BRG Overview
Over 1,000 professionals in 37 offices
Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study
Study Background
Why the need for cybersecurity benchmarking?
• Financial and non-financial consequences of a successful cyber attack
• Governance and Technology
• Gain an understanding of how peers implement Information Security
• Study results from two different points of view:
– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity
– an individual assessment for each participant in which individual answers are discussed and compared against other study respondents
Study Background
Target group: Executive Management and Board of Directors from different sectors
Survey: 103 Questions, approximately 60 minutes; online questionnaire with select phone interviews
Timeline: Q1 and Q2 2016
Results: Q3 2016
Participants received: Anonymized evaluation of participant data, including indication of their individual answers
Study Participants
Charts: Primary Industry of Organization; Title or Level in Organization; Total Employees with Average FTE IT Employees
Who does the CISO/CSO report to?
Growing Importance of CISO
54% of organizations report an Information Security Officer is in place
How would you rate your organization’s information security culture?
Security Culture
73% of organizations have a formal cybersecurity training and awareness program
Rate the effectiveness of your organization’s cyber security program
Cybersecurity Effectiveness
80% of organizations report that senior managers approach
information security as an enterprise risk-management issue
How would you rate your organization’s cyber security incident
response capabilities?
Incident Response Capability
60% of organizations inform governments and regulators of cybersecurity breaches
What strategic initiatives has your
organization adopted in its security program?
Strategic Initiatives
90% of organizations do not have a cybersecurity strategy for the Internet of Things
Board and Executive Leadership
Areas in which the Board of Directors actively participate:
Board Engagement
55% of organizations report that the Board of Directors actively participate in overall
cybersecurity strategy
Areas board participation has helped improve your organization’s
information security program:
Board Influence
How does the board oversee cyber security-related issues?
Board Oversight
How would you rate the organizational leadership support for cybersecurity?
Rate senior management focus on information security
Leadership Support & Focus
How do you measure the effectiveness of the organization’s
cyber security program?
Feedback Mechanisms
69% of organizations rely on auditors, both internal and external, as a measure of their cybersecurity effectiveness
Has your organization performed a cyber risk appetite assessment?
Has your organization performed a cyber threat assessment?
Cybersecurity Risk Assessments
47% of organizations do not believe that leadership has a functional understanding of their
network security
Are there formal security and operational procedures documented?
Documented Procedures
91% of organizations document their cybersecurity policies and procedures
Areas for improvement and awareness programs?
Improvement & Awareness
How often does executive management receive periodical briefings
on the state of your organization’s network security system?
Executive Briefings
30% of executive management receive a briefing once every six months or less
Which information security standard and best practice does your organization follow?
Security Standards
37% of organizations used ISO27001, with financial services at 43%
Are security controls and business continuity plans tested on a regular basis?
Controls Testing
How often are the security controls of the enterprise systems and interconnected systems reviewed?
System Reviews
24% of organizations do not routinely test security controls and business continuity plans
How often are self-assessments conducted?
Self-assessments
30% of organizations do not routinely undertake self-assessments
How often are external security assessments conducted?
External Assessments
What steps has your organization taken in order to obtain assurances from external service providers and vendors that their security meets standards?
External Service Providers & Vendors
63% of organizations have ensured external service providers and vendor
contracts include provisions for security
Rate your organization’s cyber security risk management program
Risk Management Effectiveness
42% of organizations somewhat agree that cybersecurity risks are being considered in business decision making
7% of organizations strongly agree that cybersecurity risks are being considered in business decision making
Rate your organization’s cyber security Information Governance capabilities
Information Governance Capabilities
56% of organizations rate their Information Governance capabilities as
‘slightly’ or ‘somewhat effective’
Rate your company’s information security governance maturity level
IS Governance Maturity
Rate your company’s IT risk management maturity level
IT Risk Management Maturity
Rate your company’s cloud computing maturity level
Cloud Computing Maturity
57% of organizations do not allow use of public cloud services
Does the organization’s incident response plan outline regulatory and governmental notification protocols for breaches?
Regulatory & Government Reporting
57% of organizations are required by regulatory and government
agencies to disclose system breaches
What type of breaches did your organization experience?
Type of Cybersecurity Breaches
51% of organizations do not believe they are well equipped to handle a breach
46% of organizations report having experienced a cybersecurity breach
What was the estimated source of data breach incidents?
Sources of Breaches
45% of organizations report current employees as the most likely source of cybersecurity breach incidents
What type of staff-related incidents did the organization experience?
Staff-related Incidents
Key Observations
Despite a strong focus on cybersecurity culture, many organizations do not believe their cybersecurity programs are fully effective
45% of respondents reported that they needed to improve security awareness and training
Current employees are the likely cause behind most cybersecurity breaches
Respondents reported that current employees were the likely source of 45% of data breach incidents, followed by 22% of incidents caused by hackers and 13% by former employees
Viruses and malicious software are the most common breaches
Respondents reported that infections from viruses or malicious software accounted for 39% of all data breaches, followed by system failures or data corruption accounting for 35% of breaches
Key Observations
Most organizations do not have strategies for the emerging fields of the Internet of Things or Big Data
90% of respondents do not have a cybersecurity strategy for the Internet of Things, and 86% do not have a strategy for Big Data
Organizations lack confidence in their cybersecurity incident response capability
65% of respondents reported having a formal cyber incident response plan, and 60% incorporated regulatory and government notification protocols for breaches. However, when asked if their organization was well equipped to handle a cyber breach, 51% of respondents were neutral or disagreed
Organizations anticipate an increase in information security budgets
54% of respondents reported that they expected an increase in their 2016 cybersecurity budget. However, 48% of respondents reported they were neutral or disagreed when asked if leadership allocated adequate budget for cybersecurity efforts
Recommendations
5 Steps to Prepare for a Data Breach
1. Hire Experts
2. Establish a Plan of Action
3. Train Your Staff
4. Identify Problems
5. Learn from your mistakes
Recommendations
Board & Executive Leadership Engagement and Buy-In
• Review and approve the cyber risk appetite and tolerance at board level
• Ensure the board has sufficient cybersecurity expertise and/or access to such expertise
Security Culture
• Build cybersecurity into all activities and develop enterprise-wide cyber risk management strategies and procedures
• Incorporate cybersecurity within business strategy and risk management frameworks
Documented Vendor Protocols
• Develop procedures to identify and manage cyber risks associated with outside vendors, suppliers, customers, utilities, and other external organizations and service providers
• Include provisions to conduct cybersecurity audits
External Audits
• Undertake testing that includes the potential for multiple attacks and the impact of interruptions on critical infrastructure
• Ensure there is a robust cyber resilience and incident response program
Qualified Talent
• Proactively undertake cyber threat intelligence gathering and ongoing security analytics
• Invest in your people to ensure there is high awareness of and ownership for cybersecurity across the organization
Recommendations
Cybersecurity Workforce Development
• Early-stage collaboration is needed to show the connection points between corporate and academic institutions
• The National Cybersecurity Framework and cybersecurity education need to be aligned
• Anticipate use cases for
– Organizing academic curriculum
– Workforce roles and responsibilities
– Professional certifications
Diagram: National Cybersecurity Education Initiative; National Cybersecurity Awareness; Formal Cybersecurity Education; Cybersecurity Workforce Structure; Cybersecurity workforce training & professional development
The full study is available at:
http://www.thinkbrg.com/media/publication/828_CSPBS_Report.pdf
Tony Moroney | Managing Director | International Financial Services
Berkeley Research Group, LLC
6 New Street Square, 15th Floor | London, EC4A 3BF
D +44 (0) 20 3597 5167 | M +353 87 2556947 | F +44 (0)20 3808 2784
tmoroney@thinkbrg.com | thinkbrg.com
Faisal Amin | Director | Benchmarking & Strategic Research
Berkeley Research Group, LLC
700 Louisiana Street, Suite 2600 | Houston, TX 77002
D 713.493.2552 | O 713.481.9410 | M 281.788.9573 | F 832.862.2284
famin@thinkbrg.com | thinkbrg.com