2. Why a Rotman-TELUS Study?
Why Canada?
Canada has its own security culture. Decisions should be made using our own experiences
Why Rotman?
Security is a business issue; Rotman is a business thought leader
Why TELUS?
We continue in our commitment to security research through TELUS Security Labs
3. Why this study matters
The study answers key questions like:
What’s happening to my peers?
What issues should I be concerned about?
How do I compare to top performers?
What best practices should we adopt?
What does “secure enough” look like?
4. Study enhancements
Focused questions
Explored topics that were likely to change year-on-year
Focus on funding and staffing “post recession”
Examined concerns around social media, virtualization, cloud computing and mobile devices
Looked at the impact of outsourcing on security effectiveness
Consolidated questions to improve response rates
5. The threat landscape continues to grow
Breaches have grown 29% from 2009
Getting better at keeping out malware
Breach costs are down by 78%
[Chart comparing 2010, 2009 and 2008]
6. TELUS Security Labs
www.telussecuritylabs.com
30 researchers, $3M budget
Security threat research and outsourced development for security product vendors
Primary customers are 45 of the world’s leading security product vendors
7.
$$$: Financial malware has started looking beyond Internet Explorer to steal credentials.
Code Reuse: Master Boot Record (MBR) infector rootkits are making a comeback, and those already there are also infecting newer architectures such as IA-64 (Zimuse, Alureon/Tidserv, Mebratix, Yonsole).
We think that, with HTML5, exploit attacks will increase in 2011. Look out for PDF attachments to email!
8. Attacks are more focused
Getting better at keeping out malware and common attacks (21% drop)
Breach costs are down by 78%
Attackers are apparently becoming less opportunistic
Top Breach Types
1. Malware and spam
2. Device theft
3. Phishing
4. Unauthorized access to information by employees
5. Bots within the organization / Denial of Service attacks
9. Insiders continue to be a problem
1 in 3 breaches originates internally
• Accidental or innocent
• Deliberate and malicious
• Device theft or loss
10. Data loss and compliance top of mind
Contracts are an effective mechanism for managing third party security compliance
Publicly traded organizations more concerned about new technology, less concerned about user accountability
Ranked Concerns
1. Loss of sensitive data
2. Compliance with Regulations
3. Managing security of new technologies
4. User understanding and accountability of access
5. Managing business partner risks
11. A pattern of under investment
Budgets cut on average by 10% in 2009
Less investment in 2010 with average budgets moving to 6.5% of the IT budget
Use of outsourcing has increased
[Chart: budget ranges from < 1% to 25% plus; series: Government, Private, Public; Average vs. Optimal]
12. Security leadership in demand
[Chart: dollar amounts ($70,000 to $150,000) by role: CIO, CSO, Director; 2010 vs. 2009]
The business is increasingly directing how security risks should be managed
Half of respondents have 10+ years of experience
Most top earners had 6+ years in IT security
13. Watch for security employee satisfaction
Managers and below are seeing slight salary reductions
Individual security professionals are tasked with more
Team sizes have shrunk
As the economy recovers staff retention will be an issue
[Chart: dollar amounts ($70,000 to $110,000) by role: Manager, Security Analyst, System Admin; 2010 vs. 2009]
14. A note of caution
Reduced budgets and increased security workloads are laying the ground for long term erosion of our security posture
15. Outsourcing and Security Incidents
Outsourcing appears to have no significant negative impact on an organization’s security incident rate
• Consistent with the 2009 study, no correlation between breach rates and the decision whether or not to outsource could be found.
16. Secure development practices are lagging
No significant increase in the number of companies using secure development practices
1 in 4 respondents just assume secure development will happen
A concern as respondents are reporting more data centric attacks
However, those that already include security in their development practices are increasing their investment
• Twice as likely to adopt preventative practices
• ~90% test their system security
17.
The company that owns the Nasdaq Stock Market
confirmed over the weekend that its computer network
had been broken into, specifically a service that lets
leaders of companies, including board members, securely
share confidential documents.
Wall St Journal 7 Feb 2011
Dozens of military, government and education websites have been hacked
and are up for sale, according to researchers from Imperva's Hacker
Intelligence Initiative (HII).
The list includes defence, state and university sites in Europe and the US
that have been hacked exploiting SQL injection vulnerabilities, the
researchers said.
Administrator access to these sites is being sold at $55 to $499 each, said
Noa Bar Yosef, senior security strategist at Imperva.
In some cases, hackers are selling personally identifiable information (PII)
from infiltrated sites at $20 for 1,000 records.
Computer Weekly 24 Jan 2011
18. Invest in prevention
Top 5 Initiatives
1. Integration of security into development
2. Business partner security policy compliance
3. Business partner privacy policy compliance
4. Creating a vulnerability management process
5. Developing a security policy
Top 5 Technologies
1. SSL VPN
2. Firewalls
3. IPSEC based VPN
4. Anti-Virus
5. Email Security (anti-spam, anti-malware)
19. Challenge of new technologies
Organizations that block social media experienced marginally more breaches than those that allow it
The dilemma of smart phones: how to secure them without making them dumb phones
20. Complexity undermines initiatives
Complex technologies, such as encryption, are failing to deliver value
Technology integrators are not addressing requirements management
Lowest ranked technologies
20. Security Information & Event management (SIEM)
21. Data Leakage Prevention
22. Application Security Assessment Tools (web/code)
23. Database Encryption
24. Email Encryption
21. The obligatory cloud slide
2009 Concerns
1. Data location
2. Outside the business
3. Multi-tenancy
4. Ability to audit
5. Remove data from the cloud
6. Difficult to perform forensics
7. Availability
2010 Concerns
1. Malicious control of the hypervisor
2. Keeping VM images patched
3. Shared resource dependencies
4. Monitoring inter-VM communications
5. No visibility into host system security
22. The key concerns of government
1. Disclosure or loss of sensitive information
2. Compliance
3. User accountability
4. Security risks from new technology
5. Managing risks from third parties
NB: these logos do not represent response rates to this survey
23. Top performers
Building capabilities to manage the vulnerability lifecycle from start to finish
Investing in senior leadership
Integrating security into their development lifecycle
And our advice from 2008 and 2009 still holds true today
Invest in the right level of staff and give them authority
Focus on training for IT, business and external partners
If you don’t plan on enforcing a security policy be prepared for breaches