IT Security Breaches: The Costs and the Cures

IT Security Breaches: The Costs and the Cures Todd Thibodeaux President and CEO CompTIA


Transcript of IT Security Breaches: The Costs and the Cures

Page 1: IT Security Breaches:  The Costs and the Cures

IT Security Breaches: The Costs and the Cures

Todd Thibodeaux, President and CEO, CompTIA

Page 2: IT Security Breaches:  The Costs and the Cures

Who We Are | What We Do

EDUCATION

CERTIFICATIONS

ADVOCACY

PHILANTHROPY

Page 3: IT Security Breaches:  The Costs and the Cures

The Usual Opening…

Scary Security Headline: Oh the Humanity

Page 4: IT Security Breaches:  The Costs and the Cures

Wait, How About…

Technology, Training, Teamwork Thwart Security Breach

Page 5: IT Security Breaches:  The Costs and the Cures

Setting the Stage: The Good and the Not so Good

More organizations rate security a high priority; although still often viewed as an IT problem

# of security breaches roughly constant; severity level trending upwards + new threats and vulnerabilities

IT professionals rate human error a primary cause of many security breaches

Improvements to security landscape attributed to better technology, policy and training

Spending on security held up relatively well in 2010

Page 6: IT Security Breaches:  The Costs and the Cures

Prioritization of InfoSec Trends Upwards

Prioritization of security relative to all strategic IT initiatives

[Chart. Years shown: 2008, 2010, 2012, with a "Forecast" marker. Series: Lower Half Priority, Middle Priority, Upper Half Priority. Data labels as extracted: 19%, 7%, 3%, 46%, 46%, 39%, 35%, 49%, 58%]

Page 7: IT Security Breaches:  The Costs and the Cures

Changes to the Security Landscape

Increasing Concerns

Rise of social networking: 52%

More reliance on Internet-based applications: 50%

Growing criminalization and organization of hackers: 48%

Greater interconnectivity of devices: 46%

Sophistication of security threats exceeding staff’s expertise: 42%

More access points: 42%

Increasing Areas of Improvement

Improved technology to protect against threats: 55%

Improved IT staff expertise: 41%

Improved security policies: 36%

Improved ability of end-users to avoid security threats: 33%

Improved ability to enforce security policies: 24%

More exec. mgt. support of security: 16%

Page 8: IT Security Breaches:  The Costs and the Cures

Many Variables to Consider

Enforcing the company security policy

Instant messenger-based threats

Mobile phone or mobile device security

Email-based threats

Data theft

Understanding security risks of cloud computing

Social engineering/Phishing

Malware (e.g. viruses/worms/botnets)

Browser-based threats

Increasing sophistication of security threats

[Chart. Legend: More Critical, No Change, Less Critical. Data labels as extracted, one series per line:]

10%, 12%, 9%, 11%, 5%, 7%, 7%, 7%, 8%, 6%

62%, 59%, 57%, 51%, 55%, 52%, 50%, 46%, 44%, 45%

28%, 29%, 34%, 38%, 39%, 42%, 43%, 47%, 48%, 49%

Page 9: IT Security Breaches:  The Costs and the Cures

Economic Recession Affects Security

Likelihood of new internal security threat due to departing or disgruntled employees

[Chart data labels as extracted: 5%, 61%, 26%, 8%]

Page 10: IT Security Breaches:  The Costs and the Cures

Elements of Human Error that Contribute to Security Breaches

Inadequate security policy (e.g. outdated, not comprehensive): 18%

Failure of IT staff to follow security procedures: 21%

Inadequate IT staff time to manage security threats: 30%

Lack of security training: 36%

Lack of security expertise: 37%

Failure of end users to comply with security policy: 49%

Page 11: IT Security Breaches:  The Costs and the Cures

Actions Taken After Security Breaches

Rely more heavily on outside security experts

Hire additional IT staff with security expertise

Engage in more penetration testing

Revise / update security training

Expand security training among staff

Formulate new policies

Invest in more or better security technology

Review security policies

[Chart. Legend: Firms where Security an Upper Half Priority; Firms where Security a Middle or Lower Priority. Data labels as extracted, one series per line:]

9%, 9%, 9%, 21%, 19%, 24%, 31%, 30%

15%, 18%, 19%, 33%, 33%, 37%, 45%, 50%

Page 12: IT Security Breaches:  The Costs and the Cures

Top Areas where Organizations want to Improve their Response to Security Breaches

Engage in e-discovery

Inform executive management faster

Inform the entire staff faster

Contact outside security expert faster

Take systems offline faster

Improve process for quickly researching issue

Update virus protocols faster

Faster or better assessment of the issue

[Chart. Legend: Exec Mgt.; Senior Mgt. Data labels as extracted, one series per line:]

4%, 6%, 6%, 5%, 8%, 18%, 14%, 34%

2%, 4%, 8%, 10%, 14%, 19%, 20%, 21%

Page 13: IT Security Breaches:  The Costs and the Cures

Security Investments that Yield Highest ROI

Penetration testing: 29%

Investing in computers/OS less vulnerable to threats: 30%

Security hardware: 50%

Security policies and procedures: 52%

End-user training: 53%

IT staff training: 62%

Security software: 68%

Page 14: IT Security Breaches:  The Costs and the Cures

Security Spend Wish List

End-user training: 20%

IT Staff training or certification: 21%

Added storage/server capacity: 22%

Security software – spam email filters: 26%

Security software – monitoring-related: 32%

Security software – malware protection: 42%

Firewall or other security infrastructure hardware: 56%

Page 15: IT Security Breaches:  The Costs and the Cures

Wrap-up | Q&A