Research: 2010/2011 CSI Survey

2010/2011 Computer Crime and Security Survey

With this document, the CSI Survey reaches its fifteen-year mark. Both the aims and the format of the survey continue to evolve. As you’ll see in the findings that follow, many of the results reported by our respondents could easily have been predicted from the results of the past several years. There has always been an almost surprising stability to the answers about tools and methodology in this survey, and this year is no exception.

What is different, broadly speaking, is that there is considerably more context within which these results may be interpreted. There are a number of very good reports of various kinds now available on the Web. All of them that we’re aware of, with the exception of this one, are either provided by vendors or offered by analyst firms. That’s not to say that there’s anything wrong with these sources; a tremendous amount of useful information is offered in these various reports. But independent research seems fundamental, and we believe this survey provides it. Beginning last year, there were three important changes to this survey. The first was that a “Comprehensive” edition was offered, one of its key objectives being to take the findings of other reports into account so that a proper context could be achieved. Additionally, the survey questionnaire added questions that attempted to determine not only which security technologies respondents used, but also how satisfied they are with those technologies. This year, we continue both with the more comprehensive report document and with the questions regarding satisfaction with those technologies.

As was the case last year, respondents did not seem to feel that their challenges were attributable to a lack of investment in their security programs or dissatisfaction with security tools, but rather that, despite all their efforts, they still could not be certain about what was really going on in their environments, nor whether all their efforts were truly effective. This lack of visibility into the severity of threats and the degree to which threats are effectively mitigated is a perennial problem in security and it presents problems for anyone trying to make sense of the state of information security. If respondents are unsure about what is happening on their networks, one could well argue, how can they possibly provide meaningful information on a survey questionnaire?

We would argue that, for typical security incidents, enterprise security departments have relatively reliable and accurate powers of observation. They generally know when one strain or another of a virus is making its way through their end-user population’s computers. They know when money goes missing from key bank accounts. And even if their perceptions on some points aren’t necessarily altogether accurate, having a gauge of the perceptions of security practitioners can be useful. The respondents’ concern about visibility into their networks has more to do with stealthier forms of data exfiltration and with newer, more complex attacks. Along with the respondents, we see plenty to worry about in this regard and will discuss it further at more than one point in this report. Finally, although most of the survey questions produce numbers and figures detailing the types and severity of respondents’ security incidents and the particular components of their security programs, some of the most enlightening discoveries were found in the open-ended questions about respondents’ hopes and fears.

About the Author

CSI (Computer Security Institute) is a brand within Black Hat. The Black Hat Briefings have become the biggest and the most important security conference series in the world by serving the information security community with timely, actionable security information in a friendly, vendor-neutral environment. Black Hat provides briefings and training to leading corporations and government agencies around the world. Black Hat differentiates itself by working at many levels within the corporate, government, and underground communities. This unmatched informational reach enables Black Hat to be continuously aware of the newest vulnerabilities, defense mechanisms and industry trends.

Black Hat Briefings and Trainings are held annually in Abu Dhabi, Barcelona, Las Vegas and Washington DC. Black Hat is a division of UBM TechWeb. More information is available at http://www.blackhat.com.

MIA Information Security Cost Justification

Comment by DonTurnblade, MBA, MS, CISSP, Oct 03, 2011 6:47:26 PM

Only about 15% to 17% of outfits even use NPV or IRR methods to estimate Financial Risk Exposures to Data Flows, IT Infrastructure, Business Alliances or Customers. This is truly sad. Domain 3 of the CISSP certification states that Information Security is based on this justification. Something vital is lost deeply in the woods here. Next, there is not enough data to know what Fraud or Breaches cost. Since this survey is largely composed of InfoSec professional responses, the result says something truly sad. We do a good job herding the business out of fear but not in matching InfoSec measures to their genuine financial benefit.

If 15 cents is all that is needed to protect 1 Billion USD, then do it. If 1 Billion USD is all that is needed to protect 15 cents, then do not do it. Without an NPV and IRR case, how could you possibly know when Security would not pay for itself?
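The NPV/IRR cost justification the comment above refers to, as an added, runnable example that is not code from the survey, from CSI or from the commenter: it values a proposed security control by the reduction in annualized loss expectancy (ALE) it buys, nets out the control's running cost, and computes the net present value at a hurdle rate plus the internal rate of return by bisection. The ALE figures, costs, five-year horizon and 8% hurdle rate are constructed sample inputs, not survey data, and all function names are the example's own.

```python
from typing import Dict, List, Optional


def net_cash_flows(ale_before: float, ale_after: float, capex: float,
                   annual_opex: float, years: int) -> List[float]:
    """Year-0 outlay for the control, then `years` annual net benefits.

    Annual benefit = reduction in annualized loss expectancy (ALE)
    minus the control's yearly operating cost. All inputs are the
    caller's estimates; the method is only as good as those estimates.
    """
    annual_benefit = (ale_before - ale_after) - annual_opex
    return [-capex] + [annual_benefit] * years


def npv(rate: float, flows: List[float]) -> float:
    """Net present value: discount each year's flow back to year 0."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(flows))


def irr(flows: List[float], lo: float = -0.99, cap: float = 1e12) -> Optional[float]:
    """Internal rate of return: the discount rate at which NPV is zero.

    Found by bisection. Returns None when no rate can exist, i.e. the
    flows never change sign (a control with no positive benefit can never
    pay for itself, and one with no cost has no meaningful return).
    """
    if not any(cf > 0 for cf in flows) or not any(cf < 0 for cf in flows):
        return None
    # Widen the upper bracket until NPV turns negative, so that very high
    # returns (cents spent to avert a large loss) are still found.
    hi = 1.0
    while npv(hi, flows) > 0 and hi < cap:
        hi *= 2
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def evaluate_control(ale_before: float, ale_after: float, capex: float,
                     annual_opex: float, years: int, hurdle_rate: float) -> Dict[str, object]:
    """Fund the control only when its NPV at the hurdle rate is positive."""
    flows = net_cash_flows(ale_before, ale_after, capex, annual_opex, years)
    value = npv(hurdle_rate, flows)
    return {"flows": flows, "npv": value, "irr": irr(flows), "fund": value > 0}


if __name__ == "__main__":
    # Constructed sample case: a control that cuts ALE from $500k to $100k,
    # costs $600k to deploy and $50k a year to run, judged over 5 years at 8%.
    result = evaluate_control(500_000, 100_000, 600_000, 50_000, 5, 0.08)
    print(f"NPV: {result['npv']:,.2f}  IRR: {result['irr']:.2%}  fund: {result['fund']}")

    # The commenter's two extremes: 15 cents to protect $1 billion, and
    # $1 billion to protect 15 cents (ALE reduced to zero in both cases).
    for label, args in (("cheap control, large loss", (1e9, 0.0, 0.15, 0.0, 5, 0.08)),
                        ("costly control, tiny loss", (0.15, 0.0, 1e9, 0.0, 5, 0.08))):
        r = evaluate_control(*args)
        print(f"{label}: NPV {r['npv']:,.2f}, fund={r['fund']}")
```

The IRR is reported alongside NPV because the two can disagree when cash flows change sign more than once; for a single up-front outlay followed by steady benefits, as here, NPV at the organization's hurdle rate is the decisive figure.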

Resource Center from Black Hat

DEF CON 19

Another DEF CON CTF Qualification round has passed, and with it 12 teams will ascend to their slots in the DEF CON 19 Capture the Flag Competition. The qualifying teams have not been posted just yet, so keep an eye on ddtek.biz for the winners, and we'll announce them as well when we have the results. For now, we have collected as many write-ups as we could find from this year's Quals for your consumption!
