In 2015, enterprises will spend more than $71.1 billion on information security – more than they have ever spent before, according to Gartner Group figures. Yet, the incidence of major data breaches – as evidenced by compromises at corporations such as Anthem, Sony, and many others – shows no signs of abating. As enterprises continue to struggle with online attacks and data leaks, many are asking one common question: What are we doing wrong?
This year, we decided to put this question – and many more – to one of the most security-savvy audiences in the industry: those who have attended the annual Black Hat USA conference. Black Hat, a forum that features some of the most advanced security research in the world, is a destination for discussion among top security minds, including leading ethical hackers, IT security management, and technology developers.
The 2015 Black Hat Attendee Survey includes responses from 460 top-level security experts, including some of the most IT security-savvy professionals in the industry. More than 61 percent of the respondents carry a full-time “security” job title, and 25 percent are managers of the security effort in their organization. Nearly two-thirds of the respondents have received credentials as Certified Information Systems Security Professionals (CISSP), and many also hold other advanced credentials. Nearly half (47 percent) of the respondents work in organizations that have 5,000 employees or more.
Clearly, these are the individuals who make information security happen in large organizations – the people who spend their days examining online exploits and data leaks and who develop and implement enterprise defenses. Yet, the 2015 Black Hat Attendee Survey reveals a disturbing gap between the priorities and concerns of these security-savvy individuals and the actual expenditure of security resources in the average enterprise.
In short, the survey indicates that most enterprises are not spending their time, budget, and staffing resources on the problems that most security-savvy professionals consider to be the greatest threats.
2015 Energy Industry Cybersecurity Report
Strategic Cybersecurity: A Toolkit for Prioritizing, Coordinating, and Transforming Your Cybersecurity Program