Research: 2010 Strategic Security Survey

Davis, Michael | 05/07/10


Global Threat, Local Pain: 2010 Strategic Security Survey

The value of all that expensive security technology is diminishing. In 2010, the adversaries we need to worry about are sophisticated, and they’re waging psychological war. The term “advanced persistent threat,” or APT, originated in government circles but is now commonly used by infosec pros referring to determined, professional attackers who aren’t looking for splashy site defacements. They want to burrow into your network and stay there. We know it’s happening, yet in many cases, upper management is still living in a kinder, gentler time.

“The people at the top have no idea of what the current threat landscape is like,” says one newly minted IT pro. “In fact, when my branch tried to report an intrusion to headquarters, we were told that such a thing could not have happened because the company has a firewall. The level of ignorance is actually stunning.” That’s a common theme, and why we’re worried that just 16% of the 1,002 business IT professionals responding to our 2010 InformationWeek Analytics Strategic Security Survey say their organizations are more vulnerable to malicious attacks and security breaches than they were a year ago, a tiny uptick from 13% in our 2009 poll. When asked if their organizations had experienced a security breach or espionage in the past year, only 23% say yes.

Maybe they’re right, maybe not. But one thing we do know: In this war, complacency can get you killed.

Fortunately, the stars seem to be lining up on our side. The economy is doing better, which should free up additional security dollars. Google’s well-publicized travails in China have raised awareness of organized threats. A new strategic U.S. Cyber Command, part of the U.S. Strategic Command, has been established. We’re seeing increased enforcement of HIPAA requirements and the potential for a federal breach notification law. And yes, we believe regulation is a good thing for IT, even if it does increase complexity.

We surveyed and talked with more than 1,000 organizations in government, financial, healthcare, manufacturing and other sectors to determine the state of security in 2010. In this report, we’ll analyze results and discuss why we need a new way of looking at security. The wrong technology expenditures will yield vastly diminished returns, so we’ll ensure you don’t spend time, money and energy trying to solve yesterday’s problems. And, we’ll explain why you need to take a marketing pro to lunch, sooner rather than later.

Survey Name: InformationWeek Analytics 2010 Strategic Security Survey
Survey Date: April 2010
Region: North America
Number of Respondents: 1,002

Table of Contents

    Author’s Bio
    Executive Summary
    Research Synopsis
    Into the Light
    No Easy Answer
    Quantum Shift
    Watch Where You Surf
    Just Like Magic
    What’s In Our Future
    Appendix

About the Author

Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago, and an InformationWeek Analytics contributor. Michael is also a contributing author of Hacking Exposed, the No. 1 text on hacker methodology, and the new Hacking Exposed: Malware and Rootkits.

He is a senior member of the HoneyNet project, where he is working to develop data and network control mechanisms for Windows-based honeynets. Michael is an active developer in the open source community and has ported many popular network security applications to the Windows platform, including snort, honeyd, dsniff, and ngrep. He has spoken at several conferences around the world, including Defcon, CanSecWest, Toorcon and MISTI, as well as to local groups.

Global Threat Local Pain
Comment by ANON1241778992248, Sep-08, 2010 12:52:13 PM

I work for a security company and your comment about “The people at the top have no idea of what the current threat landscape is like,” and “The level of ignorance is actually stunning” could not be more accurate. We work with mostly banks and the top management people don't have a clue. And, for the most part, IT folks are just not very good at educating management as to how poor their level of security really is. This may have something to do with job security for those who have been there for a while. Help in educating both sides is critical to heading off a devastating breach. Your report will help in bringing management and IT staffers to the table before it's too late.

Re: Global Threat Local Pain
Comment by mdavis@savidtech.com, Oct-29, 2010 6:08:33 PM

It is a growing problem, as you mentioned. I have been working on research that helps IT and IS engineers communicate better with executives and it is rather interesting. Specifically, the use of industry data decreases executive management buy-in and the use of scenarios based on people in your company can have more of an effect. Email me and I will send you the presentation I gave at Black Hat on this topic.

Re: Complacency can get you killed
Comment by mdavis@savidtech.com, Sep-07, 2010 5:00:10 PM

JimM, you are correct in that a breach may not get you killed physically but it can end your career pretty quickly and I know a fair number of people who do risk their lives, physically, every day that rely upon the information provided by systems that if breached, and information is changed, can physically kill people. Your concern is the exact point I was trying to make in the report. Having no security controls in place is not the symptom, it is the problem. The symptom is that without those controls, other issues arise. Health care systems being infected with malware can cause patients to not be treated in time or properly. What will happen when your car can be infected with malware via wireless? Could it cause you to drive off the road? Who knows right now, but the fact remains that security does more than just help check off the compliance box.

Complacency can get you killed?
Comment by JimM, Aug-22, 2010 4:06:04 PM

Michael,

Please drop the excessive hyperbole. You can say a lot of things about computer security, but I haven't seen many people in the morgue these days from a hack. And what exactly do you know about wars or people getting killed? I don't mind if you want to hype the problem, but please keep it in perspective. There are a lot of people who know much more about wars and getting killed and it's inappropriate for you to make a comparison like this to sell information security.

Spanair 2008 crash - 154 deaths
Comment by ttate465, Sep-08, 2010 10:27:30 AM

You want bodies in a morgue due to a hack/malware. See the investigation report about the Spanair 2008 crash with 154 deaths. Malware contributed to this event.
http://itknowledgeexchange.techtarget.com/it-trenches/investigation-indicates-trojan-contributed-2008-spainair-crash/

... excessive hyperbole? ... are you serious??
Comment by JohnMCATV, Sep-08, 2010 10:37:44 AM

... this IS a serious problem! Sorry, dude, but it's attitudes like yours that take focus off of a problem and lean towards a more nit-picking distraction from the issue. As far as "I haven't seen any deaths due to a hack" .... read your other replies ... you sound like you could be one of the CEOs of a "Security" company.

good article
Comment by nabha, May-23, 2010 11:33:10 AM

good article

Can it really be 13 years?
Comment by lgarey@techweb.com, May-23, 2010 11:10:15 AM

Why yes, we've done the annual Strategic Security report for that long -- since before my time, and the author of this report was still unable to drive! Take a look, let us know what you think, what we should cover for next year. --Lorna
