One of the most important parts of cybersecurity is knowing what your company’s biggest assets and threats are, and allocating resources accordingly. A certain amount of that will be exclusive to your company – for truly effective (and efficient) cybersecurity, precise tailoring is crucial. At the same time though, knowing which threats are most prevalent in your industry, and what your industry peers are prioritising, can be a solid foundation.
We published the ‘Who Secures The UAE’ report’s findings on the finance sector separately, due to both the high number of responses and the industry’s maturity when it comes to information security. However, we also thought it would be useful and interesting to see how other industries compared. Therefore, this post features a breakdown of our findings by industry, and an analysis of the trends.
Banking/Finance
The full analysis of our financial sector findings can be found here. For purposes of comparison with findings from other sectors, however, some of the main points were:
- Large information security teams: almost half said that their team had more than 5 members, compared to just over a quarter in other sectors.
- More likely to say the CISO’s risk knowledge was appreciated by the board – over 1/3 said it was fully appreciated, compared to 1/5 in other sectors. Only 3% in the banking industry did not think it was appreciated, compared to 20% of participants in other sectors.
- More likely to say they had enough board support – 72% of participants said they received mostly or completely sufficient support, compared to 56% of participants in other sectors.
- Top priorities in a solution: ‘ease of implementation’, ‘integration with existing systems’, ‘reputation / client testimonials’.
- Best fit for priorities: Fortinet.
- Solution provider most mentioned overall: Cisco.
- Security area with most votes: Network security.
- Security area with fewest votes: IoT security.
Oil/Gas
- Information security teams tend to be larger: most common size is 3-5 members, but 29% report teams of more than 10 members.
- Highly experienced: 63% say they have worked in cybersecurity for over a decade, compared to 26% of participants overall.
- However, they are less likely than average to say that CISOs’ knowledge of operational risk is fully appreciated by the board – only 13% believe this to be the case, compared to 25% of all participants.
- Top priorities in a solution: ‘quality of customer support’, ‘integration with existing systems’, ‘reputation / client testimonials’.
- Solution provider to best fit priorities: McAfee.
- Solution provider most mentioned overall: McAfee.
- Security areas with most votes: Network security, endpoint security.
- Security areas with fewest votes: IoT security, payment security, identity and access management.
Government
- Large information security teams: while the most common size reported is 1-2 members, which is consistent with our findings in the region, 23% said their information security team had 21+ members, compared to 8% of participants from other sectors.
- More likely to say the CISO’s knowledge of operational risk is fully appreciated – 36%, compared to 24% of participants in other sectors.
- More likely than participants from other sectors to say that they receive completely sufficient board support (21%, compared to 15%).
- Almost two thirds think that prices in the solution provider ecosystem are inflated.
- Top priorities in a solution: ‘quality of customer support’, ‘speed of response to new developments’, and ‘integration with existing systems’.
- Two thirds would not be willing to use an MSSP, compared to a roughly 50:50 split among participants overall. This is likely to be because using an MSSP, many if not all of which rely on cloud storage of data, could result in sensitive information being transmitted outside the UAE, which is forbidden under certain government information security policies.
- Solution provider to best fit priorities: Cisco.
- Solution provider most mentioned overall: Cisco.
- Security area with most votes: Email/messaging security.
- Security areas with fewest votes: Payment security, IoT security.
Education
- A much higher than average proportion of ‘0 member teams’, perhaps meaning that information security is considered just one of many IT functions, or that it’s outsourced. However, the sector also has a higher than average percentage of 6-10 and 11-20 member teams (36% and 9% respectively, compared to 17% and 4% in other sectors). This suggests that there is still a lot of disparity between how invested institutions are in cybersecurity.
- The split in team size is reflected by a split in participants’ roles. Two fifths described their position as ‘IT Director’ or equivalent, while only half as many said they worked exclusively in information security. Only 10% identified themselves as CISOs. However, 73% of participants said they had been working in cybersecurity for five years or more – 27% said they had over a decade’s experience. Combined with the above point, this suggests that though cybersecurity is a serious concern, it’s considered just one of the IT department’s many responsibilities.
- Significantly less likely to think that the CISO’s knowledge of operational risk is appreciated by the board. 27% said that it was ‘somewhat’ appreciated, and only 9% said that it was fully appreciated. That’s compared to 41% and 27%, respectively, in other sectors.
- Vastly more likely than other participants to report insufficient board-level support – over half of education sector participants say they do not receive as much support as they need, compared to 1/4 of participants in other industries.
- Half report that security solutions available on the market are overpriced and ineffective.
- 80% said they would prefer to use an MSSP, compared to 43% of participants from other sectors.
- Best fit for priorities: Cisco.
- Solution provider most mentioned overall: Cisco.
Retail
- Although participants reported their companies were larger than average in terms of employee count (all had over 500 employees, and half had more than 5000), and retail companies hold large amounts of customer data, information security teams were small. No participant from this sector reported a team of more than 5 members.
- 63% said that the board appreciated the CISO’s knowledge of operational risk, and 88% said that they mostly had enough board support to effectively safeguard the company’s assets. However, none said that the support they received was completely sufficient.
- The number one problem participants in this sector reported concerning cybersecurity solutions was a lack of transparency.
- Top priorities in a solution: ‘quality of customer support’, ‘integration with existing systems’, ‘speed of response to new developments’.
- Solution provider to best fit priorities: Palo Alto Networks.
- Solution provider most mentioned overall: Palo Alto Networks.
Travel/Hospitality
- Typical information security team has 3-5 members; no participants reported more than 10 information security staff.
- 83% of participants described themselves as IT Director or an equivalent title, rather than CISO. However, 67% said they had worked in cybersecurity for 5 years or longer.
- 60% said they felt CISOs’ knowledge of operational risk was at least somewhat appreciated by the board.
- Almost two thirds said they had mostly sufficient board support, though 20% said they did not have as much as needed.
- Top priorities in a solution: ‘speed of response to new developments’, ‘quality of customer support’.
- Four fifths said they would prefer to use an MSSP, compared to 46% of participants from other sectors.
- Solution provider to best fit priorities: Fortinet.
- Solution provider most mentioned overall: Fortinet.
Healthcare/Pharmaceuticals
- Typical information security team has 3-5 members; no participant reported an information security team larger than 10 people.
- Fairly good level of board appreciation for CISO’s risk knowledge – 57% said it was ‘somewhat’ appreciated, and 14% said it was fully appreciated.
- More likely than average to say their board support is completely sufficient – 29% reported this to be the case, compared with 15% in other sectors. However, the same proportion said they did not receive as much support as needed, which is worrying in the health sector, where the consequences of a cyberattack could be lethal.
- Two fifths of participants from this sector reported that inflated prices and lack of transparency are major problems with the cybersecurity solutions market.
- Health sector participants were far more likely than others to prioritise scalability when choosing a security solution – 40% said it was among their top three priorities, compared to just 14% of participants from other sectors.
- When asked which solutions provider best fit their priorities, participants from the healthcare sector answered ‘none’.
- However, in response to questions about specific areas of security, the most mentioned provider was Gulf Business Machines (GBM). Forcepoint and Darktrace also received multiple votes from participants in this sector.
Trading/Manufacturing
- Two thirds of participants said their company’s information security team had just one or two members.
- 14% said they don’t think CISOs’ knowledge about operational risk is appreciated by the board at all. However, the majority (71%) said that it is at least somewhat appreciated.
- 33% said they do not have enough board support to effectively safeguard against the threats their company faces.
- Most said they would prefer to use an MSSP, though a slight majority of participants overall said they would not.
- Top priorities in a solution: ‘quality of customer support’, ‘reputation / client testimonials’.
- Solution provider to best fit priorities: IBM / Palo Alto Networks (tie).
- Solution provider most mentioned overall: Symantec.
- Security areas with most votes: endpoint security, email/messaging security.
- Security area with fewest votes: cybersecurity training.
We also had participants from a range of other industries, including construction, electronics/telecommunications, agriculture, media, real estate and more. However, trying to establish industry trends for these based on a very limited pool of responses would be misleading, so we have not included the results here. Hopefully in future years we will see more responses from sectors such as these, which will allow us to provide further useful information.