Foreword

The 2011 SOUTH AFRICAN INFORMATION SECURITY THERMOMETER report is an independent national benchmarking exercise conducted with local companies by Wolfpack’s research team in Q4 of 2011. Our intention was to measure the maturity of information security management practices across a range of medium to large companies from different industries. Our survey asked IT and information security decision-makers 50 challenging questions across 10 areas:

1 Organisation & Industry Demographics
2 Information Security Governance
3 Information Security Risk
4 Information Security Compliance
5 IT and Information Security Budgets
6 Training & Awareness
7 Social Media & Mobile Security
8 Information Security Programme Management
9 Managed Services
10 Incident Management and Cyber Forensics

We hope you find this report useful to guide your own information security strategy and planning initiatives.

I would like to extend my warmest thanks to all participating companies for taking the time and courage to respond with such honesty. It is through the commitment of a select few to improving security that the community as a whole will benefit. Secondly I would like to acknowledge the companies that sponsored the 2011 Thermometer report and never once attempted in any way to interfere with its independence. Thanks to your generous advertising sponsorship we were able to release the full version of the report to the information security community at no charge. Finally to my team for producing an outstanding piece of work. The quality of the report is on par with any international reports I have seen yet still so vibrantly South African. I am proud of what we have achieved and look forward to many more projects in the future.
If you require deeper insight or analysis:

Service 1: We will facilitate an interactive workshop with senior members of your IT, information security or privacy teams to compare your organisation to local statistics derived from the benchmarking exercise. More detailed quantitative data will be shared to provide valuable insight into your budgeting and strategic planning processes.

Service 2: As part of our mentorship offering we can provide independent input to your steering committee or oversight of key projects.

For these and other services contact us at info@wolfpackrisk.com for more information.
Corporate contact details:
Craig Rosewarne, Managing Director, Wolfpack Information Risk (Pty) Ltd
Building 1, Prism Office Park, Ruby Close, Fourways, Johannesburg, 2055
Telephone: +27 11 367 0613
Email: info@wolfpackrisk.com
Website: www.wolfpackrisk.com
Table of Contents

Foreword (page 1)
The Information Security Group of Africa (ISG Africa) (page 3)
South African Chamber of Commerce and Industry (SACCI) (page 4)
Research Domains (page 5)
  1 Organisation & Industry Demographics (page 5)
  2 Information Security Governance (page 8)
  3 Information Security Risk (page 13)
  4 Information Security Compliance (page 18)
  5 IT & Information Security Budgets (page 25)
  6 Training & Awareness (page 30)
  7 Social Media & Mobile Security (page 35)
  8 Information Security Programme Management (page 38)
  9 Managed Services (page 39)
  10 Incident Management & Cyber Forensics (page 41)
Company Directory (page 44)
The Information Security Group of Africa (ISG Africa)
(Association incorporated in terms of section 21 - 2006/001533/08)
About Us

ISG Africa is a non-profit organisation formed in 2005 and was created in response to the increase of information security threats facing companies in Africa. This volunteer Group consists of over 4000 security professionals from Corporate, Government and IT / Legal firms within Africa. ISG Africa’s aim is to provide the mechanism for regular exchange of information security knowledge and to facilitate networking between members and the stakeholder community whilst raising awareness of vulnerabilities and global threats in the context of Africa.

“The main object of the company as an association not for gain, is to carry on, establish, promote, manage and control, various interest and user groups, for the promotion of education, and awareness of information security.” (Source: ISG AFRICA MEMORANDUM OF ASSOCIATION)

Active chapters: Gauteng; Western Cape; KwaZulu-Natal; Nigeria

Special Interest Groups: Privacy; Payment Card Industry (PCI); Cybercrime; Penetration testing / Vulnerability management; Information Security Management; Disaster Recovery

FOR MORE INFORMATION OR DETAILS ON HOW TO JOIN please visit www.isgafrica.org or contact admin@isgafrica.org
South African Chamber of Commerce and Industry (SACCI)
www.sacci.org.za

As we enter 2012, the contributions of legitimate entrepreneurship and entrepreneurial activities will take on even greater economic significance. Although businesspersons have resigned themselves to dealing with the numerous challenges associated with a protracted economic recovery, they remain challenged by illegitimate activities and criminal activities. Such activities are not only an impediment to greater levels of international trade, as it fundamentally undermines the trust necessary to conduct business across borders, but it continues to erode both domestic business-to-business relationships and undermine business-consumer relationships. While South African authorities continue to meet these challenges with a growing spate of first world “protection legislation”, the pace of technological development, criminal ingenuity and lack of enforcement capacity currently contributes to this being a losing battle.

As with any problem, the first step towards addressing or resolving the problem is to understand the problem; it is on this basis that the 2011 Information Security Thermometer was developed to provide specific insights into the scope, nature and trends relating to information protection and cybercrime. It is contemplated that the thermometer would inform and form the basis of both corporate strategies as well as national regulation in addressing this impediment to business. While the formulation of such strategies and regulations take shape, we can each look within our own enterprises and communities and address the ethical and conduct issues that spawn such criminal activity. We can each inculcate a culture premised on Doing No Harm.

Neren Rau, Chief Executive Officer, South African Chamber of Commerce & Industry
1 Organisation & Industry Demographics

1.1.1 Regional participation
[Pie chart of participation by province (Gauteng, KwaZulu-Natal, Free State and the Cape provinces appear in the legend); the percentage labels did not survive extraction.]

Total number of companies approached: 120
Total responses received: 88
Valid responses used: 77
1.1.2 Role participation

Answer: Count
IT Executive / CIO / IT Director: 10
Chief Information Security Officer / GM IS: 16
Information Security Officer: 21
Risk Manager / Information Risk / Compliance: 8
IT Manager / Network Manager: 6
Enterprise Architect / IS Architect: 2
IT Security Officer / IT Risk Officer: 10
Security Admins / Security specialists: 2
IT Audit Manager / Technology Audit Manager: 2
1.1 Your company industry sector

Answer: Count
Banking / Financial Sector: 14
Insurance / Medical: 9
Technology, Media, Telecommunications (TMT): 16
Mining & Metals: 5
Manufacturing: 6
Retail: 6
Government / Parastatal / SOE: 14
Hospitality: 2
Pharmaceuticals: 1
Other: 4
TOTAL: 77
1.2 Organisation size
[Pie chart; categories: Less than 100, 101-1,000, 1,001-5,000, 5,001-10,000, 10,001-50,000, More than 50,000. The percentage labels did not survive extraction in an order that can be matched to the categories.]

1.3 Number of computer users in SA supported by IT
[Pie chart using the same size bands as 1.2; percentage labels not recoverable.]

1.4 Number of IT staff
[Pie chart; legible label pairs: 26-50 (9%), 301-500 (7%), Other (6%). Further bands shown include 1-15, 51-100, 101-150, 500-1,000 and More than 500; their labels are not recoverable.]

Ratio of IT Staff to Employees
The table below shows that IT staffing levels can vary significantly according to the size of the company. (Source: workforce.com)

Employee Size: Ratio of IT staff to total employees
500-1,000: 1:25
1,000 to <5,000: 1:23
5,000 to <10,000: 1:25
10,000 or more: 1:40

1.5 Number of information security staff (who have more than 50% IS responsibility)
1.6 Number of part-time / contractor information security staff
[Two pie charts sharing a legend: None, 1-5, 6-10, 11-20, 21-30, 31-50, 51-100, More than 100, Other. Labels visible: 61%, 47%, 32%, 12%, 10%, 9%, 9%, 6%, 3%, 3%, 2%; the extraction does not preserve which label belongs to which slice.]

Interesting Observation
There was no pattern as to which sector employed the most part-time or contractor IS staff – the top 5 employers were spread across the financial, government, retail, mining and industrial sectors.
2 Information Security Governance
2.1 Do you have a dedicated Information Security Officer (ISO) or equivalent senior role devoted entirely to information security?

Answer: Percentage
Yes: 69.14%
No: 22.22%
In the process of appointing: 8.64%

Opinion
Despite the increase of threats facing companies today, it is difficult to believe that over 30% of medium to large SA companies still do not have a dedicated information security management position. What is even more concerning is the probable ratio in the small to mid-sized sector of the economy.
2.2 To whom does the head of information security directly report?
[Pie chart. CIO (Chief Information Officer or relevant IT executive): 67%. The other categories shown are CFO (Chief Financial Officer or Financial Executive), CEO (Chief Executive Officer or Managing Director), COO (Chief Operations Officer), Risk, Compliance, Physical security and Architecture executives, Steering committee and Governance role; their labels (between 1% and 6% each) cannot be matched reliably from the extraction.]

From a participant – “The ISO role has been delegated by the CEO to an Executive as an additional function within their portfolio.”
2.3 Do you have an information security charter in place?

Answer: Percentage
Yes and signed by senior management: 41.98%
Yes but not yet signed off: 9.88%
Currently in development: 28.40%
No: 17.28%
No comment: 2.47%

An IS charter is a clear communication of senior management’s expectation that information security and governance objectives are supported and achieved.
2.4 Do you have an established information security steering committee (ISSC)?
[Pie chart; categories: Yes and represented by senior management across the business; Yes but only represented by IT; Not yet but plan to establish shortly; No; No comment. Labels visible: 26%, 26%, 23%, 22%, 3%; the extraction does not preserve which label belongs to which category.]

Opinion
In my opinion this is one of the most effective ways of bridging the void between information security and the business. The typical committee may include senior representatives from:
• HR / Procurement
• Legal / Compliance
• IT
• Risk / BCM / Internal audit
• Physical security
• Key business areas
• Outside information security specialists

An ISSC consists of senior stakeholders that are focused on resolving information security and privacy challenges in the most effective way possible.
2.5 Do you have external expertise represented at the information security steering committee (ISSC)?

Answer: Percentage
Yes – our ISSC is chaired by an outside subject matter expert: 2.47%
Yes – part of the committee only: 11.11%
Not yet but plan to bring in someone shortly: 12.35%
No: 71.60%
No comment: 2.47%

Opinion
It is interesting when one analyses advice from King III regarding the structure of a company’s board:

2.16. The board should elect a chairman who is an independent non-executive director. Why? The non-executive chairman can play a critical role in representing the different constituencies in the company with an impartial viewpoint. The chairman helps maintain continuity during times of management change; is independent of “company politics”; can play an effective role as mediator and can assist the CEO with difficult public relations issues.

2.18.1 The majority of board members should be non-executive directors.

Why then is this wisdom forgotten when it comes to other important areas of the business – especially the structuring of the information security steering committee (ISSC)? Only a small percentage of SA companies utilise outside subject matter experts. If you are able to locate the correct person/s I can guarantee you that the small outlay to “beef up” your ISSC with hired expertise will help reduce risk and generally improve the maturity of your IS management capability.
2.6 Has your board assumed responsibility for the governance of information security as per KING III (Section 5.6 – The board should ensure that information assets are managed effectively)?

Answer: Percentage
Yes – documented evidence: 41.98%
Not yet but plan to shortly: 35.80%
No plans: 8.64%
Don’t know: 11.11%
No comment: 2.47%
2.7 How often is information security an item on the board’s agenda?

Answer: Percentage
It is a standing agenda item: 29.63%
Seldom: 23.46%
Only when you have an incident: 24.69%
Never: 4.94%
Don’t know: 14.81%
No comment: 2.47%

From participants –
“IT is on the agenda not information security”
“It is incorporated as part of IT, and only discussed if there has been an incident or there is a requirement to implement a security solution.”
“Not yet, getting there.”
“Enterprise Risk management has only recently extracted an Information Security Risk report from IT Risk report.”
2.8 In your opinion how aligned is information security to the business objectives of the organisation?
[Pie chart. Fully aligned: 21%; Somewhat aligned: 59%. The remaining categories are Not at all aligned, Don’t know and No comment, with labels 14%, 4% and 2% that the extraction does not assign reliably.]

From participants –
“Information security is not considered specifically in business objectives.”
“The group company policies are aligned to company business strategy but has not been reviewed lately for relevance.”
3 Information Security Risk

Enterprise risk management (ERM) can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organisations to ensure they are appropriately managed.

3.1 In your opinion how mature is your enterprise risk management (ERM) function?
[Pie chart; categories: Extremely mature and functions efficiently; Somewhat mature; Immature and large room for improvement; No ERM function; Don’t know. Labels visible: 53%, 28%, 17%, 3%; the extraction does not preserve which label belongs to which category.]
3.2 Do you have an established enterprise risk management (ERM) committee?

Answer: Percentage
Yes and represented by senior management across the business: 55.26%
Yes but not represented by business: 14.47%
Not yet but plan to establish shortly: 10.53%
No: 10.53%
Don’t know: 7.89%
Other: 1.32%
3.3 Does a representative from information security / information risk form part of the enterprise risk management (ERM) committee?

Answer: Percentage
Yes: 48.68%
Not yet but plan to shortly: 11.84%
No: 35.53%
Don’t know: 3.95%

From participants –
“Information Security has been asked not to get involved with ERM”
“An IT Risk Committee (chaired by the CIO) is held every quarter and tracks progress on IT Risks. Enterprise Risk Management team attends and challenges IT feedback.”
3.4 How often do you conduct a formal organisation wide information security assessment?
[Pie chart. Every Six Months: 14%. Further categories shown: Every Two Years, More than Two Years, Other (please comment), Don’t know, and a band ending in “or less”; labels visible for these are 13%, 6%, 5% and 4%, which the extraction does not assign reliably; the largest slice is unlabelled.]

From participants –
“There has never been a review according to my knowledge”
“Security assessments and audits are done annually, however these are done in pockets and not organisation wide.”
“We do it when we are requested to do it, but there are regular ISSC meetings to discuss progress on various projects and Internal Audit are also very closely involved.”
3.5 Are all major information security risks reported to enterprise risk management (ERM)?
3.6 Are all major IT risks reported to enterprise risk management (ERM)?
[Two pie charts sharing a legend: Yes – IS risk forms an integral part of ERM; More ad-hoc reporting for now; Not yet but plan to shortly; No; Don’t know. Labels visible across both charts: 50%, 41%, 36%, 30%, 11%, 9%, 9%, 7%, 4%, 4%; the extraction does not preserve which label belongs to which slice or chart.]

Opinion
Having reviewed the feedback above there certainly appears to be a higher priority to report IT related risks to the Enterprise Risk function than information security risks. Why is this? It is probably due to the fact that the IT function has existed for longer than information security and is therefore more engrained in the business.
3.7 Which tool do you currently use to capture & report on risks within the organisation?

Answer: Percentage
Microsoft Office (Excel / Word): 46.59%
ERM vendor tool (please specify): 27.27%
Internally developed tool (i.e. using Sharepoint): 13.64%
A combination of the above: 14.77%
No tool yet but currently investigating: 4.55%
None: 2.27%
Other: 5.68%

Interesting Observation
A list of some of the popular ERM tools used by SA companies in the survey:
• BarnOwl
• Cura
• KnowRisk
• Openpages
• TeamMate

Opinion
Traditional Excel and Word it seems are still the preferred methods of capturing and reporting risk for most SA organisations. I often find companies begin this way and as the risk process matures they migrate to an ERM tool. This I believe is a better approach to rushing out and buying a tool without a working process in place.
4 Information Security Compliance
4.1 Please confirm your organisation’s readiness to comply with the following:
Scale: 1 = Fully compliant; 2 = Somewhat compliant; 3 = About to start; 4 = Not applicable; 5 = Unsure

Regulation / standard | 1 | 2 | 3 | 4 | 5
Regulation of Interception of Communications Act 70 of 2002 (RIC Act) | 36.49% | 20.27% | 13.51% | 12.16% | 17.56%
Payment Card Industry Data Security Standard | 10.81% | 33.78% | 6.76% | 36.49% | 12.16%
KING III Code of Governance for SA 2009 | 17.57% | 50.00% | 13.51% | 5.41% | 13.51%
Electronic Communications and Transactions Act 25 of 2002 (ECT Act) | 28.38% | 48.65% | 5.41% | 5.41% | 12.16%
Protection of Personal Information Bill (PoPI) | 9.46% | 36.49% | 32.43% | 2.70% | 18.92%

Opinion
“It was interesting to note that nearly one third of participating companies are yet about to embark on a project to meet the requirements of the Protection of Personal Information Bill (PoPI). I firmly believe that most local companies are still not aware of the full magnitude of meeting the requirements of PoPI and other privacy-related laws. If they think this is simply another project for IT or information security to handle they are in for a rude awakening. Once enacted PoPI will fundamentally change how a business manages personal information. Expect a major revamp to the following processes within your business as a start – Sales and marketing, IT, HR, Risk and compliance and of course Information security.”
4.2 Which standards or best practice guidelines do you currently use in your information security practice?
Scale: 1 = Fully utilised; 2 = Somewhat utilised; 3 = About to start; 4 = Not applicable; 5 = Unsure

Standard | 1 | 2 | 3 | 4 | 5
ISO 27002 (Previously ISO 17799) | 31.08% | 44.59% | 5.41% | 10.81% | 8.10%
Cobit 4.1 | 29.73% | 44.59% | 8.11% | 9.46% | 8.10%
ITIL 3.0 | 25.68% | 51.35% | 8.11% | 5.41% | 9.46%
Information Security Forum (ISF) | 14.86% | 29.73% | 6.76% | 31.08% | 17.56%
4.3 What is your position on achieving external ISO 27001 certification for your company?
[Pie chart. We have conducted a gap analysis against ISO 27001 and are considering certification: 22%. We are not convinced of the business benefits and are not considering certification: 46%. The remaining categories are We have already achieved certification, We are seriously considering obtaining ISO 27001 certification, and Unsure, with labels 14%, 8% and 4% that the extraction does not assign reliably.]
Number of Certificates Per Country

Japan: 3862
India: 526
China: 492
UK: 477
Taiwan: 431
Germany: 174
Korea: 106
Czech Republic: 103
USA: 101
Spain: 75
Hungary: 68
Italy: 68
Poland: 58
Malaysia: 55
Ireland: 42
Thailand: 41
Austria: 39
Romania: 35
Hong Kong: 32
Greece: 30
Australia: 29
Singapore: 29
Mexico: 27
France: 26
Turkey: 24
Brazil: 23
Slovakia: 23
UAE: 20
Slovenia: 19
Bulgaria: 18
Croatia: 17
Netherlands: 16
Philippines: 15
Iran: 14
Pakistan: 14
Vietnam: 14
Iceland: 13
Indonesia: 13
Saudi Arabia: 13
Colombia: 11
Kuwait: 11
Norway: 10
Portugal: 10
Russian Federation: 10
Sweden: 10
Canada: 9
Switzerland: 9
Bahrain: 8
Egypt: 5
Oman: 5
Peru: 5
South Africa: 5
Sri Lanka: 5
Dominican Republic: 4
Lithuania: 4
Morocco: 4
Chile: 3
Gibraltar: 3
Macau: 3
Qatar: 3
Albania: 2
Argentina: 2
Belgium: 2
Bosnia Herzegovina: 2
Cyprus: 2
Isle of Man: 2
Kazakhstan: 2
Luxembourg: 2
Macedonia: 2
Malta: 2
Ukraine: 2
Mauritius: 2
Armenia: 1
Bangladesh: 1
Belarus: 1
Denmark: 1
Ecuador: 1
Jersey: 1
Kyrgyzstan: 1
Lebanon: 1
Moldova: 1
New Zealand: 1
Sudan: 1
Uruguay: 1
Yemen: 1
Total: 7346

Source: http://www.iso27001certificates.com/Register%20Search.htm
Comment
I believe with stricter privacy compliance requirements and mounting third party assurance pressures on South African companies we are going to see an increase in the number of local ISO 27001 certifications. If we compare ourselves to other developing countries such as India (526) and China (492) we still have a long way to go. If we as a continent wish to attract foreign investment this will highlight our good governance in providing independent assurance to our investment partners that we take information security seriously.
5 IT & Information Security Budgets
5.1 What was your company’s annual IT Budget for FY2010?

Budget per company employee size: Average amount
101-1,000: 32,6M
1,001-5,000: 112M
5,001-10,000: 138,4M
10,001-50,000: 443,4M
More than 50,000: 586,7M
(All figures quoted in Rands ZAR)
5.2 What is your company’s annual IT Budget for FY2011?

Budget per company employee size: Average amount
101-1,000: 34,7M
1,001-5,000: 122,9M
5,001-10,000: 155,2M
10,001-50,000: 434,1M
More than 50,000: 650M
(All figures quoted in Rands ZAR)

Comment
The above figures are averages for each of the category sizes. For an analysis of individual budgets per industry sector please contact us to arrange a more detailed report and feedback session.
5.3 How are information security budgets typically determined in your organisation? (select those that apply)
[Pie chart; categories: A percentage of IT budget; A percentage of risk budget; Based on incidents; Based on projects approved for the year; Based on a budget defined by head of information security; No official budget but requirements defined by business; Other. Labels visible: 35%, 25%, 19%, 17%, 11%, 6%, 6%; the extraction does not preserve which label belongs to which category.]

5.4 What was your annual information security budget for FY2010?
(All figures quoted in Rands ZAR)

Budget per company (employee size) | Operational / Business as Usual (BAU) | Special projects / Consulting fees / Hardware / Software purchase | Other | TOTAL Amount
101-1,000 | 1,2M | 1,4M | 1,2M | 3,8M
1,001-5,000 | 4,6M | 5,2M | 938K | 10,7M
5,001-10,000 | 2,4M | 660K | 1,2M | 4,2M
10,001-50,000 | 15,7M | 2,9M | 5,4M | 24,1M
More than 50,000 | 16,5M | 5,5M | 2,7M | 24,7M

5.5 What is your annual information security budget for FY2011?
(All figures quoted in Rands ZAR)

Budget per company (employee size) | Operational / Business as Usual (BAU) | Special projects / Consulting fees / Hardware / Software purchase | Other | TOTAL Amount
101-1,000 | 1,6M | 2,2M | 900K | 4,8M
1,001-5,000 | 4,9M | 5,6M | 2,5M | 13M
5,001-10,000 | 3,7M | 900K | 880K | 5,5M
10,001-50,000 | 20M | 17,6M | 4M | 41,6M
More than 50,000 | 24,5M | 19,1M | 3M | 46,6M
5.6 What change do you envisage to your FY2012 information security budget?
[Pie chart. No change: 15%; Don’t know: 6%; No answer: 8%. Large increase and Small increase carry the labels 22% and 45%, and Small decrease and Large decrease the labels 2% and 3%; the extraction does not preserve which label belongs to which of the two.]

From participants –
“PoPI Compliance is a major driver.”
“We have a requirement for encryption and two factor authentication.”
“Focus areas – ISO 27001 gap analysis / Improve education and awareness / 1 additional resource for e-mail management / Further network vulnerability testing.”
5.7 What is the typical annual salary scale (excluding bonuses) for the following professionals in your organisation – CIO or IT Exec?
[Pie chart; categories: More than R1,5M per annum; Between R1M to R1,49M; R750K to R999K; R500K to R749K; Less than R500K; Don’t know; No answer. Labels visible: 29.23%, 26.15%, 23.08%, 9.23%, 6.15%, 4.62%, 1.54%; the extraction does not preserve which label belongs to which category.]
5.8 What is the typical annual salary scale (excluding bonuses) for the following professionals in your organisation – CISO or Information Security Exec?

Answer: Percentage
More than R1,5M per annum: 5%
Between R1M to R1,49M: 8%
R750K to R999K: 32%
R500K to R749K: 18%
Less than R500K: 5%
Don’t know: 28%
No answer: 5%
5.9 What is the typical annual salary scale (excluding bonuses) for the following professionals in your organisation – IS Officer or IS Manager?
[Pie chart; categories: Between R1M to R1,49M; R750K to R999K; R500K to R749K; Less than R500K; Don’t know; No answer. Labels visible: 31%, 22%, 22%, 15%, 7%, 6%; the extraction does not preserve which label belongs to which category.]
6 Training and awareness

Training

6.1 What is your typical professional training budget per information security staff member per annum? (including classroom / onsite / e-learning / conferences)

Answer: Percentage
More than R50,000: 13.56%
Between R25,000 to R49,999: 11.86%
Between R10,000 to R24,999: 32.20%
Less than R10,000: 18.64%
No training budget: 8.47%
Don’t know: 15.25%
6.2 What are the current or preferred methods of training used by your information security team?
Scale: 1 = Popular; 2 = Busy investigating; 3 = Seldom use; 4 = Never use; 5 = Unsure

Method | 1 | 2 | 3 | 4 | 5
6.2.1 Classroom based – offsite | 59.32% | 11.86% | 13.56% | 11.86% | 3.39%
6.2.2 Classroom based – onsite | 32.20% | 10.17% | 28.81% | 23.73% | 5.08%
6.2.3 Self study | 54.24% | 16.95% | 18.64% | 6.78% | 3.39%
6.2.4 Virtual classroom / Webinar (with remote human instructor) | 23.73% | 23.73% | 28.81% | 18.64% | 5.08%
6.2.5 e-Learning / Computer based only | 33.90% | 16.95% | 28.81% | 13.56% | 6.78%
6.2.6 Simulations / Serious gaming | 10.17% | 10.17% | 23.73% | 44.07% | 11.86%
Awareness

6.3 What percentage of your information security budget was spent on awareness in FY2010?
[Pie chart for 2010; labels visible: 46%, 22%, 12%, 12%, 7%, 2%; the category legend did not survive extraction.]

From participants – “While we do run awareness campaigns, there is little budget dedicated to this. We try to use existing resources and technologies”.

“It is amazing that a company is willing to spend millions on the latest security technologies but not have a formal budget to run an awareness programme. Employees are still getting caught out with planted USB flash drives, are still clicking on dangerous links or attachments and are still giving out sensitive information to social engineers.”

6.4 What percentage of your information security budget will be spent on awareness in FY2011?
[Pie chart for 2011; labels visible: 41%, 20%, 14%, 14%, 2%, 1%; the category legend did not survive extraction.]

"What percentage of security budget should be spent on security awareness?" A good question, which deserves more than the obvious answer of “a lot more”. My immediate response was that it depends where you are in terms of process maturity and other factors that might shape your priorities, but in my view it should be 10-20% of security budget, i.e. at least 10% and no more than 20%. This might sound a lot to many organisations but it reflects the importance of the subject, the need to do it properly and the substantial return on investment from reducing the numerous incidents caused by ignorance and bad practices. (CISO.com)
6.5 Do you envisage a change to your FY2012 information security awareness budget?
[Pie chart. Large decrease: 0%; Small decrease: 0%; Don’t know: 7%. Large increase, Small increase and No change carry the labels 42%, 31% and 20%; the extraction does not preserve which label belongs to which category.]

There are many reasons why security awareness initiatives fail to make an impact. Often the material is dull, people have difficulty relating to it, it’s poorly designed and presented, and the consequences of following (or not) the advice are not sufficiently personal, immediate or certain. Security managers and in-house communications staff are not the best designers of educational material. It normally pays to get external professional assistance.

From participants –
“We are not allowed to be "in your face" with our users around awareness, so there is no budget for this.”
6.6 Awareness programmes – How effective have the following methods of raising overall awareness been in your organisation?

Method | Very effective | Somewhat effective | Not very effective | Investigating this option | Unsure
6.6.1 Formal security induction training | 22.03% | 37.29% | 10.17% | 20.34% | 10.17%
6.6.2 Compulsory e-learning / CBT sessions | 11.86% | 20.34% | 11.86% | 25.42% | 30.51%
6.6.3 Designated formal briefing sessions at staff gatherings | 18.64% | 27.12% | 15.25% | 16.95% | 22.03%
6.6.4 Ambush theatre (i.e. actors play out a “live” scenario in canteen) | 3.39% | 3.39% | 11.86% | 23.73% | 57.63%
6.6.5 Messages in company newsletters | 15.25% | 28.81% | 25.42% | 13.56% | 16.95%
6.6.6 Distributing small gifts with security reminders | 11.86% | 18.64% | 16.95% | 18.64% | 33.90%
6.6.7 Awareness linked to staff performance measures (KPIs) | 20.34% | 10.17% | 15.25% | 23.73% | 30.51%
6.6.8 Using social media tools | 11.86% | 13.56% | 11.86% | 28.81% | 33.90%
7 Social Media & Mobile Security
7.1 Please indicate the current status of the following social media platforms in your company
[Four pie charts sharing a legend: Blocked – no corporate access allowed; Certain staff allowed access based on role or during certain hours; No restrictions – full access; Don’t know. The extraction does not preserve which label belongs to which category.]

7.1 Facebook – labels visible: 61%, 22%, 17%, 0.00%
7.2 LinkedIn – labels visible: 49.15%, 40.68%, 8.47%, 1.69%
7.3 Twitter – labels visible: 46%, 29%, 22%, 3%
7.4 YouTube – labels visible: 47.46%, 45.76%, 3.39%, 3.39%

From participants –
“The marketing and communication department have access to all social media sites as part of their role.”
“We allow limited time on social media sites that don’t have an adverse effect on bandwidth to all users. We limit bandwidth intensive sites to authorised users only where there is a specific business need.”
7.5 Please indicate which mobile devices your staff are allowed to use to access their corporate emails and calendar functionality (select all that apply)
[Bar chart; categories: Blackberry / RIM platform; iOS platform (Apple iPhone / iPad); Android platform; Windows platform; Symbian (Nokia) platform; All platform access allowed – no centralised mobile management solution currently in place; All blocked – no corporate calendar / email access allowed on mobile devices. Values visible (percentage of respondents): 60.23, 45.45, 42.05, 32.95, 29.55, 22.73, 1.14; the extraction does not preserve which value belongs to which platform.]
8 Information Security Programme Management
Which parts of managing your information security programme do you find challenging?

Area | Major frustration | Very challenging | Room for improvement | Working well | Unsure
8.1 Overall lack of commitment from senior management to information security | 26.79% | 32.14% | 16.07% | 23.21% | 1.79%
8.2 Enforcing policy / standard requirements across all users | 32.14% | 33.93% | 14.29% | 17.86% | 1.79%
8.3 Information security compliance management | 17.86% | 48.21% | 19.64% | 10.71% | 3.57%
8.4 Running an original and effective awareness campaign | 21.43% | 41.07% | 16.07% | 14.29% | 7.14%
8.5 Insufficient budgets to do a thorough job | 44.64% | 21.43% | 17.86% | 14.29% | 1.79%
8.6 Constantly evolving threat universe to manage effectively | 23.21% | 37.50% | 23.21% | 12.50% | 3.57%
8.7 Complex security programme management | 14.29% | 35.71% | 26.79% | 17.86% | 5.36%
8.8 Attracting & retaining suitably qualified staff | 30.36% | 26.79% | 12.50% | 23.21% | 7.14%
8.9 Complexity of technologies to manage | 10.71% | 51.79% | 23.21% | 12.50% | 1.79%
8.10 Managing risk introduced through social media | 10.71% | 35.71% | 26.79% | 16.07% | 10.71%
8.11 Managing data expansion – knowing where my data resides / classification | 25.00% | 50.00% | 12.50% | 8.93% | 3.57%
8.12 Policy and standards lifecycle management – ensuring documents are updated, signed, communicated | 19.64% | 30.36% | 28.57% | 19.64% | 1.79%
8.13 Endpoint & mobile protection | 26.79% | 37.50% | 17.86% | 16.07% | 1.79%
8.14 Preventing data leakage | 44.64% | 32.14% | 14.29% | 7.14% | 1.79%
8.15 No national SA information security incident response centre (CIRT) to assist in case of crisis | 25.00% | 28.57% | 25.00% | 7.14% | 14.29%
8.16 Identity and Access management | 32.14% | 23.21% | 21.43% | 19.64% | 3.57%

“Whilst many companies are finding it difficult to run an effective information security programme in the current climate, things are only going to get tougher. There is a global increase in threats and compliance requirements facing companies. The two biggest headaches for local information security decision-makers are insufficient budgets and data leakage management. The challenge – trying to safeguard expanding information assets with fewer resources. I like to use the analogy of a farmer attempting to protect his fields from 360 degree attacks – from birds above, from bugs below and other neighbourhood threats. Information security “farmers” have the same challenges but on a far larger scale – every single “bird”, “bug”, “thief”, “crop disease” and so forth on the entire planet has the potential to become a major threat.”
9 Managed services

How do you currently manage the following information security components?

| Component | Already outsourced | Investigating | Shared outsourcing responsibility | Managed in-house | Unsure |
|---|---|---|---|---|---|
| 9.1 Entire information security function | 3.57% | 3.57% | 32.14% | 57.14% | 3.57% |
| 9.2 Vulnerability management | 12.50% | 5.36% | 42.86% | 37.50% | 1.79% |
| 9.3 Identity and access management | 5.36% | 0.00% | 25.00% | 62.50% | 7.14% |
| 9.4 Email hygiene & content filtering | 26.79% | 1.79% | 30.36% | 39.29% | 1.79% |
| 9.5 Web application security | 19.64% | 1.79% | 33.93% | 37.50% | 7.14% |
| 9.6 Network firewall management | 23.21% | 0.00% | 28.57% | 48.21% | 0.00% |
| 9.7 Endpoint security | 12.50% | 0.00% | 30.36% | 51.79% | 5.36% |
| 9.8 Compliance monitoring | 7.14% | 1.79% | 16.07% | 64.29% | 10.71% |
| 9.9 IDS / IPS management | 19.64% | 0.00% | 28.57% | 44.64% | 7.14% |
| 9.10 Log monitoring | 10.71% | 8.93% | 25.00% | 44.64% | 10.71% |
| 9.11 Data leakage protection | 5.36% | 5.36% | 25.00% | 48.21% | 16.07% |
| 9.12 Policy management | 0.00% | 3.57% | 10.71% | 80.36% | 5.36% |
“Apart from firewall and email management, it appears South African information security decision-makers are not all that comfortable yet with outsourcing. Policy and compliance management are on the opposite side of the spectrum as those least likely to be outsourced. What does this spell out to local managed security service providers? Maybe their value proposition does not provide a sufficient return on investment (ROI) to justify a move, or perhaps corporates still believe they can do the job better themselves?”
10 Incident Management & Cyber Forensics
A formal privacy and information security incident management capability is essential. Aspects to cover include funding and cost models; analysis, containment and recovery responsibilities; decision-making authority for notifications; legal and/or law enforcement involvement; forensic investigations; responsibility for after-incident debriefing; the communication process; and testing and process improvements.
10.1 We have an information security & privacy incident management plan

Yes – defined, approved by top management and tested regularly: 30%
Yes – defined, approved by top management but not tested: 14%
Yes – defined, but not approved by top management & not tested: 21%
Informal / Ad hoc: 21%
No defined information security & privacy incident management plan: 13%
“Talk to any security or privacy professional who has experienced a major incident and they will highlight the importance of having a tried and tested incident management capability in place. Over one third of local companies analysed have no incident management plan (or at minimum an informal one) implemented which puts their company at risk. Forewarned is forearmed I say.”
10.2 We have a defined cyber forensics / computer forensics first responders team

Yes – defined and efficient: 13%
Yes – somewhat established but not yet put to the test: 18%
Ad hoc / informal: 25%
No – we outsource this capability: 7%
Nothing yet in place: 36%
Unsure: 2%
10.3 Incidents

From participants:
“We have no computer forensic capability as yet. This is being investigated.”
“Our Forensics unit claim to be responsible for investigating and responding to cyber threats, but our Information Security policy states otherwise.”

Rate the occurrence of the following incidents in your company over the last 12 months

| Incident | On the increase | No change | On the decrease | No reports of this | Unsure |
|---|---|---|---|---|---|
| 10.3 Online fraud | 21.43% | 10.71% | 5.36% | 50.00% | 12.50% |
| 10.4 Identity theft | 12.50% | 12.50% | 8.93% | 53.57% | 12.50% |
| 10.5 Intellectual Property theft | 10.71% | 19.64% | 8.93% | 48.21% | 12.50% |
| 10.6 Laptop / computer theft | 26.79% | 42.86% | 14.29% | 5.36% | 10.71% |
| 10.7 Industrial espionage | 5.36% | 17.86% | 1.79% | 51.79% | 23.21% |
| 10.8 Customer records / data loss | 12.50% | 19.64% | 10.71% | 46.43% | 10.71% |
| 10.9 Third party lost our customer information | 5.36% | 14.29% | 1.79% | 66.07% | 12.50% |
| 10.10 Extortion from syndicates | 12.50% | 12.50% | 3.57% | 57.14% | 14.29% |
“What is the cost of cybercrime to the South African economy? Whilst cybercrime is still a crime and needs to be reported as such to the South African Police Services, there is no specific indication of the true cost of cybercrime to our country. Upcoming legislation (the Protection of Personal Information Act) will go some way towards forcing companies to disclose breaches of personal information, but for now most companies are tight-lipped on the full extent and cost of these types of incidents. A recent 2011 UK Cabinet Office report, “The Cost of Cybercrime”, produced by Detica in partnership with the Office of Cyber Security and Information Assurance, estimates the cost of cybercrime to the UK economy at £27 billion a year, and growing.”
We plan to undertake a South African Cybercrime Barometer study in 2012 to analyse the true extent of cybercrime activity in the South African environment. Hopefully this will better equip all relevant stakeholders to ensure the correct measures are in place to deal with this scourge threatening our country.
www.TheInternetPassport.com – Single Signon solution with 100% Non-repudiation.
www.barnowl.co.za – Integrated Enterprise Risk Management, Internal Audit & Compliance Software.
www.citicus.com – Risk and compliance management software. In-house or SaaS implementation.
www.drs.co.za – IT security, security solutions, data protection, managed security services, forensics.
www.tscm-za.com – TSCM, technical surveillance countermeasures, sweeping & debugging, countersurveillance, technical security, information security, risk management.
www.netcure.com – Security Health Checks, Education, Awareness, Information Security Management, Consulting, Dashboards, Data Assurance Services.
www.exponant.com – Specialist Solutions for SIEM, Log Management, Security Monitoring and Control.
www.focalcommunications.co.za – Telephone voice recording equipment, call monitoring software, trunk radio loggers.
www.gtsp.co.za – Penetration Testing, Vulnerability and Risk Assessment, CEH & CHFI Training.
www.ifacts.co.za – Employee screening, Credit checks, Educational Qualifications, ID Verification, CCMA Cases, Criminal Checks.
www.isolvtech.com – Public key infrastructure, biometrics, identity management, secure communications, lawful interception.
www.itcompliance.co.za – PCI DSS & ISO 27001 Compliance Framework (SaaS), Technical & Operational Due Diligence.
www.jtwo.co.za – Policy enforcement, Unified email management, Security Audits.
www.kpmg.co.za – Focuses on the risks specifically pertaining to the technology systems used to support clients’ business objectives through providing advice and solutions that assist in releasing value from information technology.
www.lawtrust.co.za – PKI Solutions, SSL Certificates, Biometric Solutions, Signature Solutions, Symantec CCS, Strong Authentication, Consulting Services, Training, Non-Repudiation Solutions.
www.maxtec.co.za – Network Solutions, Security Solutions, Storage Solutions, Repairs & Support.
www.mcafee.com – Information protection, software & hardware products to protect infrastructure, information, systems, databases, identity management.
www.michalsons.co.za – ICT Legal Specialists.
www.mimecast.co.za – Mimecast delivers email security, continuity and archiving to simplify email management.
www.mistieurope.com – The Global Leader in Audit, Risk, Fraud and Security Training.
www.netsecurity.co.za – Secure network design and systems implementation.
www.outpost24.com – Proactive security solutions in Vulnerability Management – Security Made Easy.
www.pandasecurity.co.za – Antivirus, security, enterprise solutions, perimeter security, spam protection, network security.
www.partnersconsult.net – Information Security Management Systems, Governance, Architecture and Technology Leadership, Advisement Services.
www.remoteq.com – Antivirus, Firewalls, WAN Optimization.
www.reportstar.net – Unified Threat Management, Data Loss Prevention, SIEM, Compliance, Internet/Email Analysis, Managed Security Services, SOC services, Security Systems Monitoring.
www.sacci.org.za – South African Chamber of Commerce and Industry.
www.sensepost.com – Security Assessments, Managed Vulnerability Scanning, Security Training and Consulting Services.
www.sevendaystech.com – Data Classification, Data Leakage Prevention, Data Encryption, Social Media Security & Compliance, Unified Communications Security & Compliance, Sharepoint Security and classification, Mobile Device Security, Endpoint Risk Assessments, Data Risk Assessments, PCI & PPI Risk Assessments and Solutions.
www.symantec.com – Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world.
www.technoblegy.co.za – IT Training, Security Awareness, Networking, Support.
www.telspace.co.za – Attack and Penetration testing, Web Application Assessments, Security Consulting and Service Level Agreements.
www.sans.org – The most trusted and by far the largest source for information security training in the world.
www.thinksmart.co.za – Application (software) security: assessments; design; training. Pentests. PCI/SAS70. Security policies.
www.uniteddecisions.com – SIR10T is aimed at business leaders with a desire to gain better control over projects in their drive to achieve returns on their strategic investment.
www.wolfpackrisk.com – Awareness, online & classroom training, simulations, mentorship, research, toolkits & programme management.
www.zenithsystems.co.za – QRadar SIEM: Log, Threat and Compliance Management.
www.ziliant.com – Consulting (PKI, Authentication, Cryptography). InfoSec Product Development.