Key findings from The Global State of Information Security Survey 2017
Please find the first report here. It is definitely worth reading, but in case you like things short & sweet, here are my key takeaways from this year's GSISS.
Organisations increasingly move away from fear, uncertainty and doubt (FUD) and adopt approaches to cyber security and privacy that make them protectors and enablers of business.
This tells me that organisations are recognising that doing it all yourself on site is too expensive and/or in the end not effective.
So they turn to specialised solution providers for authentication (64%), data loss prevention (61%), identity and access management (61%), real-time monitoring and analytics (55%) and threat intelligence (48%). And 63% of our survey respondents already run certain functions in the cloud!
With regard to threat intelligence, there is a notable rise in the use of Security Operations Centers (SOCs) and (structural) information sharing, which is explored in more depth in this report.
Also remarkable is the number of organisations already investing in security of the Internet of Things: 46%! (Not that that is not desperately needed; cf. the events of Oct 21, 2016, see this article / map.) A separate survey report on that is in the making.
Also interesting is the evolution towards advanced authentication (multifactor and risk-based) and the use of open-source software (in which I see an analogy with the information sharing referred to above):
The survey also shows there is an increasing global risk for data privacy, and this is not just linked to GDPR in Europe and Privacy Shield in the US; many more countries are coming up with new regulations and legislation. It will be hard to manage the differences between such regulations (e.g. see Data Breach Notification: 10 Ways GDPR Differs From the US Privacy Model). What most new regulations have in common, though, is tougher penalties.
Hence, many organisations are putting privacy-related training and awareness, policies and procedures, and assessments high on the agenda.
And all this drives spending priorities for the next 12 months:
To end on a (somewhat) positive note, in 2008, 42% of our survey respondents did not know the source of detected security incidents. This year that was down to 13%.