Cyber_security_survey201415_2

Date post: 12-Aug-2015
Page 1: Cyber_security_survey201415_2

CYBER SECURITY SURVEY 2014/15

Page 2: Cyber_security_survey201415_2

For the purposes of the survey, cyber security is defined as an umbrella term encompassing information security and information assurance.

The survey was designed and analysed with the help of Ed Savage, who leads PA Consulting Group's Cyber Security Team. [email protected]

Contents
About the survey 4
About the respondents and their organisations 4
The findings 6
Conclusion 9
About Harvey Nash's Information Security Practice 11

#HNCyberSurvey

Page 3: Cyber_security_survey201415_2

Welcome

What does the word ‘cyber’ mean to you?

It's a word that in the last few years has appeared everywhere, with increasing regularity. And it's used by people in a range of different situations. We have cybercrime, cyber warfare, cyber-attack and cyber security as just a few examples.

In industry the same ambiguity prevails. How important is cyber and how should it be dealt with? Just like the lack of clarity over the word itself, there is a lack of a coherent strategy to deal with the challenges posed.

All this rests on the backdrop of an industry-wide revolution. Who owns technology? Who does a CISO report into? What is the monetary value of cyber?

Cyber threats pose a considerable risk to UK companies and industry is by far the biggest victim of cyber crime. 81% of large businesses and 60% of small businesses suffered a breach in the last year with the average cost of breaches to business nearly doubling since last year (BIS 2014 Information Security Breaches Survey).

On Nov 5th, Minister for Cabinet Office, Francis Maude said: “Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan – we want the UK to be one of the most secure places in the world to do business".

To further highlight the lack of understanding our own CIO Survey listed security second-bottom on the priority list. Yet our Technology Survey placed it as the second most important topic. Both cannot be right.

So I'm really excited to share this survey. It's our attempt to create a narrative with you, and possibly unlock some key answers. I hope we give you the information to help determine what ‘cyber’ means to you, and to your organisation.

Andrew Heyes
Managing Director
Harvey Nash

Page 4: Cyber_security_survey201415_2

HARVEY NASH CYBER SECURITY SURVEY 2014/15

About the survey

The survey was completed during the Summer of 2014. There were 161 respondents, representing companies from across the economy (including 20% from SMEs); the biggest group were in financial services (28%); there were also responses from government departments (9%), the education and voluntary sectors (4%). Predominantly, the respondents were the people responsible for delivering cyber security for their organisation; 10% of responses were from academics and professional advisors.

Charts: Respondents by size of organisation (staff); % breakdown of responses by sector

About the respondents and their organisations

Almost all (94%) of those who lead on cyber and information security are men. Just over half have the title of Head of Information Security. Most are within a technical function, reporting to the CIO, CTO, Chief Architect etc. However, recognising that cyber is not just a technical issue, it is interesting that 38% now report to non-technical senior executives, such as the CEO, FD or COO of their organisation.

Over a third of cyber security leaders are now earning over £100k pa, with the largest group of high earners (35%) working in Finance and Banking. The highest earners overall are now topping £200k pa.

Chart: Breakdown by salary. Up to £80,000: 34%; £81,000-£100,000: 30%; £101,000-£150,000: 28%; £150,000-£200,000: 5%; £200,000 plus: 3%.

Chart data, respondents by size of organisation (staff). Size bands: 100, 101 - 150, 501 - 1000, 1001 - 5000, 5001 - 10,000, 10,000+; responses: 12%, 8%, 8%, 19%, 11%, 42% respectively.

Chart data, % breakdown of responses by sector. Sectors: Education, Finance and Banking, Other, Government, Health, IT Services, Professional services, Manufacturing, Media; values shown: 3%, 28%, 8%, 9%, 3%, 6%, 6%, 8%.

Page 5: Cyber_security_survey201415_2


It is believed that there are skills shortages across the profession. The search for senior leaders and architects is seen as the most challenging.

Chart: What skills are lacking. SOC Analyst 18%; Security Engineering 15%; Governance, risk and compliance 16%; Security Architecture 19%; Senior Cyber Leaders 19%; Other 14%.

Skills shortages are the most common reason for buying in help, and many organisations are doing so in some way. Only 9% of organisations are using external expertise to help develop their cyber strategy. Yet penetration testing, where an independent view is often particularly valued, is outsourced by 75% of organisations.

Chart: Reasons for outsourcing CS. As part of a wider managed service contract 24%; To achieve cost savings 22%; Lack of in-house cyber security skills 35%; To meet legal or regulatory requirements 19%.

Page 6: Cyber_security_survey201415_2


The findings:

There are a lot of reasonably positive findings in the survey, which from our experience suggests an improving grasp of the risk:

~80%:
• Can clearly identify the owner of cyber risk
• Test their organisation’s cyber security
• Have a process in place to identify new vulnerabilities in their technology
• Can effectively bring together information from technical, people and physical security domains
• Link with other organisations to share situational awareness
• Understand the legal issues around a cyber breach
• Have worked out how they would recover from an incident

~90%:
• Implement defence in depth

Further, there seems to be a reasonable degree of confidence, in what is naturally a risk-averse profession. 72% of our respondents consider that the cyber risk in their organisation is effectively managed.

Chart: How well covered is your company from CS risk? Very well 18%; Quite well 54%; Mostly covered 25%; Not covered 3%.

Chart: Factors that hinder the successful implementation of CS. Lack of senior level buy-in 16%; Lack of budget 24%; Lack of a security culture within the organisation 23%; Lack of cyber security skills 12%; Lack of understanding of the real risks that we face 20%; Other 7%.

Page 7: Cyber_security_survey201415_2


At the extremes, around 18% believe that everything possible has been done and only 3% suggest that their organisation has not covered the basics. The implementation of security is hampered most often by a lack of budget, with the lack of a security culture and poor understanding of the risk also significant issues.

Most, but not all, of the organisations that process payment card data have implemented PCI DSS. Yet the wider adoption of standards is not as prevalent as might be expected. Surprisingly, only 30% have ISO 27001 accreditation and 11% are now using the relatively new PAS 555.

There are a lot of reports about the high level of cyber breaches but it is often hard to understand their real impact. This survey reveals that a third of organisations have suffered what is considered to be a business-affecting cyber incident in the last 12 months. From the survey responses, this does not appear to correlate with a weak security posture.

How often do you link with other organisations in your sector or industry to share cyber security matters?

Yearly 19%

Monthly 34%

Weekly 19%

Daily 9%

Never 18%

It is worrying that 18% of security professionals do not know what they are trying to protect and 28% do not know who has access to the organisation’s most sensitive assets. Further, a quarter of organisations do not include cyber security considerations in their risk processes and a third do not take a through-life approach to security. A quarter have not planned or prepared their recovery process following an incident. All these matters are important gaps in effective security that should be urgently addressed.

Understanding of cyber risk

The understanding of cyber risk at senior level is improving. Yet it appears not to be well understood more widely in organisations. The HR function should play a significant role in security, not least through effective pre-employment screening, performance management and discipline, and the management of change and exit. Security professionals need to reach out to their HR colleagues and help educate them about the risk.

Chart: Understanding of cyber risk by role. Roles: The Board’s Risk Committee, CEO, CFO, CIO/CTO, Others within technology, HR, Legal, Sales and Marketing, Business operations. Series: Good or better; Limited or none.

Page 8: Cyber_security_survey201415_2


No connected organisation can have effective cyber security without addressing vulnerabilities across its whole enterprise. Yet whilst the cyber risk is reportedly considered in almost all procurement decisions, around a quarter of organisations are not including security requirements in their contracts and even for those who do, a third do not assess or measure the cyber security of their suppliers. Whilst the government’s new Cyber Essentials Scheme may provide one new solution for this, less than half of respondents feel that current government guidance on cyber risk has been helpful.

Do you feel the government provides useful guidance to help you manage your cyber security risk?

Yes 43%

No 57%

Charts: Is CS of suppliers measured / assessed? Have security considerations ever changed a procurement decision?

Responses (Yes / No / Don't know), in the order shown: 68% / 26% / 6%; 55% / 30% / 15%.

Page 9: Cyber_security_survey201415_2


Conclusion

Despite a third suffering a business-affecting cyber security incident in the last year, cyber security leaders are generally happy that their organisation is doing what it can to address the risk. However, the lack of budget and poor understanding of the risk are key blockers to doing more.

The survey reveals that a lot of good practice is being followed, but there are some worrying gaps: a significant minority do not know what they are protecting, or who has access to the organisation’s crown jewels; the supply chain security risk is also not properly addressed. Another major area for improvement is for security professionals to reach out and help explain the risk further, especially to the HR function, which does not yet understand cyber risk and so cannot contribute towards addressing people risk.

Page 10: Cyber_security_survey201415_2


Harvey Nash Information Security Practice

Our Information Security practice is the newest of our specialist vertical teams, and is run by consultants dedicated to this increasingly vital function. Over the last 18 months, we’ve seen demand for information security related skillsets increase by 70% across the UK alone. This is a clear response to the ever-changing threat landscape and the challenges our industry faces in keeping data, information and assets secure. Our extensive global network and talent pool means our team can provide tailored resourcing strategies to meet this demand. Our Information Security team offer a complete end-to-end recruitment service. We deliver both contract and permanent staff for technical, governance, risk and strategic security skill sets. We have a successful track record of placing professionals at global Chief Information Security Officer level through to Security Operation Analysts. Our team are also heavily involved in thought leadership, advisory services and have contributed to articles written by Computing and Bloomberg.

Stephanie Crates
Head of Information Security Practice, London

E: [email protected]
T: 020 7333 1854
M: 07568 116387

James Walsh
Head of Information Security Practice, Birmingham

E: [email protected]
T: 0121 717 1946
M: 07896 019475

Page 11: Cyber_security_survey201415_2


PA Consulting Group

PA Consulting Group is an employee-owned firm of over 2,500 people. We work with business and governments worldwide through our offices in North America, Europe, the Nordics, the Gulf and Asia Pacific. We bring together business knowledge and technical expertise to offer a market-leading, end-to-end cyber security capability that helps organisations to significantly improve their cyber security and resilience. Our services include:

• Security strategy, leadership and governance to ensure that you have a properly informed, risk and resilience-led security strategy with clear accountability and responsibility.

• Risk management and assurance against all industry and regulatory standards, such as ISO27001, PAS 555, Cyber Essentials and PCI DSS to identify and plan areas for improvement.

• Technical security services including penetration testing, computer forensics, enterprise architecture, biometrics and identity management, eDiscovery, secure coding and infrastructure, and SCADA and process control security, to give you practical help and tools to implement, test and assure your security solutions.

• Security culture development to identify and develop pragmatic and effective cultural solutions to reduce people risk, including social engineering vulnerability assessment, behavioural analysis and development of an effective security culture.

• Cyber security education and training including university accredited, hands-on technical training in information security, ethical hacking and computer forensics.

If you would like to contact us please email [email protected]
