Benchmark Research of IT Security

Leaders in the U.S. and Europe

Cybersecurity
Readiness
Study
Executive
Summary

Sponsored by HP
Independently Conducted by
Ponemon Institute LLC
30 September 2010
Table of contents

Executive summary................................................. 1
What is the current state of cybersecurity readiness in
participating organizations?.................................... 2
Are you ready to defend your organization against a
cyber attack?........................................................ 3
Why HP?............................................................. 4
Ponemon Institute research has shown that
many organizations are experiencing cyber
attacks on a daily and even hourly basis.1
These attacks pose great risks to sensitive
and confidential information and can result in
costly disruption of services.

Based on the potential for great economic harm to • The cyber landscape: what makes cyber crime
both private and public sector organizations, we different from other security attacks
believe it is important to understand what is being • The severity of the threat
done to address cybersecurity threats.
• The value of public and private partnerships to
With sponsorship from HP, Ponemon Institute protect the national critical infrastructure
conducted the Cybersecurity Readiness Study to • How to build a stronger defense against cyber
learn how organizations are responding to cyber crime
crime. The issues covered in this benchmark study
• Predictions about the future
are:
• What IT security leaders believe constitutes a In this study, we also profile organizations that can
cyber attack be characterized as cyber-ready based on their
awareness of cyber threats, vulnerabilities and
• How capable they believe their organizations are
attack vectors. The majority of these organizations:
in preventing or detecting a cyber attack
• Use SIEM or network technologies (76 percent)
• What actions they need to take in order to be
ready for a cyber attack • CISO has background in intelligence or law
enforcement (75 percent)
• The impact of a cyber attack on their organizations
and how the cyber threat landscape will change in • CISO is a highly positioned executive (72 percent)
the future. Also profiled are organizations with a strong critical
This is a benchmark study of organizations and national infrastructure (CNI) strategy. Many of these
highly experienced senior-level cybersecurity experts organizations have the following characteristics:
located in the United States, United Kingdom • Are in the public sector (60 percent)
and five other European nations. The majority of • Have inadequate budget and resources (54
respondents are at the director level or higher percent)
with a direct reporting relationship to the CEO,
• Have a high level awareness of the threats posed
CIO, CTO and CSO. We deployed a diagnostic
by cyber crime (54 percent)
interview method involving the candid opinions and
experiences of these 131 senior-level security leaders
from 89 separate organizations located in several
industry sectors. Our query focused on the following
critical issues:

1
See The Business Case for Data Protection, Ponemon Institute, July 2009 1
 What is the current state of 4. Concern about the security of the critical
national infrastructure in their countries drives
cybersecurity readiness in the need to partner with others in industry and
participating organizations? possibly government. Eighty percent of US and
We believe the following key findings from the study 89 percent of European respondents believe
indicate that in some areas organizations are or will they are part of the critical national infrastructure
be prepared to deal with cyber attacks. However, (CNI) and a problem in their company could
there is also evidence that there are gaps in their have serious consequences for their country.
preparedness. We first start with five indicators of Based on this perception and an understanding
readiness: of the severity of the problem, they do not think
1. Aware of the potential disastrous consequences their organizations should “go-it-alone.” Seventy-
of a cyber attack, respondents acknowledge nine percent of US and 70 percent of European
the importance of building a stronger defense respondents support a global CERT program
against cyber crime. Eighty-four percent of as important to mitigating cyber attacks that
US respondents and 80 percent of European threaten the CNI.
respondents believe cyber attacks are more 5. Respondents understand what technologies,
severe than criminal attacks in frequency, processes and expertise will reduce the risk
magnitude or both. Both US and European of cyber attacks. Ninety-six percent of US and
respondents agree that what makes cyber 100 percent of European respondents believe
crime more dangerous than other white collar firewalls are important to stopping cyber crime
crimes is the greater threat to the interruption of followed by 99 percent of US and 97 percent
services, theft of information assets, corruption of European respondents who believe anti-virus
of information and destruction of information and anti-malware solutions are critical. Eighty-
assets. two percent of US and 68 percent of European
2. Holistic and integrated cybersecurity solutions respondents believe network and traffic
are preferred. Respondents do not see enabling intelligence systems are important.
technologies as the one solution. Rather, it is a Ninety-six percent of US and 92 percent of
problem that will be solved by involving people, European respondents believe expert security
process and policies. Accordingly, 79 percent personnel are critical to thwarting cyber crime.
of US and 89 percent of European respondents This is followed by policies and procedures
believe a holistic approach to creating a strong (97 percent of US and 89 percent of European
cybersecurity posture is important. respondents).
3. Respondents believe defensive measures
will improve and they will become better at
detecting and preventing threats. Fifty-seven
percent of US and 52 percent of European
respondents believe defensive measures will
improve over the next two years. Only 6 percent
of US and 11 percent of European respondents
say they will become less effective.
The special features necessary are: provide
advance warning about threats and attackers
(100 percent for both US and European
respondents), enable adaptive perimeter
controls (88 percent US and 100 percent
European respondents) and provide intelligence
about threat landscape (100 percent US and 97
percent European respondents).

2
We believe the following responses indicate that has a collaborative strategy that includes other
organizations are not ready to deal with cyber organizations in their industry. Similarly only
attacks. Here are five indicators that they are not 19 percent of US and 11 percent of European
ready: respondents have a collaborative strategy
1. Inadequate budgets threaten organizations’ that includes other organizations and the
efforts to deal with cyber attacks. Sixty-eight government.
percent of US and 70 percent of European 5. A difficult challenge is the immediate need to
respondents see an increase in successful create a strategy to deal with nation-sponsored
intrusions. However, only 38 percent of both attacks from powerful sources. More than
US and European respondents have seen an half of US respondents (56 percent) and 38
increase in investment to mitigate or curtail percent of European respondents believe
cybersecurity threats. they have been victims of a nation-sponsored
Further, Sixty percent of US and 46 percent cyber attack. They believe that most likely the
of European respondents say their budget is attacks have come from powerful nations as
inadequate to manage cyber threats. Ninety- China, according to 91 percent and 87 percent
one percent of US respondents say the budget followed by the Russia Federation according to
deficit is in their ability to invest in enabling 51 percent of and 48 percent of respondents.
technologies. Eighty-one percent of European The motivation was theft of confidential
respondents say it is in their ability to hire information, according to 37 percent of US
professional and competent staff. respondents and 54 percent of European
2. There is a shortage of existing technologies and respondents. This is followed by the belief that
expertise to be able to respond and contain the motive is disruption of critical infrastructure,
threats. Both US and European respondents according to 16 percent of US respondents and
say cyber attacks are difficult to detect (US 81 33 percent of European respondents.
percent and European 96 percent), correct
quickly (US 83 percent and European 90 Are you ready to defend your
percent) and lack a solution or patch (US organization against a cyber attack?
89 percent and European 76 percent). Until
The findings of the Cybersecurity Readiness Study
organizations have technologies to address
reveal that many organizations have been the
these problems, they will see more successful
victim of a cyber attack. Moreover, the experts
intrusions.
who responded to our survey believe cyber crimes
3. Respondents are wary about mandated are more difficult to prevent and detect than other
programs that force collaboration across computer crimes. They agree that new approaches
industries. Collaborative efforts may fail if to information security and greater technical
government mandates programs. While they expertise are needed to defend an organization.
understand the need for collaboration, 66
To help organizations determine their readiness
percent of US and 32 percent of European
to respond to an attack we have developed the
prefer a voluntary program operated by
Cyber Readiness Tool. This tool helps organizations
government and 35 percent of US and 60
identify risk areas that might hamper their ability to
percent of European respondents prefer a
prevent or quickly detect cyber attacks to endpoints,
voluntary industry-led program. Only 31
networks and enterprise systems.
percent of US and 29 percent of European
would prefer a government mandated program. Our study shows that cyber crimes are pervasive and
Only 9 percent of US and 24 percent of costly events for organizations in the United States
European respondent would prefer a multilateral and Europe. While most participating companies
organization to operate a mandatory program. in our benchmark study appear to take reasonable
steps to ensure cyber attacks do not infiltrate corpo-
4. In the short-term, respondents believe a cyber
rate networks and systems, our benchmark findings
attack could cripple the CNI. In the next two
suggest resources may not be sufficient to achieve a
years, 78 percent of US respondents and 60
high level of cybersecurity readiness.
percent of European respondents believe a
cyber attack will significantly disrupt on their Despite good efforts, many organizations acknowl-
country’s mission critical operations. Despite edged their vulnerabilities and weakness to a
recognition that their organizations are part of growing number of sophisticated and stealthy cyber
the CNI, only 12 percent of US and 21 percent attacks, including automated agents such as botnets,
of European respondents say their organization malware and others. They also perceive the dangers
of the cyber threat landscape as getting worse and,
hence, enterprise systems more difficult to defend.
On a more positive note, a majority of respondents

3
 truly believe the state of enabling security technolo- cybersecurity solutions into the most critical
gies, especially network and traffic intelligence sys- and sensitive environments including military
tems, is improving. Thus, many individuals expressed organizations, governments, stock markets, banks,
optimism about their organization’s longer-term utilities, and healthcare organizations for more
abilities to defend itself from criminal syndicates and than four decades. With more than 3,000 security
nation-sponsored attackers. and privacy service professionals worldwide,
HP has the expertise and resources to meet the
On a final note, we wish to thank the 131 IT security
security needs of your organization.
leaders who participated in this inaugural benchmark
study. We respect their views and greatly appreciate HP believes that an effective security posture is one
their keen insights on the state of cyber readiness. that permeates an organization’s culture, including
people, processes, technology and governance. Our
portfolio of services offers solutions that allow govern-
Why HP? ments to deliver on their missions, and enterprises
As the world’s largest information technology to achieve their business goals, with confidence.
company, HP has shaped the fabric of cyberspace Accordingly, our clients are well-prepared for today’s
through building, operating, and advancing the evolving cyber threats. Continuing their operations
domain since its inception. Applying this broad per- with minimal disruption, they move forward to gain
spective in today’s challenging environment, HP now service and competitive advantage and THRIVE in
provides access to unique security services, products, uncertain environments.
and partnerships through the HP Secure Advantage
More detailed analysis of the study results and findings
portfolio- an integrated and holistic approach to cy-
is available under separate cover. Please contact
bersecurity meeting the unique requirements of public
your HP Enterprise Services representative for a copy
and private organizations.
of those documents or visit:
HP’s cybersecurity solutions are backed by industry-
www.hp.com/services/security.
leading technologies and uniquely capable opera-
tional expertise:
• Innovation. Our commitments to advanced Ponemon Institute
research and operational expertise transcend Advancing Responsible Information Management
many industries and translate into a consistent, Ponemon Institute is dedicated to independent
best practices approach to solving customer research and education that advances responsible
problems. Backed by a diverse and talented information and privacy management practices
workforce drawn from all elements of our global within business and government. Our mission is to
organization, cybersecurity is a core focus of our conduct high quality, empirical studies on critical
investment at HP Labs. This work is furthered by issues affecting the management and security of
the experience we gain with our many clients in sensitive information about people and organizations.
the field developing specialized next-generation
As a member of the Council of American Survey
approaches to cybersecurity
Research Organizations (CASRO), we uphold strict
• Holistic approach. HP employs a holistic data confidentiality, privacy and ethical research
approach through our integrated cybersecurity standards. We do not collect any personally
reference model that reduces complexity, cuts identifiable information from individuals (or organiza-
costs, and manages overall risk to organizations tion identifiable information in our business research).
and their dynamic business processes. As a world Furthermore, we have strict quality standards to
leader in technology, we offer a complete range of ensure that subjects are not asked extraneous,
cybersecurity solutions that deliver real benefits to irrelevant or improper questions.
critical business and mission functions.
For more information, please contact Ponemon
• Global reach. HP has been delivering
Institute by email [email protected] or visit:
www.ponemon.org.

4
5
© Copyright Hewlett-Packard Development Company, L.P. The information contained herein is
subject to change without notice. The only warranties for HP products and services are set forth
in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.

Created September 2010