Jonathan Raymond: 2010 Rotman-TELUS Study - AtlSecCon 2011

Jonathan Raymond, TELUS Security Solutions

Page 1

Page 2

Why a Rotman-TELUS Study?

Why Canada?

Canada has its own security culture. Decisions should be made using our own experiences

Why Rotman?

Security is a business issue; Rotman is a business thought leader

Why TELUS?

We continue in our commitment to security research through TELUS Security Labs


Page 3

Why this study matters

The study answers key questions like:

What’s happening to my peers?

What issues should I be concerned about?

How do I compare to top performers?

What best practices should we adopt?

What does “secure enough” look like?


Page 4

Study enhancements

Focused questions

Explored topics that were likely to change year-on-year

Focus on funding and staffing “post recession”

Examined concerns around social media, virtualization, cloud computing and mobile devices

Looked at the impact of outsourcing on security effectiveness

Consolidated questions to improve response rates


Page 5

The threat landscape continues to grow

Breaches have grown 29% from 2009

Getting better at keeping out malware

Breach costs are down by 78%

[Chart: values 0 to 16 by year (2010, 2009, 2008)]

Page 6

TELUS Security Labs

www.telussecuritylabs.com

30 researchers, $3M budget

Security threat research and outsourced development for security product vendors

Primary customers are 45 of the world’s leading security product vendors


Page 7

$$$: Financial malware has started looking beyond Internet Explorer to steal credentials.

Code Reuse: Master Boot Record (MBR) infector rootkits are making a comeback, and those already present are also infecting newer architectures such as IA-64 (Zimuse, Alureon/Tidserv, Mebratix, Yonsole).

We think that with HTML5, exploit attacks will increase in 2011.

Look out for PDF attachments to email!

Page 8

Attacks are more focused

Getting better at keeping out malware and common attacks (21% drop)

Breach costs are down by 78%

Attackers are apparently becoming less opportunistic

Top Breach Types

1. Malware and spam

2. Device theft

3. Phishing

4. Unauthorized access to information by employees

5. Bots within the organization / Denial of Service attacks

Page 9

Insiders continue to be a problem

1 in 3 breaches originates internally

• Accidental or innocent

• Deliberate and malicious

• Device theft or loss


Page 10

Data loss and compliance top of mind

Contracts are an effective mechanism for managing third party security compliance

Publicly traded organizations more concerned about new technology, less concerned about user accountability

Ranked Concerns

1. Loss of sensitive data

2. Compliance with regulations

3. Managing security of new technologies

4. User understanding and accountability of access

5. Managing business partner risks

Page 11

A pattern of under investment

Budgets cut on average by 10% in 2009

Less investment in 2010 with average budgets moving to 6.5% of the IT budget

Use of outsourcing has increased

[Chart: security budget as a percentage of the IT budget (bands from < 1% to 25% plus), share of respondents 0% to 30%, by sector: Government, Private, Public; Average and Optimal markers]

Page 12

Security leadership in demand

[Chart: salaries ($70,000 to $150,000) for CIO, CSO and Director roles, 2010 vs 2009]

The business is increasingly directing how security risks should be managed

Half of respondents have 10+ years of experience

Most top earners had 6+ years in IT security

Page 13

Watch for security employee satisfaction

Managers and below are seeing slight salary reductions

Individual security professionals are tasked with more

Team sizes have shrunk

As the economy recovers staff retention will be an issue

[Chart: salaries ($70,000 to $110,000) for Manager, Security Analyst and System Admin roles, 2010 vs 2009]

Page 14

A note of caution

Reduced budgets and increased security workloads are laying the ground for long-term erosion of our security posture

Page 15

Outsourcing and Security Incidents

Outsourcing appears to have no significant negative impact on an organization’s security incident rate

• Consistent with the 2009 study, no correlation between breach rates and the decision whether or not to outsource could be found.


Page 16

Secure development practices are lagging

No significant increase in the number of companies using secure development practices

1 in 4 respondents just assume secure development will happen

A concern as respondents are reporting more data centric attacks

However, those that already include security in their development practices are increasing their investment

• Twice as likely to adopt preventative practices

• ~90% test their system security


Page 17

The company that owns the Nasdaq Stock Market confirmed over the weekend that its computer network had been broken into, specifically a service that lets leaders of companies, including board members, securely share confidential documents.

Wall St Journal 7 Feb 2011

Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva's Hacker Intelligence Initiative (HII). The list includes defence, state and university sites in Europe and the US that have been hacked exploiting SQL injection vulnerabilities, the researchers said. Administrator access to these sites is being sold at $55 to $499 each, said Noa Bar Yosef, senior security strategist at Imperva. In some cases, hackers are selling personally identifiable information (PII) from infiltrated sites at $20 for 1,000 records.

Computer Weekly 24 Jan 2011

Page 18

Invest in prevention

Top 5 Initiatives

1. Integration of security into development

2. Business partner security policy compliance

3. Business partner privacy policy compliance

4. Creating a vulnerability management process

5. Developing a security policy

Top 5 Technologies

1. SSL VPN

2. Firewalls

3. IPSEC based VPN

4. Anti-Virus

5. Email Security (anti-spam, anti-malware)

Page 19

Challenge of new technologies

Organizations that block social media experienced marginally more breaches than those that allow it

The dilemma of smart phones: how to secure them without making them dumb phones

Page 20

Complexity undermines initiatives

Complex technologies, such as encryption, are failing to deliver value

Technology integrators are not addressing requirements management

Lowest ranked technologies

20. Security Information & Event Management (SIEM)

21. Data Leakage Prevention

22. Application Security Assessment Tools (web/code)

23. Database Encryption

24. Email Encryption

Page 21

The obligatory cloud slide

2009 Concerns

1. Data location

2. Outside the business

3. Multi-tenancy

4. Ability to audit

5. Remove data from the cloud

6. Difficult to perform forensics

7. Availability

2010 Concerns

1. Malicious control of the hypervisor

2. Keeping VM images patched

3. Shared resource dependencies

4. Monitoring inter-VM communications

5. No visibility into host system security

Page 22

The key concerns of government

1. Disclosure or loss of sensitive information

2. Compliance

3. User accountability

4. Security risks from new technology

5. Managing risks from third parties

NB: these logos do not represent response rates to this survey

Page 23

Top performers

Building capabilities to manage the vulnerability lifecycle from start to finish

Investing in senior leadership

Integrating security into their development lifecycle

And our advice from 2008 and 2009 still holds true today

Invest in the right level of staff and give them authority

Focus on training for IT, business and external partners

If you don’t plan on enforcing a security policy be prepared for breaches


Page 24

telus.com/securitystudy

Available online

[email protected]

(+1) 416 882 7683