
The Securosis 2010 Data Security Survey Report Rates the Top 5 Data Security Controls

Over the summer we initiated what turned out to be a pretty darn big data security survey. Our primary goal was to assess which data security controls people find most effective, and to get a better understanding of how they are using those controls, what’s driving adoption, and a bit about what kinds of incidents they are experiencing.

The response was overwhelming – we had over 1,100 people participate from across the IT spectrum. The responses were almost evenly split between security and regular IT folks, which helps reduce some of the response bias:

I try to be self-critical, and there were definitely some mistakes in how we designed the survey (although the design process was open to the public and available for review before we launched, so I do get to blame all of you a bit too, for letting me screw up). But despite those flaws I think we still obtained some great data – especially on what controls people consider effective (and not), and how you are using them.

Due to an error on my part we can’t release the full report here at Securosis for 30 days, but it is available from our sponsor, Imperva, who is also re-posting the survey so those of you who haven’t taken it yet can run through the questions and compare yourselves to the rest of the responses. We will also be releasing the full (anonymized) raw data so you can perform your own analysis. Everything is free under a Creative Commons license. I apologize for not being able to release the report immediately as usual – it was a mistake on my part and won’t happen again.

Key Findings

  • We received over 1,100 responses with a completion rate of over 70%, representing all major vertical markets and company sizes.
  • On average, most data security controls are in at least some stage of deployment in 50% of responding organizations. Deployed controls tend to have been in use for 2 years or more.
  • Most responding organizations still rely heavily on “traditional” security controls such as system hardening, email filtering, access management, and network segregation to protect data.
  • When deployed, 40-50% of participants rate most data security controls as completely eliminating or significantly reducing security incident occurrence.
  • The same controls rated slightly lower for reducing incident severity (when incidents occur), and still lower for reducing compliance costs.
  • 88% of survey participants must meet at least 1 regulatory or contractual compliance requirement, with many needing to comply with multiple regulations.
  • Despite this, “to improve security” is the most cited primary driver for deploying data security controls, followed by direct compliance requirements and audit deficiencies.
  • 46% of participants reported about the same number of security incidents in the most recent 12 months compared to the previous 12, with 27% reporting fewer incidents, and only 12% reporting a relative increase.
  • Organizations are most likely to deploy USB/portable media encryption and device control or data loss prevention in the next 12 months.
  • Email filtering is the single most commonly used control, and the one cited as least effective.

Our overall conclusion is that even accounting for potential response bias, data security has transitioned past early adopters and significantly penetrated the early mainstream of the security industry.

Top Rated Controls (Perceived Effectiveness):

  • The 5 top rated controls for reducing number of incidents are network data loss prevention, full drive encryption, web application firewalls, server/endpoint hardening, and endpoint data loss prevention.
  • The 5 top rated controls for reducing incident severity are network data loss prevention, full drive encryption, endpoint data loss prevention, email filtering, and USB/portable media encryption and device control. (Web application firewalls nearly tied, and almost made the top 5).
  • The 5 top rated controls for reducing compliance costs are network data loss prevention, endpoint data loss prevention, storage data loss prevention, full drive encryption, and USB and portable media encryption and device control. These were very closely followed by network segregation and access management.

We’ll be posting more findings throughout the week; in the meantime, please visit Imperva to get your own copy of the full analysis.

—Rich


Comments:


By Alex  on  09/15  at  10:11 AM

Great Job, Rich & crew.

Mucho Kudos

By Matt Summers  on  09/15  at  12:13 PM

I was interested to see that all the effective controls and least effective controls were technical ones, where is user awareness etc? One thing about the report though is that it lists “Other (list in comments)” and doesn’t list them.

By Rich  on  09/15  at  03:03 PM

All the other comments will be released when I put the raw data out – it was just too much to include in the main report.

As mentioned in the report, “User awareness” was the most often other control people wrote in.

By LonerVamp  on  09/16  at  09:10 AM

I had to re-re-read the Top Rated Controls section a few times. I’m a little surprised, maybe even confused, at how high various DLP pieces rated, as well as WAFs.

I’m also a bit confused on the “to improve security” driver. I know that is a goal, but I’d expect there are other reasons why a budget may have finally gotten approval. Then again, maybe such decisions are being made lower in mgmt when carving up departmental budgets…

Guess this means I’ll definitely be checking out the results! Good job!

By Rich  on  09/16  at  09:19 AM

I’m not surprised – most of the people using DLP properly get great results (it’s why I’ve been a proponent for so long).

Most of the people who crap on DLP don’t use it, from what I can tell. Or work someplace where they set stupid, overly-generic policies on overly-limited deployments.

Or they use a crappy tool :)

By Anton Chuvakin  on  09/22  at  10:30 AM

Was there / could there have been a bias due to calling it “DATA security”? Looks like all of the controls mentioned are data-focused (not, say, anti-DDoS, not even anti-malware, etc.)

At the same time, the survey is defined as: “Our primary goal was to assess what data security controls people find most effective”, but it doesn’t add “... for data protection”

What’s the story with that?

By Rich  on  09/22  at  11:06 AM

Anton, I’m confused… “data security” seems to be the term most people use to describe “data protection”. Why would I need to add that?
