CYBER SECURITY SURVEY 2014/15
For the purposes of the survey, cyber security is defined as an umbrella term encompassing information security
and information assurance.
The survey was designed and analysed with the help of Ed Savage, who leads PA Consulting Group's Cyber Security
Team. cybersecurity@paconsulting.com
Contents
About the survey 4
About the respondents and their organisations 4
The findings 6
Conclusion 9
About Harvey Nash's Information Security Practice 11
#HNCyberSurvey
Welcome
What does the word ‘cyber’ mean to you?

It's a word that in the last few years has appeared everywhere, with increasing regularity. And it's used by people in a range of different situations. We have cybercrime, cyber warfare, cyber-attack and cyber security as just a few examples.

In industry the same ambiguity prevails. How important is cyber and how should it be dealt with? Just like the lack of clarity over the word itself, there is a lack of a coherent strategy to deal with the challenges posed.

All this rests on the backdrop of an industry-wide revolution. Who owns technology? Who does a CISO report into? What is the monetary value of cyber?

Cyber threats pose a considerable risk to UK companies and industry is by far the biggest victim of cyber crime. 81% of large businesses and 60% of small businesses suffered a breach in the last year, with the average cost of breaches to business nearly doubling since last year (BIS 2014 Information Security Breaches Survey).

On Nov 5th, Minister for Cabinet Office, Francis Maude said: “Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan – we want the UK to be one of the most secure places in the world to do business".

To further highlight the lack of understanding, our own CIO Survey listed security second-bottom on the priority list. Yet our Technology Survey placed it as the second most important topic. Both cannot be right.

So I'm really excited to share this survey. It's our attempt to create a narrative with you, and possibly unlock some key answers. I hope we give you the information to help determine what ‘cyber’ means to you, and to your organisation.
Andrew Heyes
Managing Director
Harvey Nash
HARVEY NASH CYBER SECURITY SURVEY 2014/15
About the survey
The survey was completed during the Summer of 2014. There were 161 respondents, representing companies
from across the economy (including 20% from SMEs); the biggest group were in financial services (28%);
there were also responses from government departments (9%), the education and voluntary sectors
(4%). Predominantly, the respondents were the people responsible for delivering cyber security for their
organisation; 10% of responses were from academics and professional advisors.
About the respondents and their organisations
Almost all (94%) of those who lead on cyber and information security are men. Just over half have the title of Head of Information Security. Most are within a technical function, reporting to the CIO, CTO, Chief Architect etc. However, recognising that cyber is not just a technical issue, it is interesting that 38% now report to non-technical senior executives, such as the CEO, FD or COO of their organisation.
Over a third of cyber security leaders are now earning over £100k pa, with the largest group of high earners (35%) working in Finance and Banking. The highest earners overall are now topping £200k pa.

[Figure: Respondees by size of organisation (staff)]
Up to 100: 12%; 101 - 150: 8%; 501 - 1000: 8%; 1001 - 5000: 19%; 5001 - 10,000: 11%; 10,000+: 42%

[Figure: % breakdown of responses by sector]
Sectors: Education, Finance and Banking (28%), Government (9%), Health, IT Services, Professional services, Manufacturing, Media, Other; the remaining segments range from 3% to 8% each.

[Figure: Breakdown by salary]
Up to £80,000: 34%; £81,000 - £100,000: 30%; £101,000 - £150,000: 28%; £150,000 - £200,000: 5%; £200,000 plus: 3%
It is believed that there are skills shortages across the profession. The search for senior leaders and architects is seen as the most challenging.

[Figure: What skills are lacking]
SOC Analyst 18%; Security Engineering 15%; Governance, risk and compliance 16%; Security Architecture 19%; Senior Cyber Leaders 19%; Other 14%

Skills shortages are the most common reason for buying-in help, and many organisations are doing so in some way. Only 9% of organisations are using external expertise to help develop their cyber strategy. Yet penetration testing, where an independent view is often particularly valued, is outsourced by 75% of organisations.

[Figure: Reasons for outsourcing cyber security]
As part of a wider managed service contract 24%; To achieve cost savings 22%; Lack of in-house cyber security skills 35%; To meet legal or regulatory requirements 19%
The findings
There are a lot of reasonably positive findings in the survey, which from our experience suggests an improving grasp of the risk:
~80%:
o Can clearly identify the owner of cyber risk
o Test their organisation’s cyber security
o Have a process in place to identify new vulnerabilities in their technology
o Can effectively bring together information from technical, people and physical security domains
o Link with other organisations to share situational awareness
o Understand the legal issues around a cyber breach
o Have worked out how they would recover from an incident
~90%:
o Implement defence in depth
Further, there seems to be a reasonable degree of confidence, in what is naturally a risk-averse profession. 72% of our respondents consider that the cyber risk in their organisation is effectively managed.
[Figure: How well covered is your company from cyber security risk?]
Very well 18%; Quite well 54%; Mostly covered 25%; Not covered 3%

[Figure: Factors hindering the successful implementation of cyber security]
Lack of senior level buy-in 16%; Lack of budget 24%; Lack of a security culture within the organisation 23%; Lack of cyber security skills 12%; Lack of understanding of the real risks that we face 20%; Other 7%
At the extremes, around 18% believe that everything possible has been done and only 3% suggest that their organisation has not covered the basics. The implementation of security is hampered most often by a lack of budget, with the lack of a security culture and poor understanding of the risk also significant issues.
Most, but not all, of the organisations who process payment card data have implemented PCI DSS. Yet the wider adoption of standards is not as prevalent as might be expected. Surprisingly, only 30% hold ISO 27001 certification and 11% are now using the relatively new PAS 555.
There are a lot of reports about the high level of cyber breaches, but it is often hard to understand their real impact. This survey reveals that a third of organisations have suffered what is considered to be a business-affecting cyber incident in the last 12 months. From the survey responses, this does not appear to correlate with a weak security posture.
[Figure: How often do you link with other organisations in your sector or industry to share cyber security matters?]
Yearly 19%; Monthly 34%; Weekly 19%; Daily 9%; Never 18%
It is worrying that 18% of security professionals do not know what they are trying to protect and 28% do not
know who has access to the organisation’s most sensitive assets. Further, a quarter of organisations do not
include cyber security considerations in their risk processes and a third do not take a through-life approach
to security. A quarter have not planned or prepared their recovery process following an incident. All these
matters are important gaps in effective security that should be urgently addressed.
Understanding of cyber risk
The understanding of cyber risk at senior level is improving. Yet it appears not to be well understood more
widely in organisations. The HR function should play a significant role in security, not least through effective
pre-employment screening, performance management and discipline, and the management of change and
exit. Security professionals need to reach out to their HR colleagues and help educate them about the risk.
[Figure: Understanding of cyber risk, by function: The Board’s Risk Committee, CEO, CFO, CIO/CTO, Others within technology, HR, Legal, Sales and Marketing, Business operations; each rated “Good or better” or “Limited or none”]
No connected organisation can have effective cyber security without addressing vulnerabilities across its
whole enterprise. Yet whilst the cyber risk is reportedly considered in almost all procurement decisions,
around a quarter of organisations are not including security requirements in their contracts and even for
those who do, a third do not assess or measure the cyber security of their suppliers. Whilst the government’s
new Cyber Essentials Scheme may provide one new solution for this, less than half of respondents feel that
current government guidance on cyber risk has been helpful.
[Figure: Do you feel the government provides useful guidance to help you manage your cyber security risk?]
Yes 43%; No 57%

[Figure: Is the cyber security of suppliers measured / assessed?]
Yes 68%; No 26%; Don't know 6%

[Figure: Have security considerations ever changed a procurement decision?]
Yes 55%; No 30%; Don't know 15%
Conclusion
Despite a third suffering a business-affecting cyber security incident in the last year, cyber security leaders are
generally happy that their organisation is doing what it can to address the risk. However, the lack of budget
and poor understanding of the risk are key blockers to doing more.
The survey reveals that a lot of good practice is being followed, but there are some worrying gaps: a significant
minority do not know what they are protecting, or who has access to the organisation’s crown jewels; the
supply chain security risk is also not properly addressed. Another major area for improvement is for security
professionals to reach out and help explain the risk further, especially to the HR function, which does not yet
understand cyber risk and so cannot contribute towards addressing people risk.
Harvey Nash Information Security Practice
Our Information Security practice is the newest of our specialist vertical
teams, and is run by consultants dedicated to this increasingly vital function.
Over the last 18 months, we’ve seen demand for information security related
skillsets increase by 70% across the UK alone. This is a clear response to the ever-
changing threat landscape and the challenges our industry faces in keeping
data, information and assets secure. Our extensive global network and talent
pool means our team can provide tailored resourcing strategies to meet this
demand. Our Information Security team offer a complete end-to-end recruitment
service. We deliver both contract and permanent staff for technical, governance,
risk and strategic security skill sets. We have a successful track record of placing
professionals at global Chief Information Security Officer level through to Security
Operation Analysts. Our team are also heavily involved in thought leadership,
advisory services and have contributed to articles written by Computing and
Bloomberg.
Stephanie Crates
Head of Information Security Practice, London
E: stephanie.crates@harveynash.com
T: 020 7333 1854
M: 07568 116387
James Walsh
Head of Information Security Practice, Birmingham
E: james.walsh@harveynash.com
T: 0121 717 1946
M: 07896 019475
PA Consulting Group
PA Consulting Group is an employee-owned firm of over 2,500 people. We work
with business and governments worldwide through our offices in North America,
Europe, the Nordics, the Gulf and Asia Pacific.
We bring together business knowledge and technical expertise to offer a
market-leading, end-to-end cyber security capability that helps organisations to
significantly improve their cyber security and resilience. Our services include:
• Security strategy, leadership and governance to ensure that you have
a properly informed, risk and resilience-led security strategy with clear
accountability and responsibility.
• Risk management and assurance against all industry and regulatory standards,
such as ISO 27001, PAS 555, Cyber Essentials and PCI DSS, to identify and plan
areas for improvement.
• Technical security services including penetration testing, computer forensics,
enterprise architecture, biometrics and identity management, eDiscovery,
secure coding and infrastructure, and SCADA and process control security, to
give you practical help and tools to implement, test and assure your security
solutions.
• Security culture development to identify and develop pragmatic and
effective cultural solutions to reduce people risk, including social engineering
vulnerability assessment, behavioural analysis and development of an
effective security culture.
• Cyber security education and training including university accredited, hands-
on technical training in information security, ethical hacking and computer
forensics.
If you would like to contact us please email cybersecurity@paconsulting.com