7/30/2019 The Ponemon Institute on Data Loss / Breach Solutions: The Market Need and Solution Requirements
1/27
Privacy & Data Breach Management: Benchmarks, Informal Survey, Solutions
Presentation by Dr. Larry Ponemon
Webinar sponsored by Co3 Systems
September 13, 2012
Agenda
Benchmark Analysis
Cost Benchmarks
Informal Influencer Survey
Market Need For Breach Management Solutions
11/21/2012 Ponemon Institute: Private & Confidential Information 2
About Ponemon Institute
Ponemon Institute conducts independent research on cyber security, data protection and privacy issues.
Since our founding 11+ years ago our mission has remained constant, which is to enable organizations in both the private and public sectors to have a clearer understanding of the practices, enabling technologies and potential threats that will affect the security, reliability and integrity of information assets and IT systems.
Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.
In addition to research, Ponemon Institute offers independent assessment and strategic advisory services on privacy and data protection issues. The Institute also conducts workshops and training programs.
The Institute is frequently engaged by leading companies to assess their privacy and data protection activities in accordance with generally accepted standards and practices on a global basis.
The Institute also performs customized benchmark studies to help organizations identify inherent risk areas and gaps that might otherwise trigger regulatory action.
Benchmark Analysis
Analysis is based on Ponemon Institute's 2012 benchmark on corporate privacy management (n=89 companies)
Background
Ponemon Institute has conducted detailed benchmark surveys of corporate privacy program activities for the past 10 years (starting in January 2003).
Ponemon Institute has conducted more than 500 separate benchmark studies.
A total of 89 large, US-based organizations in various industries participated in this 2012 study (fieldwork concluding in August).
The primary contact in these organizations was the chief security officer, the chief information security officer, the chief privacy officer or another individual who has overall responsibility for privacy & data protection.
All results were gathered by the researcher. All individual and company-identifiable information was removed to protect the confidentiality of responding organizations.
Caveats: Benchmarks provide descriptive information that may not be representative of all corporate privacy initiatives.
Industries
Industry breakdown of the 89 participating companies (pie chart; values paired with legend entries in chart order):
Financial services 21%
Health & pharma 12%
Retail 12%
Public sector 8%
Industrial 7%
Services 7%
Consumer products 6%
Technology & software 6%
Transportation 6%
Energy & utilities 6%
Communications 3%
Education & research 2%
Other 4%
A total of 89 companies participated in this 2012 research.
Minimum headcount of participating companies is > 1,000.
Overall Benchmark Score
Overall benchmark score by organization size (bar chart):
> 25,000 FTE 61%
5,000 to 25,000 FTE 47%
< 5,000 FTE 42%
Overall 53%
The benchmark scores for the 2012 sample of 89 companies are presented in a percentage form.
These scores are compiled from a proprietary instrument containing 130 items presented in seven (7) sections. Each section is weighted equally for purposes of comparison.
Overall Benchmark Score
Overall benchmark score by section of the instrument (bar chart; same 2012 sample of 89 companies and same seven-section instrument as above):
Policy 79%
Com 56%
Mgmt 42%
Security 70%
Compliance 61%
Choice 33%
Redress 29%
Benchmarks on Privacy Policies
Selected items, 2012 (bar chart):
Acceptable use policies for mobile devices (BYOD) 38%
Acceptable use policies for social media 41%
Harmonized approach to global policies 43%
Centralized version control procedures 49%
Section score trend, 2003 to 2012 (line chart):
2003 56%, 2004 59%, 2005 60%, 2006 63%, 2007 62%, 2008 65%, 2009 68%, 2010 71%, 2011 76%, 2012 79%
Benchmarks on Training & Communications
Selected items, 2012 (bar chart):
Privacy awareness for customers 12%
Privacy awareness for business partners 15%
Incident response training for readiness 29%
Metrics for assessing training effectiveness 30%
Specialized training for high risk employees 37%
Mandatory training for all employees 41%
Section score trend, 2003 to 2012 (line chart):
2003 46%, 2004 47%, 2005 45%, 2006 48%, 2007 46%, 2008 50%, 2009 52%, 2010 50%, 2011 52%, 2012 56%
Benchmarks on Privacy Program Management
Selected items, 2012 (bar chart):
Independent audit or assessment 17%
Data inventory for sensitive PI 21%
Formal privacy or data governance strategy 29%
Adequacy of program resources 33%
Centralized authority 35%
Section score trend, 2003 to 2012 (line chart):
2003 40%, 2004 41%, 2005 39%, 2006 40%, 2007 46%, 2008 50%, 2009 52%, 2010 48%, 2011 44%, 2012 42%
Benchmarks on Data Security
Selected items, 2012 (bar chart):
Privileged user visibility 24%
Extensive use of data loss prevention tools 27%
Controls over PI data in cloud environments 29%
Extensive use of encryption for data at rest 31%
Alignment of privacy and cyber security strategy 33%
Section score trend, 2003 to 2012 (line chart):
2003 50%, 2004 53%, 2005 59%, 2006 64%, 2007 66%, 2008 65%, 2009 68%, 2010 66%, 2011 68%, 2012 70%
Benchmarks on Privacy Compliance & Monitoring
Selected items, 2012 (bar chart):
Evaluation of information theft upon employee termination 21%
Board level reporting 21%
Advanced assessments of marketing campaigns 22%
Mock regulatory audits or assessments 25%
Compliance monitoring over contract and temporary employees 29%
Section score trend, 2003 to 2012 (line chart):
2003 39%, 2004 41%, 2005 40%, 2006 43%, 2007 46%, 2008 45%, 2009 48%, 2010 54%, 2011 59%, 2012 61%
Benchmarks on Consent & Choice
Selected items, 2012 (bar chart):
Readiness for do not track 18%
Global harmonization of consumer preferences 18%
Rigorous monitoring of secondary uses of sensitive PI 22%
Testing that customer preferences are honored 23%
Exclusive use of permission-based lists for customer/consumer contact 26%
Section score trend, 2003 to 2012 (line chart):
2003 35%, 2004 33%, 2005 28%, 2006 33%, 2007 34%, 2008 32%, 2009 33%, 2010 30%, 2011 35%, 2012 33%
Benchmarks on Redress & Enforcement
Selected items, 2012 (bar chart):
Enforcement actions reported to executive management 20%
Specific timeline to investigate incidents 21%
Escalation procedures 24%
Redress process involves the privacy leader 26%
Whistle blowing protection 27%
Section score trend, 2003 to 2012 (line chart):
2003 27%, 2004 28%, 2005 32%, 2006 33%, 2007 34%, 2008 35%, 2009 36%, 2010 33%, 2011 31%, 2012 29%
Net change over 10 years
The benchmark scores for the 2012 sample consist of 89 companies. The benchmark scores for the 2003 sample consist of 68 companies. Please note that both samples were matched by organizational headcount (size), industry sector and geographic footprint. Certain items in the proprietary benchmark instrument were edited or updated over this 10-year period.
Section scores, FY 2012 versus FY 2003 (bar chart):
Section     FY 2012  FY 2003
Policy      79%      56%
Com         56%      46%
Mgmt        42%      40%
Security    70%      50%
Compliance  61%      39%
Choice      33%      35%
Redress     29%      27%
Cost Benchmarks
Analysis is based on Ponemon Institute's 2012 benchmark on corporate privacy management (n=265 companies)
Extrapolated cost of privacy programs, $US millions (000,000 omitted)
Average program spending by SES quartile (bar chart):
Quartile               Direct cost  Indirect cost  Total
Quartile 1 (SES 1.1)   3.92         4.84           8.75
Quartile 2 (SES .71)   3.12         3.27           6.39
Quartile 3 (SES .35)   2.92         1.70           4.61
Quartile 4 (SES -.11)  2.53         1.65           4.18
This graph reports the average direct and indirect program spending for FY 2012 based on SES quartiles from 1 = highest to 4 = lowest. The SES is a metric ranging from -2 (lowest) to +2 (highest) that attempts to measure the effectiveness of an organization's information security posture. The SES was developed by Ponemon Institute and has been validated in more than 50 studies conducted over nearly eight (8) years. As can be seen, organizations with a higher SES spend more direct and indirect costs on privacy programs. While not shown in this graph, the average privacy program cost for our benchmark sample of companies totals $5.98 million.
Extrapolated cost of privacy programs, $US millions (000,000 omitted)
This graph reports the average direct and indirect program spending for FY 2012 based on six expenditure or spending categories totaling $5.98 million. As can be seen, the two highest spending categories are data security ($1.55 million) and program management ($1.50 million). In contrast, the two lowest spending categories are redress and enforcement ($.30 million) and policies and procedures ($.60 million). While not shown separately, our benchmark sample of companies spend approximately 25% of budget on program management activities, which includes all costs associated with data breach incident management.
Average spending by category (bar chart):
Policies & procedures $0.60
Training & communication $0.90
Program management $1.50
Data security $1.55
Compliance monitoring $1.14
Redress & enforcement $0.30
Informal Influencer Survey
Benchmark study of 107 privacy influencers
Results in this report are based on Ponemon Institute's proprietary database of privacy practices in US organizations.
Examined perceptions about data breach incident response management.
Purpose of analysis is to determine the value privacy leaders place on an automated tool or system to deal with the data breach incident management process.
The results indicate that privacy leaders believe automated management tools are important to deal with the data breach incident management process due to the numerous separate incidents that require ongoing tracking.
Is there a need to have an automated tool or system to deal with the data breach incident management process?
Responses (pie chart):
Yes 81%
No 15%
Unsure 4%
Benchmark question posed to 107 privacy leaders in U.S. based corporations
Do you have an automated data breach management tool or system today?
Responses (pie chart):
No 62%
Yes, homemade 36%
Yes, commercial 2%
Benchmark question posed to 107 privacy leaders in U.S. based corporations
What is your company's primary focus for data breach management issues?
Responses (pie chart; only five values are legible for the six legend entries, paired in chart order):
US 50%
Global 31%
North America 10%
Europe/EU 6%
Latin America 2%
Asia-Pacific (value not legible)
Benchmark question posed to 107 privacy leaders in U.S. based corporations
Approximately, how many separate incidents require tracking over a 12-month period?
Responses (bar chart; range labels as printed on the slide):
> 2 incidents 5%
2 to 4 incidents 10%
5 to 10 incidents 36%
11 to 20 incidents 24%
21 to 40 incidents 15%
< 40 incidents 9%
Benchmark question posed to 107 privacy leaders in U.S. based corporations
Need for a Data Breach Management Tool
Ponemon Institute's tracking study of the cost of privacy programs reveals the potential market demand for a data breach incident management tool for the following reasons:
Cost effective TCO of the tool versus labor costs and professional fees.
A comprehensive and accurate repository of summarized privacy and data breach laws reduces research costs and legal services.
Benefits SMBs that cannot afford a fully-dedicated privacy staff.
Secures (locks down) sensitive and confidential information concerning data breach incidents and events.
Avoids redundant or inconsistent operating practices and reduces operational complexity.
Ponemon Institute's proprietary benchmarks on corporate privacy spending for larger-sized organizations (headcount > 1,000) reveal a substantial spending level for program management (which includes incident response) and data security measures.
Questions?
Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA