451 Alliance


Information Security Trends


GDPR Drives Compliance to Top of Security Project List for 2018

By Tracy Corbo

June 27, 2018


Compliance requirements vary from one industry to the next. In an ideal world it would be nice if compliance was simply the byproduct of a good security program, but things rarely work that perfectly, compliance and security each represent their own set of diverging requirements.


The attention around GDPR, with its timelines for notification, new requirements for identity and privacy, and significant potential fines, has added to substantial industry requirements already present and pushed compliance requirements to the top of the list of pain points and security projects.


May survey of 552 members of the 451 Alliance looks at the trends and factors affecting security teams and project prioritization.


Report Highlights


  • Top Pain Points – While end-user behavior continues to be a top pain point for companies with fewer than 10,000 employees, respondents from very large organizations are struggling with cloud security.
  • Compliance Jumps the Queue – The EU enactment of the General Data Protection Regulation (GDPR) in May has pushed compliance to the forefront of security project priorities for the coming year.
  • Endpoint Security – Endpoint security remains relevant. Endpoint security (91%) is still the most widely adopted security technology across organizations of all sizes.
  • Compromised Endpoints – On average, companies with fewer than 1,000 employees spend 5.2 hours a week cleaning up compromised endpoints. Larger organizations with many more endpoints to manage are spending 8.5 and 13.5 hours a week.


Top Security Pain Points


User behavior continues to be a top pain point for companies with fewer than 10,000 employees. A closer look at the top three security pain points by company size shows that for 39% of very large organizations, cloud security is their top paint point.


chart1_top_pain_points.png


Compliance Jumps the Queue


What constitutes compliance is very industry-specific (e.g., Gramm-Leach-Bliley Act, HIPAA, Hitech, etc.), but the breach notification timelines and fines associated with the European Union (EU) GDPR enacted May 25 has gotten many security managers’ attention.

The GDPR not only applies to organizations located within the EU, but it will also apply to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location. Companies out of compliance can face steep fines.


Although compliance has been an ongoing concern, GDPR is causing a reprioritization of security project plans, and in some cases, has derailed them – especially in Europe. Instead companies are focusing on inventorying systems against new concepts of identity and remediating identified gaps.


Consequently, regulatory compliance (PCI compliance, GDRP, PSD2, NIST) is the top security project for 35% of respondents over the next 12 months, and this is true for organizations of all sizes. That number jumps to 40% for very large organizations with more than 10,000 employees.


chart2_top_security_projects.png



Project Approval Drivers. For the last three years, some manner of risk assessment has been the most common driver moving security projects forward. In 2018, compliance requirements (23%) edge out risk assessment (22%) as the top factor in security projects being approved and prioritized.


chart3_key_factors_projects.png



Endpoint Security


Endpoint security remains relevant – even as new architectures come further into play, protecting users’ endpoints remains a concern. Endpoint security (91%) is still the most widely adopted security technology across organizations of all sizes. This is followed closely by firewall (86%) and email security (86%).


chart4_security_in_use.png

Compromised Endpoints. Endpoints are critical points of vulnerability. When endpoints are compromised, that device transforms from a secure endpoint on the corporate network to an exploitable access point vulnerable to external cyberattacks. Exposing not just the device, but the entire corporate network to the threat.


On average, companies with fewer than 1,000 employees spend 5.2 hours a week cleaning up compromised endpoints. Larger organizations with many more endpoints to manage are spending 8.5 and 13.5 hours a week, on average.


chart5_endpoint_cleanup.png


Dealing with Compromised Endpoints. The remediation process is time-consuming because it is highly manual – 52% of respondents are forced to reimage the system if other forms fail, and another 50% manually clean the compromised system.


chart6_endpoint_remediation.png


Push to Decrease Endpoint Tools. Organizations are pushing back against the number of tools they’re running on each endpoint. On average, organizations have three (2.8) endpoint security solutions running. Larger enterprises (10,000-plus employees) have closer to four.


chart7_endpoint_tools.png


Primary Users of Endpoint Security Tools. The primary user of endpoint security tools varies by company size. For half of very large organizations with more than 10,000 employees, the security operations team is the primary user. However, for smaller enterprise with fewer than 1,000 employees, the desktop/IT team are the primary users.


chart8_endpoint_users.png


Appendix

Security Definitions

Cloud Infrastructure Security

Any number of a host of software-defined security solutions specifically designed to provide security capabilities in cloud virtualized environments.

Endpoint Security

Any of a set of solutions including antivirus, anti-spyware, personal firewalls, application control, host intrusion detection, and anti-malware techniques including behavioral blocking or anomaly detection used to protect endpoints (PCs, laptops, mobile devices, servers) on a network by detecting, protecting, remediating or aiding in the investigation of attacks.

Dynamic/Static Application Security Tools (DAST/SAST)

Software that is used to search for security vulnerabilities in an application, either by inspecting the source code directly or by running the application from the outside as an external attacker would.

Identity as a Service (IDaaS)

An authentication system built, hosted and managed by a third-party provider, generally to provide single or reduced sign-on for cloud-based services.

Intrusion Detection/Prevention Systems (IDS/IPS)

Network security appliances that monitor network links for potential malicious activity, and either alert or alert and block on that activity.

Security Information and Event Management (SIEM)

Technology providing real-time analysis of security events or information gathered from logs generated by hardware and applications.

Vulnerability Assessment

Tools that assist in the identification, quantification and prioritization of vulnerabilities within a system.