2018 ADOBE CYBER SECURITY SURVEY
GMUNK
CYBERSECURITY PROFESSIONALS’ INSIGHTS ON PUBLIC POLICY
OBJECTIVES
In a first-of-its-kind study, we surveyed U.S. cybersecurity professionals to understand their perceptions of cybersecurity and public policy issues.
We explored topics such as:
• What are cybersecurity professionals’ top concerns today?
• What are the most important privacy and security issues for governments to address?
• How prepared do they feel for upcoming cybersecurity policy changes?
METHODOLOGY
AUDIENCE: Cybersecurity professionals nationwide
SAMPLE SIZE: n=528 (Government and Contractor n=76; Non-government/Private n=452)
MARGIN OF ERROR: MOE = ± 4.3%
METHOD: 15-minute online survey
TIMING: Survey fielded September 5-15, 2017
This report is a result of a U.S. nationwide survey of cybersecurity professionals (manager level or above) at a variety of different organization types and sizes.
Q12: How much do you agree or disagree with the following statement? Q25: In general, how well do you understand how these cybersecurity public policy developments will impact your job?
Cybersecurity professionals say policy has a great impact on their day-to-day jobs and they understand how upcoming developments can affect their roles
Agree that cybersecurity public policy affects their job on a daily basis
85%
Understand how cybersecurity public policy developments affect their job
90%
Impact of Public Policy on Day-to-Day Job
Top 2 Box
Q26: How prepared do you think you, your organization and your industry are for upcoming cybersecurity policy changes?
Level of Preparedness for Upcoming Policy Changes
Yet, only 37% feel completely prepared for upcoming policy changes, and even fewer are confident in industry preparedness overall
Say their industry is completely prepared
Say their organization is completely prepared
37%
Say they are completely prepared
36%
28%
Top Box Only
“Regulations contribute to my company's ability to protect our assets. We as a company need to be ahead of the curve on all issues involving cybersecurity.”
– Non-Government / Private
83%
Agree that the regulations in place are effective in making things secure
An overwhelming majority of cybersecurity professionals feel government regulations have a positive impact on cybersecurity
Impact of Regulations on Security
Q6: How much do you agree or disagree with each of the following statements? Q13: How does cybersecurity public policy affect your job on a day-to-day basis?
Top 2 Box
“Policy tends to be a driving force in how companies/governments begin to react to various threats either before, or in some cases after, they begin to show up.”
– Government / Contractor
48%
Follow cybersecurity policy issues very closely
However, less than half of cybersecurity professionals follow public policy issues very closely
Following Public Policy Issues
Q7: How closely do you follow cybersecurity public policy issues?
Top Box Only
45%
Almost all cybersecurity professionals agree that more common standards and frameworks are necessary
Attitudes toward Common Standards
“The most important issue is how to effectively share threat information and automatically detect and mitigate them in real-time as well as how to motivate organizations to implement best practices.”
– Government / Contractor
“[It’s important to] have some sort of uniform standards and centralized resource relative to what constitutes a cybersecurity event and how those issues are reported, responded to, and resolved.”
– Non-Government / Private
Agree that the information security industry needs more common security standards/frameworks
92%
Q6: How much do you agree or disagree with each of the following statements? Q14: In your opinion, what are the most important cybersecurity issues for governments to address?
Top 2 Box
Q6: How much do you agree or disagree with each of the following statements? Q13: How does cybersecurity public policy affect your job on a day-to-day basis?
However, compliance is a current pain point for cybersecurity professionals
Agree that regulation makes organizations focus more on compliance than on security
86%
Agree that their organization spends too much of their time and budget on compliance
64%
“The lack of direction under regulation causes us to continually change to try to stay compliant.”
– Non-Government / Private
“There are often conflicting reports and it is impossible to get anyone to confirm what regulation or standard is the one to follow.”
– Government / Contractor
Attitudes toward Compliance
Top 2 Box
37%
Respondents believe that modernizing technology is critical to effective government cybersecurity
Attitudes toward Modernizing Technology
Agree that modernizing technology is critical to effective government cybersecurity
96%
“The more archaic our defenses are ... the easier it is to break them down.”
– Non-Government / Private
“You have legacy systems with users who only know operational concerns, with no time to bring systems up-to-date. This alone forces people to be concerned with more uptime than security.”
– Government / Contractor
Q20: How much do you agree or disagree with each of the following statements? Q21: What are the greatest cybersecurity risks of not modernizing government technology?
Top 2 Box
Agree that transitioning legacy systems to the cloud is critical to effective government cybersecurity
88%
Cybersecurity professionals agree that transitioning legacy systems to the cloud is critical to effective government cybersecurity
Attitudes toward Legacy Systems and the Cloud
Q20: How much do you agree or disagree with each of the following statements? Q21: What are the greatest cybersecurity risks of not modernizing government technology?
“Legacy systems are easier to breach and have the greatest security vulnerability.”
– Non-Government / Private
“Open vulnerabilities in legacy hardware and software [are the greatest cybersecurity risks of not modernizing government technology].”
– Government / Contractor
Top 2 Box
Q3: How important is it for organizations to have each of the following cybersecurity measures in place? Q5: And which, if any, of the following cybersecurity measures does your organization have in place?
Cybersecurity professionals say monitoring to detect breaches and protect data at the file level is important, yet only half have tools in place to do so
Monitoring to Detect Breaches and Protect Data at the File Level Importance vs. Current Practice
88%
Say it is important to monitor to detect breaches and protect data at the file level
49%
Say that monitoring to detect breaches and protect data at the file level is currently in place at their organization
Important: Top 2 Box
Currently in place: Percent Selected
Automating system patching is another opportunity for more effective cybersecurity
Q3: How important is it for organizations to have each of the following cybersecurity measures in place? Q5: And which, if any, of the following cybersecurity measures does your organization have in place?
Say that automating system patching is important
80%
Automating System Patching Importance vs. Current Practice
Say that automating system patching is a measure that is in place at their organization
44%
Important: Top 2 Box
Currently in place: Percent Selected
The overwhelming majority of cybersecurity professionals say critical infrastructure is important for governments to address
Importance of Cybersecurity Issues for Governments to Address
Q15: How important are each of the following cybersecurity issues for governments to address?
91%
Say that critical infrastructure is important for governments to address
Top 2 Box
Respondents are most informed about cybersecurity policy developments at the federal level
Informed of Recent Public Policy Developments
77%
80%
87% Are informed about recent federal level policy developments
Are informed about recent state level policy developments
Are informed about recent international level policy developments
Q22: How informed do you feel about the latest cybersecurity public policy developments that have occurred over the last six months at the…?
Top 2 Box