ISACA and RSA CSX Presentation from the RSA 2015 Conference
•
4 j'aime•1,654 vues
Presentation delivered at the 2015 RSA Conference on the joint RSA \ ISACA state of Cybersecurity survey. The full report is available at www.ISACA.org/cyber
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à ISACA and RSA CSX Presentation from the RSA 2015 Conference
Similaire à ISACA and RSA CSX Presentation from the RSA 2015 Conference (20)
Dernier
Dernier (20)
ISACA and RSA CSX Presentation from the RSA 2015 Conference
- 1. #RSAC SESSION ID: Robert E. Stroud Fahmida Y. Rashid State of Cybersecurity: Implications for 2015 Editor-in-chief RSA Conference @zdFYRashid International President ISACA @RobertEStroud
- 2. #RSAC Topics Professionals Want to Know About RSA Conference submissions tell the story: The industry has matured significantly in regards to discussing identity, insider threat risk and assessing user behavior. “Information sharing” has been a trending topic for the past three years. This year, “threat intelligence” appeared in submission titles and abstracts four times as much as last year. Skills and training are key to addressing global cyber issues. 2
- 3. #RSAC Global Survey State of Cybersecurity: Implications for 2015 An ISACA and RSA Conference Survey Conducted in January 2015. 1,500 ISACA and RSA constituents participated in the survey and 649 completed it. 3 Demographics Budgets, hiring and skills Hacks, attacks and flaws Threats Social media Internet crime and fraud Organizational security and governance
- 5. #RSAC Breakdown of typical respondents: Demographics 5 80% An ISACA member 44% North America European/African 32% Employed in an enterprise with at least 1,000 employees 29% Working in technology services/ consulting 23% Financial services 66% Someone whose main function is in cybersecurity or information security
- 6. #RSAC Hacks, Attacks and Humans Successful attack types: 6 Total Respondents: 704 Hacking attempts 50% 67% 47% 11 % 8% 68% Malware Social engineering Phishing Watering hole Man-in-the-middle attacks SQL injections Insider theft Loss of mobile devices 22% 25 % 44%
- 7. #RSAC Financial gain the highest motivation 7 Total Respondents: 842 390 609 355
- 8. #RSAC Training is Good… Right? Security awareness programs: 8 87% Having an awareness program in place Believed it to be effective72%
- 9. #RSAC Counter-Intuitive Results Organizations with training in place have MORE human-dependent incidents. Especially troublesome: non-malicious insiders impacting enterprise security are 12 % higher in enterprises that have an awareness program in place. 9
- 10. #RSAC Monitor and Identify Monitoring and identifying attacks and exploits remains a strong concern: 10 20% Responded that they do not know if they had been made vulnerable 23% Do not know whether they had any corporate assets hijacked for botnet use or if they had any user credentials stolen in 2014. 30% Do not know if they had become victimized by an advanced persistent threat (APT)
- 11. #RSAC How likely do you think it is that your organization will experience a cyber attack in 2015? Attacks are Expected 11 Total Respondents: 766 Very likely 39% 44%Likely 16%Not very likely 1%Not at all likely 293 339 124 10
- 12. #RSAC Skills Need to Be Sharpened Are you comfortable with your security team’s ability to detect and respond to incidents? 12 Total Respondents: 842 Technical skills 46%390 72%Ability to understand the business 609 42%Communications 355
- 13. #RSAC 63% of security positions take 3 months or longer to fill 13
- 14. #RSAC The majority of applicants are not qualified 14
- 15. #RSAC The majority of security professionals still don’t understand their business 15
- 16. #RSAC Security reporting to the CIO 16
- 17. #RSAC Taking security more seriously – testing security controls more frequently 17
- 18. #RSAC Over 10% of security budgets declining in 2015? 18
- 19. #RSAC Boards of Directors concerned with Cybersecurity 19
- 20. #RSAC Boards demonstrating support for Cybersecurity 20
- 21. #RSAC Global Skills Gap and Shortage 21 An increase in cyber attacks has created global need for more cybersecurity professionals and for greater hands-on, real-world experience among those professionals.
- 22. #RSAC Who is Watching the Shop? 22
- 23. #RSAC Training, Certification and Career Management Cybersecurity Nexus™ (CSX) – Addressing the Skills Gap CSX skills-based training and performance- based certifications CSX Fundamentals Certificate Ongoing education & events Career management resources 23
- 24. #RSAC Threats and Gaps 24 Cybersecurity is everyone’s business. Let’s move forward by building the skills for a trained cybersecurity workforce. Cyber- Security
- 25. #RSAC 25 Thank you for attending WWW.ISACA.ORG/CYBER
Notes de l'éditeur
- RSA Conference is where the world comes to talk security. Every attendee should leave having learned something new and brimming full of ideas on what they can do once they get back to their organizations. The State of Cybersecurity survey, conducted jointly by ISACA and RSA, delves into complex business and cyber issues and approaches.
- In early 2015, RSA Conference and ISACA conducted a joint survey to gain the latest insights into the fast-moving field of cybersecurity. Results offer a unique view into global activity and perceptions--and reveal some areas of concern and some bright lights regarding this exciting profession and the people who are involved in it.
- * Survey sent to RSA Conference constituents and ISACA certification-holders, including cybersecurity and IT managers or practitioners.
- Attack types that most frequently exploited enterprises in 2014 were (in order) Phishing, Malware, Hacking attempts and Social engineering. This indicates that the human factor is still a very weak link.
- Survey data show that 95% of respondents’ enterprises have staffs that average at least three years’ experience, and 70 percent average more than five years of experience. Yet, 41 percent are confident with their security team’s ability to detect and respond to incidents only if the incident is simple. And less than half feel their security teams are able to detect and respond to complex incidents.
- Most agree that technical and administrative controls can help prevent or at least delay many of these attack types. Plus, training people on how to detect and react to potential security attacks is widely believed to decrease the effectiveness of attacks. As expected, a majority (87 percent) of the survey respondents say they have an awareness program in place. 72 percent believe their security awareness program is effective.
- Surprisingly, enterprises that are NOT doing awareness training are actually faring better than the ones that ARE. Results show that the enterprises that HAVE an awareness program in place actually have a HIGHER rate of human-dependent incidents such as social engineering, phishing and loss of mobile devices. Awareness training is important, but it isn’t enough. We need a trained, skills-based workforce to be able to proactively and reactively address threats and hacks. Clear cause for concern also is the percentage of nonmalicious insiders that are impacting enterprise security. Increasing recognition of the weakness of the human factor: RSA Conference analyzed the submissions received and noticed a lot of interest in topics related to the human factor. The “Human Element” track is the most diverse it has been in its 3-years of existence.
- Monitoring and identifying attacks and exploits is also a point of concern in the findings It’s clear this is something the community is very concerned about. We generated a word cloud out of the submission titles and abstracts received as part of the RSA Conference 2015 call for speakers. We found that “attacks,” “threat,” and “data” were among the most common used. The words “breach” and “response” also appeared prominently in the word cloud.
- It is no surprise that the cyberthreat is real. Enterprises are finding cyberattacks to have increased in both frequency and impact. More than three-quarters of the survey respondents (77 percent) reported an increase in attacks in 2014 over 2013. Even more—82 percent—predicted that it is “likely” or “very likely” they will be victimized in 2015.
- Survey data show that 95% of respondents’ enterprises have staffs that average at least three years’ experience, and 70 percent average more than five years of experience. Yet, 41 percent are confident with their security team’s ability to detect and respond to incidents only if the incident is simple. And less than half feel their security teams are able to detect and respond to complex incidents.
- To understand how the business of defense is adapting to the increased persistence and frequency of attacks, it is important to understand how enterprises are leveraging resources. Global reports indicate that cybersecurity is faced with a skills crisis. Many factors, including increased attention to cybersecurity by governments and enterprises as well as an evolving threat landscape, are combining to create an expected exponential increase in cybersecurity jobs that will require skilled professionals. Two prongs: there is an increased need in the NUMBER of cybersecurity professionals AND a need for greater hands-on EXPERTISE.
- Historically, cybersecurity training was a generalist level of high-level concepts. There wasn’t a clear focus on career progression. Lately we’ve seeing specializations in the industry—e.g., disaster recovery, forensics, data breaches. Through the Cybersecurity Nexus, ISACA looked at the state of cybersecurity from the angle of what is the lifecycle of cybersecurity professionals throughout their careers? What are the skills needed at an apprentice level? What do I need to grow and manage my career? What if I want an intensely technical track or what if I want to progress into management? CSX is a strong step toward providing training that includes real-world, real-time labs that identify a professional’s strengths and weaknesses, and certifications that are performance-based. Many business leaders have been feeling that we’re falling behind the cyber attackers, and this is addressing those concerns. Why ISACA for this cybersecurity program? There are many great organizations out there working on cybersecurity issues, but ISACA blends the membership strength, vision, global reach and reputation, integrity, and ties to global governmental entities No one else is offering the complete holistic program that is provided through the Cybersecurity Nexus. CSX is responsive to current risks and business needs. CSX certifications Performance-based certifications with three different competency levels—Practitioner, Specialist and Expert. Relevant for security professionals who have technical cybersecurity responsibilities in an enterprise. The Specialist level enables professionals to verify skills in : identify, protect, defend, respond and recovery responsibilities CSX Fundamentals Certificate Knowledge-based certificate relevant for recent college/university graduates and those looking for a career change to cybersecurity. Aligned with the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE), which is compatible with global cybersecurity issues, activities and job roles. Also aligned with the Skills Framework for the Information Age (SFIA).
- Results support the horror stories that haunt organizations relative to cybersecurity. Enterprises continue to struggle with traditional security threats such as lost devices, insider threats, malware, hacks and social engineering, while simultaneously trying to keep sophisticated attacks by nontraditional threat actors at bay. In such an environment, it is important to understand how enterprises are staffing and managing security. What challenges are security professionals having hiring and retaining strong candidates? How are organizations supporting their security professionals?