The purpose of this research is to understand what affects an organization’s security technology investment decision-making. Sponsored by Intel, Ponemon Institute surveyed 1,875 individuals in the US, UK, EMEA and Latin America who are involved in securing or overseeing the security of their organization’s information systems or IT infrastructure. In addition, they are familiar with their organization’s purchase of IT security technologies and services. The full report is available from Intel (see the link at the end of this summary).
A key finding from this research is the importance of technology providers being transparent and proactive in helping organizations manage their cybersecurity risks. Seventy-three percent of respondents say their organizations are more likely to purchase technologies and services from companies that are finding, mitigating and communicating security vulnerabilities proactively. Sixty-six percent of respondents say it is very important for their technology provider to have the capability to adapt to the changing threat landscape. Yet 54 percent of respondents say their technology providers don’t offer this capability.
“Security doesn’t just happen. If you are not finding vulnerabilities, then you are not looking hard enough,” said Suzy Greenberg, vice president, Intel Product Assurance and Security. “Intel takes a transparent approach to security assurance to empower customers and deliver product innovations that build defenses at the foundation, protect workloads and improve software resilience. This intersection between innovation and security is what builds trust with our customers and partners.”
Key findings from the study include:
- Seventy-three percent of respondents say their organization is more likely to purchase technologies and services from technology providers that are proactive about finding, mitigating and communicating security vulnerabilities. Forty-eight percent say their technology providers don’t offer this capability.
- Seventy-six percent of respondents say it is highly important that their technology provider offer hardware-assisted capabilities to mitigate software exploits.
- Sixty-four percent of respondents say it is highly important for their technology provider to be transparent about available security updates and mitigations. Forty-seven percent say their technology provider doesn’t provide this transparency.
- Seventy-four percent of respondents say it is highly important for their technology provider to apply ethical hacking practices to proactively identify and address vulnerabilities in its own products.
- Seventy-one percent of respondents say it is highly important for technology providers to offer ongoing security assurance and evidence that the components are operating in a known and trusted state.
Part 2. The characteristics of the ideal technology provider
The characteristics are broken down into three categories: security assurance, innovation and adoption. The characteristics listed below are the ones respondents rate as most important, paired with whether their current technology provider actually has that capability. As the figures show, there is a significant gap between the importance respondents assign to each feature and the share of providers that deliver it.
The ability to identify vulnerabilities in its own products and mitigate them. Sixty-six percent say this is highly important. Only 46 percent of respondents say their current technology provider has this capability.
The ability to be transparent about security updates and mitigations that are available. Sixty-four percent of respondents say this is highly important. Less than half (48 percent) of respondents say their technology providers have this capability.
The ability to offer ongoing security assurance and evidence that the components are operating in a known and trusted state. Seventy-one percent say this is highly important.
The ability to apply ethical hacking practices to proactively identify and address vulnerabilities in its own products. Seventy-four percent of respondents believe this is highly important.
Protecting distributed workloads, data in use and hardware-assisted capabilities to defend against software exploits are highly important. The protection of customer data from insider threats is considered highly important by 79 percent of respondents. Organizations prioritize protecting data in use over data in transit and data at rest. Similarly, 76 percent of respondents say hardware-assisted capabilities to defend against software exploits and 72 percent of respondents say protecting distributed workloads are highly important.
Interoperability issues and installation costs are the primary influencers when making investments in technologies. The top five factors that influence the deployment of security technologies are interoperability issues (63 percent of respondents), installation costs (58 percent of respondents), system complexity issues (57 percent of respondents), vendor support issues (55 percent of respondents) and scalability issues (53 percent of respondents).
As part of their decision-making process, organizations are measuring the economic benefits of security technologies deployed by their organizations. Forty-seven percent of respondents use metrics to understand the value of their technologies. The measures most often used are ROI (58 percent of respondents), the decrease in false positive rates (48 percent of respondents) and the total cost of ownership (46 percent of respondents).
Organizations are at risk because of the inability to quickly address vulnerabilities. The study identifies improving the ability to quickly address vulnerabilities as a top goal of the IT function. Yet 36 percent of respondents say they only scan for vulnerabilities every month or more than once a month.
While 30 percent of respondents say their organizations can patch critical or high priority vulnerabilities in a week or less, on average, it takes almost six weeks to patch a vulnerability once it is detected. The delays in patching are mainly caused by human error (63 percent of respondents), the inability to take critical applications and systems off-line in order to patch quickly (58 percent of respondents) and not having a common view of applications and assets across security and IT teams (52 percent of respondents).
Organizations’ IT budgets are not sufficient to support a strong security posture. Eighty-six percent of respondents say their IT budget is only adequate (45 percent of respondents) or less than adequate (41 percent of respondents). Fifty-three percent of respondents say the IT security budget is part of the overall IT budget.
Responsibility for security is still uncertain across organizations. Twenty-one percent of respondents say the security leader (CISO) should be responsible for IT security objectives, while 19 percent believe the CIO/CTO and 17 percent think the business unit leader should be responsible. With no role favored by even a quarter of respondents, accountability for IT security objectives remains unsettled.
To read the rest of this study, visit Intel’s website at https://newsroom.intel.com/wp-content/uploads/sites/11/2021/03/2021-intel-poneman-study.pdf (PDF)