This session presents key results of the ISACA and RSA Conference State of Cybersecurity survey: the current cybersecurity landscape, the threats and vulnerabilities enterprises are facing, and how they are responding. Results cover the top threats experienced, the controls in place, the skills employers are looking for, security organizational structures, and incident response plans.
(Source: RSA USA 2016-San Francisco)
State of Cybersecurity: 2016 Findings and Implications
Session ID: AST1-R02
#RSAC

Ron Hale, Ph.D., CISM
Chief Knowledge Officer, ISACA
rhale@isaca.org

Jennifer Lawinski
Editor-in-Chief, RSA Conference
Jennifer.lawinski@rsa.com
Top 10 Topics
1. Internet of Things
2. Industrial Control Systems and the Industrial Internet of Things
3. Encryption
4. Artificial Intelligence and Machine Learning
5. Crowdsourcing
6. The Role of the Researcher
7. Healthcare and Automotive
8. Security Meets the Board of Directors
9. Privacy and Legislative Volatility
10. INAMOIBW
The Internet of Things is a Big Deal

For the second year in a row, submissions around IoT surged, showing that it is a topic on the minds of security professionals. This year's survey asked questions about IoT, and respondents agree it is a major issue they will be facing in the years to come.
AI and Machine Learning Have You Worried

More sessions focused on artificial intelligence and machine learning, such as "Rise of the Hacking Machines," and the survey results showed that security professionals are concerned.
Security Meets the Board of Directors

Companies are looking to bridge the gap between threat intelligence and risk management, but many of the respondents to our survey do not feel they have the security personnel and processes in place to handle serious security threats.
Four Prominent Questions
1. What are enterprises experiencing in terms of cyber-incidents?
2. How concerned are enterprise decision makers?
3. Are security organizations capable of addressing cyber-incidents?
4. What does the future hold given new technology directions?
Were You a Victim in 2015?

Yes          33.41%
No           48.91%
Don't know   17.68%
Likelihood of Being a Victim in 2016?

Very likely          42.17%
Likely               32.17%
Not very likely      16.52%
Not likely at all     1.09%
Don't know            8.04%
Frequency of Attack

Percentage of respondents reporting each attack type at each frequency:

Attack type                             Daily    Weekly   Monthly  Quarterly
Online identity theft                    4.08%    4.56%    5.52%   20.62%
Hacking                                 11.06%    7.29%    9.18%   25.18%
Malicious code                          16.36%   12.38%   12.85%   26.40%
Loss of intellectual property            1.44%    2.40%    4.08%   19.90%
Intentional damage to computer systems   0.95%    1.43%    5.01%   18.38%
Physical loss                            1.42%    6.38%    9.69%   37.12%
Phishing                                29.67%   16.82%   15.19%   18.69%
Denial of service                        4.05%    5.48%    9.76%   27.38%
Insider damage                           2.91%    1.69%    9.69%   21.79%
Don't know                              13.13%    2.32%    3.86%    6.18%
Frequency of Attack – Known and Unknown

Percentage of respondents for whom the frequency of each attack type is known versus unknown:

Attack type                             Known    Unknown
Online identity theft                   34.77%   65.23%
Hacking                                 52.71%   47.29%
Malicious code                          67.99%   32.01%
Loss of intellectual property           27.82%   72.18%
Intentional damage to computer systems  25.78%   74.22%
Physical loss                           54.61%   45.39%
Phishing                                80.73%   19.63%
Denial of service                       46.67%   53.33%
Insider damage                          36.08%   63.92%
Don't know                              25.48%   74.52%
Ability to Detect and Respond

Yes                   31.41%
Yes – simple issues   42.08%
No                    17.35%
Do not know            4.56%
Not applicable         2.60%
Level of Board Concern

Very concerned          35.7%
Concerned               46.0%
Not concerned            7.8%
Not concerned at all     2.6%
Don't know               0.9%
Not applicable           7.0%

Very concerned or concerned combined: 81.7%
Executive Team Support for Risk Mitigation

Enforcing security policy    66.08%
Providing funding            63.0%
Following good practices     42.95%
Mandating awareness          58.37%
Do not know                   5.95%
Not applicable                6.61%
Time to Fill Open Cyber Positions

Less than 2 weeks    1.1%
1 month              8.1%
2 months            17.5%
3 months            26.2%
6 months            27.5%
Cannot fill          9.0%
Don't know          10.7%
Applicants Qualified on Hire

Share of applicants who are qualified on hire:

Less than 25%   32.7%
25 – 50%        26.6%
50 – 75%        16.8%
75 – 100%       11.8%
Do not know     12.2%
Most Significant Skill Gap

Technical skills         60.9%
Business understanding   75.3%
Communications           61.1%
Other                     0.6%
How Are Skills Developed

On the job training                                  85.8%
Skill-based training / performance-based testing     38.1%
Vendor-specific tool training                        51.9%
Other training and certifications                    63.2%
Formal education                                     16.0%
Technical training center or 3rd-party trainers      26.7%
Cyber competitions                                    5.3%
Online training / webinars                           47.9%
Self-instruction                                     58.0%
Not developing skills                                 7.0%
Does not need to develop skills                       0.9%
Other                                                 4.8%

The four most common methods are on the job training (85.8%), other training and certifications (63.2%), self-instruction (58.0%), and vendor-specific tool training (51.9%).
Artificial Intelligence and Cyber Risk

Increase in the short-term           41.9%
Decrease in the short-term            2.8%
Increase in the long-term            62.0%
Decrease in the long-term             7.4%
Remain the same in the short-term    11.7%
Remain the same in the long-term      5.6%
Don't know                            8.9%
Concern for Internet of Things Risk

Very concerned          18.7%
Concerned               34.3%
Not concerned            9.3%
Not concerned at all     3.9%
Don't know               9.11%
Not applicable          24.7%
Action Items
Assess your capabilities to detect and respond to incidents
Have an honest discussion with decision makers
Identify skill needs and develop a strategy
For a Copy of the Report

www.isaca.org/state-of-cybersecurity-2016