The 2011 Threat Management Survey found that:
1) Enterprises were not confident in their security posture and many were struggling with timely analysis and response to threats. Their top concerns were security intelligence, visibility, and analysis.
2) 57% of respondents lacked confidence in their IT security staff's ability to respond to new threats due to staffing issues like not having enough staff, staff lacking time, and staff lacking the right skill sets.
3) 66% rated their staff as less than effective at security tasks, with only 4% rating their staff as completely effective due to challenges with recruiting, retention, and ensuring staff have the right skill sets.
2. Methodology
• Survey performed by Applied Research
• 1,025 global enterprises
• Tactical IT, Strategic IT and C-level professionals
• Cross-industry
3. Key Findings
• Enterprises not confident in their security posture
• Organizations struggling with timely analysis and response
• Top concerns are security intelligence and visibility
• Staffing problems top list of issues impacting ability to respond to new and emerging threats
4. Security Confidence
• 57% lack confidence in IT security staffs’ ability to respond to new threats
• Why? Several of the factors tied to staffing
– Not enough staff
– Staff lacks time
5. Staffing Issues
• 66% rate staff as less than effective
• Only 4% rate staff as completely effective
• Why?
– Recruiting
– Retention
– Right skill sets
8. Symantec Recommendations
• Build a comprehensive incident management program
• Be vigilant about the changing threat landscape
• Broaden the visibility across your infrastructure
• Evaluate systems for managing security information and alerts
11. Q2: How many employees does your organization have in all
locations worldwide?
1,000 to 2,499 33%
2,500 to 4,999 33%
5,000 or more 34%
12. Q3: What is your organization's primary industry?
Advertisement 1%
Media 2%
Living-related and personal services and amusement services 2%
Legal 2%
Energy 2%
Transport and freight service (cover such as Airline/railway industry) 3%
Internet 3%
Eating and drinking services, accommodations 3%
Real estate and goods rental and leasing 4%
Government 4%
Education, Learning and Support 4%
Construction 5%
Medical, Health Care and Welfare 6%
Manufacturing 9%
Other 10%
Wholesale and Retail 10%
Scientific research, professional and technical services 10%
Information Technology and Communications 10%
Finance and Insurance 10%
13. Q4: What is your primary role?
Manage our computing resources 25%
Management role in IT, primarily focused on tactical/operational issues 25%
Management role in IT, primarily focused on strategic issues 25%
C-level or business owner 25%
14. Q5: What is your title?
President 2%
Owner 3%
Partner 1%
CIO 25%
CTO 5%
CISO 1%
Vice President or Senior Vice President in a computing area 4%
Director in a computing area 9%
Manager of Information Systems or Computer Systems 22%
Systems analyst 12%
Systems architect 3%
Systems designer 3%
Other 11%
15. What is your age?
30 or less (Millennial) 22%
31 to 49 (Gen-X) 68%
50 or older (Boomer) 10%
16. Q7: What is your gender?
Female 19%
Male 81%
17. Q8: How many years have you been working in computer systems
and technology?
Mean 12.88
Median 12
18. Q9: What are your company's annual revenues?
Less than $500,000 2%
$500,000 to $2,000,000 3%
$2,000,000 to $7,500,000 4%
$7,500,000 to $30,000,000 5%
$30,000,000 to $100,000,000 9%
$100,000,000 to $500,000,000 15%
$500,000,000 to $1,500,000,000 16%
$1,500,000,000 to $5,000,000,000 16%
$5,000,000,000 to $25,000,000,000 16%
$25,000,000,000 to $100,000,000,000 7%
More than $100,000,000,000 7%
19. Q10: Characterize your company's year-over-year annual growth
rate in terms of annual revenue:
Decline to state 3%
Growing at 100% per year or more 0%
Growing at 50 to 99% per year 5%
Growing at 25 to 49% per year 7%
Growing at between 10 to 24% per year 29%
Growing at between 1 to 9% per year 31%
Flat: Neither growing nor declining 11%
Declining at between 1 to 9% per year 4%
Declining at between 10 to 24% per year 9%
Declining 25% per year or greater 1%
21. Q213: How confident are you that your IT security staff can handle
new security threats in a timely and effective manner?
Very confident 19%
Somewhat confident 25%
Neutral 19%
Somewhat concerned 18%
Very concerned 20%
22. Q214: What are the top three factors that are keeping you from
being completely confident in your ability to handle new security
threats in a timely and effective manner?
(Ranked 1, 2, or 3)
No access to latest information about new threats, vulnerabilities, etc. 36%
Security staff lacks necessary experience/skill sets 39%
Trouble responding to security incidents in a timely/effective manner 43%
Staff doesn't have enough time 45%
Trouble correlating/analyzing security alerts as they are happening 45%
Not enough visibility into security across entire infrastructure 45%
Insufficient security staff 46%
24. Q215: Please review the following aspects of security and rank
them in terms of what concerns you the most.
[Stacked bar chart: share of respondents assigning rank 1, 2, 3 or 4 to each of Security intelligence, Security visibility, Attack analysis and Security response]
25. Q215: Please review the following aspects of security and rank
them in terms of what concerns you the most.
(Average Ranks)
[Bar chart: average rank for Security intelligence, Security visibility, Attack analysis and Security response. Value labels on the chart: 2.04, 2.50, 2.64, 2.82]
27. Q216: Please rank these aspects in terms of your organization's
ability to execute.
(Average Ranks)
[Bar chart: average rank for Security intelligence, Security visibility, Attack analysis and Security response. Value labels on the chart: 2.10, 2.44, 2.62, 2.83]
28. Q217: When it comes to keeping up with the latest cyber-security
vulnerabilities and threats, please rate how you are doing in the
following areas:
1 - Extremely poor 2 - Somewhat poor 3 - Neither poor nor well 4 - Somewhat well 5 - Extremely well
[Stacked bar chart: distribution of ratings 1 to 5 for "Acquiring such intelligence in a timely fashion" and "The quality of intelligence you gather"]
29. Q217: When it comes to keeping up with the latest cyber-security
vulnerabilities and threats, please rate how you are doing in the
following areas.
(Somewhat/Extremely well)
The quality of intelligence you gather 68%
Acquiring such intelligence in a timely fashion 65%
30. Q217: When it comes to keeping up with the latest cyber-security
vulnerabilities and threats, please rate how you are doing in the
following areas.
(Somewhat/Extremely poorly)
The quality of intelligence you gather 6%
Acquiring such intelligence in a timely fashion 10%
31. Q218: When it comes to maintaining visibility into security across
the entire company's infrastructure, please rate how you are doing
in each of the following areas:
1 - Extremely poor 2 - Somewhat poor 3 - Neither poor nor well 4 - Somewhat well 5 - Extremely well
[Stacked bar chart: distribution of ratings 1 to 5 for "The quality of that visibility", "Acquiring such visibility in a timely fashion" and "How comprehensive the visibility is"]
32. Q218: When it comes to maintaining visibility into security across
the entire company's infrastructure, please rate how you are doing
in each of the following areas.
(Somewhat/Extremely well)
How comprehensive the visibility is 65%
Acquiring such visibility in a timely fashion 65%
The quality of that visibility 66%
33. Q218: When it comes to maintaining visibility into security across
the entire company's infrastructure, please rate how you are doing
in each of the following areas.
(Somewhat/Extremely poorly)
How comprehensive the visibility is 8%
Acquiring such visibility in a timely fashion 8%
The quality of that visibility 7%
34. Q219: When it comes to your organization's ability to correlate and
analyze security alerts across the enterprise, please rate how you
are doing in each of the following areas:
1 - Extremely poor 2 - Somewhat poor 3 - Neither poor nor well 4 - Somewhat well 5 - Extremely well
[Stacked bar chart: distribution of ratings 1 to 5 for "The timeliness of correlation and analysis" and "The quality of the correlation and analysis"]
35. Q219: When it comes to your organization's ability to correlate and
analyze security alerts across the enterprise, please rate how you
are doing in each of the following areas.
(Somewhat/Extremely well)
The quality of the correlation and analysis 68%
The timeliness of correlation and analysis 67%
36. Q219: When it comes to your organization's ability to correlate and
analyze security alerts across the enterprise, please rate how you
are doing in each of the following areas.
(Somewhat/Extremely poorly)
The quality of the correlation and analysis 6%
The timeliness of correlation and analysis 7%
37. Q220: When it comes to your organization's ability to respond to
security events, please rate how you are doing in each of the
following areas:
1 - Extremely poor 2 - Somewhat poor 3 - Neither poor nor well 4 - Somewhat well 5 - Extremely well
[Stacked bar chart: distribution of ratings 1 to 5 for "Ability to respond in a timely fashion" and "The effectiveness of your response"]
38. Q220: When it comes to your organization's ability to respond to
security events, please rate how you are doing in each of the
following areas.
(Somewhat/Extremely well)
The effectiveness of your response 69%
Ability to respond in a timely fashion 70%
39. Q220: When it comes to your organization's ability to respond to
security events, please rate how you are doing in each of the
following areas.
(Somewhat/Extremely poorly)
The effectiveness of your response 6%
Ability to respond in a timely fashion 7%
41. Q221: How would you characterize your security staffing levels at
the current time?
We are extremely overstaffed 4%
We are somewhat overstaffed 11%
We have just enough security staff 41%
We are somewhat understaffed 32%
We are extremely understaffed 11%
42. Q222: Overall, how would you rate the effectiveness of your IT
security staff?
Completely effective 10%
Mostly effective 42%
Not as good as we would like, but not horrible 24%
Somewhat ineffective 15%
Completely ineffective 10%
43. Q223: What is keeping you from rating your security staffing as
"completely effective?" Rank the following areas of cyber security
staffing in terms of difficulty for your organization.
[Stacked bar chart: share of respondents assigning rank 1 to 6 to each of Recruiting, Retention, Skill sets, Experience, Staff retirement and Awareness]
44. Q223: What is keeping you from rating your security staffing as
"completely effective?" Rank the following areas of cyber security
staffing in terms of difficulty for your organization.
(Average Ranks)
[Bar chart: average rank for Recruiting, Retention, Skill sets, Experience, Staff retirement and Awareness. Value labels on the chart: 2.93, 3.18, 3.29, 3.56, 3.85, 4.19]
46. Q224: What managed security service provider vendors are you
considering using or do you currently use?
(Mark all that apply.)
Other (Please specify) 5%
BT/Counterpane 16%
We don't use a managed security service provider 17%
Verizon Business 24%
Dell/SecureWorks 29%
AT&T 30%
IBM/ISS 39%
Symantec 40%
47. Q225: How much influence does your managed security service
provider have over which security products your company
purchases?
Complete influence 13%
A moderate influence 35%
Neutral 28%
Very little influence 14%
Absolutely no influence 10%
49. Q226: What Security Information and Event Management (SIEM)
vendors do you currently use?
(Mark all that apply.)
Other (Please specify) 1%
Q1 Labs 16%
We don't use a SIEM 19%
EMC/RSA (enVision) 22%
HP/ArcSight 34%
Symantec 55%
50. Q227: How do the following challenges impact your ability to realize
the full value of your Security Information and Event Management
(SIEM) solution?
1 - Extreme impact 2 - Moderate impact 3 - Some impact 4 - Slight impact 5 - No impact whatsoever
[Stacked bar chart: distribution of impact ratings 1 to 5 for "Insufficient staff to set up", "Trouble integrating latest information on new threats, vulnerabilities, etc.", "Staff doesn't have enough time", "Trouble maintaining SIEM rules to correlate/analyze alerts in real time", "Insufficient staff to maintain", "Trouble responding to incidents in timely/effective manner", "Insufficient training to set up" and "Insufficient training to maintain"]
51. Q227: How do the following challenges impact your ability to realize
the full value of your Security Information and Event Management
(SIEM) solution?
(Moderate/Extreme impact)
Insufficient training to maintain 33%
Insufficient training to set up 34%
Trouble responding to incidents in timely/effective manner 34%
Insufficient staff to maintain 34%
Trouble maintaining SIEM rules to correlate/analyze alerts in real time 34%
Staff doesn't have enough time 35%
Trouble integrating latest information on new threats, vulnerabilities, etc. 36%
Insufficient staff to set up 36%
52. Q227: How do the following challenges impact your ability to realize
the full value of your Security Information and Event Management
(SIEM) solution?
(Slight/No impact)
Insufficient training to maintain 36%
Insufficient training to set up 38%
Trouble responding to incidents in timely/effective manner 37%
Insufficient staff to maintain 38%
Trouble maintaining SIEM rules to correlate/analyze alerts in real time 35%
Staff doesn't have enough time 35%
Trouble integrating latest information on new threats, vulnerabilities, etc. 35%
Insufficient staff to set up 36%