Annual Security Report Blog Series #3: “Cisco Security Capabilities Benchmark Study”
Managing Director, Global Security Sales Organization (GSSO)
Technology, Thought Leadership, Security
In my last Friday blog, we talked about the ‘Industry Insights’ to be gained from the Cisco 2016 Annual Security Report, examining the security trends affecting enterprises. Today, I will be sharing with you some important findings from the ‘Cisco Security Capabilities Benchmark Study’ – a key section from the Cisco 2016 Annual Security Report.
The 2015 Cisco Security Capabilities Benchmark Study surveyed over 2,400 chief security officers (CSOs) and security operations (SecOps) managers in organizations of various sizes from different industries such as financial services, governments and transportation in several countries including China, Germany, India, Japan, the UK and the US. From the study, we gained timely information about the perceptions of these security professionals and the maturity level of security operations and security practices in use, and also compared these results with those of the inaugural 2014 study. Here are some of the key findings: -
Decline in Confidence amid Signs of Preparedness
Today, security threats are becoming even more sophisticated and advanced. The study reveals that, in the face of these growing threats, the perceptions of security professionals about their security readiness is shifting, and that confidence appears to be dwindling.
When we asked them how they would describe their security infrastructure, 59% of respondents suggested that their security infrastructure is very up-to-date and is constantly upgraded with the best technologies available, down from 64% in 2014. Furthermore, 37% of respondents felt their organizations were less equipped with the latest security tools in 2015, up from 33% in 2014.
Confidence is somewhat higher among CSOs, who are more optimistic than SecOps managers. 65% of CSOs believed their security infrastructure is up-to-date, compared with 54% of SecOps managers. The confidence of SecOps managers is likely to suffer because they respond to day-to-day security incidents, giving them a less positive view of their security readiness.
Organizations More Likely to Outsource
Deepening concerns about security are changing how these security professionals protect networks. For example, the study revealed that more security professionals are outsourcing at least some security functions. The percentage of respondents who did not outsource any security services dropped from 21% in 2014 to 12% in 2015. We are seeing more outsourcing of tasks such as security audits, consulting and incident response, which indicates that defenders are searching for expert help and that they believe outsourcing services will be more cost-efficient (53%), obtain unbiased insights (49%) and provide more timely response to incidents (46%) (Figure 1).
Adoption of Policy and Security Training
Apart from outsourcing security tasks, we are seeing more security training and an increase in formal written policies to improve their security knowledge and ability to respond to threats. Almost two out of three of these security professionals said their organizations are certified with standardized security policies or practices or are in the process of becoming Figure 1: Outsourced services overview certified.
On the other hand, it is gratifying to see that almost 9 out of 10 security staff attend security-focused conferences or training to improve and maintain their skills. Also, 97% of security professionals will conduct security training at least once a year, significantly more than the 82% in 2014. It is encouraging as well to find that more than 40% of the respondents increase security training and investment in security defense technologies after a public breach.
Budget Constraints Are A Major Barrier
The moves toward outsourcing, training and standardization of security policies are all positive developments. However, from the study, we also see security teams facing barriers to security upgrades, due primarily to budget constraints (39%) and compatibility issues (32%) (Figure 2). You may think that budget constraints only apply to SMBs and start-ups. However, organizations of all sizes and maturity levels rank budget constraints as a key hurdle in implementing more sophisticated security processes and tools.
Figure 2: Budget constraints are the major barrier to security upgrades
We are also seeing that organizations are giving more thought to how they structure their security budget. The survey shows a slight increase in the number of organizations that separate the security budget from the overall IT budget. In 2014, 6% of professionals said they had completely separated security and IT budgets; in 2015, that number rose to 9% (Figure 3).
Given the barriers of budget limitations and decline in confidence, organizations should continue to raise their awareness of their security preparedness, and prepare budgets support technology and personnel. Moreover, security practitioners should not only deploy tools that detect threats, but also explore effective solutions to help ensure an integrated threat defense.
Detailed facts and figures can be found in the “Cisco Security Capabilities Figure 3: Slight increase in organizations with separate security Benchmark Study” section of the full Cisco 2016 Annual Security Report which budgets you can download here.
In my next blog post, I will highlight the cybersecurity concerns on the minds of executives and the six tenets of integrated threat defense – the key discussion in the “A Look Forward” section from the Cisco 2016 Annual Security Report.
See you again next Friday.