Beruflich Dokumente
Kultur Dokumente
Survey Methodology
An invitation to participate in the survey was emailed to a global population of cybersecurity professionals
composed of individuals holding ISACAs Certified Information Security Manager (CISM) and Cybersecurity
Nexus Practitioner (CSX Practitioner) designations, individuals in information security positions, RSA
Conferences Loyalty Plus customers, and individuals preregistered for the 2016 RSA Conference. The survey
data were collected anonymously through SurveyMonkey. The results reveal many interesting findings that
indicate positives and negatives for cybersecurity professionals. The survey, which used multiple-choice and
Likert scale formats, was organized in four major sections:
Demographics
Organizational security
Threats, attacks and crime
Emerging trends
The populations invited to respond to the survey were selected ISACA certification holders and RSA
Conference constituents. Due to the nature of the survey, the targeted population consisted of individuals
who have cybersecurity job responsibilities. More than 842 individuals participated, of which 461 indicated
that their primary job function is cybersecurity or information security. The data represented in this report
reflect the information provided by those 461 individuals. A typical respondent can be described as:
81%
North America
A member
of ISACA
21%
financial services
Europe/Asia
46%
79%
Cybersecurity/
Information Security
Management
Working in technology
services/consulting
22%
39%
69%
Cybersecurity/
Information Security
Practitioners
21%
Employed in an
enterprise with at least
1,000 employees
While the norms of the sample population are interesting to consider, it is important to note some characteristics that
reflect the populations diversity. Among those surveyed, respondents hailed from more than 20 industries (figure 1)
and all five major global regions (figure 2).
Aerospace
Education/Student
3%
Financial Banking
22%
Government/
Military-National
15%
6%
Healthcare/Medical
3%
Insurance
Legal/Law/
Real Estate
2%
Manufacturing/
Engineering
5%
Mining/Construction/
Petroleum
2%
Pharmaceutical
1%
Public Accounting
<1%
Retail/Wholesale/
Distribution
3%
Technology Services/
Consulting
21%
Telecommunications/
Communications
6%
Transportation
2%
2%
Utilities
Other (please
specify)
5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
North America
24%
Europe
15%
Asia
Africa
5%
Latin America
5%
Oceania
5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Organizational Security
Cybersecurity incidents continue to escalate in frequency
and impact to enterprises. Each year breaches headline
the news with the resulting enterprise impact such as
loss of customer confidence, financial loss and, in some
situations, the inability of an enterprise to recover and
eventual shut down. It is clear that security breaches
are not a remote threat any longer but are now fact.
Enterprises are dealing with attacks daily (figure 3) and
they must be prepared to deal with adversaries that are
evolving and motivated to achieve their goal. In order
to address the threat landscape, enterprises must have
continued focus on cybersecurity risk so they can achieve
resilience when an incident does occur.
Fortunately, this years data demonstrate a plan for better
governance. Security has become a board and executive
Weekly
Monthly
At least quarterly
N/A
4%
5%
6%
21%
65%
11%
7%
Hacking
9%
25%
47%
16%
12%
Malicious code
13%
26%
32%
1%
2%
Loss of intellectual
property
4%
20%
72%
1%
1%
Intentional damage
to computer systems
5%
18%
74%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Daily
Weekly
Monthly
At least quarterly
N/A
1%
6%
Physical loss
10%
37%
45%
30%
17%
Phishing
15%
19%
20%
4%
5%
Denial of service
10%
27%
53%
3%
2%
Insider damage
10%
22%
64%
13%
2%
Dont know
4%
6%
75%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Very concerned
46%
Concerned
8%
Not concerned
1%
7%
Don't know
3%
N/A
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
70%
80%
90%
100%
CEO
63%
CIO
4%
CFO
1%
Audit
8%
Board of Directors
Undefined
3%
Don't know
3%
N/A
3%
0%
10%
20%
30%
40%
50%
60%
While the security team is frequently still positioned within IT, there is clear evidence that enterprise executives
are supporting the program. Support from the executive team comes in a variety of activities such as
enforcing policy, providing appropriate funding, and mandating awareness training (figure 6). Sixty-one
percent surveyed state that they expected an increase in their cybersecurity budgets in 2016. Budgeted items
include increased pay for skilled workers, skills development training, awareness programs and response
planning. In addition to increased spending on cybersecurity, 75 percent of respondents report that their
organizations cybersecurity strategy now aligns to enterprise objectives.
66%
63%
Mandating security
awareness training
58%
43%
6%
Don't know
7%
N/A
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
< 2 weeks
8%
1 month
17%
2 months
26%
3 months
28%
6 months
9%
11%
Dont know
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
While most organizations are eventually able to hire professionals into cybersecurity and information security
positions, most applicants submitting resumes do not have adequate skills to meet the needs of the business.
In 2014, 50 percent of respondents reported that less than half of the job candidates their organizations
reviewed were considered qualified upon hire. In 2015, that percentage increased, with 59 percent noting the
lack of qualification of half of the job candidates (figure 8).
1
Suby, Michael; Frank Dickson; The 2015 (ISC)2 Global Information Security Workforce Study, Frost & Sullivan, in partnership with (ISC)2, Booz Allen Hamilton, NRI Secure Technologies and
Cyber360, 2015, https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf
10
< 25%
27%
25 - 50%
17%
50 - 75%
75 - 100%
12%
Dont know
12%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
75%
Communication
61%
Technical skills
61%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
11
While respondents recognize that they need to provide technical training for current employees, only 13 percent
of participants reported that their organizations spent more than US $50,000 on training and skills development.
In order to close the skills and knowledge gaps, enterprises still rely upon on-the-job training, training vendors
and self-instruction to educate their existing workforce. While on-the-job training remains primary, a sharp
increase in skills-based training and performance-based assessments is noted among techniques being
employed by organizations to address the skills gap (figure 10).
On-the-job training
Other training &
certification (e.g., ISC ,
63%
58%
Self-instruction
Vendor-specific
tool training
52%
Online training/
webinars (Skillsoft Federal Virtual
48%
Training Environment)
Skills-based training/
performance-based
assessment certifications
38%
27%
Formal education
16%
Organization is not
developing needed
technical skills
7%
Competitions
5%
5%
1%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
12
While many respondents report having an experienced staff that they rely on, they also recognize that
experience is not a determinant of requisite skills to deal with complex security incidents. The survey
data indicate that 92 percent of respondents organizations information security/cybersecurity staff
average at least three years of experience and 73 percent average more than five years of experience, yet
respondents are not feeling comfortable with their teams ability to detect and react. In 2014, 87 percent
of respondents reported that they are comfortable with their security teams ability to detect and respond
to incidents; however, that sense of comfort slipped to 75 percent in 2015. Of that 75 percent, 42 percent
indicated that their comfort with the teams ability is limited to simple incidents only (figure 11).
Yes
42%
17%
No
5%
Dont know
3%
N/A
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
The survey results indicate that organizations continue to focus on increasing cyber resilience through sharing information,
aligning cybersecurity policy with organizational objectives, and increasing investment in cybersecurity personnel,
technologies and related services. Although efforts to recruit talent have expanded from 2014, organizations still struggle
with the skills gap that exists among applicants and seasoned professionals. Even though significant increases in training
spending occurred in 2015, the methods that are most commonly used (e.g., on-the-job training, knowledge-based vendor
training or self-training) have not closed the gap. This is evidenced by the decrease in ratings indicating the respondents
degree of comfort that their organizations cybersecurity professionals can handle evolving threats.
13
31%
Hackers
25%
Non-malicious
insiders
21%
Malicious insiders
15%
Nation/state
13%
Hacktivists
12%
None of these
24%
Dont know
24%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
14
The survey also asked respondents to indicate which attack types most commonly penetrated their enterprises
networks. The responses show that the most prevalent successful attack types hinge on the human factor. According
to respondents, the attack types that most frequently exploited their organizations in 2015 were (in order) phishing,
malware and social engineering (figure 13). In 2015, social engineering moved ahead of hacking attempts, the attack
type that was third in the 2014 survey. The biggest change from the 2014 to the 2015 data is the 13 percent decrease
in loss of mobile devices.
60%
Malware
52%
Social engineering
41%
Hacking attempts
36%
Loss of mobile
devices
34%
16%
Insider theft
SQL injections
15%
Watering hole
8%
Man-in-the-middle
attacks
7%
15%
None of these
Dont know
11%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
15
Very likely
32%
Likely
17%
1%
8%
Dont know
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
16
Financial gain
Disruption of
services
18%
16%
Theft of PII
Intellectual
property theft
14%
Theft of classified
data
11%
6%
Dont know
3%
None of these
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
17
Yes
49%
No
18%
Dont know
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
18
42%
Decrease in the
short-term
3%
Increase in the
long-term
62%
Decrease in the
long-term
7%
12%
6%
9%
Dont know
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
19
Another emerging organizational concern points to the exponential growth in the IoTInternet protocol (IP)-enabled
devices. The IoT is the network of physical objects or things embedded with electronics, software, sensors and
network connectivity, enabling objects to collect and exchange data. The IoT provides objects remote access and
control across existing network infrastructures, creating opportunities for integration between the physical world
and computer-based systems that improve efficiency and accuracy and aid economic benefit.
As expected, more than half of the ISACA/RSA Conference survey respondents (53 percent) are concerned or
very concerned that the IoT will expand attack surfaces further and exacerbate cyber risk (figure 18).
19%
Concerned
34%
Not concerned
9%
Not concerned
at all
4%
9%
Dont know
25%
N/A
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
20
Conclusions
Cybersecurity threats continue to plague enterprises.
In fact, 74 percent of respondents expect to fall prey
to a cyberattack in 2016. The report data reveal that
almost 60 percent of respondents experienced a
phishing attack in 2015 and in 30 percent of these
organizations, it is occurring on a daily basis. In
addition, 20 percent are dealing with insider damage
and theft of intellectual property at least quarterly.
This is especially problematic for many organizations
that are simultaneously unable to hire or retain
technical talent.
Results indicate that cybercrime is a credible threat
to enterprise resiliency as are advanced persistent
threat (APT) and traditional attack vectors. Traditional
attack vectors appear to be as useful to adversaries
as ever, with phishing, social engineering and
hacking attempts being the top three attack types to
successfully exploit enterprise networks in 2015. This
indicates a clear need to increase awareness training
for employees as phishing and social engineering
attack success is dependent on humans. As
emerging trends continue to evolve, security
professionals will need to be able to protect against
threats that might exploit enterprises; however,
people are not going away and so it is important
to continue to develop programs to help inspire a
culture of security.
21
ISACA
Disclaimer
specific circumstances.
www.facebook.com/ISACAHQ
22
ACKNOWLEDGMENTS
ISACA Board of Directors
Eddie Schwartz
Gregory T. Grocholski
Christos K. Dimitriadis
Rosemary M. Amato
Garry J. Barnes
Robert A. Clyde
CISM,
Clyde Consulting LLC, USA, Vice President
Theresa Grafenstine
Leonard Ong
Andre Pitkowski
Tony Hayes
Robert E. Stroud
CGEIT, CRISC,
USA, Past International President
Zubin Chagpar
Matt Loeb
CGEIT, CAE,
ISACA, USA, Director
Jo Stewart-Rattray
23