CompTIA Security Research Study 2007

Trends and Observations on Organizational Security

Carol Balkcom, Product Manager, Security+


Goals of this session

• To share some trends and observations related to security policy, training and spending over time

• To discuss with session participants (anonymously) the security policies in their organizations

• Are we making any headway?

About the annual CompTIA security research

The CompTIA Security Research database is comprised of 5,692 responses:

639 in 2002 (Members = 50, Non-members = 589)
896 in 2003 (Members = 74, Non-members = 822)
489 in 2004 (Members = 101, Non-members = 388)
574 in 2005 (Members = 20, Non-members = 554)
1070 in 2006 (Members = 32, Non-members = 1038)
2024 in 2007* (Members = 63, Non-members = 1,961)

This report is focused on 2007 data. Results are broken down by country, with US results supported by trending data from 2005 and 2006 where relevant. International results include Canada, UK and China and are not trended (this is the first year).

Surveys were sent to CompTIA association members and 3rd party list sources representing professionals associated with IT Security. Surveys were fielded in January and February 2008 via the web. TNS designed the questionnaire with assistance from CompTIA.

* 2007 represents total countries, including US, Canada, UK and China.

About the survey

Objectives

TNS and CompTIA jointly designed a Web-based questionnaire to concentrate on certain focus areas and issues surrounding IT security training and certification, including:

• Identify key trends associated with IT security

• Quantify current and future spending on IT security

• Assess the costs associated with IT security breaches

• Understand the causes of IT security breaches and the impact of those incidents

• Identify trends associated with information security training for remote/mobile employees

• Determine the impact and effectiveness of information security training and certifications

• Understand future security issues and challenges that organizations will face

• Develop comparisons across industries and company size

Respondent Profiles 2007: Role Within IT Organization

Question: What is your role within the IT organization and with regard to IT and network security?

Roles among respondents are widely distributed, with Managers and Administrators making up the bulk in all countries. However, Managers and Engineers tend to be more common among Chinese respondents, while Executives are more prevalent among Canadian respondents.

Chart values (columns follow the slide's panel layout; the Canada and China panels are identified from the commentary above):

Role            Total*   US     Canada   UK     China
Administrator   32%      33%    31%      36%    24%
Manager         31%      30%    28%      30%    38%
Engineering     15%      13%    8%       11%    29%
Director        10%      12%    8%       12%    2%
Executive       12%      12%    25%      11%    7%

n = 2024 (Total), n = 1107 (US); the Canada, UK and China panels show n = 413, n = 373 and n = 131.

* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.

Respondent Profiles 2007: Organization – 2007 Number of Employees

Question: Number of employees at your entire organization.

In the US, respondents come from organizations of all sizes, though there is a slight skew toward mid-size companies of 100-999 employees. Echoing revenue distribution, Canadian and UK respondents are heavily skewed toward small companies of less than 100 employees while Chinese respondents tend to be employed in mid-sized to large organizations of 100 to 9,999 employees.

Chart values (columns follow the slide's panel layout, in the same order as the role chart):

Employees            Total*   US     Canada   UK     China
1-99                 34%      30%    69%      52%    18%
100-999              32%      33%    9%       20%    46%
1,000-9,999          20%      20%    9%       14%    30%
10,000 or more       11%      14%    10%      10%    5%
Don't know/refused   3%       3%     3%       4%     1%

n = 1743 (Total), n = 1011 (US); the Canada, UK and China panels show n = 320, n = 305 and n = 107.

* Represents respondents in this study only; does not reflect the universe of IT organizations within the 4 markets measured.

Respondent Profiles: Organization – US Trend

Question: What percentage of the IT budget is currently spent on computer security at your organization?

In the US, more and more respondent organizations are investing in computer security with more dedicated funds than ever before. In fact, 95% of organizations allotted some amount of their IT budget to computer security in 2007, representing an 8% growth over 2005. Additionally, funds earmarked for computer security have been on an upswing since 2005, suggesting a greater reliance on technology and processes to keep security breaches at bay.

Percentage of IT Budget Spent on Computer Security (% of responses; series in the chart's legend order 2007, 2006, 2005; Range of Responses: 377-992)

% of IT budget   2007   2006   2005
0                5%     3%     12%
5                21%    25%    35%
10               20%    21%    18%
15               11%    11%    9%
20-50            39%    37%    23%
51-100           4%     3%     3%

Percentage of IT Budget Spent on Computer Security by Year* (mean): 2007 = 19%, 2006 = 18%, 2005 = 13%

* Means were calculated differently last year, so trended data differs from 2006 report.

IT Security Overview: Security Enforcement, US Results

Question: What technologies are being employed at your organization to enforce security requirements? (Check all that apply)

Nearly all US companies use firewalls, proxy servers and/or antivirus software to enforce security requirements, and this has remained consistent over time. Though much less popular, multi-factor authentication and penetration testing have experienced growing usage during the past year.

Technology                      2007 (n = 1091)   2006 (n = 1053)
Firewalls/Proxy Servers         93%               94%
Antivirus software              92%               94%
Intrusion Detection Systems     50%               49%
Physical access control         39%               38%
Multi-factor authentication     36%               32%
Penetration Testing             32%               28%
Other                           3%                4%
None of the above               1%                0%

2005 (n = 574), bars in slide order: 91%, 96%, 43%, 29%, 19%, 25%, 1%; one category is shown as n/a for 2005.

Chart legend: Increased significantly compared to 2006 / Decreased significantly compared to 2006.

US companies are top users of firewalls/proxy servers. In China multi-factor authentication is used more than in US (45%).

IT Security Overview: IT Security Policy, US Results

Question: Does your organization have a comprehensive written IT security policy in place?

       2005 (n = 572)   2006 (n = 1005*)   2007 (n = 1031*)
Yes    59%              62%                66%
No     41%              38%                34%

Question: Does that written IT Security Policy include specific information that covers remote/mobile employees?

              2006 (n = 617)   2007 (n = 673)
Yes           81%              81%
No            14%              13%
Don't know    5%               6%

In a positive trend, a growing proportion of organizations is putting into place comprehensive written IT security policies, most of which cover remote/mobile employees.

* Responses in 2006 and 2007 exclude "don't know", which was not an option in 2005.

Canadian companies less likely to have written policies (44%). Fewer UK companies cover remote employees in policy (73%).

IT Security Certification: Certification Requirements, US Results

Question: Is IT security certification a requirement at your organization?

Required security certification for employees has significantly increased since 2006 and 2005, with about one-third of all organizations now requiring security certification for employees.

                              2005 (n = 533)   2006 (n = 1019)   2007 (n = 1015)
Yes; current employees        2%               5%                8%
Yes; new employees            2%               6%                6%
Yes; current/new employees    10%              15%               18%
No                            86%              74%               68%

Chinese organizations are much more likely to require certification (78%).

IT Security Training: Non-IT Staff Security Related Training, US Results

Questions added in 2007.

Non-IT employees are often provided some security training, as over half of organizations offer it for new and/or current staff. However, only one-quarter of organizations offers it to everyone.

Question: Is information security training available for non-IT employees at your organization? (No. of Responses = 1028)

Yes, for current and new non-IT employees    30%
Yes, for current non-IT employees            16%
Yes, for new non-IT employees                8%
No                                           46%

Question: What percentage of non-IT employees at your organization has had computer security-related training? (No. of Responses = 551)

0% - No non-IT employees at my org             3%
Less than 25%                                  22%
25 - 49%                                       20%
50 - 74%                                       15%
75 - 99%                                       14%
100% - All the non-IT employees at my org      26%

US is less likely than UK or China to offer training to non-IT staff (UK = 34%, China = 8%).

IT Security Overview: Security Issues, US Results

Question: In general, what types of security issues are currently being faced by your organization? (Check all that apply)

Spyware, the lack of user awareness, and the existence of viruses and worms are the most compelling security issues faced by US organizations. In a positive trend, a lack of security policy enforcement is affecting significantly fewer organizations compared to last year. However, denial of service has become a threat among significantly more organizations compared to 2006.

Issue                                      2007 (n = 1100)   2006 (n = 1066)
Spyware                                    53%               55%
Lack of user awareness                     52%               54%
Virus / Worm                               51%               49%
Authorized user abuse                      43%               44%
Remote access                              43%               40%
Browser-based attacks                      42%               41%
Wireless networking security               41%               39%
Data theft                                 35%               32%
Weak authentication practices              31%               31%
Lack of enforcement of security policy     31%               36%
Lack of written security policy            30%               33%
Denial of Service                          23%               21%
Social engineering                         23%               24%
Use handheld devices for data transfer     23%               22%
Change control tracking                    22%               23%
Voice over IP                              16%               16%
Other                                      2%                3%

2005 (n = 567), bars in slide order: 58%, 64%, 42%, 47%, 48%, 39%, 24%, 27%, 35%, 31%, 27%, 22%, 24%, 1%; three issues are shown as n/a for 2005.

Chart legend: Increased significantly compared to 2006 / Decreased significantly compared to 2006.

Virus/worm is the #1 issue in China and UK.

IT Security Breach: Severity Levels of Security Breaches, US Results

Question: Please rate the average severity level of all of your security breaches in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.)

Although the average number of security breaches hasn't budged in the past three years, breaches themselves have grown in severity, suggesting an amplified impact on organizations facing security violations.

[Chart: Average Severity Level (0-10), Not at All Severe to Very Severe, of security breaches in the last 12 months, for 2005 (No. of Responses: 379), 2006 (No. of Responses: 352) and 2007 (No. of Responses: 551); the three plotted values are 4.8, 2.3 and 5.3]

IT Security Breach: Severity Levels of Most Severe Breach, US Results – by Industry

Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be <greater than or equal to the average severity level of all your security breaches in the past 12 months>.

The most severe security breaches experienced by US companies in the past year have been relatively moderate (average ratings are less than 6 on a 10-pt. severity scale), with the education sector reporting the least extreme violations.

Average Severity (0-10)
Total           5.79
Government      5.67
IT              6.32
Financial       6.57
Manufacturing   5.83
Education       4.72

Range of Responses: 23-290

IT Security Breach: Unintentional Internal, US Results

Question: How does your organization address employees responsible for unintentional internal security breaches? In your response include any standard policies/action dealing with first, second or third offenses, such as retraining, warnings and terminations. *Question added in 2007

Employees responsible for unintentional security breaches are dealt with in a variety of ways, most commonly by receiving additional training/retraining. Termination is the second most common response to unintentional breaches.

No. of Mentions = 397

Training/Retraining                              16%
Fire them/Termination                            13%
Warning(s) - Written/Verbal                      10%
First - Warning; Second - Termination            8%
No policies/actions                              5%
Review policies/actions                          4%
First-Training; Second-Warning; Third-Term       4%
Other                                            27%
Refused/No Answer                                9%
Don't know/Not sure                              4%

Sample Verbatim Comments:

No set policy.

Training, system scans for possible breaches, interaction with security specialists at the control point.

Disciplinary action up to and including termination of employee.

Termination

Retrain but eventually fire if no change in employee's behavior.

Retraining, warning, disciplinary action up to termination.

Warning, probation, termination.

Security Awareness training, 2nd, 3rd offenses = formal reprimand leading to possible termination.

We attempt to set up new policies to make sure employees are aware of the proper procedures to take to make sure these mistakes do not happen again.

IT Security Training: Non-IT Staff with Computer Security Related Training, US Results – by Company Size

Question: What percentage of non-IT employees at your organization has had computer security training?

Smaller companies (1-99 employees) tend to provide security related training for all their staff while larger companies are less prone to doing so – likely a reflection of higher costs associated with training more employees.

Four pie charts, one per company size (1-99 Employees, 100-999 Employees, 1,000-9,999 Employees, 10,000 or More Employees); the values below are listed in the order the pies appear on the slide.

Share of non-IT staff trained   Pie 1   Pie 2   Pie 3   Pie 4
None                            3%      2%      1%      4%
< 25%                           20%     25%     23%     21%
25 - 49%                        19%     16%     30%     11%
50 - 74%                        20%     13%     14%     14%
75 - 99%                        12%     21%     13%     14%
All non-IT staff                26%     23%     19%     36%

Range of Responses: 92-173

IT Security Breach: Severity Levels of Most Severe Breach, US Results – by Company Size

Question: Please rate the most severe security breach in the past 12 months. (Use a 0-10 scale where 0 is not at all severe and 10 is very severe.) Your answer must be <greater than or equal to the average severity level of all your security breaches in the past 12 months>.

Smaller companies are less likely than larger ones to have very severe security breaches, possibly a result of their fewer connections to outside entities and their narrower reach. On the other hand, companies having between one-thousand and ten-thousand employees appear to be the most vulnerable to severe breaches.

Average Severity (0-10)
Total                       5.79
1-99 Employees              5.22
100-999 Employees           5.84
1,000-9,999 Employees       6.41
10,000 or More Employees    5.86

Range of Responses: 51-290

IT Security: Training for Mobile/Remote Workers, US Results

Most US organizations allow data access for remote/mobile employees, with the majority using encryption to secure data transmission via remote access. Trends have remained consistent since 2006.

Allow Data Access for Remote/Mobile Employees*

       2007 (807)   2006 (791)
Yes    86%          84%
No     14%          16%

Encrypt Data Transmissions Via Remote Access**

       2007 (1014)   2006 (1015)
Yes    80%           79%
No     20%           21%

*Question: Does your company allow data access for remote/mobile employees?

**Question: Do you encrypt data transmissions via remote access?

( ) = No. of Responses

Access for remote employees is much less available in Canada (50%) and UK (52%).

IT Security: Awareness Training for Mobile/Remote Workers, US Results

Question: Has your company considered, or implemented, its own security awareness training specifically for mobile/remote employees? (No. of Responses = 808)

Half of organizations have implemented security awareness training/education to remote employees or are planning to in 2008. However, this means that half either haven't considered it or have no immediate plans to implement it.

Yes, we have implemented security awareness training/education                                                            34%
Yes, we plan to implement security awareness training/education during 2008                                               16%
Yes, we have considered implementing security awareness training/education, but have no immediate plans to implement      13%
No, we have not considered implementing security awareness training/education                                             37%

Chinese companies are much more likely to implement security awareness training in 2008 (42%).

Natalie Fishman takes great care to protect her personal information. Unfortunately, she's discovered the third parties she shares it with don't have the same interest in keeping it safe.

Just recently, she received a letter from the city Financial Information Services Agency informing her about the loss of a laptop loaded with financial information on as many as 280,000 city retirees. Someone stole the computer in August from a consultant who took it to a restaurant.

New York Daily News – Tuesday Oct. 2nd, 2007

In development: CompTIA Security Trustmark

The CompTIA Security Trustmark accredits those Solution Providers who promote security business practices that invoke the trust of end-users. It is a baseline standard of security practices and competencies as agreed upon by the service and support industry.

The CompTIA Security Trustmark requires Solution Providers to keep a comprehensive report of internal security processes and processes at customer sites. It also requires reports of their security level skills/certifications, security vendor product training/knowledge, and overall IT capabilities that relate to security practices.

IT Security: Reduction of Major Security Breaches Since Implementation of Security Awareness Training for Remote/Mobile Workers, US Results

Question: Do you think the number of major security breaches in your organization has been reduced since your organization's security awareness training/education for remote/mobile employees? (A major security breach is one that causes real harm, has confidential information taken, or causes business interruption.)

Organizations that offer security awareness training for remote/mobile employees overwhelmingly experience fewer major security breaches.

No. of Responses = 297

Yes    88%
No     12%

All respondents in Canada and China believe the number of breaches has been reduced.

Group Discussion: How does YOUR organization fit the statistics?

• Written policy

• General employee training

• Mobile devices