The State of IT Security for 2019
1 like1,446 views
The document summarizes the results of a survey of 319 IT professionals about the state of IT security. Key findings include: - 85% were confident in their organization's security program, though 41% reported a security breach in the past. - Top security investments were internal staffing, network firewalls, virus protection and malware protection. - Growing complexity of regulations and insufficient security staffing were the top security challenges. - Top priorities for the coming year were security and cloud computing.
![39% of respondents
reported that they have
not had a security
breach.
Of those who had a
breach, 50% noted that
they found the breach in
less than a day; 26%
found it in 7 days or less
[Not shown on graph].
The State of IT Security for 201915
Breach and Time to Detection Here
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
How long did it take to detect your organization’s most recent security breach?](https://image.slidesharecdn.com/2019securitygeneralremovecsandsprod-190109184617/85/The-State-of-IT-Security-for-2019-15-320.jpg)
![The most common type of
breaches were Virus /
Malware or Phishing, each
reported by roughly three-
quarters of those who had
a breach.
Virus attacks came from
internal sources roughly
half the time. Phishing
was reported as coming
from external sources 78%
of the time [Not shown].
The State of IT Security for 201916
Types of Breach
Note that this was a select all that
apply question so responses will not
total to 100%.
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Type of Breach](https://image.slidesharecdn.com/2019securitygeneralremovecsandsprod-190109184617/85/The-State-of-IT-Security-for-2019-16-320.jpg)
The State of IT Security for 2019
- 1. The State of IT Security for 2019 1
- 2. Respondent Profile The State of IT Security for 20192 • 319 professionals responded.* • 82% of respondents plan, manage or administer Information Technology (IT) systems at their company. • 24% of respondents have primary responsibility for security at their organization. Another 57% share the responsibility. • 78% of respondents have more than 100 employees at their organization. 66% have more then 500. • The most often reported industries were Government & Public Safety (11%), Education, Finance Services or Healthcare (8% each).**
- 3. The State of IT Security for 20193 Principal Findings • The most common regulatory standards to which companies adhered were GDPR (37%), followed by HIPPA and SOX (32%). • Staffing for security: Overwhelmingly, IT organizations rely on in-house staff for security (94%). 43% use a third party consulting firm.* o In-house staff perform a considerable majority of security audits (69%). Of those who audit, the most common schedule for auditing is “annually” (32%). o Unsurprisingly, the top security measure that companies will invest in for the coming year is internal staffing/skills (almost 4 out of 10 respondents). • Fairly high confidence in company security: 85% of respondents are either very confident or somewhat confident in the effectiveness of their organization's security program. Those who audit are more confident in their security than those who do not (87% vs. 50%). • Security breach: 41% noted their company had experienced a security breach.** 39% had not, and 20% did not know.
- 4. • Most common types of breaches: Viruses or Malware/Phishing were each reported by roughly threequarters of professionals who’d experienced breaches. o Interestingly, virus attacks came from internal sources approximately half the time. Phishing came from external sources 78% of the time.* o After a breach, companies’ most common action was to increase training for IT staff (43%). • Breach detection: Of those who experienced breaches, 50% noted that they found the breach in less than a day; 26% found it in 7 days or less. • Leading three investments in security today: 65% of respondents or more have invested in Network firewall, Virus protection, and Malware protection.** • Top security challenges: Only one security challenge yielded more than one-quarter of the response—Cloud services (28%). Growing complexity of regulations and insufficient IT security staffing yielded 20% and 19% respectively.*** • Top two IT priorities in the coming year: Security (42%) and Cloud computing(35%).**** The State of IT Security for 20194 Principal Findings
- 5. • The Security survey revealed mixed results regarding companies’ security environments. Survey findings could be viewed as a glass-half-full or half-empty scenario, depending upon your perspective. o In general, a considerable majority are either very or somewhat confident in their security programs. o Still, many professionals reported that their companies have experienced security breaches, and of those that had breaches, half discovered them in less than a day. o The majority of companies perform security audits, although these audits are most commonly done once a year. It’s worth noting that field of security is changing rapidly, and malicious hackers are developing newer and more sophisticated ways to breach security.* Results showed that the practice of auditing appears to give professionals greater confidence in their security. o Organizations largely lean on internal staff for security. Accordingly, many—but not all companies—are investing in staffing and training. The State of IT Security for 20195 Conclusions
- 6. • Today’s investments in security: Results showed that organizations have invested in myriad security solutions, the top ones being network firewall, virus protection, and malware protection. These are fundamental applications and approaches—the basic underpinnings of security.* • Investments in the coming year: Professionals noted that security was their top IT priority in the coming year. Staffing/training is planned by almost 40% of respondents. Yet, less than a third indicated investments in other security measures or technologies.** These survey findings suggest that companies are not planning to leverage the full range of security tools available within the coming year. New technology is essential in combating cyber security threats. The State of IT Security for 20196 Conclusions
- 7. For security purposes, respondents most often had first hand knowledge of Window servers (69%), followed by Network infrastructure (54%). They were least familiar with Data Lake or Hadoop Cluster(s) (7%). The State of IT Security for 20197 IT Infrastructure Familiar With Note that this was a select all that apply question so responses will not total to 100%. 0% 10% 20% 30% 40% 50% 60% 70% 80% What components of your company’s IT infrastructure are you familiar with and have first-hand knowledge of, as they relate to security? Choose all that apply.
- 8. The regulation that most respondents had to adhere to was GDPR (37%), followed by HIPAA and SOX (32% each). Only 6% selected 23 NYCRR 500. The State of IT Security for 20198 Regulations Adhere To Note that this was a select all that apply question so responses will not total to 100%. 0% 5% 10% 15% 20% 25% 30% 35% 40% What regulations must your organization adhere to? Choose all that apply.
- 9. 94% of respondents reported that In-house staff is responsible for security. 43% indicated Third party consulting firm and 26% selected Cloud or managed service provider. The State of IT Security for 20199 Who Responsible for Security? Note that this was a select all that apply question so responses will not total to 100%. 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% What types of staffing resources does your organization use for IT security? Choose all that apply.
- 10. 85% of respondents are either Very confident or Somewhat confident in the effectiveness of their organization's security program. 10 Confidence in Security Program 0% 10% 20% 30% 40% 50% 60% How confident are you in the effectiveness of your organization’s security program? The State of IT Security for 2019
- 11. Almost half of respondents reported Increased spending on security-related technology (46%) over the past three years. 35% (each) indicated Developed or significantly updated a security program and Increased spending on internal resources to support cybersecurity initiatives. Only 2% of respondents selected Failed the cybersecurity portion of a regulatory compliance audit. The State of IT Security for 201911 Security Related Occurrences in Last 3 Years Note that this was a select all that apply question so responses will not total to 100%. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Which of the following has occurred in your company over the past 3 years? Choose all that apply.
- 12. Almost one-third of respondents perform security audits annually (32%). 74% perform them either annually or more frequently. The State of IT Security for 201912 Frequency of Security Audits 0% 5% 10% 15% 20% 25% 30% 35% Approximately how often does your organization perform compliance or security audits?
- 13. More than two-thirds of respondents have security audits performed by In- house staff (69%). 44% report using third party auditors and 39% use consultants. The State of IT Security for 201913 Who Performs Security Audits? Note that this was a select all that apply question so responses will not total to 100%. 0% 10% 20% 30% 40% 50% 60% 70% 80% Who performs your compliance or security audits? Choose all that apply.
- 14. At least two-thirds of respondents selected the following areas as being involved in their security audits: Application security, Backup/disaster recovery processes, Network security, Antivirus programs, and Password policies. Only 35% (each) examined Equipment disposal policies or Encryption key management. The State of IT Security for 201914 Areas of Security Audit Note that this was a select all that apply question so responses will not total to 100%. 0% 10% 20% 30% 40% 50% 60% 70% 80% What security-related areas are examined during your security audits? Choose all that apply.
- 15. 39% of respondents reported that they have not had a security breach. Of those who had a breach, 50% noted that they found the breach in less than a day; 26% found it in 7 days or less [Not shown on graph]. The State of IT Security for 201915 Breach and Time to Detection Here 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% How long did it take to detect your organization’s most recent security breach?
- 16. The most common type of breaches were Virus / Malware or Phishing, each reported by roughly three- quarters of those who had a breach. Virus attacks came from internal sources roughly half the time. Phishing was reported as coming from external sources 78% of the time [Not shown]. The State of IT Security for 201916 Types of Breach Note that this was a select all that apply question so responses will not total to 100%. 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Type of Breach
- 17. Mean time to respond was the breach metric most often met (41%). This was followed by Mean time to resolve at 35%. % of incidents resulting in loss was the metric least met (14%). The State of IT Security for 201917 Breach Metrics Note that this was a select all that apply question so responses will not total to 100%. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% Which of the following security metrics were you able to meet during the most recent security breach at your organization? Choose all that apply.
- 18. 43% of respondents Increased training for IT staff as a result of a breach. Only 15% Hired new IT staff. The State of IT Security for 201918 Response to Breach Note that this was a select all that apply question so responses will not total to 100%. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% What organizational changes, if any, did your company make in response to the most recent security breach? Choose all that apply.
- 19. Three security measures have been invested in by 65% of respondents or more: Network firewall, Virus protection, and Malware protection. Only 18% reported investing in Data tokenization. The State of IT Security for 201919 Security Measures Invested In Note that this was a select all that apply question so responses will not total to 100%. 0% 10% 20% 30% 40% 50% 60% 70% 80% What security measures has your organization invested in? Choose all that apply.
- 20. Responses to security challenges showed a wide spread. Only one challenge yielded more than one-quarter of response: Adoption of cloud services (28%). Three areas were selected the least: Lack of management support for security efforts, Line of business owned by departments other than IT, and Inadequate security-related policies (4% for each). The State of IT Security for 201920 Top Three Security Challenges Note that respondents were directed to select their top 3 challenges so figures will not total to 100%. 0% 5% 10% 15% 20% 25% 30% What are your organization’s top 3 security-related challenges?
- 21. Regarding future security measures, almost 4 out of 10 respondents will invest in Internal staffing/skills (39%). Virus protection and Malware protection each received roughly 25% response. Command line control had the lowest response at 5%. The State of IT Security for 201921 Future Security Measures Note that this was a select all that apply question so responses will not total to 100%. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% In the coming year, what security measures will your organization invest in? Choose all that apply.
- 22. Interestingly, Security and Cloud computing were the top two IT priorities for the coming year (42% and 35%, respectively). Outsourcing projects was the lowest at 3%. The State of IT Security for 201922 Overall IT Priorities Note that respondents were asked for their top 5 priorities so figures will not total to 100. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% What are your organization’s top 5 overall IT priorities for the coming year?
- 23. 2018 Security23