2018 Adobe Cybersecurity Survey

2018 ADOBE CYBER SECURITY SURVEY

1

GMUNK

C Y B E R S E C U R I T Y P R O F E S S I O N A L S ’ I N S I G H T S O N P U B L I C P O L I C Y

O B J E C T I V E SIn a first-of-its-kind study, we surveyed U.S. cybersecurity professionals to understand

their perceptions of cybersecurity and public policy issues

We explored topics such as:

• What are cybersecurity professionals’ top concerns today? • What are the most important privacy and security issues for governments to address?• How prepared do they feel for upcoming cybersecurity policy changes?

2

GMUNK

Government and Contractor n=76Non-government/Private n=452

MOE= ± 4.3%

M E T H O D O L O G Y

AUDIENCE MARGIN METHOD SAMPLE SIZE TIMING

Cybersecurity professionals nationwide

This report is a result of a U.S. nationwide survey of cybersecurity professionals (manager level or above) at a variety of different organization types and sizes

Survey fieldedSeptember 5-15, 2017

15-minute online survey

3

OF ERROR

n=528

GMUNK

S U R V E Y R E S U L T S

4

Q12: How much do you agree or disagree with the following statement? Q25: In general, how well do you understand how these cybersecurity public policy developments will impact your job?

Cybersecurity professionals say policy has a great impact on their day-to-day jobs and they understand how upcoming developments can affect their roles

Agree that cybersecurity public policy

affects their job on a daily basis

85%Understand how

cybersecurity public policy

developments affect their job

90%

Impact of Public Policy on Day-to-Day Job

5

Top 2 Box

Q26: How prepared do you think you, your organization and your industry are for upcoming cybersecurity policy changes?

Level of Preparedness for Upcoming Policy Changes

Yet, only 37% feel completely prepared for upcoming policy changes, and even fewer are confident in industry preparedness overall

Say their industry iscompletelyprepared

Say theirorganization is completely prepared

37%Say they arecompletely prepared

36%28%

6

Top Box Only

“Regulations contribute to my company's ability toprotect our assets. We as a company need to be ahead of

the curve on all issues involving cybersecurity.”– Non-Government / Private

83%Agree that the

regulations in place are effective in making

things secure

An overwhelming majority of cybersecurity professionals feel government regulations have a positive impact on cybersecurity

Impact of Regulations on Security

Q6: How much do you agree or disagree with each of the following statements? Q13: How does cybersecurity public policy affect your job on a day-to-day basis?

7

Top 2 Box“Policy tends to be a driving force in how

companies/governments begin to react to various threats either before, or in some cases after, they begin to show up.”

– Government / Contractor

48%Follow cybersecurity policy issues very closely

However, less than half of cybersecurity professionals follow public policy issues very closely

Following Public Policy Issues

Q7: How closely do you follow cybersecurity public policy issues? 8

Top Box Only

45%

Almost all cybersecurity professionals agree that more common standards and frameworks are necessary

Attitudes toward Common Standards

“The most important issue is how to effectively share threat information and automatically detect and mitigate them in real-time as well as how to

motivate organizations to implement best practices.”– Government / Contractor

“[It’s important to] have some sort of uniform standards andcentralized resource relative to what constitutes a

cybersecurity event and how those issues are reported, responded to, and resolved.” – Non-Government / Private

Agree that the information security industry needs more

common security standards/

frameworks

92%

Q6: How much do you agree or disagree with each of the following statements?Q14: In your opinion, what are the most important cybersecurity issues for governments to address?

9

Top 2 Box

Q6: How much do you agree or disagree with each of the following statements?Q13: How does cybersecurity public policy affect your job on a day-to-day basis?

However, compliance is a current pain point for cybersecurity professionals

Agree that regulation makes organizations

focus more on compliance than on

security

86%Agree that their

organization spends too much of their time

and budget on compliance

64%“The lack of direction under regulation

causes us to continually change to try to stay compliant.”

– Non-Government / Private

“There are often conflicting reports and it is impossible to get anyone to confirm what

regulation or standard is the one to follow.”– Government / Contractor

Attitudes toward Compliance

10

Top 2 Box

37%

Respondents believe that modernizing technology is critical to effective government cybersecurity

Attitudes toward Modernizing Technology

Agree that modernizing

technology is critical to effective

governmentcybersecurity

96%

“The more archaic our defenses are ... the easier it is to break them down.”

– Non-Government / Private

“You have legacy systems with users who only know operational concerns, with no time to bring systems up-to-date. This alone forces people to be

concerned with more uptime than security.” –Government / Contractor

Q20: How much do you agree or disagree with each of the following statements?Q21: What are the greatest cybersecurity risks of not modernizing government technology?

11

Top 2 Box

Agree thattransitioning legacy systems to the cloud is critical to effective

governmentcybersecurity

88%

Cybersecurity professionals agree that transitioning legacy systems to the cloud is critical to effective government cybersecurity

Attitudes toward Legacy Systems and the Cloud

Q20: How much do you agree or disagree with each of the following statements? Q21: What are the greatest cybersecurity risks of not modernizing government technology?

“Legacy systems are easier to breach and have the greatest security vulnerability.”

– Non-Government / Private

“Open vulnerabilities in legacy hardware and software [are the greatest cybersecurity risks

of not modernizing government technology].”– Government / Contractor

12

Top 2 Box

Q3: How important is it for organizations to have each of the following cybersecurity measures in place? Q5: And which, if any, of the following cybersecurity measures does your organization have in place?

Cybersecurity professionals say monitoring to detect breaches and protect data at the file level is important, yet only half have tools in place to do so

Current Practice

88%Say it is important to monitor

to detect breaches and protect data at the file level

Currently in placeImportant

49%Say that monitoring to

detect breaches and protect data at the file level is

currently in place at their organization

Monitoring to Detect Breaches and Protect Data at the File Level

13

Percent SelectedTop 2 BoxImportance vs.

14

Automating system patching is another opportunity for more effective cybersecurity

Q3: How important is it for organizations to have each of the following cybersecurity measures in place? Q5: And which, if any, of the following cybersecurity measures does your organization have in place?

Say that automating system patching is

important

80%

Automating System Patching Importance vs. Current Practice

Say that automating system patching is a

measure that is in place at their organization

44%

Current Practice

Currently in placeImportant

Percent SelectedTop 2 BoxImportance vs.

The overwhelming majority of cybersecurity professionals say critical infrastructure is important for governments to address

Importance of Cybersecurity Issues for Governments to Address

Q15: How important are each of the following cybersecurity issues for governments to address?

91%Say that critical infrastructure is

important for governments to address

15

Top 2 Box

Respondents are most informed about cybersecurity policy developments at the federal level

Informed of Recent Public Policy Developments

77%

80%

87% Are informed about recent federal level policy

developments

Are informed about recentstate level policy developments

Are informed about recent international level policy

developments

Q22: How informed do you feel about the latest cybersecurity public policy developments that have occurred over the last six months at the…? 16

Top 2 Box