IT Security Breaches: The Costs and the Cures
Todd Thibodeaux, President and CEO, CompTIA
Who We Are | What We Do
EDUCATION
CERTIFICATIONS
ADVOCACY
PHILANTHROPY
The Usual Opening…
Scary Security Headline: Oh the Humanity
Wait, How About…
Technology, Training, Teamwork Thwart Security Breach
Setting the Stage: The Good and the Not so Good
More organizations rate security a high priority; although still often viewed as an IT problem
# of security breaches roughly constant; severity level trending upwards + new threats and vulnerabilities
IT professionals rate human error a primary cause of many security breaches
Improvements to security landscape attributed to better technology, policy and training
Spending on security held up relatively well in 2010
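Prioritization of InfoSec Trends Upwards
Prioritization of security relative to all strategic IT initiatives
2008: Lower Half Priority 19%, Middle Priority 46%, Upper Half Priority 35%
2010: Lower Half Priority 7%, Middle Priority 46%, Upper Half Priority 49%
2012 (Forecast): Lower Half Priority 3%, Middle Priority 39%, Upper Half Priority 58%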
Changes to the Security Landscape
Increasing Concerns
Rise of social networking: 52%
More reliance on Internet-based applications: 50%
Growing criminalization and organization of hackers: 48%
Greater interconnectivity of devices: 46%
Sophistication of security threats exceeding staff’s expertise: 42%
More access points: 42%
Increasing Areas of Improvement
Improved technology to protect against threats: 55%
Improved IT staff expertise: 41%
Improved security policies: 36%
Improved ability of end-users to avoid security threats: 33%
Improved ability to enforce security policies: 24%
More exec. mgt. support of security: 16%
Many Variables to Consider
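Enforcing the company security policy: More Critical 28%, No Change 62%, Less Critical 10%
Instant messenger-based threats: More Critical 29%, No Change 59%, Less Critical 12%
Mobile phone or mobile device security: More Critical 34%, No Change 57%, Less Critical 9%
Email-based threats: More Critical 38%, No Change 51%, Less Critical 11%
Data theft: More Critical 39%, No Change 55%, Less Critical 5%
Understanding security risks of cloud computing: More Critical 42%, No Change 52%, Less Critical 7%
Social engineering/Phishing: More Critical 43%, No Change 50%, Less Critical 7%
Malware (e.g. viruses/worms/botnets): More Critical 47%, No Change 46%, Less Critical 7%
Browser-based threats: More Critical 48%, No Change 44%, Less Critical 8%
Increasing sophistication of security threats: More Critical 49%, No Change 45%, Less Critical 6%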
Economic Recession Affects Security
Likelihood of new internal security threat due to departing or disgruntled employees
5% | 61% | 26% | 8%
Elements of Human Error that Contribute to Security Breaches
Inadequate security policy (e.g. outdated, not comprehensive): 18%
Failure of IT staff to follow security procedures: 21%
Inadequate IT staff time to manage security threats: 30%
Lack of security training: 36%
Lack of security expertise: 37%
Failure of end users to comply with security policy: 49%
Actions Taken After Security Breaches
Rely more heavily on outside security experts: 9% / 15%
Hire additional IT staff with security expertise: 9% / 18%
Engage in more penetration testing: 9% / 19%
Revise / update security training: 21% / 33%
Expand security training among staff: 19% / 33%
Formulate new policies: 24% / 37%
Invest in more or better security technology: 31% / 45%
Review security policies: 30% / 50%
Legend: Firms where Security an Upper Half Priority | Firms where Security a Middle or Lower Priority
Top Areas where Organizations want to Improve their Response to Security Breaches
Engage in e-discovery: 4% / 2%
Inform executive management faster: 6% / 4%
Inform the entire staff faster: 6% / 8%
Contact outside security expert faster: 5% / 10%
Take systems offline faster: 8% / 14%
Improve process for quickly researching issue: 18% / 19%
Update virus protocols faster: 14% / 20%
Faster or better assessment of the issue: 34% / 21%
Legend: Exec Mgt. | Senior Mgt.
Security Investments that Yield Highest ROI
Penetration testing: 29%
Investing in computers/OS less vulnerable to threats: 30%
Security hardware: 50%
Security policies and procedures: 52%
End-user training: 53%
IT staff training: 62%
Security software: 68%
Security Spend Wish List
End-user training: 20%
IT Staff training or certification: 21%
Added storage/server capacity: 22%
Security software – spam email filters: 26%
Security software – monitoring-related: 32%
Security software – malware protection: 42%
Firewall or other security infrastructure hardware: 56%
Wrap-up | Q&A