Cybersecurity FutureWatch 2018
SECURITY MUST EVOLVE TO MATCH ACCELERATING PACE OF EMERGING TECHNOLOGY ADOPTION
Table of Contents
Executive Summary
Key Drivers
Current Landscape
Security Maturity
Risk Review
Future View
Methodology
EXECUTIVE SUMMARY
KEY FINDINGS
• Only 30 percent of respondents are confident their business will avoid a major security event in the coming two years.
• Respondents identified that operational disruption and reputational damage are more concerning than regulatory penalties should a significant security event occur.
• Firms using proactive and predictive security approaches reduced their risk profile by 30 percent.
• 55 percent of respondents are actively planning to replace their incumbent MSSP providers.
• 72 percent of respondents are currently using or plan to deploy cloud services.
• Firms are adopting threat detection and response, identity access management and cloud security services to support a boom in the adoption of emerging technologies.
A firm’s participation in higher-risk industries and, in conjunction, its adoption of emerging technologies create a measurable risk profile. IT teams are often trapped in the innovator’s dilemma of meeting business demands through the adoption of new technologies. But they are also held accountable for the risks and damaging costs associated with the exploitation of emerging technologies like IoT, cloud-based services and artificial intelligence.
Line of sight from the IT team to the board provides the greatest vantage point to risk identification, coupled with risk mitigation in the form of budget and resources. Firms with lower multiple-hop reporting structures and limited board visibility often struggle to articulate security risks and the required resources to mitigate those risks, leaving the firm with greater vulnerability to cyberattacks.
Security maturity and the willingness to leverage industry-best security services can offset the risks associated with threats, such as external attacks and insider risks. Companies that are mature in their cybersecurity approach also can meet the demands of internal risk management programs, report and demonstrate value to senior management, and meet client and regulatory requirements.
Firms that rely solely on prevention technologies and managed security service providers (MSSPs) offering device management services are more susceptible to a broad spectrum of risks. They struggle to demonstrate value to fiduciary officers and show a strong willingness to switch vendors.
On the other hand, companies that adopt a more proactive and predictive security model are freed from the “catch-up” adoption gap of traditional security approaches. They can adapt to new technologies, while assuring security measures that meet legal requirements of the firm’s officers and board.
Cloud-based services introduce risk into an organization, but at the same time offer industry-leading security services in either full cloud or hybrid models. Firms that adopt cloud-based security report lower risk and higher management and scalability capabilities.
METHODOLOGY
This report highlights responses from more than 1,250 senior executives, management and security practitioners located in the United States, Canada and the United Kingdom. Those surveyed predominantly hold titles of vice president of IT, CIO, CISO/CSO, CFO and CEO, and are responsible for direct buying decisions. This primary research was conducted by FastForward Strategix Research in June 2018.
Cybersecurity FutureWatch 2018, © eSentire, October 2018
KEY DRIVERS
KEY FINDINGS
• 60 percent of firms believe an attack will hit in the next few years.
• 77 percent of CEOs and boards are optimistic in their firm’s ability to cope with a breach, but only 33 percent are confident that high-value assets are adequately protected.
• Fiduciary line of sight to security is at an all-time high with over half of boards familiar with security spend, strategy and cyber risks.
• 60 percent of firms rank operational disruption as the top concern, well above the 43 percent who indicate a significant security event as a top concern.
While the adoption of emerging technology can provide a competitive advantage, deploying newer technologies
introduces significant business risk. These emerging technologies, such as cloud, IoT and artificial intelligence,
constantly evolve, and place a double burden on the IT department. The IT department is also held accountable for
business disruption due to an expanded threat surface resulting from these new technologies, and to increasingly
sophisticated and creative attacks.
EMERGING TECHNOLOGIES POSE THE LARGEST SECURITY RISK
The majority of organizations actively adopt emerging technologies, with cloud leading the charge (72 percent), followed by mobile applications (53 percent), big data analytics (52 percent), IoT/IIoT (49 percent) and artificial intelligence (44 percent).
While cloud services top the adoption chart, the overall risk posed by cloud over the next three years drops by nearly 20 percent, whereas the risks posed by the adoption of artificial intelligence double over the next three years, and IoT/IIoT risks also rise nearly 30 percent. With cloud now in its second decade, companies are adopting more mature and proven methodologies to secure cloud. This is not the case with IoT, where the adoption curve is outpacing the development of suitable security practices and solutions.
Figure: Cloud leads technology adoption over the next six months (categories: Cloud, Mobile Apps, Big Data, Social Media, IoT / IIoT, AI, BYOD).
Figure: Which technologies pose the greatest risk today and in three years (series: Today, In 3 Years; categories: Cloud, Mobile Apps, Big Data, Social Media, IoT / IIoT, AI, BYOD).
MAJOR CYBER ATTACK: WHEN, NOT IF
Unanimously, business leaders such as the CEO, board members and
technical executives (CIO) alike predict a major cyber attack in the next
two to five years. Over 60 percent of respondents assume a major event
will occur. Interestingly, 77 percent of CEO and board respondents
consider their organization prepared for such an event. As expected,
technical leaders are approximately 20 percent more likely to predict
an attack and are 10 percent less optimistic than their business peers in
their organization’s preparedness.
CYBERSECURITY IS A BUSINESS OPERATIONS ISSUE
Operational disruption (66 percent), reputational damage and significant financial losses (54 percent) lead
regulatory penalties (40 percent) as top consequences of a major security event. This trend away from mandated
self-government to a more business integrity focus is also reflected in a shift from compliance-centric security to
newer strategies that detect active attacks, and reduce the risk of a business-altering outcome.
Results also indicate that the adage, “the CISO is the least interesting person to the board, until they are the most important person” is a thing of the past. Over half of respondents indicate their board is very familiar with the security budget (51 percent), overall strategy (57 percent), policies (58 percent), technologies (53 percent), and currently reviews security and privacy risks (51 percent). These numbers increase into the 90th percentile when considering boards that are somewhat familiar.
Moreover, line of sight from the CISO to the board is more direct. Forty-five percent of security officers
report to the board or CEO, 33 percent continue to report to the CIO and a small handful (10 percent) report to
a privacy or data officer.
THE CYBER ATTACK PREPAREDNESS PARADOX
Business leaders show a majority confidence in their ability to
manage a major security breach, yet when asked in detail about
their preparedness a quite different picture emerges. Only a third of
respondents are confident that their cybersecurity programs match
that of their peers (33 percent), that their security teams have access
to the appropriate resources (30 percent), and that the organization
is spending adequately on security (29 percent). Similar confidence
rates are associated with the organization’s ability to monitor and
report on cybersecurity programs (34 percent), confidence that
cybersecurity programs align to business objectives (33 percent), and
that high-profile assets are adequately secured (33 percent). In fact, 29
percent of respondents indicated that their high-value or high-profile
information is not adequately protected.
Figure: Executives expect and feel prepared for a major cyber attack (bars: Expect a major cyber attack in the next five years; Executives that feel prepared for a cyber attack).
Figure: Top risks of a cybersecurity event (categories: Operational Disruption, Reputational Damage, Financial Losses, Regulatory Penalties).
Figure: Reporting detailed cybersecurity preparedness (categories: Adequate Spending, Appropriate Resourcing, Match Peer Programs, Ability to Report, Align to Business Goals, Assets Are Protected).
CURRENT LANDSCAPE
KEY FINDINGS
• 64 percent of security budgets are set to rise in 2019, with only five percent predicting a reduction in spend.
• In 2017, companies spent between $110,000 and $750,000 on security.
• A 45 percent customer loyalty rating implies a majority dissatisfaction with incumbent security vendors.
• Emerging technologies pose a significant risk, with cloud-based risk leading at 72 percent.
BUYING IS STILL REACTIONARY
Regulatory requirements (41 percent) are no longer the singular driver for companies to implement security posture changes. A major technology purchase (41 percent) driven primarily by the use of emerging technology like cloud, IoT, mobile apps and artificial intelligence, is closely followed by the ever-present security event or near miss (40 percent), and budgeting cycle (40 percent). These four drivers scored nearly equal and all, with the exception of budget planning, can be seen as externalities that cause a reactionary response to a security program.
SPENDING CONTINUES TO INCREASE
Not surprisingly, 64 percent of respondents predict a year-over-year increase in security budgets, while only five percent predict a reduction. The average firm spent $1 million – $2.5 million on information technology, with one-third spending more than that. The majority of firms spend 11 – 30 percent of that budget on security, with a wide spending range between $110,000 and $750,000.
Figure: Primary drivers of new security initiatives (categories: Budget Planning / Project Prioritization, Requirement of New Client, Enterprise Risk Assessment and Action Plan, Regulatory Requirement, Major Technology Purchase, Security Event or Near Miss, Data Breach, Audit Event, M&A Event, New CEO).
Figure: Security budget predictions (panels: Expect an increase in security budget year-over-year; Average percentage of budget spent on security).
CLOUD ADOPTION LEADS THE CHARGE
On average, 72 percent of surveyed respondents are currently using cloud services or plan to deploy cloud services
in the next six months, with financial services, manufacturing and healthcare leading the adoption rate. Mobile
applications (53 percent), big data analytics (52 percent), IoT/IIoT (49 percent) and artificial intelligence (44 percent)
round out the top five. Only law firms lag in their adoption of cloud services (55 percent), equalling 24 percent less
than others on the cloud adoption journey.
Risk associated with emerging technologies becomes more concerning as adoption rates accelerate, compressing
the time in which organizations and vendors can adapt and develop appropriate security controls and deploy
protective solutions. Artificial intelligence and IoT/IIoT illustrate this growing problem. While cloud adoption is in its
second decade, AI and IoT/IIoT will likely catch up in three years. This diffusion of innovation leaves a small margin in
which to mitigate the potential risk resulting from these new technologies.
SECURITY ADOPTION PRIORITIES MIRROR EMERGING TECHNOLOGY
Cloud security adoption tops the list of priorities at 50 percent, followed closely by identity and access management
(47 percent), threat detection and response (44 percent) and endpoint detection and response (41 percent). Security
Information and Event Management (SIEM) moves beyond a compliance tool and now plays a role in the greater
detection and response portfolio.
Telecom, information technology, financial
services and manufacturing outpace other
industries on securing their cloud services (56
percent). Financial services, healthcare and
manufacturing also emphasize threat detection
and response investments (48 percent). These
industries are equally investing in identity and
access management as a response to a more
distributed workplace. Law firms are 24 percent
less likely to adopt these technologies.
Figure: Top security adoption priorities (categories: Cloud Security, Identity and Access Management, Threat Detection and Response, Endpoint Detection and Response, Security Information and Event Management).
Figure: The pace of technology adoption is increasing by 2.25 times. Diffusion of Innovation curve (Innovators 2.5%, Early Adopters 13.5%, Early Majority 34%, Late Majority 34%, Laggards 16%) for Cloud Computing, Mobile Apps, Big Data and Analytics, IoT and AI, on a time axis marked 2006, 2007, 2011, 2014, 2015 and Today, with milestones: AWS introduces S3, Apple introduces iPhone, TensorFlow released, McKinsey predicts data scientist shortage by 2018, number of mobile devices and machines exceeds world population.
BRAND IS BOTH A BLESSING AND A CURSE
When it comes to selecting an on-premises security vendor, technical capabilities (63 percent) outweighed vendor
loyalty (44 percent) or price and total cost of ownership (44 percent). The buying priorities and decision drivers
when selecting a managed security services vendor varied from this trend, where technical capabilities were
tied for third with total cost of ownership (39 percent each). In the case of MSSP contracting, brand (50 percent)
and ability to deliver full response to events, including detection, containment and resolution (50 percent)
were the key decision drivers.
Loyalty to these managed service vendors is perhaps
the most concerning finding in the report. Pre-existing
relationships accounted for one-third of purchases.
And, more than half (55 percent) of the respondents are
willing to consider switching from their primary managed
security vendor. In other words, managed security
service providers (MSSPs) can only muster a meager 45
percent customer loyalty rating. This is a disturbing number considering 90 percent of respondents use an MSSP
or plan to use some form of security service vendor within a year, and might explain the two-year downward trend
in firms basing their security programs
on a managed service provider.
The use of MSSPs to provide either prevention technology management or basic compliance reporting is
predicted to drop 24 percent collectively over the next two years. Security outsourcing in the next two years
puts emphasis on building out proactive threat hunting and predictive response capabilities, with these areas
showing a 24 percent predicted growth over the coming years. Moreover, respondents using managed services
to provide predictive response are the least likely to switch from their incumbent vendor, which implies a
higher loyalty rating.
Figure: Customer loyalty to incumbent MSSP vendors.
SECURITY MATURITY
As noted earlier in this report, respondents see a correlation between security maturity and susceptibility to risk, appetite to adopt emerging technologies, and willingness to blend contracted services to augment in-house capabilities.
KEY FINDINGS
• Firms using proactive and predictive approaches reduced their risk profile by 30 percent.
• More mature firms are faster to adopt threat detection and response, identity access management and cloud security services to support a boom in the current adoption of cloud-based services (77 percent), mobile applications (60 percent), and IoT (five percent).
• More mature firms aggressively leverage SaaS and are 35 percent more likely to adopt 100 percent cloud-based security services than firms using a device-centric model.
One way to classify this change is to think of three levels of advancement in risk management. Unlike traditional maturity models designed to codify a range of expected capabilities and practices across core functions of cybersecurity, the Disruptive Security Maturity model (DSMM) takes more of a macro view to assist companies in quickly and easily identifying their evolutionary stage of security. This is meant to assist companies in zooming out from the technology treadmill and daily activities like patch warfare to easily take stock of their maturity level.
Firms that rely solely on prevention technology and MSSPs providing device management services are more susceptible to a broad spectrum of risks. Firms that have established a proactive or predictive security model leverage threat intelligence, machine learning, and device analytics to identify never-before-seen threats and have near real-time response capabilities to reduce the risk of a business-altering event.
MOVING FROM COMPLIANCE TO BUSINESS INTEGRITY
At a macro level we have witnessed security approaches move through three distinct stages of focus: device-focused, alert-focused and threat-focused. This research shows a market transition from regulatory and compliance-driven security focused on reactionary response with tit-for-tat prevention technology, to a later stage driven by the need to maintain business integrity and continuous operations through proactive and predictive threat management.
Over 50 percent of respondents identified their primary security posture as leveraging prevention technology or device management. This number is predicted to drop to 32 percent in two years. As organizations move along the evolutionary curve, the 17 percent of respondents leveraging proactive hunting or predictive response today will more than double to 40 percent over the next two years. The trend is consistent across all industry segments with financial services and healthcare services leading the charge and law firms lagging behind.
Figure: Technology maturity today and in two years (series: Today, In 2 Years; categories: Prevention Technology, Device Management, Compliance Management, Alert Monitoring, Proactive Hunting, Predictive Response).
This trend certainly correlates with the shift in business drivers away from regulatory dominance toward business-
centric considerations such as operational disruption, reputational damage, and, of course, financial losses.
For decades the security industry focused on prevention technology designed to stop various attacks from
hitting their mark, but that approach was woefully inadequate. As devices grew in number and complexity,
and few replaced their predecessor, the demand on security teams increased in terms of patch and policy
management. This friction created the demand for outsourced management and log aggregation, and managed
security services were born. In most cases, MSSPs were more about devices and post-event aggregation of
logs and reports.
Heavily regulated industries also grappled with compliance requirements which created the first generation
of log management tools, such as SIEM. This compliance 1.0 stage advanced the industry from device-centric
thinking, to a focus on logs and alert management to satisfy external parties such as regulators and state or
federal agencies. Compliance and security overlapped to some degree, but were not synonymous.
The most recent evolutionary 2.0 stage to emerge focuses on full life-cycle threat identification and containment,
predicated on the notion that only a subset of threats are detectable by various sensors that rely on signatures,
and that the rest must be inferred through non-alert based approaches such as behavioural analytics, machine
learning and artificial intelligence. Threat-focused solutions combine rapid algorithmic analysis of extremely
large data sets with human intuition to verify machine identified threats through detailed investigation, and take
containment or disruption actions as required.
SECURITY SERVICES DRIVE MATURITY
Mature firms are more aggressive in their use of outsourced security services to deliver best available security
approaches and augment in-house capabilities. Over 50 percent of organizations self-identified as predictive
are moving to cloud-based or hosted security offerings over the next three years. Moreover, outsourced
security adoption is strongest for proactive hunting and predictive response services such as managed
detection and response.
These firms are also more apt to adopt emerging security technologies such as endpoint, threat detection and
response, identity access management, and cloud security. Moreover, more mature firms aggressively leverage
SaaS and are 35 percent more likely to adopt 100 percent cloud-based security services than firms using a
device-centric model. Outsourcing is a palatable alternative to recruiting and retaining threat hunting talent from
a pool that cannot support the growing demand.
RISK REVIEW
KEY FINDINGS
• Only 30 percent of respondents are confident that their business will not suffer a major security event in the coming five years.
• Over 50 percent of organizations are struggling to show value to senior management and meet internal and regulatory requirements.
• Firms using proactive and predictive approaches reduced their risk profile by 30 percent.
Almost half of the respondents (48 percent) assume a major event will occur in the next two years and only 30 percent are confident that their business will not suffer a major security event in the coming five years. Yet spend and corporate line of sight to security predict a growth trend over the next few years. In short, spending alone cannot eliminate external and internal risks to the business.
MALWARE AND MANAGEMENT COMPLEXITY ARE TOP RISKS
Unknown malware attacks are the top risk to the organization (55 percent), followed by non malware-based attacks, managing malware-borne attacks (52 percent) and insider risks, either malicious or non-malicious (49 percent).
The majority of organizations are struggling to show the value of IT security spend to senior management (55 percent), including status reporting difficulties (53 percent). Over 50 percent struggle to manage third-party vendors. The complexity of aligning to risk management (52 percent) and the growing complexity of regulatory compliance (47 percent) round out top risk concerns.
LESS MATURE FIRMS ARE MORE SUSCEPTIBLE TO RISK
Firms that rely on prevention device-centric approaches report they are more susceptible to cyber risks. Unknown and known malware attacks caused operational disruption in over 60 percent of firms, and financial losses in over 55 percent of firms. Firms using proactive and predictive approaches reduced their risk profile by 30 percent. Interestingly, more mature firms have less issue with risk when it comes to external attacks and internal management complexity. For example, firms deploying threat hunting and predictive technologies reduce the risks associated with malware and non-malware attacks by 26 percent. Moreover, they report 50 percent less risk associated with security status reporting, demonstrating value to senior management (38 percent), a halving of risks associated with third-party vendors, and 37 percent reduction in risk associated with aligning to risk management efforts and remaining compliant with regulators. (See graph on the following page.)
Figure: Top challenges managing cyber complexity (categories: Non Malware-based Risks, Insider Risks, Managing IT Security Spend, Unknown Malware Risks, Reporting Program Status, Managing Third-party Vendors, Aligning to Risk Management Programs, Managing Regulatory Compliance).
The only common risk element both less mature (prevention technology only) and more mature firms (predictive)
share is their ability to bear the costs associated with a growing number of security devices.
MOST SUSCEPTIBLE TO RISK: LAW FIRMS, TRANSPORTATION AND IT
Law firms lead when it comes to risks associated with external actors and attacks, and their ability to report status,
show value and meet internal risk standards and regulatory requirements. Transportation and IT firms report higher
than average levels of risk. Financial services tend to run just below industry averages across both external attacks
and internal or industry requirements.
EMERGING TECHNOLOGIES POSE THE LARGEST SECURITY RISK
The majority of organizations adopt emerging technologies, with cloud leading the charge (72 percent), followed by
mobile applications (53 percent), big data analytics (52 percent), IoT/IIoT (49 percent) and artificial intelligence (44
percent). While cloud services top the adoption chart, the overall risk posed by cloud over the next three years drops
by nearly 20 percent, whereas the risks posed by the adoption of artificial intelligence double over the next three
years, and IoT/IIoT risks also rise nearly 30 percent.
Figure: Risk reported across emerging technologies (series: Today, In 3 Years; categories: Cloud, Mobile Apps, Big Data, Social Media, IoT / IIoT, AI, BYOD).
Figure: Risk reported by maturity stage (series: Prevention, Predictive; categories: Unknown Malware Risks, Non Malware-based Risks, Insider Risks, Managing IT Security Spend, Reporting Program Status, Managing Regulatory Compliance, Managing Third-party Vendors, Aligning to Risk Management Programs).
FUTURE VIEW
KEY FINDINGS
• Expect that traditional device-management MSSPs will attempt a shift to providing proactive hunting services.
• Cloud adoption will continue to pervade organizations and become the foundation of ERP services and a key enabler in digital transformation.
• Risk associated with artificial intelligence is set to outpace the risk associated with cloud in three years.
PIVOT TO PROACTIVE PRACTICES
With a wilting 45 percent customer loyalty rate and focus on less mature security offerings, traditional MSSPs must shift toward the mature end of the evolutionary path to include proactive threat hunting and predictive technologies such as machine learning. The adoption of device and alert management will drop by 24 percent over the next two years, while proactive hunting and predictive services will grow by the same amount in this period. This will create a crisis of faith for MSSPs welded to commodity alert management offerings. These vendors will attempt to shift to full life cycle threat management, which will not align to their traditional a la carte approaches.
CLOUD AS THE BASIS OF SECURITY SERVICES
The majority of firms have deployed and will continue to expand at least hybrid cloud security services, if not full cloud deployments. Today, only 15 percent of respondents manage a pure on-premises security stack, and this level remains consistent for the coming three years. Aside from this laggard group, the strong majority will deploy hybrid (49 percent) or pure cloud security stacks (36 percent).
CLOUD ADOPTION EXPANDING TO ERP
Along with mobile applications, big data analytics, IoT/IIoT, and artificial intelligence, cloud will continue to dominate technology adoption over the coming few years. Unlike other technology, cloud has the greatest propensity to expand beyond application-level services to offer a foundation for enterprise-wide systems. Today, 52 percent of respondents have deployed cloud for software-as-a-service, whereas only 37 percent have deployed cloud-based infrastructure-as-a-service and 34 percent have deployed platform-as-a-service. Within twelve months, infrastructure-as-a-service and platform-as-a-service will rival software-as-a-service cloud deployments at around 95 percent adoption, creating a panacea adoption with no corner of a modern ecosystem not connected to the cloud.
ARTIFICIAL INTELLIGENCE IS TOMORROW’S SECURITY HEADACHE
While today cloud-based services top the risk list, artificial intelligence will rank number one in three years. This is
true across all industries, with the exception of manufacturing. This is likely the result of two factors. The first is the
continued adoption, familiarity and integration of cloud services, which brings a greater sense of trust and comfort,
and the assumption that cloud security will harden over time. The second is that artificial intelligence will grow in
applications across legal services for monotonous activities such as contract creation and interpretation, high-
performance trading in buy-side financial funds, flow management in transportation, and detection or diagnosis in
medical practices. It’s less understood how pervasive artificial intelligence will become and where it will take hold
within specific industries. As artificial intelligence is a nebulous offering today, as an industry we are less confident
in identifying the risk scenarios, let alone developing mitigation strategies and regulatory boundaries.
COMPLIANCE 3.0: CLIENT-DRIVEN REQUIREMENTS
Organizations are moving from a compliance 1.0 model based on meeting prescriptive regulations reporting toward
a more business operations 2.0 model, where preserving brand, protecting operations, and avoiding financial
losses are the drivers. In most cases, these forces outpaced customer requirements in most buying scenarios. In
the future, organizations will likely move to a compliance 3.0 mode, driven by a focus on the client. In this state,
brand and reputation will form the barometer by which a company’s security performance is ultimately measured.
Protecting the client will mean, by extension, protecting their data and services, avoiding operational disruption and
resulting financial losses.
METHODOLOGY
eSentire engaged an independent analytics firm (FastForward Strategix) to conduct an online survey of 1,250 security and information technology executives, in varying organizations and core industry segments in the U.S., Canada and the United Kingdom. Respondents provided independent responses to questions about budget, reporting structure, board awareness, adoption of security technology, adoption of IT services, external risks, and regulatory concerns.
We make no claims that the findings of this report are representative of all organizations at all times; however, results are fairly consistent across the sample set and we consider many of the findings appropriate for generalizations.
KEY FINDINGS
• Respondents: 1,250 directors, vice president of information security or technology, CTO, CIO, CFO, CEO and board members.
• Countries: United States: 60 percent / Canada: 20 percent / United Kingdom: 20 percent.
• Company size: <1,000: 34 percent / 1,000-5,000: 38 percent / >5,000: 28 percent.
• Key Industries: Financial Services 14 percent, Healthcare 14 percent, Legal Services 13 percent, Manufacturing 14 percent, Transportation 13 percent, Telecommunications 15 percent, IT 15 percent.
• Influence: Decision Maker: 40 percent / Financial Approver: 13 percent / Buying Process Lead: 24 percent / Internal Stakeholder: 19 percent / P&L Owner: 4 percent.
eSentire is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe
from constantly evolving cyberattacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC),
staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before
they become business-disrupting events. Protecting more than $6 trillion in corporate assets, eSentire absorbs the
complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory
requirements. For more information, visit www.eSentire.com and follow @eSentire.