Friday, November 13, 2015

Slight improvement in cybersecurity, based on EY's 18th annual Global Information Security Survey (GISS)

EY survey participants: 1,755 respondents | 67 countries worldwide | 25 industry sectors | the largest revenue band (21% of participating companies) is 500 million to 2 billion | 26% were from the Banking/Capital Markets and Technology sectors | 31% were organizations with fewer than 1,000 employees | 30% were CISOs, 19% information security executives and 17% CIOs

Key stats:

  • Main obstacles to the information security function's contribution and value to the organization: 62% budget constraints | 57% lack of skilled resources | 32% lack of executive awareness or support | 28% lack of quality tools for managing information security | 28% management and governance issues | 23% fragmentation of compliance/regulation
  • Most likely sources of attack, as reported: 59% criminal syndicates (53% last year) | 56% employees (although ranked as a medium priority) | 54% hacktivists (46% prior) | 43% lone-wolf hackers | 36% external contractors working on site | 35% state-sponsored attackers (27% prior)
  • Highest priorities for information security over the next 12 months: 56% data leakage and data loss prevention | 55% business continuity and disaster recovery resilience | 47% identity and access management | 44% security awareness and training | 44% incident response capability | 41% security operations, e.g. anti-virus, encryption, patching
  • Notable declines in coverage: 18% do NOT have an Identity and Access Management (IAM) program (12% prior) | 47% do NOT have a Security Operations Center (SOC) (42% prior)
  • 81% of senior executives agree that data should be at the heart of all decision-making
  • 88% say their information security function does NOT meet the organization's needs (89% last year)
  • 37% do NOT have a data protection program (this includes 27% whose data protection is only informal or ad hoc)

Threat intelligence is an important piece of identifying threats and incidents, because the small anomalies that indicate a long-term breach can be difficult to discern, especially given the sophistication of attacks, constantly changing tactics, the lack of skilled resources, and weak collaboration and mechanisms for adapting to change.

  • 59% say their SOC does not have a paid subscription to cyber threat intelligence feeds
  • 36% do not have a threat intelligence program (34% prior)
  • 66% of organizations with a SOC that did not discover their cybersecurity incident also did not have a cyber threat intelligence feed
  • 54% do not have a role or department in their information security function focused on emerging technology and its impact; this includes 36% with no plan to create one
  • 34% rank their security monitoring as mature or very mature (30% prior)
  • 53% rate their network security as mature or very mature (52% prior)
  • 57% say a lack of skilled resources is a challenge (53% last year)
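The survey measures whether a SOC subscribes to a threat intelligence feed, but not what the SOC does with one. As an added illustration (not from the EY report or this post), the Python below does the basic thing a feed enables: it loads an indicator list, drops indicators that have expired, and sweeps log lines for matching domains, IPv4 addresses and file hashes. The feed format, the field names, the indicator values and the log lines are all constructed for the example and are not real data.

```python
"""Sweep log lines against a threat-intelligence indicator feed (constructed example)."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date

# Constructed indicator feed in the CSV shape many feeds export. Not real indicators.
FEED_CSV = """\
type,value,confidence,expires,note
domain,update-check.example,90,2016-01-01,C2 beacon (constructed)
ipv4,198.51.100.23,80,2016-01-01,staging host (constructed)
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,95,2016-01-01,dropper (constructed)
domain,old-c2.example,70,2015-01-01,expired indicator (constructed)
"""

# Constructed proxy, DNS and endpoint events. Assumed layout, not a real product's log format.
SAMPLE_LOGS = [
    "2015-11-10T08:01:12Z proxy src=10.0.0.12 dst=203.0.113.9 host=www.example.org status=200",
    "2015-11-10T08:01:40Z dns client=10.0.0.12 query=beacon.UPDATE-CHECK.example type=A",
    "2015-11-10T08:02:03Z proxy src=10.0.0.12 dst=198.51.100.23 host=198.51.100.23 status=200",
    "2015-11-10T08:02:30Z edr host=ws-012 file=C:\\Temp\\x.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2015-11-10T08:03:11Z dns client=10.0.0.33 query=old-c2.example type=A",
]


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain", "ipv4" or "sha256"
    value: str       # normalized (lower-case) indicator value
    confidence: int
    note: str


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index into the swept log lines
    observable: str  # the value seen in the log that matched
    indicator: Indicator


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostnames need an alphabetic last label, so dotted IPv4 addresses never match here.
HOST_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def load_feed(csv_text, today):
    """Parse the feed, normalize values and drop indicators that expired on or before `today`."""
    active = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if date.fromisoformat(row["expires"]) <= today:
            continue  # stale indicators only generate false positives
        ind = Indicator(row["type"], row["value"].lower(), int(row["confidence"]), row["note"])
        active[(ind.kind, ind.value)] = ind
    return active


def extract_observables(line):
    """Pull (kind, value) observables out of a free-text log line, normalized to lower case."""
    obs = set()
    obs.update(("ipv4", m) for m in IPV4_RE.findall(line))
    obs.update(("sha256", m.lower()) for m in SHA256_RE.findall(line))
    obs.update(("domain", m.lower()) for m in HOST_RE.findall(line))
    return obs


def match_line(line_no, line, active):
    """Return hits for one line. A domain indicator also matches any subdomain of it."""
    hits = []
    for kind, value in extract_observables(line):
        candidates = [value]
        if kind == "domain":
            labels = value.split(".")
            # beacon.update-check.example -> also try update-check.example (never the bare TLD)
            candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
        for cand in candidates:
            ind = active.get((kind, cand))
            if ind is not None:
                hits.append(Hit(line_no, value, ind))
    return hits


def sweep(lines, active):
    """Sweep all lines; hits come back in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(n, line, active))
    return sorted(hits, key=lambda h: h.line_no)


if __name__ == "__main__":
    feed = load_feed(FEED_CSV, date(2015, 11, 13))
    for h in sweep(SAMPLE_LOGS, feed):
        print(f"line {h.line_no}: {h.observable} -> {h.indicator.kind} "
              f"{h.indicator.value} (conf {h.indicator.confidence}) {h.indicator.note}")
```

Run as-is it reports three hits (the subdomain beacon, the staging IP and the upper-cased hash) and stays silent on the expired indicator; the feed date check and the subdomain walk are the two details that most often go wrong in home-grown matchers.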

Vulnerability identification and threat management: 24% do not have a vulnerability identification program | 63% say threat and vulnerability management is a medium or low priority (66% prior) | 34% have an informal vulnerability identification program and test regularly.
In 2014, the top risks were unaware or careless employees and outdated information security controls and architecture. The 2015 results show a 10 to 20% reduction in those, but an increase in phishing and malware.

Top vulnerabilities that increased risk exposure over the last 12 months

  • 18% (highest): careless or unaware employees
  • 15%: outdated information security controls and architecture
  • 10%: risks related to cloud computing use
  • 10%: unauthorized access
  • Others include use of social media (50% ranked it as a low priority) and mobile computing

Top threats that increased risk exposure over the last 12 months

  • 19%: phishing
  • 16%: zero-day attacks
  • 16%: malware, e.g. viruses
  • 15%: cyber attacks to steal financial information
  • 15%: cyber attacks to disrupt or deface the organization
  • 13%: cyber attacks to steal intellectual property or data
  • Others include natural disasters, espionage, internal attacks by disgruntled employees, fraud and spam

Finally, EY's AAA model helps build an "Active Defense". It starts with analysis by a cyber threat intelligence professional, followed by a defined, iterative and operational cycle that integrates with and enhances enterprise security:

  • ACTIVATE requires: an assessment, a roadmap, board-level support, standards, a SOC, testing of the business continuity plan (BCP) and incident response plan (IRP), and cybersecurity controls and their implementation. Additions in 2015: defining the organization's ecosystem, and cyber awareness training
  • ADAPT requires: a transformation program to design and implement emerging technology and improve cybersecurity maturity, decisions on what to keep in-house and what to outsource, and a RACI (Responsible, Accountable, Consulted, Informed) matrix for cybersecurity
  • ANTICIPATE requires: designing and implementing a cyber threat intelligence strategy, defining and encompassing the organization's cyber ecosystem, using forensic data analysis, involving everyone so the threats are understood, and preparing for the worst with a breach response strategy

The largest gaps between the current state and the future to-be state were reported in: awareness (the largest), architecture, data infrastructure (events, alerts and logs), identity and access management, metrics and reporting, and network security.
