Page 1: Managing the Crown Jewels and Other Critical Data · Managing the Crown Jewels and Other Critical Data When tackling cyber risk, board involvement ... Based on our analysis, there

Internal Audit, Risk, Business & Technology Consulting

Managing the Crown Jewels and Other Critical Data

When tackling cyber risk, board involvement and effective communication continue to drive performance. Learn more in this report on the key findings from Protiviti’s 2017 Security and Privacy Survey.


2017 Security and Privacy Survey · 1 · protiviti.com

Executive Summary

Global cybersecurity risk has never been higher, yet its magnitude is almost certain to intensify in the months and years to come. Cybercriminal activity against global companies surged in the past year, and there are growing signs — including expert analysis[1] — suggesting that a form of global cyberwar has commenced.

[1] Belam, Martin. “We’re living through the first world cyberwar — but just haven’t called it that,” The Guardian, Dec. 30, 2016: www.theguardian.com/commentisfree/2016/dec/30/first-world-cyberwar-historians.

Although these attacks vary in their intent, businesses remain in the crosshairs of these incursions. In addition to being something for which a company requires strong defenses, information security also needs to be planned for as organizations consider and deploy new approaches to generate revenue. Such conditions make cybersecurity a critical organizational priority and a top concern in the boardroom, C-suite, information technology function and every area of the business.

It is imperative that boards and executive leadership keep close tabs on the state of their company’s cybersecurity programs. Protiviti’s latest Security and Privacy Survey delivers insights on the specific policies and qualities that distinguish top-performing companies from other organizations with regard to security and privacy practices. Our survey also identifies prime opportunities companies can leverage to strengthen their security capabilities.

As we detail in the following pages, our survey results show cause for optimism, but there are concerns as well. Positive signs are particularly evident in companies where (1) the board of directors is highly engaged in information security matters; and (2) management has in place a robust set of key information security policies.


2 · Protiviti

Our Key Findings

01 Having an engaged board and a comprehensive set of security policies makes a huge difference — In assessing the results for companies in which the board has a high level of engagement in information security, these organizations perform noticeably better than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all core information security policies in place (which we define in our report). When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack.

02 Most organizations need to enhance their data classification and management — An alarming number of companies appear unable to confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme supported by effective policies that are in place and adhered to throughout the enterprise.

03 Security effectiveness hinges on policies as well as people — Along with board engagement, incorporating a comprehensive set of information security policies is a key differentiator for organizations that have a strong security posture. These policies should be supported with effective training programs and communications throughout the organization, especially given the frequency with which the “human element” is targeted as a path to enable data and security breaches.

04 Vendor risk management must mature — As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures — areas that might stand between an organization’s crown jewels and cyberattackers.


Survey Methodology

Protiviti conducted its 2017 Security and Privacy Survey in the fourth quarter of 2016. More than 700 chief information officers, chief information security officers, chief technology officers, technology vice presidents and directors, and other technology managers and professionals completed an online questionnaire designed to assess security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics. Respondent demographics can be found on page 39.

Since completion of the survey was voluntary, there is some potential for bias if those choosing to respond have significantly different views on matters covered by the survey than those who did not respond. Therefore, our study’s results may be limited to the extent that such a possibility exists. In addition, some respondents answered certain questions while not answering others. Despite these limitations, we believe the results herein provide valuable insights regarding security and privacy standards in place in organizations today.


Board Engagement, Comprehensive Data Policies Distinguish High-Performing Information Security Programs

Based on our analysis, there are two critical success factors present in organizations that adhere to security and privacy best practices:

• High levels of engagement and understanding by the board of directors regarding information security risks

• Having all five “core” information security policies in place

In other Protiviti research, we have observed this correlation between board engagement in information security and the overall security posture of the organization, including in our 2015 IT Security and Privacy Survey report.[2] Similarly, our results this year show a notable difference between organizations that have all “core” information security policies in place — specifically, a records retention/destruction policy, a written information security policy, an acceptable use policy, a data encryption policy, and a social media policy — and those that do not; the former organizations demonstrate stronger information security practices overall.

Throughout our report, we compare the results from these two groups of companies that exhibit the above success factors (which we categorize as “top-performing organizations”) with companies that do not exhibit them, and pinpoint notable gaps.

[2] The Battle Continues — Working to Bridge the Data Security Chasm: Assessing the Results of Protiviti’s 2015 IT Security and Privacy Survey, www.protiviti.com/US-en/insights/it-security-survey.


How engaged is your board of directors with information security risks relating to your business?

| | All respondents: Current | All respondents: 2015 | Large companies (≥ $1B): Current | Large companies (≥ $1B): 2015 | Small companies (< $1B): Current | Small companies (< $1B): 2015 |
|---|---|---|---|---|---|---|
| High engagement and level of understanding by the board | 33% | 28% | 37% | 32% | 26% | 24% |
| Medium engagement and level of understanding by the board | 37% | 32% | 37% | 33% | 39% | 33% |
| Low engagement and level of understanding by the board | 12% | 15% | 9% | 11% | 20% | 19% |
| Don't know | 18% | 25% | 17% | 24% | 15% | 24% |

Which of the following policies does your organization have in place? (Multiple responses permitted)

| | All respondents: Current | All respondents: 2015 | Large companies (≥ $1B): Current | Large companies (≥ $1B): 2015 | Small companies (< $1B): Current | Small companies (< $1B): 2015 |
|---|---|---|---|---|---|---|
| Acceptable use policy | 80% | 77% | 82% | 82% | 77% | 72% |
| Record retention/destruction policy | 78% | 74% | 81% | 80% | 72% | 71% |
| Data encryption policy | 70% | 67% | 77% | 79% | 60% | 58% |
| Written information security policy (WISP) | 69% | 66% | 72% | 72% | 65% | 60% |
| Social media policy | 59% | 55% | 61% | 61% | 53% | 50% |

Insights

• One-third of all respondents describe their board’s engagement with and understanding of information security risks as “high.” Thirty-seven percent of all respondents describe their board’s engagement level as “medium.” Not surprisingly, each of these figures indicates a promising increase compared to the results of Protiviti’s 2015 IT Security and Privacy Survey. The results reflect an increasing involvement and interest from boards of directors, which we believe is very positive. (Note that in the remainder of our report, we define this group of top-performing organizations as those whose boards have a “high” level of engagement in and level of understanding with regard to information security in the organization.)


• The board’s growing engagement with information security reflects the fact that the issue is not merely about technology, but rather represents a top strategic risk. Other recent research from Protiviti confirms this: Information security capabilities, along with related incident response capabilities, dominate the priority lists for chief information officers, chief information security officers and other technology executives, according to our recent survey of technology leaders.[3]

• In a positive trend, the adoption of core security and privacy policies is increasing among all companies. The most commonly used formal security and privacy policies include acceptable use (in place among 80 percent of organizations), record retention/destruction (78 percent), data encryption (70 percent), written information security (69 percent), and social media (59 percent). That said, there is significant progress to be made: Only 38 percent of responding companies have all five core information security policies in place today.

[3] From Cloud, Mobile, Social, IoT and Analytics to Digitization and Cybersecurity: Benchmarking Priorities for Today’s Technology Leaders, Protiviti, November 2016, www.protiviti.com/ITtrends.

Looking Ahead: Trends to Watch

• As the frequency and magnitude of information security breaches grow and present greater long-term risk to organizations, boards of directors are likely to increase their engagement with security in their organizations. They will call on management and technology leaders to provide greater understanding and clarity around the organization’s security posture.

• As organizations increase their reliance on digital assets, information security knowledge and engagement will become significantly more important at every level of the organization. Technology leaders will need to clearly communicate relevant security matters, from policies and practices to incidents, to a growing number of stakeholders while ensuring their messages are effective and relevant for each audience. What we term as “metrics of merit” will need to be adapted to ensure they are providing insight to these various stakeholders.

• Metrics help focus limited security resources on the issues that matter most. Balancing security and costs will continue to be a challenge as the complexity of cyberthreats increases while business pressures force security departments to compete for dollars intended for growth and innovation.

Action Items for Technology Leaders

• If your organization is among those without all core security policies in place, swift action is required to implement these policies.

• Develop and improve communications with the board — either directly or indirectly — regarding key top-line cybersecurity risks, initiatives and metrics.

• In all forms of board communications concerning security, recognize the importance of translating technical matters into plain English and prioritizing issues based on the risks each poses to the organization.

• Ensure that your communications to all levels of management provide a consistent message to the various stakeholders.


News Flash: Confidence in Preventing a Breach Remains Low, Awareness of Security Exposure Rises

During a year in which cybersecurity incursions struck numerous well-known organizations, hackers hijacked connected devices in U.S. homes, and geopolitical cyber breaches materialized during the U.S. presidential election, information security risks dominated media coverage. This coverage is driving high interest in organizational information security capabilities and, perhaps, increasing management’s awareness of information security issues. However, while rising interest and awareness are welcome, this is not directly translating to higher levels of confidence in information security capabilities.

How has recent press coverage on “cyberwarfare” and/or “cybersecurity” affected your interest in, and focus on, the subject of information security?

(The last four columns compare top-performing organizations with the rest.)

| | Current | 2015 | Companies with high board engagement in information security | Companies without high board engagement in information security | Companies with all core information security policies | Companies without all core information security policies |
|---|---|---|---|---|---|---|
| Significantly more interest and focus | 31% | 23% | 41% | 30% | 30% | 32% |
| Somewhat more interest and focus | 41% | 36% | 35% | 43% | 39% | 42% |
| No change in interest and focus | 27% | 38% | 24% | 26% | 31% | 25% |
| Less interest and focus | 1% | 3% | 0% | 1% | 0% | 1% |


On a scale of 1 to 10, where “10” is a high level of awareness and “1” is little or no awareness, please rate senior management’s level of awareness with regard to your organization’s information security exposures:

| | Average rating |
|---|---|
| Companies with high board engagement in information security | 8.7 |
| Companies without high board engagement in information security | 7.2 |
| Companies with all core information security policies | 8.3 |
| Companies without all core information security policies | 7.4 |

On a scale of 1 to 10, where “10” is a high level of confidence and “1” is little or no confidence, rate your level of confidence that your organization is able to monitor, detect and escalate potential security incidents by a well-funded attacker:

| | Average rating |
|---|---|
| Companies with high board engagement in information security | 7.9 |
| Companies without high board engagement in information security | 6.6 |
| Companies with all core information security policies | 7.9 |
| Companies without all core information security policies | 6.8 |


Is this level of confidence based on something your organization measures and communicates? (Shown: Percentage of “yes” responses to prior question)

| | “Yes” |
|---|---|
| Companies with high board engagement in information security | 83% |
| Companies without high board engagement in information security | 62% |
| Companies with all core information security policies | 75% |
| Companies without all core information security policies | 62% |

On a scale of 1 to 10, where “10” is a high level of confidence and “1” is little or no confidence, rate your level of confidence that your organization is able to prevent a targeted external attack by a well-funded attacker:

| | Average rating |
|---|---|
| Companies with high board engagement in information security | 7.6 |
| Companies without high board engagement in information security | 6.2 |
| Companies with all core information security policies | 7.5 |
| Companies without all core information security policies | 6.4 |


Insights

• Cybersecurity breaches and cyberwarfare incidents achieved a new level of intensity during the past year, a disquieting trend that has been documented extensively in the press. While this attention is driving more awareness of information security matters among boards and senior management teams, most technology leaders lack high confidence in their organization’s ability to prevent, monitor, detect or escalate security breaches by a well-funded external attacker or by a company insider. However, there is a benefit to not being overconfident: It can stave off complacency while helping to sustain a commitment to continually adapt and improve current practices as cyberattacks grow more sophisticated.

• As is the case with other areas examined in this report, there are notable gaps between top-performing organizations (those with high board engagement in information security and those with all core information security policies in place) and other companies. Respondents in top-performing companies are far more likely to express confidence in their organization’s ability to prevent cyberattacks.

• Respondents in top-performing organizations are far more likely to attribute their high confidence levels in monitoring, detecting and escalating cyberattacks to the measures and communication mechanisms their organizations use to manage information security. In addition, the fact that the board has more involvement is likely driving clarity and consistency in reporting. This suggests that the strength of an organization’s information security, at least in part, comes from a comprehensive set of processes, procedures, metrics, relationships and interactions that support it.

On a scale of 1 to 10, where “10” is a high level of confidence and “1” is little or no confidence, rate your level of confidence that your organization is able to prevent an opportunistic breach as a result of actions by a company insider (employee or business partner):

| | Average rating |
|---|---|
| Companies with high board engagement in information security | 7.5 |
| Companies without high board engagement in information security | 6.2 |
| Companies with all core information security policies | 7.4 |
| Companies without all core information security policies | 6.4 |


Looking Ahead: Trends to Watch

• Security teams should expect cybersecurity incidents to increase and to expand in their sophistication and format. Distributed denial of service (DDoS) attacks, advanced persistent threats (APTs), social engineering, insider threats and malware likely will be joined by new modes of attack, some of which have yet to emerge as mainstream threats. Management teams and boards should also expect increasing media coverage as well as a greater number of regulatory rules related to cybersecurity. All of this should result in boards asking more, and more detailed, questions about organizational security efforts.

• As cybersecurity activity increases, organizations will need to increase their focus on the human side of security exposures in addition to the technological and policy shortcomings of security capabilities.

Action Items for Technology Leaders

• To the extent possible, be proactive in communicating with management on a regular basis regarding cybersecurity measures, including efforts that comply with legal and industry regulations.

• Implement easy-to-understand metrics to show the board and management you are attempting to measure effectiveness and progress. There will be expectations that controls will increase in maturity; therefore, ensure there are measures to support whether these controls are effective.

• Incorporate testing to ensure defenses and controls are operating effectively and to constantly tweak these controls against new attacks. Organizations at higher levels of maturity will move toward increased use of red and blue team activity integrated not only to test defense mechanisms, but also to refine detective controls.

• Ensure the organization has a formal and documented crisis response plan that is tested on at least an annual basis.

• Provide regular training to all personnel on security-related policies and corporate practices, including but not limited to identifying social engineering “red flags.”

• Implement controls that combat the social engineering attack vector — two-factor authentication and proxy-based controls that might catch malware before it installs or that disrupt command and control communications if it does install.


Understanding the “Crown Jewels” of Security: Data Classification, Management and Policies

When it comes to information security, top-performing companies have a comprehensive set of core policies — formal rules that address record retention/destruction, information security, acceptable use, data encryption and social media. Developing, updating and adapting these policies in the face of changing business conditions and fast-changing cyber risks requires ongoing work.

Therefore, it is useful to understand the data classification and management efforts, data leakage prevention mechanisms, and communications among top-performing companies. Data classification and management is particularly vital because it identifies the organization’s most valuable digital assets (i.e., the “crown jewels”). Technology security functions that possess this information are best positioned to ensure that all data assets are protected in the most appropriate and cost-effective manner.

How would you rate your management’s understanding of what comprises its “crown jewels” — in other words, its sensitive data and information?

| | Current | 2015 | 2014 |
|---|---|---|---|
| Excellent understanding | 31% | 29% | 23% |
| Good understanding | 50% | 45% | 51% |
| Limited understanding | 14% | 16% | 22% |
| Little or no understanding | 2% | 3% | 3% |
| Don’t know | 3% | 7% | 1% |


Organizations in which management has an excellent understanding of what comprises its “crown jewels” — in other words, its sensitive data and information:

| | Share |
|---|---|
| Companies with high board engagement in information security | 49% |
| Companies without high board engagement in information security | 18% |
| Companies with all core information security policies | 50% |
| Companies without all core information security policies | 19% |

Organizations that use a technology tool to assist in identifying where their “crown jewels” exist:

| All respondents | Large companies (≥ $1B) | Small companies (< $1B) |
|---|---|---|
| 43% | 49% | 38% |

Insights

• Interestingly, less than half of organizations use a tool to help them identify the location of their crown jewels, yet more than 80 percent believe they have an excellent or good understanding of what comprises their crown jewels. Organizations should consider investing in tools and technology to help support this area, as it is difficult to protect sensitive data if they are not clear as to where it exists.


Does your company have a clear data classification scheme and policy in place that categorize the organization’s data and information — sensitive, confidential, public, etc.?[4]

| | Scheme: Current | Scheme: 2015 | Scheme: 2014 | Policy: Current | Policy: 2015 | Policy: 2014 |
|---|---|---|---|---|---|---|
| Yes | 58% | 50% | 58% | 70% | 65% | 71% |
| No | 23% | 22% | 33% | 16% | 15% | 24% |
| Don't know | 19% | 28% | 9% | 14% | 20% | 5% |

[4] Data classification scheme: The groups or categories under which data is classified — for example: highly classified/secret, sensitive, internal use only, non-sensitive/public, etc.

Data classification policy: The guidelines dictating how, when and where the organization — including but not limited to all employees, functions and third parties working on behalf of the organization — classifies, manages and secures its data.

Organizations that have a clear data classification scheme in place that categorizes the organization’s data and information — sensitive, confidential, public, etc.:

| | Share |
|---|---|
| Companies with high board engagement in information security | 74% |
| Companies without high board engagement in information security | 53% |
| Companies with all core information security policies | 72% |
| Companies without all core information security policies | 49% |


Organizations that have a clear data classification policy in place that categorizes the organization’s data and information — sensitive, confidential, public, etc.:

| | Share |
|---|---|
| Companies with high board engagement in information security | 85% |
| Companies without high board engagement in information security | 66% |
| Companies with all core information security policies | 85% |
| Companies without all core information security policies | 62% |

If you have not done a full data classification, how would you rate your level of awareness with regard to what your “crown jewels” are — in other words, your most valuable assets?

(The last four columns compare top-performing organizations with the rest.)

| | Current | 2015 | Companies with high board engagement in information security | Companies without high board engagement in information security | Companies with all core information security policies | Companies without all core information security policies |
|---|---|---|---|---|---|---|
| Very aware | 38% | 40% | 58% | 29% | 57% | 28% |
| Somewhat aware | 49% | 45% | 37% | 56% | 36% | 56% |
| Little awareness | 10% | 10% | 4% | 13% | 6% | 12% |
| No awareness | 3% | 5% | 1% | 2% | 1% | 4% |


How does your organization communicate the expectations of its security policies and procedures to employees? (Multiple responses permitted)

(The last four columns compare top-performing organizations with the rest.)

| | Current | 2015 | Companies with high board engagement in information security | Companies without high board engagement in information security | Companies with all core information security policies | Companies without all core information security policies |
|---|---|---|---|---|---|---|
| We include security policies and procedures in our annual training, which is mandatory for all employees | 60% | 53% | 67% | 57% | 77% | 50% |
| We have internally developed, security-specific training modules that we require all employees to take in addition to our standard annual training | 38% | 34% | 41% | 35% | 48% | 33% |
| We support participation by our employees in outside education on security policies and procedures | 33% | 23% | 44% | 28% | 35% | 31% |
| We do not have any formal employee communications or training related to security policies and procedures | 10% | 23% | 4% | 13% | 1% | 15% |

Insights

• While a strong majority of companies have a good or excellent understanding of their most sensitive data and information, top performers are far more likely to have an “excellent” understanding of these crown jewels than other organizations.

• A majority (58 percent) of all companies use a data classification scheme to categorize organizational data, but top performers (74 percent) are significantly more likely to have one in place.

• At its foundation, the question that companies need to ask is, “What is it that we are trying to protect?” Companies without a formal data classification approach risk not knowing what, or where, their most valuable data assets are. This lack of clarity can expose crown jewels to much higher risk of loss or theft and/or contribute to highly inefficient, expensive data security programs. In many instances, an organization’s lack of a data classification and management policy has resulted in the exposure of private employee records, pre-release quarterly financial data and loss of intellectual property.

• Organizations that do not currently stratify their information assets should move quickly to establish a basic scheme, rather than become bogged down trying to design a perfect approach. Our experience shows that it is better to develop an initial classification system, bare-bones or otherwise; implement it; and then adjust as necessary.


Insights

• A strong majority of organizations have in place some form of formal employee communications or training related to technology and data security. This is good news, given how crucial the human factor is in preventing breaches and cyberattacks. Once again, top-performing organizations are more likely to have implemented annual training, more specific training modules and outside education programs to bolster the security knowledge and skills of their workforces. However, more progress is needed. If an organization has yet to implement internal training programs, it should consider investing in outside training sooner rather than later.

How well do you think management communicates to the organization/all employees the need to differentiate between public and sensitive data and how each is treated?

(The last four columns compare top-performing organizations with the rest.)

| | Current | 2015 | 2014 | Companies with high board engagement in information security | Companies without high board engagement in information security | Companies with all core information security policies | Companies without all core information security policies |
|---|---|---|---|---|---|---|---|
| Management does an excellent job of communicating these differences and how to treat each type of data | 27% | 23% | 20% | 48% | 14% | 39% | 20% |
| Management does an acceptable job of communicating these differences and how to treat each type of data, but there is room for improvement | 47% | 45% | 50% | 41% | 50% | 44% | 49% |
| There is substantial room for improvement in how management communicates these differences and how to treat each type of data | 18% | 20% | 22% | 8% | 28% | 13% | 22% |
| Management has not communicated these differences or how to treat each type of data | 4% | 5% | 7% | 0% | 6% | 1% | 5% |
| Don’t know | 4% | 7% | 1% | 3% | 2% | 3% | 4% |


From the following, please select the statement that best describes your organization’s data retention and storage process:

| Statement | Current | 2015 | 2014 |
|---|---|---|---|
| We retain all data and records with no defined destruction date | 11% | 12% | 17% |
| We retain all data and records for a certain period of time, with a defined destruction date | 39% | 45% | 43% |
| We have a basic classification system to define data, with a few specific retention policies and destruction dates depending on the classification | 22% | 14% | 18% |
| We have a detailed classification system to define data, with varying retention policies and destruction dates depending on the classification | 19% | 13% | 15% |
| Our organization does not have a formal data retention and destruction policy | 3% | 4% | 5% |
| Don’t know | 6% | 12% | 2% |

How would you rate your IT department’s support of the lifecycle of the organization’s data, from acquisition to retention/storage to (if applicable) destruction?

| Rating | Current | 2015 | 2014 |
|---|---|---|---|
| Excellent understanding | 23% | 27% | 27% |
| Good understanding | 51% | 47% | 52% |
| Limited understanding | 18% | 14% | 16% |
| Little or no understanding | 2% | 4% | 3% |
| Don’t know | 6% | 8% | 2% |


Organizations in which the IT department has an excellent understanding of the data lifecycle:

• Companies with high board engagement in information security: 40%
• Companies without high board engagement in information security: 14%
• Companies with all core information security policies: 34%
• Companies without all core information security policies: 17%

How well do your C-suite executives (CEO, CFO, etc.) know and understand your organization’s data retention and destruction policy?

| Response | Current | 2015 | 2014 |
|---|---|---|---|
| They know and understand the policy very well | 33% | 34% | 26% |
| They have some knowledge and understanding of the policy’s general concepts | 43% | 40% | 48% |
| They have limited knowledge about the policy | 17% | 16% | 16% |
| They have little or no knowledge about the policy | 4% | 5% | 4% |
| Our organization does not have a formal data retention and destruction policy | 3% | 5% | 6% |


Percentage of organizations in which C-suite executives know and understand the organization’s data retention and destruction policy very well:

• Companies with high board engagement in information security: 53%
• Companies without high board engagement in information security: 18%
• Companies with all core information security policies: 48%
• Companies without all core information security policies: 24%

Which of the following sensitive data types does your organization specifically prioritize? (Multiple responses permitted)

Comparing Top-Performing Organizations (comparison columns are current-year results)

| Data type | Current | 2015 | High board engagement in information security | Without high board engagement | All core information security policies | Without all core policies |
|---|---|---|---|---|---|---|
| Payment Card Industry (PCI) data | 53% | 47% | 60% | 49% | 60% | 49% |
| Private client/customer data | 80% | 80% | 86% | 76% | 87% | 76% |
| Healthcare data | 42% | 51% | 45% | 39% | 51% | 37% |
| Organization’s intellectual property | 61% | 63% | 69% | 56% | 76% | 52% |


Insights

• A closer look at how organizations classify and manage data — by understanding and managing the complete data lifecycle, prioritizing certain assets over others, and keeping the C-suite informed of the current data retention and destruction policy — reveals that top-performing organizations embrace a more sophisticated and nuanced approach to data classification. For example, 29 percent of organizations with all core security policies in place maintain a “detailed classification system to define data, with varying retention policies and destruction dates,” while only 13 percent of organizations without all core policies in place maintain a similarly detailed classification system.

• The technology department’s understanding of the data lifecycle — from acquisition to retention/storage to destruction — is an important component of a sound data classification and management system. Top-performing organizations are more than twice as likely as other companies to rate their technology department’s understanding of the data lifecycle as excellent (40 percent versus 14 percent by board engagement; 34 percent versus 17 percent by core policies). The numbers for other organizations are quite low.

• Similarly, respondents from top-performing organizations are two to three times more likely than those from other organizations to report that C-suite executives know and understand the data retention and destruction policy very well (53 percent versus 18 percent; 48 percent versus 24 percent).

What types of policies does your organization have in place to prevent data leakage? (Multiple responses permitted)

| Policy | Current | 2015 | 2014 |
|---|---|---|---|
| Password policy (or standard) | 69% | 67% | 77% |
| Data protection and privacy policy | 60% | 58% | 67% |
| Network and network devices security policy | 55% | 56% | 59% |
| Users (privileged) access policy | 54% | 56% | 59% |
| Workstation/laptop security policy | 55% | 56% | 59% |
| Encryption policy (or standard) | 63% | 55% | NA |
| Information security policy | 60% | 54% | 67% |
| Data classification policy | 52% | 46% | 53% |
| Incident response policy | 51% | 45% | 46% |
| Third-party access control policy | 44% | 43% | 49% |
| Removable media policy | 42% | 38% | 44% |
| Information exchange policy | 37% | 31% | 30% |
| Cloud acceptable usage policy | 24% | 20% | 24% |


What types of policies does your organization have in place to prevent data leakage? (Multiple responses permitted)

Comparing Top-Performing Organizations

| Policy | High board engagement in information security | Without high board engagement | All core information security policies | Without all core policies |
|---|---|---|---|---|
| Password policy (or standard) | 73% | 67% | 86% | 60% |
| Data protection and privacy policy | 75% | 52% | 83% | 47% |
| Information security policy | 70% | 53% | 81% | 47% |
| Network and network devices security policy | 66% | 50% | 77% | 42% |
| Users (privileged) access policy | 62% | 47% | 75% | 41% |
| Workstation/laptop security policy | 65% | 47% | 82% | 39% |
| Encryption policy (or standard) | 74% | 56% | 86% | 50% |
| Data classification policy | 66% | 44% | 77% | 37% |
| Third-party access control policy | 53% | 38% | 71% | 29% |
| Incident response policy | 61% | 45% | 75% | 37% |
| Removable media policy | 52% | 34% | 71% | 24% |
| Information exchange policy | 45% | 32% | 57% | 25% |
| Cloud acceptable usage policy | 36% | 18% | 46% | 12% |


Has the recent European Union announcement of the General Data Protection Regulation (GDPR) caused your organization to have to rework existing Safe Harbor or binding corporate rules?

Comparing Top-Performing Organizations

| Response | All respondents | High board engagement in information security | Without high board engagement | All core information security policies | Without all core policies |
|---|---|---|---|---|---|
| Yes, we have done a significant amount of rework of our existing rules | 14% | 22% | 11% | 13% | 14% |
| Yes, we have done some rework of our existing rules | 25% | 26% | 30% | 24% | 26% |
| No, there has been no impact | 35% | 32% | 40% | 35% | 35% |
| I am not familiar with the GDPR | 26% | 20% | 19% | 28% | 25% |

Insights

• When it comes to addressing data leakage, security groups deploy a wide range of specific policies related to password selection, network access, device protection, encryption, third-party access and much more. Given that most of these individual policies are required or strongly recommended by government regulators and industry groups, they should be more prevalent in organizations.

• By not having these policies in place, organizations face potential legal liability along with significant security risks. This is especially the case concerning the low use of privileged access and cloud acceptable usage policies (54 percent and 24 percent, respectively), considering the high security risks these areas pose.

• It is interesting to see a significant year-over-year increase in encryption policies, from 55 percent to 63 percent. Paired with the earlier observation that organizations lack high confidence that they can prevent a breach from happening, encrypting sensitive data and having good incident response practices are excellent parallel activities: encryption limits what an attacker gains from a breach, and incident response limits how long the attacker has to gain it.

• While top-performing organizations are more likely to have each of these policies in place, a surprising number have yet to implement these types of guidelines.

Looking Ahead: Trends to Watch

• Increasing, and increasingly sophisticated, cyberattacks will likely result in more regulations and oversight, as governments and regulatory authorities seek to bolster protections of consumer and organizational data. Many of these new rules will impose greater pressure, including but not limited to monetary fines, on organizations whose data classification and management capabilities prove ineffective in preventing high-risk breaches.


• More attention, and possibly increased regulatory attention, will focus on security training, communications and related “human” mechanisms as social engineering efforts by bad actors result in more cyberattacks.

• Organizations should review the potential impact to them of the recent General Data Protection Regulation requirements.5

Action Items for Technology Leaders

There is a proven logic path that organizations should follow as they work to understand and classify their data:

• Determine what your crown jewels are, then identify where they are via self-assessment and confirm with the use of appropriate tools.

• Identify the threats to these crown jewels.

• Conduct a thorough threat and risk analysis.

• Identify the inherent risks — including the probability and impact of these threats — and the processes and systems that are in place to minimize them.

• Determine the residual risk after considering all current processes and systems to minimize the inherent risks.

• Based on residual risk, evaluate the organization’s program, frameworks and implementation to continually test and reduce residual risk, seek trends, and monitor metrics.

• Develop an incident response plan that includes periodic and comprehensive testing, because in all likelihood the organization will experience a security event of some kind.

• Assess year-over-year trends in this process to identify where risks are receding and growing.

– Leverage outside resources who are security experts — recognize that you may not have the knowledge in-house to conduct effective trainings, nor the resources to keep up-to-date with industry regulations, current approaches to cyberattacks, emerging security trends and more.

– Set the right tone for the organization by establishing strong data leakage policies and communicating them. Even basic messages to staff are important, such as reminders to not open email attachments from people you don’t know.

5 For additional information, read Protiviti’s Flash Report, “Preparing for the General Data Protection Regulation — The Clock Starts Ticking Now,” May 31, 2016, available at www.protiviti.com.


A Look at the IT Security Organization: Structures, Budgets and Reporting Relationships

To whom does the IT security organization report in your company?

| Reports to | Response |
|---|---|
| Chief Information Officer | 61% |
| Chief Executive Officer | 11% |
| Chief Financial Officer | 6% |
| Chief Compliance Officer | 6% |
| Board of Directors | 2% |
| Other | 5% |
| Don’t know | 9% |

To whom does the chief information security officer (CISO) report in your company? (Base: organizations that have a CISO)

| Reports to | Response |
|---|---|
| Chief Information Officer | 55% |
| Chief Executive Officer | 20% |
| Chief Financial Officer | 5% |
| Board of Directors | 4% |
| Chief Compliance Officer | 4% |
| Other | 5% |
| Don’t know | 7% |

Percentage of organizations that have a CISO:

• Companies with high board engagement in information security: 69%
• Companies without high board engagement in information security: 50%
• Companies with all core information security policies: 69%
• Companies without all core information security policies: 47%

Approximately how many full-time professionals are employed in your IT security organization?

| Full-time IT security professionals | Large companies (≥ $1B) | Small companies (< $1B) |
|---|---|---|
| More than 50 | 50% | 17% |
| 31 to 50 | 6% | 9% |
| 16 to 30 | 14% | 15% |
| 5 to 15 | 15% | 23% |
| Less than 5 | 6% | 29% |
| Don’t know | 9% | 7% |


Approximately what percentage of your organization’s overall IT budget is dedicated to security? (Base: C-suite respondents)

| Share of IT budget | Response |
|---|---|
| 1% to 4% | 16% |
| 5% to 9% | 29% |
| 10% to 20% | 29% |
| 21% to 30% | 8% |
| 31% to 40% | 8% |
| 41% to 50% | 2% |
| More than 50% | 1% |
| Don’t know | 7% |

Insights

• Top-performing organizations are significantly more likely to have a CISO. Not surprisingly, large organizations also are more likely to have a CISO compared to small and midsize companies. Among organizations with a CISO, that individual most commonly reports directly to the CIO (55 percent) or the CEO (20 percent).

• Although a majority of security organizations report to the CIO, keep in mind that technology and data security is an enterprisewide issue — and one that requires training, communications, relationships and supporting processes in all areas of the company.

Who is responsible for creating and overseeing data governance in your organization?

| Role | Current | 2015 | 2014 |
|---|---|---|---|
| Chief Information Officer | 37% | 33% | 41% |
| Chief Security Officer | 29% | 25% | 20% |
| Individual department leaders (HR, Legal, Marketing, etc.) | 12% | 9% | 14% |
| Chief Privacy Officer | 4% | 5% | 4% |
| Chief Financial Officer | 3% | 4% | 5% |
| Other | 5% | 7% | 8% |
| Don’t know | 10% | 17% | 8% |


Who is responsible for executing the data governance strategy/policy in your organization?

| Role | Current | 2015 | 2014 |
|---|---|---|---|
| Chief Information Officer | 39% | 37% | 41% |
| Chief Security Officer | 22% | 19% | 17% |
| Individual department leaders (HR, Legal, Marketing, etc.) | 16% | 14% | 20% |
| Chief Privacy Officer | 5% | 5% | 3% |
| Chief Financial Officer | 4% | 3% | 2% |
| Other | 4% | 6% | 8% |
| Don’t know | 10% | 16% | 9% |

Of the following security certifications, please note those that your organization has achieved:

Comparing Top-Performing Organizations

| Certification | High board engagement in information security | Without high board engagement | All core information security policies | Without all core policies |
|---|---|---|---|---|
| ISO 27001-2 | 65% | 52% | 66% | 48% |
| NIST 800-53 | 53% | 38% | 53% | 37% |
| BITS-AUP | 45% | 34% | 49% | 29% |
| SSAE-16 | 57% | 40% | 64% | 35% |
| HITRUST | 44% | 30% | 44% | 28% |
| SOC 2 | 54% | 38% | 57% | 34% |


Views From the C-Suite on Vendor Risk and Data Management6

Vendor risk management has become a “front burner” issue for technology functions and management teams as external vendors and partners become more involved with an organization’s data management and storage. Note that 44 percent of all organizations store at least a portion of their most sensitive data in the cloud.

6 The data reported in this section, unless otherwise noted, is based on responses from C-suite participants (chief information officers, chief technology officers, chief security officers, chief information security officers).

Where is your company’s sensitive data stored? (Multiple responses permitted)

| Location | All respondents | Large companies (≥ $1B) | Small companies (< $1B) |
|---|---|---|---|
| On-site servers | 62% | 67% | 60% |
| Off-site servers | 47% | 50% | 44% |
| Cloud-based vendor | 44% | 43% | 48% |
| On users’ computers | 18% | 15% | 23% |
| Don’t know | 11% | 7% | 11% |
| Not stored in any centralized location | 7% | 8% | 7% |


Compared to two years ago, is your organization working more today with large databases (“big data”) for business intelligence purposes?

| Response | Share |
|---|---|
| Yes, significantly more | 36% |
| Yes, somewhat more | 43% |
| No, we are working with large databases for BI purposes, but at the same level as 2 years ago | 11% |
| No, we are not working with large databases for BI purposes | 8% |
| Don’t know | 2% |

From what source is that information being accessed or pulled? (Base: C-suite respondents in organizations that are working more with large databases for business intelligence purposes)

| Source | Share |
|---|---|
| Existing, company-owned data | 58% |
| Third-party data | 13% |
| Combination of company-owned and third-party data | 29% |

KEY FACTS

• 83% — Organizations that have ensured they have all proper contracts and policies in place (including breach notification processes)

• 84% — Organizations whose vendors are aware of the sensitivity of data being shared, and are managing and securing that data in a manner consistent with data classification requirements


How comfortable is your organization with processing and storing sensitive data in the cloud? (Base: C-suite respondents in organizations that are working more with large databases for business intelligence purposes)

| Response | Share |
|---|---|
| Our organization is comfortable doing this in either a public or private cloud environment | 31% |
| Our organization is comfortable doing this in a private cloud environment only | 45% |
| We have reservations about doing this in a public cloud environment, but still do so | 15% |
| We have reservations about doing this in a private cloud environment, but still do so | 2% |
| We do not allow this kind of data to be stored or processed in any cloud environment | 7% |

On a scale of 1 to 10, where “10” is highly knowledgeable and “1” is not at all knowledgeable, how would you rate your organization’s level of knowledge about the data security management programs and procedures of its third-party vendors? (Base: all respondents)

• Companies with high board engagement in information security: 8.0
• Companies without high board engagement in information security: 6.7
• Companies with all core information security policies: 7.8
• Companies without all core information security policies: 6.8


Insights

• Despite great strides in cloud adoption and a large movement of sensitive data to the cloud, many organizations remain concerned with security over this relatively new area.

• The growing use of business partners to support business processes (especially those providing cloud storage) elevates the importance of vendor risk management policies and practices in the context of security. Although this survey and other research indicate that strides are being made with regard to mitigating third-party data risks, significant progress is needed. For example, while 44 percent of organizations store sensitive data with cloud vendors, 45 percent of organizations are only comfortable storing sensitive data in a private cloud environment.

• Board engagement is a key element of high-performing security programs; it also marks a key component of effective vendor risk management, according to the findings of the 2016 Vendor Risk Management Benchmark Study conducted by the Shared Assessments Program and Protiviti. That research indicates that boards are less engaged with vendor risks than they are regarding the organization’s own information security risks.7

Looking Ahead: Trends to Watch

• Vendor risk management will become a more important priority, and a growing board-level concern, due to two related factors: growing reliance on data and data-management vendors (e.g., cloud storage and software providers), and the increasing number and magnitude of data breaches targeting organizations and their vendors.

• This growing focus on vendor risk management will drive more organizations to deploy increasingly sophisticated measures to assess their vendors, including but not limited to calculating and distributing vendor assessment metrics, and implementing metrics and reporting for compliance with required training and awareness of vendor risk policies.

Action Items for Technology Leaders

• Given the increasing use of cloud-based vendors for storing sensitive data, assess how to adapt the organization’s security strategy for cloud or hybrid security models.

• Consider whether your organization’s approach to vendor risk management is commensurate with the quantity and sensitivity of data stored with vendors and/or in the cloud.

• While assessing improvement opportunities related to vendor risk management processes, focus on two areas that tend to be less mature than other vendor risk management components, according to the 2016 Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti: skills and expertise; and tools, measurement and analysis.8

7 2016 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management, Shared Assessments Program and Protiviti, December 2016, www.protiviti.com/vendor-risk.

8 Ibid.


Assessing Application Development and Security

Does your organization embrace and enforce secure application development practices? (Base: C-suite respondents in organizations that are working more with large databases for business intelligence purposes)

| Response | Share |
|---|---|
| Yes, through policy only | 19% |
| Yes, through policy and training | 44% |
| Yes, through policy, training and technical solutions to ensure applications are secure | 29% |
| No, secure application development is ad hoc in our organization | 8% |

What is your company’s policy on provisioning accounts for external access?

| Response | Share |
|---|---|
| Create accounts within an internal active directory | 28% |
| Create accounts within an active directory for external users only | 19% |
| Never create such accounts and do not permit access | 10% |
| Company has custom in-house solution | 10% |
| Federate with external parties | 7% |
| Federate with third-party providers | 4% |
| Do not have such a policy | 5% |
| Don’t know | 17% |


What is your company’s policy on granting external access to sensitive data?

| Response | Share |
|---|---|
| Unique credentials accessible over a secured VPN | 29% |
| Multi-factor authentication | 17% |
| Grant access on the premises only | 15% |
| Never grant access | 15% |
| SSL access over Internet | 7% |
| Do not have such a policy | 4% |
| Don’t know | 13% |

Insights

• Application development can be a major source of vulnerability for organizations. It is somewhat alarming that few companies (29 percent) are taking actions beyond policy and training, such as technical controls in the development process, to ensure they have secure application development practices in place. This suggests that applications will continue to be an area on which attackers focus.

• It also is surprising to see that just 17 percent of organizations use multi-factor authentication for external access to sensitive data. This is a problem in today’s sophisticated technology environments, where relying solely on passwords is a very weak control.


Getting Incident Response in Gear

If your organization experienced a data breach or hacking incident, does it have a formal and documented crisis response plan that would be activated and executed?

| Response | Current | 2015 | 2014 |
|---|---|---|---|
| Yes | 67% | 56% | 56% |
| No | 20% | 24% | 34% |
| Don’t know | 13% | 20% | 10% |

Incident response should be a mainstay of an effective security program. While organizations are making some strides with regard to their incident response capabilities, most still have a long way to go, particularly with regard to having a formal crisis response plan and performing periodic fire drills.


Organizations that have a formal and documented crisis response plan:

• Companies with high board engagement in information security: 80%
• Companies without high board engagement in information security: 62%
• Companies with all core information security policies: 85%
• Companies without all core information security policies: 56%

As defined in your organization’s documented crisis response plan, who needs to be involved in addressing a data breach or hacking incident? (Multiple responses permitted)

| Role | Current | 2015 | 2014 |
|---|---|---|---|
| Chief Information Officer | 73% | 71% | 75% |
| Chief Security Officer | 60% | 63% | 56% |
| General Counsel/Chief Legal Officer | 53% | 47% | 46% |
| Chief Executive Officer | 44% | 43% | 43% |
| Chief Privacy Officer | 27% | 25% | 26% |
| Corporate Communications | 40% | 40% | 41% |

Commentary

• Two-thirds of all organizations have a formal, documented crisis response plan in place and ready for activation when a data breach or information security event occurs. Considering the prevalence of cyberattacks and, for most organizations, the growing likelihood that a breach will occur, it is concerning that one-third of all organizations either lack a formal crisis response plan or do not know whether one exists.

• As was the case in past security surveys we have conducted, top-performing organizations are far more likely to have formal crisis response plans ready to be executed when a breach occurs.


With regard to IT security, does your organization periodically perform “fire drills” to test your ability to execute the organization’s incident response plan?

| Response | Current | 2015 | 2014 |
|---|---|---|---|
| Yes | 52% | 40% | 46% |
| No | 30% | 39% | 49% |
| Don’t know | 18% | 21% | 5% |

IF YES: How frequently does your organization perform its fire drills?

| Frequency | Current | 2015 | 2014 |
|---|---|---|---|
| Monthly | 14% | 9% | 7% |
| Quarterly | 35% | 38% | 30% |
| Semi-annually | 30% | 30% | 27% |
| Annually | 21% | 23% | 36% |

When was your organization’s incident response plan most recently updated?

| Response | Current | 2015 | 2014 |
|---|---|---|---|
| Within the past year | 51% | 48% | 46% |
| Within the past two years | 27% | 24% | 22% |
| Within the past five years | 11% | 12% | 9% |
| Longer than five years | 2% | 3% | 4% |
| Our plan has not been updated | 9% | 13% | 19% |


Insights

• Compared to our 2015 study, organizations today are more likely to perform periodic fire drills (like tabletop exercises) to test their incident response plans, to run these fire drills on a quarterly or monthly basis, and to have updated their incident response plans within the past year. While this progress is promising, the numbers are still low. More improvement is needed in having a higher percentage of firms perform these drills.

• It is important for boards, senior management teams and technology functions to understand that the effectiveness of incident response plans hinges on their execution, and the only way to gauge how these plans will work in reality is to periodically test them in simulations. The most effective incident response plans are “living documents” that are regularly updated to reflect rapidly changing market conditions, emerging security risks and internal changes. Similar principles governed pre-digital-age business continuity management and disaster recovery planning.

Organizations that have updated their incident response plan within the past year:

• Companies with high board engagement in information security: 69%
• Companies without high board engagement in information security: 39%
• Companies with all core information security policies: 68%
• Companies without all core information security policies: 41%

Does your organization have a forensics provider on retainer? (C-suite responses shown)

| Response | Share |
|---|---|
| Yes, we have a forensics provider on a paid retainer | 33% |
| Yes, we have a forensics provider on an unpaid retainer | 27% |
| No, we have in-house forensics capabilities | 20% |
| We have no forensics capabilities either internally or through a provider | 15% |
| Don’t know | 5% |


Looking Ahead: Trends to Watch

• Some industry regulations and guidelines already recommend that organizations test their incident response plans at least annually. New industry guidelines and business regulations that will come out in the next 24 months may include requirements for documented crisis response plans along with periodic testing.

• The occurrence of a historically massive (or otherwise unique) cyberattack would likely motivate boards and senior management teams to communicate to their technology leaders and security teams to ensure incident response plans are in place and simulations are being performed.

Action Items for Technology Leaders

• On at least an annual basis, plan and conduct periodic testing and cybersecurity “war games,” which are critical elements of an IT security program. Test the plan via different use cases; otherwise, it is unlikely to be effective.

• Conduct specific tests on social engineering and share the results with management.

• Understand who in the IT department or broader organization has responsibility over the lifecycle of a cybersecurity incident, from identifying it to managing technology remediation issues and communicating to management, among numerous other tasks.

• Establish relationships with federal and local law enforcement agencies to ensure a rapid and effective response to a cyberattack (regulatory authorities are beginning to emphasize this more in their guidance).


Demographics

More than 700 technology executives and professionals (n = 708) participated in the survey. Following are details regarding the respondents and the size of companies represented in the study.9

Position (title/role)

Chief Information Officer 7%

Chief Technology Officer 6%

Chief Security Officer 3%

Chief Information Security Officer 5%

IT VP/Director 26%

IT Audit VP/Director 3%

IT Manager 31%

IT Audit Manager 1%

IT Staff 8%

IT Audit Staff 2%

Other 8%

Size of Organization (by gross annual revenue)

$20 billion or greater 14%

$10 billion - $19.99 billion 10%

$5 billion - $9.99 billion 13%

$1 billion - $4.99 billion 23%

$500 million - $999.99 million 17%

$100 million - $499.99 million 12%

Less than $100 million 11%

Type of Organization

Public 51%

Private 37%

Not-for-profit 7%

Government 5%

Industry

Technology 17%

Financial Services 17%

Manufacturing 11%

Government/Education/Not-for-profit 10%

Retail 6%

Insurance 5%

Healthcare Provider 4%

Communications 4%

Energy 3%

Consumer Products 3%

Distribution 2%

Life Sciences/Biotechnology 2%

Utilities 2%

Real Estate 1%

Healthcare Payer 1%

Hospitality 1%

Other 11%

9 All demographic information was provided voluntarily by respondents. Percentages in the tables correspond to those providing this information rather than the total sample of respondents.


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

ABOUT OUR TECHNOLOGY CONSULTING SOLUTIONS

Emerging technologies and changing business models are driving a shift in the role of IT — from leveraging technology in support of the business to the higher, more strategic goal of protecting and enhancing business value. Today, it is critical that you have strong IT processes and practices to ensure the alignment of IT and business strategy and to drive excellence through the IT infrastructure and the operations it supports.

Protiviti’s global Technology Consulting practice helps CIOs and IT leaders design and implement advanced solutions in IT governance, security, data management, applications and compliance. Protiviti works to address IT security and privacy issues and deploy advanced and customized application and data management structures that not only solve problems, but also add value to organizations. Technology will drive your future, and with Protiviti you can be confident it takes you where you want to go.

Kurt Underwood, Managing Director, Global Leader, Technology Consulting, [email protected]

CONTACTS

Scott Laliberte, Managing Director, [email protected]

Cal Slemp, Managing Director, [email protected]

Jeff Sanchez, Managing Director, [email protected]

Mark Lippman, Managing Director, [email protected]

Chris Louden, Managing Director, [email protected]

Michael Porier, Managing Director, [email protected]

Andrew Retrum, Managing Director, [email protected]

Ryan Rubin, Managing Director, [email protected]

David Stanton, Managing Director, [email protected]

David Taylor, Managing Director, [email protected]

Michael Walter, Managing Director, [email protected]

David Adamson, Managing Director, +61.02.8220.9500, [email protected]

Billy Gouveia, Managing Director, +1.212.708.6391, [email protected]

Daniel Hansen, Managing Director, +1.415.402.3697, [email protected]


© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0217-101096 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA*: Buenos Aires

BRAZIL*: Rio de Janeiro, Sao Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE*: Santiago

MEXICO*: Mexico City

PERU*: Lima

VENEZUELA*: Caracas

EUROPE, MIDDLE EAST, AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN*: Manama

KUWAIT*: Kuwait City

OMAN*: Muscat

QATAR*: Doha

SAUDI ARABIA*: Riyadh

SOUTH AFRICA*: Johannesburg

UNITED ARAB EMIRATES*: Abu Dhabi, Dubai

ASIA-PACIFIC

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

*MEMBER FIRM
