
SecurityDreamer Trends Report


Overview

Each year since 2005, SecurityDreamer blogger and industry analyst Steve Hunt has conducted surveys of end-user security executives, tracking trends related to the business of security. We cover physical security and IT security equally at SecurityDreamer, carving our unique niche in the industry. Here is a taste of our findings. Sorry, the complete findings are not available except to Steve Hunt’s consulting clients and participants in the research.

Methodology

I find that narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.

Topics Included

  • Awareness
  • Budgeting/Spending
  • Business Continuity
  • Consultants, Use of
  • Event Management
  • Executive Buy-in
  • Identity & Access Management
  • Identity Theft
  • Interdepartmental Collaboration
  • Operational Best Practices
  • Penetration Testing
  • Physical Information Protection
  • Social Engineering
  • Staffing/Headcount
  • Strategy & Planning
  • Technology Lifecycle Management
  • Technology Selection

Approximately 50 companies participated in the survey, representing 11 industries.

Industry            %
Energy              19
Finance             16
Business Svcs       14
Online Merchants    13
Banking             8
Healthcare          8
Retail              6
High-Tech           6
HighTech            4
Entertainment       3
Food&Hospitality    3


Summary Findings from the SecurityDreamer Research

Increased Spending

While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included:

  • Security operations centers
  • Virtual command centers
  • Security information management systems (SIEM, PSIM)
  • Networked cameras and sensors at high-risk facilities

Greatest Challenge

CSOs and CISOs complained that their greatest business challenge is metrics: normal operational metrics, such as improved response time to security incidents or numbers of malicious code detections, are not compelling to business leaders. Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments.

Most Surprising Finding of 2012

Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys. Continual improvement (à la Baldrige, Kaizen, Six Sigma, etc.) appears to be the primary motivation. Security executives realize that much of the know-how of security operations resides in the heads of their local security managers. In the hope of benefiting from sharing this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.

Least Aware of This Threat

Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least. Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.), but almost none had studied or measured the risks associated with those threats, nor did they have thorough procedures in place to protect against them.

Least Prepared for This Threat

Two related concepts represent the threat that nearly all security executives feel least prepared to address: social engineering and physical penetration. Every security executive confessed that confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives, who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by

  • an unauthorized visitor tailgating into the building
  • an attacker bypassing security controls at doors and fences
  • rogue employees or contractors
  • an internal attacker of any type

  1. idmachines
    February 15, 2013 at 8:13 am | #1

    +1 Steve, thanks for the great blog, many benefits to you and your clients. Nothing like asking questions and listening to people and to then have a document from their answers. The focus on context right procedure through company knowledge is a very good point to share.

  2. Charles
    February 17, 2013 at 3:43 pm | #2

    Steve, you Rock!

    Charles Andrews, CPP
    ASIS International Regional Vice President (State of TEXAS)
