MarketFocus
In-depth analysis from Hewlett Packard Enterprise, January 2016

Companies cautiously optimistic about cybersecurity

What steps should CISOs and CIOs be taking to ensure a breach doesn't happen at their organizations?

Respondents to a new survey by SC Magazine, sponsored by HPE, are generally very confident about protecting their networks from known threats. But given the threat landscape from unknown threats, what steps should CISOs and CIOs be taking to ensure a breach doesn't happen at their organizations? Steve Zurier reports.

Could it be that after all the negative stories about data breaches there's still a false sense of security that companies simply won't be a victim of an attack? A recent study by SC Magazine, sponsored by Hewlett Packard Enterprise (HPE), found that only 44 percent believe that there's only a 50-50 chance that their organization will experience a breach, while another 36 percent say that it's unlikely their organization will be hacked. Only 10 percent felt that a breach was very likely, while just three percent believed that it was pretty much a certainty.

[Chart: To protect your digital enterprise, what do you consider your current highest priority? Safeguard continuity & compliance 28%; Secure digital interactions 28%; Detect & manage breaches 26%; Understand the threats better 18%]

Only three percent of the respondents believe that a breach is a certainty? In fact, a breach is a near certainty, according to the Ponemon Institute's "2015 Cost of Cyber Crime Study: Global report." The study says an average company will experience 1.9 successful breaches per company each week, based on a review of 477 attacks in 252 organizations during fiscal 2015. What would the security professionals at Office of Personnel Management, Sony, Target or JPMorgan Chase say? What about the unnamed mass of companies that get breached daily but are lucky enough not to have their fate make headlines in the daily news?

According to testimony submitted to Congress in September 2015 by Director of National Intelligence James Clapper, at JPMorgan Chase, following multiple distributed denial of service (DDoS) attacks on the financial sector in 2012-2013, the company announced plans for annual cybersecurity expenditures of $250 million by the end of 2014. And after the company experienced a breach in 2014, JPMorgan's CEO Jamie Dimon said he would probably double JPMorgan's annual computer security budget within the next five years.

There is one caveat to all this apparent confidence on the part of respondents. Mark Painter, security evangelist at HPE, says it is important to point out that the survey answers change when people are asked how confident they are about stopping known threats as opposed to unknown threats. Painter says while it's true that a full 90 percent of the respondents say they are either somewhat confident or highly confident they can stop known threats, only eight percent of respondents say they are highly confident they can stop unknown threats and another 49 percent say they are somewhat confident they could stop unknown threats.

[Chart: How confident are you in the effectiveness of your current security program? Application security: not confident 5%, little confidence 16%, somewhat confident 57%, very confident 22%. Network security: not confident 3%, little confidence 11%, somewhat confident 50%, very confident 36%. Security monitoring and analytics: not confident 7%, little confidence 20%, somewhat confident 52%, very confident 21%. Data security: not confident 7%, little confidence 13%, somewhat confident 55%, very confident 25%]

"What this tells me is that people have to move away from the silver bullet approach," Painter explains. "It's just not possible to block every single attack."

Kerry Matre, solutions marketing manager for data privacy at HPE, adds that people should not throw up their hands and give up. They need to change focus. "Moving forward, detection has become more important," she says. The goal of the security team should be to create an environment where once an attack is spotted, there is a way to contain the malware so it does not lead to a complete system compromise.

[Chart: How well do you feel you understand the real cybersecurity threats your enterprise faces? Advanced 20%; Moderate 55%; Basic 25%]

Dave Shackleford, owner and principal consultant of Voodoo Security and a SANS Institute analyst, senior instructor and course author, says the most successful chief information security officers know all too well that they could be doing all the right things, yet their company could still be hacked. "A company could be doing patch management, configuration management, application security, deployed firewalls and an IDS/IPS, content filtering and threat analysis and still be hacked," Shackleford says.

Larry Ponemon, chairman and founder of the Ponemon Institute, has two explanations for the survey's optimistic outlook. First, people often exaggerate their true feelings and don't want to be caught on the record saying that their organization's security program has flaws. Second, many of the respondents were higher-level CISOs and CIOs, and they often don't have the same information as the hands-on people in the trenches of the security industry.

5 action items for security pros

HPE's Mark Painter, security evangelist, and Kerry Matre, solutions marketing manager for data privacy, offer five tips for CISOs and IT managers looking to bolster their security programs.

1. Move away from the silver-bullet mentality. Deploying firewalls and assuming the organization is secure doesn't cut it in today's era of mobility and the cloud. IT departments have to understand that malware will get through and they need to focus on detection and remediation.

2. Attract and retain good people. Published reports indicate that there are now 200,000 security jobs unfilled in the United States alone and that by 2019 there will be a global security worker shortage of 1.5 million jobs. Attracting new staff with high salaries, stock options and flexible working conditions is a good start. But it's also important to make sure these people feel that there is a career path for them at your organization. Don't let them burn out in six months staring at log data on a computer screen. Get them involved in data investigations and make sure they have plenty of time to research and read about the latest developments in security technology and study for valuable security certifications.

3. Focus on applications. As Larry Ponemon of the Ponemon Institute reports, the vast majority of breaches take place in applications. Companies can start by building security into applications from the start, but if that's not possible they need to look at tools that can detect, quarantine and remediate malware.

4. Bring in analytics. Because so much of the focus moving forward will be on unknown threats, organizations need to deploy analytics so they can run real-time analysis and make correlations on what in the past may have been seemingly unconnected data.

5. Implement a layered approach. No one appliance or software package will save the day. Start with firewalls and an IDS/IPS, but the organization will also need content and web filters, an endpoint solution to cover the growing mobile workforce, and detection and threat analysis software.

"Last year, we did a study and asked people if a cyberattack had evaded their IPS," says Ponemon. "We found that less than five percent of the senior managers believed there was a penetration, while 60 percent of the people in the trenches believed it happened. The hands-on people see these problems every day and may not always communicate them to the higher-level people."

No more perimeter defenses

There were other signs of a disconnect between the high anxiety of the threat landscape and the cautious calm among respondents. While 30 percent of respondents to the SC Magazine survey say their current priority for securing the enterprise was encryption and data protection, 35 percent say advanced perimeter defenses were their top priority. This goes against the conventional wisdom that in an era of mobility and cloud computing, perimeter defenses alone are not enough. And another telling statistic: only 13 percent say application security is a priority for securing their enterprise.

Ponemon found this last statistic problematic because research has found that 70 percent of vulnerabilities reside in applications. "It's a problem if people are not doing application security because they are more apt to be hit in that area," Ponemon adds.

[Chart: What do you use most to understand the cybersecurity threats you face as an enterprise? Industry analyst reports 25%; Security consultants 18%; Internal research 18%; Breach headline articles 13%; Peer discussions 12%; Industry trade articles 9%; Vendor research papers 7%]

Just what are the chances that your organization will be hit? In its "2015 Cost of Data Breach Study: Global Analysis," the Ponemon Institute found that there's a 22 percent chance over a 24-month period that an organization will experience a breach involving a minimum of 10,000 records. Ponemon's use of the term "record" includes medical records that contain personal data, financial records that could include account or other personal data, and other similar documents that contain protected and non-protected information. The chances of an organization experiencing a data breach of 100,000 records are less than one percent.

However, while the Ponemon report looks at a two-year period when determining a percentage for a potential breach, a large number of security professionals say it is not a question of if a company will be breached but rather when. The breach might be in one month, one year, three years or perhaps it already happened and the victim company has yet to discover it. This study might not take all those variables into consideration.

One possibility for the relative calm is that more than half of the 264 survey respondents work for small- to medium-sized businesses with revenues of less than $100 million, so the executives at those companies are potentially less apt to think that they would be hacked.

But with the odds being more than one in five that your company can be hit, Ponemon warns that the optimism among the respondents may be dangerous. "There are a lot of small business people who don't worry about being hacked, but I think it's a lot of false bravado," Ponemon says. "All our research finds that while the bad guys look to large corporations, they also look to easy targets and a lot of small businesses are easy targets. People need to understand that they need more than a perimeter control strategy today."

Cybersecurity experts recommend that companies use a layered approach today. With companies becoming more reliant on mobility and the cloud, there's no going back to building a moat around the perimeter. While as a group the respondents are confident, as HPE's Painter and Matre point out, they are really only confident about known threats the industry has managed for several years. Expect much more of the focus moving forward to be on using analytics to detect and contain unknown threats. The CISOs, CIOs and IT managers who understand that will be the ones who will get sleep at night – and more to the point – have a better shot of not winding up in the news as the victim of the latest security breach.

[Chart: To protect your digital enterprise, what do you consider your current highest priority? Advanced perimeter defenses 35%; Encryption and data protection 30%; Identity and access management 22%; Software security assurance 13%]

[Chart: In the event of a breach today, who knows how to respond immediately? IT team 73%; Security team 69%; Executives and board 23%; Crisis and PR 22%; Line of business managers 18%]

Here are some additional takeaways from the SC Magazine survey:

One in four respondents relies on regular security audits. A full 25 percent of respondents say their primary tool for detecting a breach is a regular security audit. Another 17 percent use advanced protection services, 16 percent say they use advanced security analytics, 14 percent use penetration testing, 11 percent event correlation and 9 percent say security spot testing.

Respondents were all equally self-confident. The confidence of the respondents in their security programs was pretty much equal across company size and gross revenues. For example, 48 percent of companies with 1,000 or fewer employees were somewhat confident in their security programs, while 54 percent of companies with 1,001 to 5,000 employees were somewhat confident and 49 percent of companies with more than 5,000 employees were also somewhat confident. On the revenue front, 49 percent of companies earning less than $100 million were somewhat confident, while 52 percent of companies with revenue of $100 million to $1 billion were somewhat confident and 48 percent of companies with $1 billion or more in revenue were also somewhat confident in their security program.

Professional research has clout. When asked what sources they use to understand the cybersecurity threat, respondents listed industry analyst reports at 25 percent, security consultants at 18 percent and internal research at another 18 percent. Further down the list were breach headline articles at 12 percent, peer discussions at 11 percent, industry trade articles at nine percent and vendor research papers at seven percent.

Companies rely on the IT staff rather than the security team. When asked who knows how to respond to a breach immediately, 73 percent say the IT team, while 69 percent say the security team. The executives and board were at 23 percent, the crisis and PR teams at 22 percent and line of business employees came in at 18 percent.

Internal threats are the most dangerous. When asked what is the most likely threat to destroying key data, 29 percent of the respondents say an internal accident and 21 percent say malicious internal activity. Another 28 percent say a cybersecurity incident, while 22 percent say a natural disaster.

Manual processes still prevail. When asked how prepared they were to respond to an internal compliance request or audit, 18 percent say they were unprepared, but 67 percent say they have clearly documented processes, but they are mostly manual. Only 15 percent say they are using automated processes to respond to an internal compliance request or audit.

[Chart: In terms of recovery, what do you think is the most likely threat to destroying your key data? Internal accident 29%; Cybersecurity incident 28%; Natural disaster 22%; Malicious internal activity 21%]

[Chart: How well prepared are you to respond to an internal compliance request or audit? Clearly documented processes, but mostly manual 67%; Unprepared 18%; Automated processes 15%]

Methodology

This survey was based on 264 responses from a broad cross-section of company sizes and revenues and eight industry verticals, including federal and state and local government, technology services, finance, education, manufacturing, medical and health care, legal/real estate and retail and wholesale distribution. The survey was conducted in November 2015 by C.A. Walker Research Solutions, Glendale, Calif.

Identifying the bad guys

In public testimony released to Congress in September 2015, Director of National Intelligence James Clapper outlined the main threat actors involved in cybersecurity incidents. They included the following:

1. Nation-states with highly sophisticated cyber programs. One approach from nation-states is to establish their own cyber command that is responsible for conducting offensive cyber activities. Other nation-state approaches include targeting intellectual property at companies worldwide.
2. Nations with lesser technical capabilities, but possibly more disruptive intent. Nation-state hackers have been implicated in the 2012-2013 DDoS attacks against U.S. financial companies and in the February 2014 cyberattack on the Las Vegas Sands casino company.
3. Profit-motivated criminals. These cybercriminals rely on loosely networked online marketplaces, referred to as the cyber underground, that provide a forum for the merchandising of illicit tools, services, infrastructure, stolen personally identifiable information and financial data. Top targets are the data networks of retail businesses and financial institutions.
4. Terrorists. Various groups continue to experiment with hacking, activities that could serve as the foundation for more advanced capabilities down the road.

HPE’s approach to enterprise security disrupts the lifecycle of an attack with prevention and real-time threat
detection, from the application layer to the hardware and software interface. HP Enterprise Security enables
organizations to take a comprehensive approach to security, delivering actionable security intelligence while
providing insight into the future of security and the most critical threats facing organizations today.

For more information, visit www.HPE.com

This supplement was commissioned by Hewlett Packard Enterprise and produced by SC Magazine, a Haymarket Media, Inc. brand.
