

14%

Threat Response Time


81


Factors Improving Security Activities

Q33b. What security technologies do you believe will provide significant improvements to the security of your organization? Select as many as you feel apply.

In most countries in the region, network monitoring and intelligence coupled with improved intrusion detection are highlighted as technologies that will improve security activities.


Network monitoring and intelligence

Improved intrusion detection and

prevention tech-nologies

Policy management and audit tools

Web security ap-plications

Automated identity management

software

75%

72%

52%

49%

44%

71%

70%

50%

47%

45%49% 5

8%

54%

45%

45%

62% 6

9%

41%

38%

41%

80%

73%

53%

45%

45%

81%

74%

59%

57%

69%

81%

72%

57%

54%

52%

Factors Improving Security Activities


82


Security Threats

Q33c. Please indicate how common each of the security threats listed below are for your organization. - Top two box scores

Across all regions, phishing is the most common security threat.


Ph

ish

ing

Sca

n n

etw

...

We

b a

pp

lica

...

Priv

ileg

e a

...

De

nia

l of s

e...

SQ

L In

ject

ion

Do

wn

loa

de

r

Co

mm

an

d a

n...

Ba

ckd

oo

r

Bru

te fo

rce

54%

36%

35%

34%

33%

31%

29%

27%

26%

25%

51%

34%

36%

35%

36%

30%

27%

26%

24%

23%

49%

32% 41

%

30%

31%

32%

20% 29

%

20%

21%

53%

39% 47

%

32% 40

% 44%

32%

29%

30%

31%

53%

30%

31%

32%

35%

23%

25%

22%

18%

19%

64%

50%

36%

59%

41%

31% 38

%

33%

34%

29%

61%

41%

41% 48

%

41%

38%

38%

37%

36%

29%

Top 10 Security Threats(Very/Somewhat Common)


83


Security Breaches Attributable to Known Vulnerabilities

Q33d. Approximately what percentage of all detected security breaches in your organization over the past year can you attribute to known vulnerabilities?

Known vulnerabilities account for less than 25% of breaches in the largest proportion of nations in the EMEA region.


Less than 25% 25 to less than 50% 50 to less than 75% 75 to 100% Don't know

28%

14%

11%

10%

36%

27%

15%

13%

12%

32%

22%

13%

9%

18%

38%

24%

19%

19%

11%

27%

24%

15%

10%

11%

40%

26%

21%

12%

10%

31%34

%

15%

15%

15%

21%

Security Breaches Attributable to Known Vulnerabilities


84


Security Breaches Attributable to Insecure Software

Q33e. Approximately what percentage of all detected security breaches in your organization over the past year can you attribute to insecure software applications?

Insecure software accounts for less than 25% of breaches in the largest proportion of nations in the EMEA region.


Less than 25% 25 to less than 50% 50 to less than 75% 75 to 100% Don't know

29%

17%

11%

6%

38%

29%

17%

13%

7%

34%

18%

12%

13%

12%

45%

26%

22%

16%

7%

29%

29%

14%

10%

6%

42%

34%

14%

9% 10%

33%36

%

21%

14%

8%

22%

Security Breaches Attributable to Insecure Software


85


Effectiveness of Global Government Initiatives

Q33f. Please rate the effectiveness of each of the following government initiatives in providing security guidance and standards.

Global government initiatives garner much more favorable reviews among South African and Middle Eastern professionals than they do among other EMEA countries.


Internet Governance Fo-rum

World Economic Forum Cyber Resilience Initia-

tive

Impact-ITU Global Cyber Security Agenda

Commonwealth Internet Governance Forum

17%

15%

15%

14%17%

15%

14%

12%

13%

9%

8%

3%

12%

11%

12%

9%

12%

10%

9%

8%

26% 28%

24% 26%

34%

31% 3

4%

32%

Effectiveness of Global Government Initiatives


86


Adoption of Framework for Improving Infrastructure Cybersecurity

Q33h. In 2014, the United States government released the Framework for Improving Infrastructure Cybersecurity. Has your company adopted any of the measured outlined in this framework?

No more than one tenth of organizations in EMEA countries have adopted FIIC.

Base: Filtered Respondents (n=7,985)

Yes No Don't know

12

%

43

%

46

%

5%

52

%

44

%

2%

47

%

51

%

8%

37

%

55

%

7%

48

%

46

%

0%

74

%

26

%

9%

56

%

35

%

Adoption of FIIC


87


Internet Governance

Q33j. Do you believe there is a need to implement a form of governance on the Internet?

The majority of South African, French and UK professionals favor internet governance, while their counterparts in Germany do not.


Yes No Don't know

42

%

40

%

18

%

43

%

40

%

17

%

59

%

25

%

15

%26

%

54

%

21

%

49

%

35

%

17

%

67

%

26

%

7%

55

%

28

%

17

%

Internet Governance


88


Approaches to Internet Governance

Q33k. In your opinion, which of the following is the best approach to Internet governance?

Among those who favor internet governance, the largest proportion from each country save France advocate a collaborative approach among global governments. France, on the other hand, endorse a proscribed approach from an international organization such as the UN.


Based on a collaborative approach amongst gov-

ernments globally

The responsibility of an organization specifically established for such a

task

Proscribed top down by an organization such as

the United Nations

The responsibility of a private sector organiza-

tion such as ICANN

Other

42

%

27

%

14

%

14

%

2%

40

%

27

%

21

%

10

%

2%

24

%

15

%

43

%

17

%

2%

43

%

30

%

14

%

11

%

2%

42

%

31

%

16

%

8%

2%

41

%

23

% 26

%

8%

3%

40

%

29

%

22

%

9%

0%

Approaches to Internet Governance


89


Confidence in Legislators

Q33l. How confident are you that your country's legislators understand the importance of security enough to provide sufficient funding to support your key information security initiatives?

Professionals in the EMEA region are divided regarding their confidence in legislators' understanding of information security. Notably, more than half of professionals in South Africa are not confident in their legislators.


Very confident Somewhat confident Neither confident nor unconfident

Somewhat uncon-fident

Not confident at all

9%

29

%

20

%

20

%

22

%

12

%

34

%

20

%

20

%

14

%

9%

44

%

13

%

24

%

9%

18

%

41

%

18

%

16

%

7%8%

43

%

22

%

16

%

11

%

5%

23

%

15

%

38

%

18

%22

%

31

%

21

%

12

%

14

%

Confidence in Legislators


90


Government Information Security

QG5a. Overall, is the government's information security better or worse off than a year ago?

Overall in the EMEA region, slightly more believe that government information security is better off now than it was a year ago, however one in five believe that it is worse off. This trend is reversed in France, however, where three in ten believe government security is worse off.

Base: Filtered Respondents (n=1,615).

Better off About the same Worse off Don't know

27

%

47

%

17

%

9%

32

%

45

%

13

%

9%1

4%

29

%

29

%

29

%32

%

52

%

12

%

4%

40

% 45

%

8%

8%

25

%

25

%

25

%

25

%

40

%

33

%

13

%

13

%

Government Information Security


91


Government Information Security (Better)

QG5b. Why do you say that government security is better off than a year ago?

The largest proportion who believe that government security is better than it was a year ago indicate that awareness has improved and that risk management has improved.


Improved secu-rity awareness

Improved un-derstanding of risk manage-

ment

Improving ability to keep pace with threats

Effective security guidance or standards

Better or more qualified profes-sionals available

Adequate fund-ing for security

initiatives

76%

58%

51%

45%

38%

24%

70%

45%

46%

49%

31%

34%

0%

100%

100%

100%

0%

0%

63%

50%

88%

63%

50%

25%

86%

43%

38%

57%

19%

43%

0 0

1

0

1 1

50%

42%

58%

50%

25%

58%

Government Information Security (Better)


92


Government Information Security (Worse)

QG5c. Why do you say that government security is worse off than a year ago?

Those who believe that government security is worse than it was a year ago most commonly cite an inability to keep pace with threats.


Inability to keep pace with threats

Inadequate fund-ing for security

initiatives

Ineffective secu-rity guidance or

standards

Not enough qual-ified profession-

als available

Poor under-standing of risk management within govern-

ment

Security awareness is

still too low

77%

66%

49%

66% 72%

58%7

1%

55%

55%

55%

77%

45%

100%

100%

50%

50%

100%

0%

100%

33%

33%

100%

33%

33%

50%

25%

50%

25%

75%

25%

100%

100%

100%

100%

100%

100%

75%

75%

50%

50%

75%

50%

Government Information Security (Worse)


93


Important Factors in Securing Organizational Infrastructure

QG6. How would you rate the importance of each of the following in effectively securing your organization's infrastructure? - Top two box scores

Professionals in EMEA agree that hiring and retaining qualified information security professionals is the most important influencer in securing organizational infrastructure.


Hiring and retain-ing qualified in-formation secu-

rity professionals

Improved agency funding

for and en-forcement of security man-

dates

Public awareness

Develop a na-tional cyber in-

cident response capability

Expand cyber coordination

capabilities to states and the private sector

International out-reach, collabora-tion and deter-rence strategy

85%

70%

63%

61%

54%

40%

82%

63%

69%

70%

61%

52%

57% 7

1%

43% 5

7%

43%

29%

84%

56%

76%

60%

52%

40%

79%

53% 60% 7

2%

53%

49%

100%

75%

75%

100%

50%

25%

93%

80%

77%

70%

57%

53%

Important Factors in Securing Organizational Infrastructure(Very/Somewhat Important)


94


Attitudes Toward Strict Government Requirements

QG7. How much do you agree that the government should include specific, mandatory security requirements in every major IT procurement?

The majority of information security professionals in the EMEA region agree that there should be specific, mandatory security requirements in every major IT procurement. Nowhere is the belief held more firmly than in France and the UK, where three quarters strongly agree with this sentiment.

Base: Filtered Sample (n=1,615)

Agree completely Agree somewhat Neither agree nor disagree

Disagree somewhat Disagree completely

51%

32%

11%

3% 3%

58%

28%

10%

1% 3%

71%

29%

0% 0% 0%

48%

24%

16%

4%

8%

60%

34%

6%

0% 0%

75%

25%

0% 0% 0%

50%

30%

10%

3%

7%

Attitudes Toward Strict Government Requirements


95


Impact of Security Posture

QG9. How would you rate your own impact on the security posture of your department or agency?

In each country, the majority report having an impact on security posture.

Base: Filtered Sample (n=1,615)

People listen to what I say about security and follow my suggestions

most of the time

I have a significant im-pact. People frequently ask for my advice and implement my recom-

mendations

People sometimes ask for my advice, but gen-

erally implement security controls they have de-

termined to be appropri-ate and

I am somewhat marginal-ized within my depart-

ment

41%

33%

18%

8%

44%

38%

14%

4%

29%

43%

29%

0%

52%

28%

8% 1

2%

36

%

47

%

15

%

2%

75%

25%

0%

0%

30%

53%

13%

3%

Impact of Security Posture


96


Outsourcing

97


Outsourcing Security Operations

Overall, firms in the EMEA are the least likely to outsource risk and compliance management. As a proportion, the French outsource the most threat intelligence, research, detection, forensics and remediation.

Q34a. Which areas of your security operations do you outsource today? Please select the percent outsourced for each operation


Security asset management and monitoring (e.g., firewall, IPS)

Risk and compliance man-agement

Threat intelligence, research, de-tection, forensics, and remediation

19

11

192

1

10

21

24

13

28

18

6

14

23

9

20

25

8

2021

19

26

Security Operations Outsourced(Average %)


98


Future Outsourcing of Security Asset Management

Q34b_1. How will your outsourcing change over the next 12 months? - Security asset management and monitoring (e.g., firewall, IPS)


Decrease more than

20%

Decrease 11 to 20%

Decrease 1 to 10%

No change Increase 1 to 10%

Increase 11 to 20%

Increase more than 20%

4% 5% 6%

61%

13%

7% 5%3% 5% 5%

59%

14%

8% 6%

3% 3% 3%

67%

15%

5% 5%

1%

9%

4%

59%

16%

3%

7%

4% 5%

5%

61

%

15

%

8%

3%0.04

0

0.08

0.64

0.2

0

0.0410

%

5% 5%

47%

12% 16

%

6%

Future Outsourcing of Security Asset Management


99


Future Outsourcing of Risk and Compliance Management

Q34b_2. How will your outsourcing change over the next 12 months? - Risk and compliance management


Decrease more than

20%

Decrease 11 to 20%

Decrease 1 to 10%


Increase 11 to 20%


4% 5% 7%

63%

12%

5% 3%4% 4%

7%

63%

13%

5% 3%

10%

3%

7%

76%

0%

3%

0%2% 4%

8%

59%

20%

4% 2%3%

3% 5%

67

%

14

%

3% 4%6% 6% 6%

59%

12%

6% 6%8% 7% 7%

47%

14%

12%

5%

Future Outsourcing of Risk and Compliance


100


Future Outsourcing of Threat Intelligence, Research, Detection and Remediation

Q34b_3. How will your outsourcing change over the next 12 months? - Threat intelligence, research, detection and remediation


Decrease more than

20%

Decrease 11 to 20%

Decrease 1 to 10%


Increase 11 to 20%


3% 4% 6%

60%

14%

7%

5%4% 5% 6%

59%

13%

9%

5%7%

2% 2%

60%

18%

9%

2%3% 5%

2%

62%

17%

7%

3%5%

3%

8%

58

%

14

%

7%

4%

4% 4%

0%

63%

13%

4%

13%

4%

10%

9%

49%

11%

13%

5%

Future Outsourcing of Risk and Compliance


101


Outsourcing Professional Services

Q35a. Please indicate whether you or your organization outsources any of the following professional services

In each case, France and firms in the Middle East are the most likely to outsource professional services.


Security advisory (security strategy, security governance

and compliance, training)

Technical services (security audit, breach management, residency)

Implementation services (integra-tion, security product installation

and migration, security product life cycle

26

%

33

%

34

%

30

%

36

%

36

%

37

%

44

%

41

%

29

%

38

%

31

%

28

%

30

%

31

%

29

% 33

% 38

%

39

%

38

%

45

%

Outsourcing Professional Services


102


Future Outsourcing of Security Advisory

Q35b_1. How will your outsourcing change over the next 12 months? - Security advisory


Decrease more than

20%

Decrease 11 to 20%

Decrease 1 to 10%


Increase 11 to 20%


3% 3% 4%

60%

19%

7%

4%4% 4% 5%

54%

23%

6% 4%3% 3%

0%

62%

24%

0%

9%

5% 6%

3%

55%

23%

6%

2%2% 3%

3%

58

%

24

%

8%

4%

0.17

6470

5882

3529

4

0

0.11

7647

0588

2352

9

0.41

1764

7058

8235

3

0.23

5294

1176

4705

9

0.05

8823

5294

1176

47

0

4% 3%

7%

49%

23%

11%

4%

Future Outsourcing of Security Advisory


103


Future Outsourcing of Technical Services

Q35b_2. How will your outsourcing change over the next 12 months? - Technical services


Decrease more than

20%

Decrease 11 to 20%

Decrease 1 to 10%


Increase 11 to 20%


3% 3%

5%

60%

17%

8%

4%3% 3%

5%

57%

17%

10%

5%

3%

5%

10%

57%

15%

0%

10%

4% 4% 2%

55%

24%

8%

2%4%

2% 4

%

58

%

18

%

11

%

3%0.

0526

3157

8947

3684

0

0.10

5263

1578

9473

7

0.63

1578

9473

6842

1

0.21

0526

3157

8947

4

0 01%

4%

8%

49%

16%

18%

3%

Future Outsourcing of Technical Services


104


Future Outsourcing of Implementation Services

Q35b_3. How will your outsourcing change over the next 12 months? - Implementation services


Decrease more than

20%

Decrease 11 to 20%

Decrease 1 to 10%


Increase 11 to 20%


3% 3% 5%

56%

18%

10%

5%3% 3% 4%

54%

19%

10%

7%

3% 3%

0%

49%

32%

3%

11%

4% 6%

1%

54%

13%

13%

7%

3%

2%

7%

57

%

18

%

9%

4%

14%

9%

14%

36%

23%

0%

5%5% 3%

1%

43%

19%

16%

13%

Future Outsourcing of Implementation Services


105


Reasons for Outsourcing

Q36. What are all of your reasons for outsourcing?

Lack of in-house skills is the most common reason for outsourcing services.


Lack of in-house skills

Temporary need for flex force ca-

pacity

It is less ex-pensive

Recruiting limita-tions

Alleviating the burden of te-dious tasks

Difficulty in re-taining staff

49%

30%

30%

26%

23%

18%

51%

31%

29%

32%

19%

16%

57%

40%

32% 4

0%

14%

9%

59%

45%

31%

40%

18%

15%

47%

28% 33%

27%

22%

16%

61%

22%

22%

44%

27%

12%

56%

18%

29%

46%

20% 2

6%

Reasons for Outsourcing


106


Criteria for Service Provider Selection

Q37. What criteria do you use in selecting a managed or professional security services provider? Please select all that apply.

Price is among the most important criteria for selecting a service provider, particularly in South Africa. Service level agreements are also highly important in South Africa and the Middle East.


Pricing Service Level

Agreement

Quality and number of security people

Number of years in business

Breadth of service

Brand name

Location of the

provider's base of

operations

Geo-graphic

proximity

Size of the organiza-

tion

55%

50%

49%

33%

30%

22%

20%

19%

17%

59%

50% 54%

37%

25%

24%

26%

25%

20%

52%

48% 54%

38%

18%

18% 2

5%

25%

27%

57%

49%

61%

43%

28%

16%

33%

24%

25%

60%

49%

51%

27%

30%

21%

22%

18%

17%

72%

66%

62%

45%

40%

24%

40%

34%

24%

62%

59%

58%

54%

28%

39%

37%

33%

28%

Criteria for Service Provider Selection


107


Single Most Important Criterion for Service Provider Selection

Q38. Please select the single most important criterion that you use when selecting a managed or professional security services provider?

When forced to choose the most important criterion influencing service provider selection, most agree that quality is the single most important determinant.

Base: Filtered respondents (7,985)

Quality and number of security people

Service Level

Agreement

Pricing Breadth of service

Brand name

Number of years in business

Location of the

provider's base of

operations

Geo-graphic

proximity

Size of the organiza-

tion

29%

17%

13%

5%

3%

3%

1%

1%

1%

33%

16%

13%

4% 4%

3%

3%

2%

1%

34%

16%

11%

2% 3% 5

%

2%

2%

2%

35%

17%

11%

5%

3% 3% 5

%

1%

1%

29%

12%

17%

4%

3%

2%

2%

2%

1%

29%

16% 1

9%

5% 7

%

2% 3

%

2%

0%

37%

19%

11%

4% 5%

5%

3%

2%

1%

Most Important Criterion for Service Provider Selection


108


Permanency of Service Provider

The largest proportion describe their relationship with their service provider as somewhat permanent.


Q39. Would you describe your use of a managed security service provider as temporary or permanent? Please indicate the level of permanence using the scale below.

Completely permanent Somewhat permanent Somewhat temporary Completely temporary

10%

35%

22%

9%10%

36%

22%

9%8%

34%

18%

11%16

%

34%

21%

9%11%

41%

19%

5%

7%

56%

15%

10%

10%

25% 29

%

14%

Permanency of Service Provider


109

Secure Software Development

110


Frequency of Security Scans on Applications (Always)

Q40. Please indicate the frequency with which security scans are conducted on the following applications. - Always

In each case, French firms are less likely to always perform scans on applications.


Internally developed ap-plications that are hosted in your private data cen-

ters

Internally developed ap-plications that are hosted

in a public cloud envi-ronment

Externally developed applications that are

hosted in private data centers


hosted in a public cloud environment

49%

42% 45%

39%4

4%

40%

41%

38%

36%

29% 3

4%

28%

43%

42%

41%

38%

50%

48%

46%

45%

48%

40% 4

6%

35%

48%

34%

45%

33%

Frequency of Security Scans on Applications (Always)


111


Frequency of Security Scans on Applications (Never)

Q40. Please indicate the frequency with which security scans are conducted on the following applications. - Never

In each case, firms in France and South Africa are among the most likely to never perform scans on applications.


Internally developed ap-plications that are hosted in your private data cen-

ters

Internally developed ap-plications that are hosted

in a public cloud envi-ronment


hosted in private data centers


hosted in a public cloud environment

10%

21%

11%

22%

11%

20%

11%

21%

14%

24%

16%

24%

6%

16%

10%

17%

9%

15%

9%

16%

13%

27%

16%

27%

9%

21%

11%

24%

Frequency of Security Scans on Applications (Never)


112


Frequency of Security Scans by Organizational Group

Q41. Please indicate the frequency with which the following groups within your organization conduct application security scans? - Top two box scores

Generally, the security operations group is the most likely to perform security scans in each country.


The security operations

group

The compli-ance auditing

group

An external consultant

A professional security ser-

vices provider

The security architecture

group

The software development

group

A committee of personnel from some or all of these

groups

88%

72%

71%

69%

66%

65%

53%

86%

70% 75%

74%

64%

64%

53%

85%

73%

75%

75%

68%

64%

49%

79%

72%

68% 76%

66%

66%

55%

88%

69% 75%

79%

60%

65%

51%

91%

85%

82%

82%

69%

65%

60%

88%

78%

80%

74%

71%

62%

55%

Frequency of Security Scans By Organizational Group (% Always/Sometimes)


113


Security Scans on Internally Developed Applications

Q42. How frequently are security scans conducted on internally developed applications? - Top two box scores

Professionals in each country are the least likely to perform a scan during code development, and the most likely to perform a scan after a breach has been detected.

Base: Filtered respondents (n=8,849):

During code de-velopment

During application testing

After the application has been placed into production

After a data breach or intrusion has

been discovered

We use externally-developed applica-

tions

70%

84% 88%

89%

81%

69%

85%

88%

88%

82%

67%

88%

87%

88%

77%

74%

87% 91%

90%

85%

74%

86% 91%

92%

82%

67% 7

5%

86%

84%

86%

63%

83%

87%

88%

80%

Security Scans on Internally Developed Applications(% Always/Sometimes)


114


Reasons for Not Conducting Application Security Scans

Q43. Which of the following reasons explains why application security scans are NOT conducted in your organization? Select all that apply


Non

e of

the

abo

ve r

easo

ns e

xpl..

.

On

exte

rnal

ly-d

evel

oped

app

lica.

..

Sca

nnin

g in

terf

eres

with

the

a..

.

Sca

nnin

g ta

kes

too

muc

h tim

e

Sca

nnin

g pr

oduc

ts a

re t

oo e

xp..

.

We

don'

t ha

ve t

he e

xper

tise

to i.

..

It is

usu

ally

too

late

in t

he d

...

Our

inte

rnal

sof

twar

e de

velo

per.

..

On

exte

rnal

ly-d

evel

oped

app

lica.

..

The

sca

nnin

g pr

oduc

es ir

rele

va..

.

The

sca

ns a

re in

com

plet

e

We

have

suf

ficie

nt s

econ

dary

m..

.

We

usua

lly d

on't

know

or

are

u...

We

view

the

ris

k of

inse

cure

s..

.

38%

22%

19%

18%

17%

16%

15%

12%

11%

11%

11%

10%

7% 4%

36%

22%

19%

19%

19%

16%

15%

12%

12%

10%

10%

12%

5% 4%

17%

28%

24%

38%

32%

18%

28%

7% 7%

4%

11%

10%

1%

5%

36%

24%

19%

15% 22

%

17%

11%

13%

12%

15%

15%

6% 4% 4%

45%

20%

18%

16%

14%

13%

14%

15%

9% 9% 7%

11%

4%

1%

25%

25%

22%

19% 22

%

38%

14% 17

% 21%

8% 6%

16%

8%

3%

35%

21%

15%

17% 23

%

17%

15%

10%

13%

10%

11% 15

%

11%

6%

Reasons for Not Conducting Application Security Scans


115


Sowtware Development Concerns

Q44. Please indicate your level of concern for each secure software development issue. - Top two box scores

Overall, concern among professionals in the EMEA region is highest for changes introduced by ill-informed or careless developers or with the adoption of out of date third-part libraries that contain vulnerabilities. In each case, South Africa and Middle Eastern professionals are more likely to express concern over these software development issues than their European counterparts.


Vul

nera

ble

chan

ges.

..

Add

ition

of o

ut o

f da.

..

Sof

twar

e fo

r w

hich

...

Add

ition

of u

nann

o...

IT-d

riven

pro

duct

s ...

A la

ck o

f kno

wle

dg...

Bud

getin

g fo

r fe

atu.

..

65%

63%

62%

60%

59%

57%

54%62

%

62%

61%

58%

58%

55%

50%64

%

54%

58%

53%

49%

51%

48%57

%

61%

61%

60%

50%

49%

51%

68%

66%

63%

59%

61%

53%

51%

78%

79%

68%

73%

73%

70%

56%67

%

70%

68%

69%

66%

67%

61%

Software Development Concerns(% Top/High Concern)


116


Procedures for Screening External Applications

Q45. Does your organization have a procedure in place to screen external appliances and applications for flawed programming or malicious software?

Firms in the UK have procedures in place to screen external applications in greater numbers than firms outside of the UK.


Yes No

58%

42%

54%46%44%

56%57%

43%

64%

36%

49% 51%56%

44%

Procedures for Screening External Applications


117


Protocols for Screening External Applications

Q46. Please indicate the procedures or protocols that your organization follows to ensure that external appliances and applications do not contain flawed programming or malicious code.

Most often, organizations ensure that they purchase only from trusted vendors in order to avoid vulnerabilities in applications. The notable exception in this trend is France, where purchasing from trusted vendors is less prevalent.


Pu

rch

ase

on

ly fr

...

Co

nd

uct

pe

ne

tra

ti...

Inte

rna

lly a

ud

it t..

.

Pe

rfo

rm S

tatic

C...

Pe

rfo

rm D

yna

mic

...

Re

ly o

n th

ird

-pa

rt...

Re

ly o

n th

ird

-pa

r...

Ass

ess

pre

vio

us.

..

Re

ly o

n th

e v

en

do

...

71%

64%

61%

30%

30%

28%

26%

19%

18%

69%

69%

64%

26%

25%

29%

28%

16%

17%

46%

70%

61%

26%

24% 35

%

28%

15%

4%

64%

55% 69

%

23%

19%

21%

22%

13% 19%

76%

79%

60%

27%

24% 31

%

27%

14%

18%

77%

65% 74

%

16%

32%

29%

52%

35%

13%

69%

66%

65%

27% 34

%

29%

28%

19% 26

%

Protocols for Screening External Applications


118

Sprawl

119


Information Security Architecture

Q47a. Does your organization have an information security architecture?

The majority in each country have an information security architecture.


Yes No

67%

19%

67%

20%

62%

18%

73%

12%

72%

17%

62%

27%

63%

27%

Information Security Architecture


120


Frequency of Information Security Architecture Update

Q47b. How often is your security architecture updated?

UK organizations are the most vigilant in updating their security architecture; nearly half update their systems every year.


Every year Every two to three years

Every four to five years

Every six to seven years

Every eight to nine years

We update less once than every

10 years

42%

27%

8%

1%

0% 1%

41%

28%

9%

1%

0% 1%

29%

20%

15%

0%

0% 2%

32%

34%

11%

1%

0% 1%

47%

26%

7%

1%

1%

0%

59%

23%

0% 3%

0%

0%

39%

29%

8%

0%

0% 2%

Frequency of Information Security Architecture Update


121


Concern About Architecture Sprawl

Q48. Overall, how concerned are you about ineffective architecture or sprawl?

Middle Eastern firms have the greatest concern regarding infrastructure sprawl, with nearly two in five reporting they are very concerned, and two thirds indicating they are at least somewhat concerned.


Very concerned Somewhat concerned

Neither concerned nor unconcerned

Somewhat un-concerned

Not at all concerned

23%

42%

14%

7%

5%

22%

43%

15%

7%

5%

15%

39%

13%

10%

7%

12%

41%

23%

7% 6%

18%

47%

15%

7%

5%

29%

40%

14%

10%

5%

37% 39

%

11%

4% 2%

Concern About Architecture Sprawl


122


Implications of Sprawl

Q49. Please indicate your level of concern for each of the following implications of technology sprawl. - Top two box scores


Pu

rch

ase

on

ly fr

om

tr...

Co

nd

uct

pe

ne

tra

tion

tes.

..

Inte

rna

lly a

ud

it th

e s

ol..

.

Pe

rfo

rm S

tatic

Co

de

a...

Pe

rfo

rm D

yna

mic

Co

de

...

Re

ly o

n th

ird

-pa

rty

au

di..

.

Re

ly o

n th

ird

-pa

rty

au

...

Ass

ess

pre

vio

us

cod

e...

Re

ly o

n th

e v

en

do

r's a

...

71%

64%

61%

30%

30%

28%

26%

19%

18%

69%

69%

64%

26%

25%

29%

28%

16%

17%

46%

70%

61%

26%

24% 35

%

28%

15%

4%

64%

55%

69%

23%

19%

21%

22%

13% 19

%

76%

79%

60%

27%

24% 31

%

27%

14%

18%

77%

65% 74

%

16%

32%

29%

52%

35%

13%

69%

66%

65%

27% 34

%

29%

28%

19% 26

%

Implications of Sprawl


123


Reasons For Sprawl

Q50. Please indicate which, if any, of the reasons below explain why your organization has security architecture sprawl? Select all that apply.

In all countries in the region save for the UK, professionals cite the ever evolving nature of security threats as the primary reason for sprawl, however in the UK professionals indicate that their organization has undertaken mergers and acquisitions that has resulted in architecture sprawl.


Se

curi

ty th

rea

ts ..

.

My

org

an

iza

tion

...

Th

ere

is d

ece

ntr

...

We

are

follo

win

g...

My

org

an

iza

tion

i...

Ve

nd

ors

pre

fer

t...

We

ha

ve a

do

pte

d ..

.

32%

24%

22%

17%

17%

16%

6%

29%

26%

20%

18%

16%

16%

6%

22%

23%

13%

10%

19%

15%

5%

32%

26%

19%

14%

14%

12%

7%

34%

36%

19%

17% 20

%

17%

5%

32%

21% 24

%

17%

13% 16

%

5%

32%

18% 25

%

21%

19%

20%

5%

Reasons for Sprawl


124


Strategies to Combat Sprawl

Q51. Please indicate how likely you or your organization is to use the following strategies to combat security technology sprawl? - Top two box scores

In most cases, South Africa and Middle Eastern countries are more likely to adopt measures to combat sprawl.


Re

du

ce th

e n

um

be

...

Avo

id n

ew

se

curi

t...

Re

tire

on

-pre

mis

e...

Sta

rt o

r in

cre

ase

...

Re

tire

ou

r se

curi

...

Pla

ce a

mo

rato

ri...

39%

37%

32%

29%

26%

26%

42%

39%

30%

32%

26%

26%

37%

33%

25%

39%

25%

21%

41%

37%

27%

23%

13% 23

%

45%

38%

29%

30%

28%

24%

50%

48%

36%

36%

27%

39%

51%

40% 45

%

40%

35% 41

%

Strategies to Combat Sprawl(Very/Somewhat Likely)


125


Active Security Contracts

Q52. With how many security product vendors do you or your organization have an active contract?


One to five secu-rity product ven-dors under con-

tract

Six to 10 11 to 20 21 to 30 31 to 40 41 to 50 More than 50 security product vendors under

contract

25%

20%

10%

4%

1% 1%

4%

26%

20%

11%

4%

1% 1%

4%

21% 23

%

10%

0% 0% 0%

6%

17%

17%

12%

3% 2%

1%

8%

22%

19%

11%

6%

1% 1%

5%

33%

25%

13%

2%

0% 0% 0%

33%

26%

13%

4%

1% 1% 1%

Active Security Contracts


126


Active Security Consoles

Q53. How many security management consoles does your security organization use?


One to five secu-rity management consoles in use

Six to 10 11 to 20 21 to 30 31 to 40 41 to 50 More than 50 security man-agement con-soles in use

30%

18%

7%

2%

1% 0%

3%

29%

19%

7%

2%

1% 1%

3%

21%

14%

7%

3%

0% 0%

5%

23%

16%

9%

4%

1% 0%

4%

28%

18%

7%

2% 1% 1%

3%

35%

29%

11%

0%

2%

0% 0%

33%

27%

8%

4%

0% 1% 0%

Active Security Consoles


127

Proactive Security Analytics

128


Implementation of Advanced Analytics Solutions

Q54. What is your organization's status on implementing advanced analytics solutions for the detection of advanced malware?

Advanced analytics solution adoption is highest in Germany, while Middle Eastern and British professionals are the most likely to have no plans to implement these solutions.


Already implemented Currently implementing Selecting a solution(s) Evaluating options No plans for implemen-tation

21

%

14

%

6%

17

%

18

%21

%

14

%

6%

18

%

18

%

23

%

18

%

2%

14

%

11

%

26

%

14

%

2%

22

%

9%

19

%

12

%

4%

17

%

23

%

21

%

16

%

14

% 17

%

16

%

22

%

16

%

11

%

19

%

19

%

Implementation of Advanced Analytics Solutions


129


Approaches for Advanced Analytics Implementation

Q55. In implementing an advanced analytics solutions, how likely is it that your organization will utilize each of the following approaches? - Top two box scores

In each country, respondents are most likely to prefer a solution using internal staff, relying on the provider for technical assistance when needed.


Engage a managed securities provider to implement and

operate

Engage a professional security services provider to implement a solution to be operated by in-

ternal staff

Implement and operate a solu-tion using internal staff, relying only on the solution provider's team for technical use assis-

tance

Evaluating options

32

%

43

% 52

%

17

%

36

%

47

% 52

%

18

%

36

% 41

%

42

%

14

%

34

% 40

%

56

%

22

%32

%

43

% 47

%

17

%

43

%

53

%

53

%

17

%

46

%

61

%

54

%

19

%

Approaches for Advanced Analytics Solutions Implementation


130


Anticipated Change in Required Skills

Q56. How do you anticipate that the skills requirements of security teams will change as advanced analytics solutions are implemented? - Top two box scores

Additional training is the expected consequence of implementing advanced analytics solutions.


Additional training for existing security staff

Hiring of security professionals with specialized skills or exper-

tise in advanced analytics

Hiring non-security profes-sionals with specialized skills

such as data scientists or other specialized skilled profession-

als

Some positions within the se-curity staff will be downsized or

eliminated as new positions are developed for advanced

analytics positions

72

%

53

%

27

%

27

%

75

%

52

%

26

%

28

%

65

%

45

%

22

%

22

%

75

%

52

%

29

%

26

%

73

%

51

%

24

%

23

%

83

%

60

%

40

%

36

%

79

%

67

%

35

%

35

%

Anticipated Change in Required Skills


131

Cloud Computing

132


Prioritizing Cloud Computing

Q57. To what extent is cloud computing a priority for your organization now and in the future? - Top two box scores

In each country, prioritization of cloud computing is expected to increase.


Now (currently) In the near future (within two years)

43%

57%

43%

56%49%

63%

47%

56%48%

61%

46%

63%

33%

46%

Prioritizing Cloud Computing (Top/High Priority)


133


Cloud Usage

Q58a. For which of the following services are you using cloud? Select all that apply.


Ap

plic

atio

n h

ost

ing

De

live

rin

g a

pp

lica

tion

...

Sto

rag

e o

f org

an

iza

tio...

Pro

vid

ing

co

mm

un

ica

t...

Big

da

ta p

roce

ssin

g/..

.

Ap

plic

atio

n d

eve

lop

...

Pro

vid

ing

se

curi

ty

Pro

vid

ing

acc

ess

for

s...

Pro

cess

ing

cu

sto

me

r ...

Sto

rag

e o

f PII

an

d/o

r o

...

De

alin

g w

ith d

em

an

d ..

.

58%

38%

35%

30%

26%

26%

22%

18%

15%

15%

15%

59%

38%

32%

33%

24%

24%

20%

21%

18%

12%

12%

55%

45%

41%

25% 30

%

27%

19%

17%

19%

11% 19

%

56%

34%

24%

40%

29%

18%

15% 21

%

23%

12%

11%

59%

41%

34%

32%

25%

28%

21%

21%

17%

16%

16%

53%

39%

31%

32%

27%

15% 22

%

19%

12%

10%

8%

52%

25%

22%

23%

22%

13% 22

%

17%

14%

9% 10%

Cloud Usage


134


Cloud Usage

Q58b. Considering all of your cloud computing usage, how is this proportioned according to the different approaches shown below? - Mean scores


Software as a service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)

44

24

32

43

25

32

47

26 27

43

26

31

41

25

34

44

20

35

43

26

31

Cloud Usage(Average %)


135


Cloud Usage

Q58c. Considering all of your cloud computing usage, how is this proportioned according to the different approaches shown below? - Mean scores


Public cloud computing services (e.g., Amazon

AWS)

Private cloud computing services (e.g., a dedicated

environment that uses virtu-alization)

Community cloud computing services

Hybrid cloud computing services

22

52

101619

56

1015

21

58

6

1517

55

14 1420

59

7

1418

51

9

2220

46

11

23

Cloud Usage(Average %)


136


Top Concerns About Cloud Computing

Q60a. Thinking about the different security aspects of cloud computing, how much of a security concern is each of the following for your organization? - Top two box scores


Exp

osur

e of

con

fiden

tial o

r...

Sus

cept

ibili

ty t

o cy

ber-

att.

..

Dat

a le

akag

e du

e to

mul

ti-..

.

Wea

k sy

stem

or

appl

icat

ion.

..

Inab

ility

to

audi

t cl

oud

serv

...

Lim

itatio

ns o

n in

cide

nt r

es..

.

Inab

ility

to

cond

uct

secu

r...

Inab

ility

to

supp

ort

fore

nsic

...

Dis

rupt

ions

in t

he c

ontin

uous

...

Inab

ility

to

quan

tify

risk

69%

59%

55%

53%

51%

50%

50%

49%

49%

48%

70%

55%

56%

53%

52%

47%

48%

47%

46%

48%

70%

54%

54%

47%

45%

40%

39% 43

%

42%

41%

71%

60%

43% 48

% 52%

46%

41%

44%

40%

43%

71%

57%

57%

54%

51%

51%

54%

48%

46% 52

%

76%

58% 64

%

56% 60%

55% 58%

58%

51%

51%

69%

62% 67

%

64%

59%

57%

59%

57%

57%

58%

Top 10 Concerns About Cloud Computing


137


Cloud Service Alliance Threats

Q60b. Thinking of the Cloud Security Alliance's recently identified 'Notorious 9 Security Threats', how much of a concern are each of the following? - Top two box scores

In most cases, South African respondents report greater concern with Service Alliance Threats.


Data breaches Data loss Account Hijack-ing

Insecure APIs Denial of Service

Malicious Insiders

Abuse and Ne-farious Use

Insufficient Due Diligence

76%

73%

61%

56%

56%

59%

55%

57%

76%

72%

61%

55%

56%

58%

53%

54%

77%

74%

70%

52%

53% 59

%

56%

46%

73%

63%

62%

55%

53%

50%

46%

59%

78%

74%

57%

56%

56%

57%

55%

57%

83% 89

%

67%

68%

62% 70

%

67%

65%

79%

77%

68%

60%

63% 68

%

57% 62

%



138


Cloud Security Certification

Q60c. If it were offered by a credible organization, how relevant do you believe that a Cloud Security and Certification program would be to you?

For the majority in the EMEA region, a cloud security certification would be at least somewhat relevant.


Very relevant Somewhat relevant Neither relevant nor not relevant

Not very relevant Not at all relevant

31%

39%

11%

6% 5%

30%

41%

12%

6% 5%

30%

35%

16%

7% 6%

27%

41%

14%

8%

6%

29%

42%

13%

5% 5%

38%

38%

10%

2%

8%

33%

43%

9%

6%

2%



139


Elevating Cloud Assurance

Q60d. Which one of the following offers the greatest chance of elevating information assurance in the cloud?

Strong data encryption is the top overall choice for elevating cloud information assurance, particularly in Germany.


Str

ong

encr

yptio

n o.

..

Con

tinuo

us m

onito

...

Inco

rpor

atin

g se

cur.

..

Ado

ptin

g se

curit

y ...

Impl

emen

ting

iden

ti...

Em

ploy

Rol

e B

ase.

..

Impl

emen

ting

Fed

R...

Det

ailin

g an

d sh

arin

...

Em

ploy

ing

secu

rity

...

18%

11%

9%

7% 6% 6% 4% 4% 4%

21%

9% 9% 9%

5% 5%

1%

4% 4%

22%

10%

8%

10%

4%

2% 1%

9%

4%

31%

8%

6%

4% 4% 4% 3%

5% 5%

18%

8% 9%

12%

5% 4%

1%

4% 3%

19%

6%

13%

13%

6%

2% 2% 0%

3%

17%

15%

6%

9%

5%

8%

2% 2%

5%

Elevating Cloud Assurance


140


Cloud Security Concerns in Government Agencies

QG10. How much of a security concern is each of the following for your government department agency when implementing cloud computing? - Top two box scores

In each case, South African respondents indicate that they have the most concern about each security issue.


Data loss prevention Ensuring that existing IT secu-rity policy is replicated in the

cloud

Ensuring that data and systems meet established COOP (con-

tinuity of operations) guidelines

Integration of cloud and mobil-ity

74%

66%

59%

39%

79%

70%

59%

46%

50%

83%

67%

50%

88%

58%

58%

42%

86%

71%

47%

42%

100%

100%

100%

60%7

3%

67%

60%

57%

Cloud Security Concerns in Government Agencies(Top/High Concern)


141


Elevating Information Assurance

Q61a. Which one of the following offers the greatest chance of elevating information assurance in the cloud?

In the greatest proportion of cases in each country, all of the listed information assurance measures are an important facet of cloud security.


Strong encryption of data

Continuous moni-toring

Employ Role Based Access

Controls (RBAC)

Implementing identity based

network solutions

Improved failover and service-level

performance

Improved per-formance and

availability

All of the above

15%

11%

5%

5%

3%

2%

34%

20%

11%

6%

5%

3%

2%

35%

13%

14%

6%

6%

1% 3%

39%

29%

9%

6% 7%

3%

2%

23%

18%

13%

5%

5%

1%

1%

38%

11%

17%

2%

6%

0% 3

%

48%

18%

11%

6% 8%

1% 3%

37%

Elevating Information Assurance


142


New Skill Development for Cloud

Q61b. In your opinion, does cloud computing require information security professionals to develop new skills not previously required?

The majority of respondents in each country believe that new skills are important for mastering cloud security.


Yes No

73%

16%

75%

16%

72%

15%

78%

13%

71%

21%

76%

19%

75%

13%

New Skill Development for Cloud


143


New Skills Needed for Cloud

Q61c. What skills will be required for dealing with cloud computing? Select as many as apply.


Ap

plic

atio

n o

f se

curi

ty ..

.

Kn

ow

led

ge

of r

isks

, vu

lne

...

An

en

ha

nce

d u

nd

ers

tan

di..

.

Ris

k m

an

ag

em

en

t

En

ha

nce

d k

no

wle

dg

e o

f m...

Kn

ow

led

ge

of c

om

plia

n...

Da

ta/in

form

atio

n c

en

tric

...

Au

dit

Se

curi

ty e

ng

ine

eri

ng

Se

rvic

e le

vel a

gre

em

en

t ...

66%

65%

62%

59%

56%

53%

49%

48%

48%

48%62

%

62%

59%

56%

53%

49%

47%

47%

43%

43%53

%

50%

49%

53%

55%

43%

37% 45

%

38%

25%

58%

59%

61%

51%

49%

46%

35%

31% 43

%

41%

68%

65%

65%

56%

61%

51%

52%

44%

37% 45

%

75%

75%

67%

56% 71

%

65%

56%

50%

54% 60%

56% 65

%

52% 64

%

50%

50%

52%

52%

53%

50%

New Skill Development for Cloud(Top 10)


144

The Frost & Sullivan Story

145

The Frost & Sullivan Story

Pioneered Emerging Market & Technology Research

• Global Footprint Begins

• Country Economic Research

• Market & Technical Research

• Best Practice Career Training

• MindXChange Events

Partnership Relationship with Clients

• Growth Partnership Services

• GIL Global Events

• GIL University

• Growth Team Membership™

• Growth Consulting

Visionary Innovation

• Mega Trends Research

• CEO 360 Visionary Perspective

• GIL Think Tanks

• GIL Global Community

• Communities of Practice

146

What Makes Us Unique

All services aligned on growth to help clients develop and implement innovative growth strategies

Continuous monitoring of industries and their convergence, giving clients first mover advantage in emerging opportunities

More than 40 global offices ensure that clients gain global perspective to mitigate risk and sustain long term growth

Proprietary Team Methodology integrates 7 critical research perspectives to optimize growth investments

Career research and case studies for the CEOs’ Growth Team to ensure growth strategy implementation at best practice levels

Close collaboration with clients in developing their research based visionary perspective to drive GIL

Focused on Growth

IndustryCoverage

Global Footprint

Career Best Practices

360 Degree Perspective

Visionary Innovation Partner

147

TEAM Methodology

Frost & Sullivan’s proprietary TEAM Methodology ensures that clients have a complete 360 Degree

PerspectiveTM from which to drive decision making. Technical, Econometric, Application, and Market

information ensures that clients have a comprehensive view of industries, markets, and technology.

Technical

Real-time intelligence on technology, including emerging technologies, new

R&D breakthroughs, technology forecasting, impact analysis,

groundbreaking research, and licensing opportunities.

Econometric

In-depth qualitative and quantitative research focused on timely and critical

global, regional, and country-specific trends, including the political,

demographic, and socioeconomic landscapes.

Application

Insightful strategies, networking opportunities, and best practices that can be

applied for enhanced market growth; interactions between the client, peers,

and Frost & Sullivan representatives that result in added value and

effectiveness.

Market

Global and regional market analysis, including drivers and restraints, market

trends, regulatory changes, competitive insights, growth forecasts, industry

challenges, strategic recommendations, and end-user perspectives.

148

Our Global Footprint 40+ OfficesScanning the Globe for Opportunities and Innovation

(ISC) 2 2015 Global Workforce Study Results Overview Regional Report: Europe, Middle East & Africa...

Documents

Transcript of (ISC) 2 2015 Global Workforce Study Results Overview Regional Report: Europe, Middle East & Africa...