The State of
Cybersecurity in Florida
2 | The State of Cybersecurity in Florida thefc2.org
TABLE OF CONTENTS
3 Executive Summary
4 Introduction
6 The Current Landscape
Threats
6 Forces Shaping the Threat Landscape
7 Methods of Exploitation
9 Targets
10 Key Industrial Sectors
12 The Economic Impact of Cybersecurity
14 The Cost of Information Protection
15 Estimated Costs to Mitigate Risks
16 Florida’s Cyber Workforce
21 Training and Education
22 Cybersecurity Applied Research
25 Survey Results
25 Security Maturity in the State of Florida
Primer on Security Maturity
27 The Current State of Security Maturity
28 Change and Configuration
29 Application Security
30 Service Continuity
32 Data Security
35 Security Analytics
36 Governance, Risk, and Compliance
38 Network Security
40 Physical Security
42 Vulnerability Management
45 Mobile Security
46 Identity and Access Management
48 Endpoint Security
50 The Future of Cybersecurity in Florida
51 Endnotes
Executive Summary
The Florida Center for Cybersecurity (FC2) at the University of South Florida (USF) worked with Gartner Consulting to review and analyze the current cybersecurity landscape in Florida. Gartner leveraged an online survey, interviews, benchmark data, independent research and Florida-specific assessment information to develop insight into Florida’s evolving security landscape.
This comprehensive study has revealed the following critical security trends for the state of Florida:
• Cybercrime will continue to increase due to Florida’s robust economic landscape;
• Digital business and technological innovations will continue to challenge existing security approaches for the foreseeable future;
• Florida’s senior, less cyber-savvy citizens are more likely to be victimized by cybercriminals and related fraud;
• A long-term lack of security investment and an emphasis on compliance versus security place Florida slightly behind other states in security maturity;
• The scarcity of trained cybersecurity professionals and increasing wages have resulted in a negative security-specific unemployment rate in Florida and nationwide.
The state’s positive economic outlook and abundance of data-driven systems make it an attractive target for cybercrime. Florida is currently third in the nation for cybercrime incidents, victims, and losses reported to the FBI. Cybersecurity will continue to shape the agenda in the IT services market because the convergence of the Internet of Things—linking people, computers, and things together—with the transformation of enterprises into digital businesses has increased the risk of damage caused by security breaches and lapses. As a result, the requirements for large-scale, real-time adaptive protection, safety, and privacy at the digital and physical levels among enterprises and governments continue to accelerate the drive for new cybersecurity skills, practices, and technologies. Specific to Florida is the added risk associated with the higher-than-average elderly demographic, who are more likely to be victimized when they interact with the digital world, and are more frequently targeted. Leveraging Gartner’s Security Reference Architecture, Gartner was able to conduct a high-level security resiliency evaluation of the organizations that participated in the survey, assessments, and interviews to establish a snapshot of the current state. When compared to Gartner’s data-rich security benchmark database, Florida is trailing the rest of the United States in cybersecurity maturity. From additional interviews and discussions, we have surmised that the lag is due to a period of insufficient investment in security capabilities and resources. However, federal and state legislative actions in 2013/2014 have driven a growing adoption of best practices across the state, and the number of initiatives documented as being “in progress,” when completed, will align the state with the rest of the country. Continued cybersecurity investment will be needed to remain in alignment and keep pace with digital business and technological evolution. Real-time resource challenges, however, could potentially hinder progress. The demand for cybersecurity professionals is currently outpacing the supply. At the close of 2017, CyberSeek, a nonprofit provider of cybersecurity job market data, noted a national shortage of more than 285,000 skilled workers in this space, with more than 12,600 openings in Florida, and the consensus across the industry is that the gap will continue to grow. Additionally, the Florida Department of Economic Opportunity is estimating additional growth of more than 17% by 2024 across all cybersecurity-related positions. Florida is well positioned to develop a strong workforce, with nearly 100 cybersecurity certificate and degree programs offered by institutions of higher education across the state. Florida currently ranks 6th in the nation for cybersecurity applied research grant funding by the National Science Foundation, and recent investments by higher education institutions in state-of-the-art facilities and labs as well as the hiring of recognized faculty and expert staff should result in additional future awards.
Finally, several recent initiatives by the state show significant progress toward making Florida’s cyberspace a safer place. The passage of the Florida Information Protection Act of 2014 (Florida Statute 501-171) provides unprecedented transparency into cyber-related issues across the state. The formation of institutes, task forces, and centers, such as FC2 and the Agency for State Technology (AST), are providing a much-needed cybersecurity focus. The establishment of the Florida Cybersecurity Standards (Rule 74-2) combined with the integration of the Domestic Security Oversight Council, the Regional Domestic Security Task Forces, and the State Working Group on Domestic Preparedness evidence Florida’s ongoing commitment to becoming a national leader in cybersecurity.
The mission of the Florida Center for Cybersecurity (FC2) at the University of South Florida (USF) is to position Florida as a national leader in cybersecurity through education; innovative, interdisciplinary research; and community engagement. In support of that mission, this report provides a comprehensive, current view of the state of cybersecurity in Florida to serve as a shared, credible resource for Florida policymakers, industry, academia, and others. By assessing the current state and identifying gaps and opportunities, this report provides a common reference for all stakeholders and empowers readers to identify the actions they can take to help advance Florida’s leadership in this subject of national and global importance. Achieving and maintaining a position as a national leader in cybersecurity requires effective collaboration between Florida’s government, academia, and the private sector. The audience for this report includes:
• Policymakers in Florida’s executive and legislative branches;
• Academic leaders seeking to develop programs to build the state’s skilled cybersecurity workforce;
• Researchers looking for cybersecurity-related study topics that will fill existing gaps and help advance Florida’s position as a national leader;
• Private-sector leaders looking for business and investment opportunities; and
• Leaders in all areas, public and private, who seek to improve the cybersecurity of their enterprises.
Defining Our Terms
The survey focused on the preparedness and resiliency of Florida’s businesses and other organizations against corporate data breach. A data breach is the intentional or unintentional release of secure information to untrusted actors. Data breaches typically involve protected health information (PHI), personally identifiable information (PII), or intellectual property and trade secrets. Breaches are caused by either concerted attacks by bad (malicious) actors or by inappropriate or careless handling of data, computer equipment, or data storage media, often unintentionally perpetrated by an organizational employee or third-party vendor.
Figure 1 Survey Data: Response by Sector
The largest response was from government institutions with a 37% response rate. However, the data indicates that the majority are local government institutions, not state government respondents.
Data Gathering and Demographics
FC2 engaged Gartner Consulting (Gartner), the consulting arm of Gartner, Inc., a global provider of Information Technology (IT) research and advisory services to assist with the research and development of this report. Gartner embarked on six weeks of data collection and three weeks of analysis, gathering information from the following sources:
• A survey developed by FC2 and Gartner and sent to a variety of stakeholders in government, academia, and business
• Interviews conducted by Gartner with leaders in government, academia, and industry
• Industry reports, benchmarking data, and current studies and research on cybersecurity
• Gartner and other independent research
Gartner distributed the Gartner FC2 2017 State of Cybersecurity in Florida Survey to 2,253 opted-in members of (ISC)2, a global nonprofit membership association for information security leaders.
Figure 1 sector categories: Government; Healthcare Services; Information Technology; Real Estate; Financial Services and Insurance; Education/Educational Services; Retail Trade; Manufacturing.
Figure 2 Survey Data: Response by Region
Figure 3 Survey Data: Response by Geographic Footprint
Figure 4 Survey Data: Response by Organization Size (number of employees)
Source: Gartner FC2 2017 State of Cybersecurity in Florida Survey. Response rate rounded to nearest whole number.
Threat categories (figure): Environmental threats: Natural Disasters; Unsecured Office. Human threats: Disgruntled Employees; Unassuming Employees; Hackers / Hacktivists; Malware.
The Current Landscape
Threats
It seems each week the headlines are rife with news of the latest data breach. Malicious external actors—hackers—tend to grab the most headlines with sensational acts involving celebrity photos, popular television shows, and even the presidential election. But hackers are far from the only cyber threat facing public and private organizations. The industry classifies the current cyber threat landscape into three primary categories: environmental, human, and social.
Forces Shaping the Threat Landscape
Threat categories (figure): Social threats: Picketing; Riots; Social Unrest.
Environmental Threats
Environmental threats consist of the full spectrum of non-human phenomena that can cause disclosure, delay, denial or distortion of critical information and digital resources. Environmental threats include natural disasters such as fires, floods, and earthquakes, but they can also be small-scale threats, such as a lack of temperature or humidity control in equipment spaces. Most often, environmental threats affect the availability of information and data resources, interrupting critical services at a time when they are needed most. Florida’s geography and topography make the state particularly vulnerable to weather events and flooding. A 2015 study by RealtyTrac [1] placed Florida second in the nation—behind only California with its wildfires, mudslides, and earthquakes—for risk of environmental disaster based on the state’s weather threats alone. These natural forces can quickly and suddenly impact critical infrastructure, disrupting vital public services and suspending access to basic needs such as food and water for extended periods.
Human Threats
Engineers are fond of saying that any system engineered by a human can be reverse-engineered or exploited by another human. The human threat represents the most complex and adaptive element of the threat landscape. Everything from global events to personal needs and desires motivates those who exploit public and private information resources. Human threats fall into two categories: humans who are inside the system, internal actors, and those who are outside, external actors. An internal actor may have malicious intent or may have unknowingly made a disastrous error. Most IT managers are aware of the dangers of disgruntled employees and corporate espionage; however, authorized system users, support personnel, and even developers also pose a significant internal threat. Breaches have resulted from the actions of well-meaning employees and contractors who were simply trying to do their job. In many cases, these workers employed a workaround intended to provide quicker and more efficient service. Those workarounds, however, unintentionally circumvented security controls and exposed sensitive data. The non-malicious insider is often the most overlooked threat to our critical assets and systems, despite accounting for nearly a third of breaches [2]. A decade ago, external malicious threats were mostly amateurs and researchers, blindly casting a wide net in search of a vulnerability to exploit. Today, paid professionals and teams of developers and attackers, many funded by nation-states, dominate the threat landscape. They target select victims with precision attacks, an approach that swings the technological advantage in favor of the attacker.
Social Threats
Social threats—potentially fueled by social media—are low-probability, high-impact scenarios driven by social, political, and economic tension. Political fervor in the U.S. reached a modern-day high with the 2016 presidential election, which resulted in both national and global protests. Recent investigations indicate that the seeds of unrest were, at least partly, sown by a foreign nation-state using social media to disseminate inflammatory content to both sides.
During the past year, the Department of Homeland Security notified 21 states, Florida among them, that they had been targeted by Russian hackers during the 2016 presidential election. Social threats are the most difficult to address from a risk-mitigation standpoint, as they usually stem from underlying issues that are both deep and systemic.
Methods of Exploitation
Cyber Tactics
The common exploit methods of today include many popular methods of years past, coupled with new intrusion tactics for accessing systems and delivering malicious payloads. Emerging system intrusion and detection evasion tactics have combined with recurring operational challenges such as staffing shortages to put security leaders at a disadvantage in an ever-shifting threat landscape. While organizations have become resilient at some levels, the exploit methods outlined in Figure 5 continue to pose an imminent threat to organizations working in both public and private sectors.
Figure 5 Common Exploit Methods
Ransomware: Malicious software that infects a computer and restricts access to it until a ransom is paid to unlock it. Ransomware is typically spread through phishing emails containing attachments or when a user visits an infected website.
Advanced Persistent Threat: Network attack where an unauthorized person gains access to a network and stays there undetected for a long period of time to steal information. This attack often spreads through phishing or social engineering with the intent of leveraging an authorized account to create access and spread malware.
Distributed Denial of Service (DDoS): An attack in which multiple compromised computer systems attack a target, such as a server or website, overwhelming the system and causing a failure for authorized users. An intruder exploits a vulnerability (unpatched system, weak passwords, etc.) typically to plant a bot/botnet to spread nodes used to execute the attack.
Malware: Malicious software that can run on any platform (iOS, Android, Windows). Typically spread through phishing emails that contain malicious attachments or when a user unknowingly visits an infected website.
Metamorphic and Polymorphic Malware: Malware packaged with code changers that can “change appearance” to avoid detection or eradication. Typically spread through phishing emails that contain malicious attachments or when a user unknowingly visits an infected website.
Phishing: Email or instant message intended to expose sensitive information such as usernames, passwords, credit card details and indirectly, money. Authentic-appearing email with infected links or attachments to entice users to execute the malicious code by opening attachments or accessing the site.
Despite the advent of the newer, more advanced forms of attack described in Figure 5, the simpler methods of the past are still widely active. Viruses, worms, Trojans, spyware, adware, riskware, rootkits, and spam still play a role in cyberattacks, depending on the desired target and information sought.
The Human Factor
The emergence of new, highly sophisticated forms of social engineering has yielded some of the largest, most damaging data breaches to date. Social engineering is a process in which the attacker seeks to gain an individual’s trust to manipulate him or her into voluntarily—usually unwittingly—disclosing information. Social engineering takes many forms, such as simply searching for publicly disclosed information such as one’s birthdate or address. That alone may garner perpetrators the information they need to impersonate someone online or even in person. Quizzes on social media sites often solicit facts that are also requested to confirm a person’s identity. Phishing emails are almost always designed to encourage the recipient to share personal login information or download an unknown attachment. A 2016 study by cybersecurity company PhishMe [3] revealed that 91% of cyberattacks start with a phishing email and that the top reasons people are taken in by phishing emails are curiosity, fear, and urgency. Social engineering attacks are especially insidious because they are often a prelude to the real attack. For instance, one of the largest data breaches to date, the Yahoo breach of 2013 that compromised three billion user accounts, is now attributed to foreign nation-state actors who were seeking personal information on official targets by accessing their non-official email accounts. In this case, the perpetrators looked specifically for government officials, cybersecurity experts, private equity firms, and even a Swiss Bitcoin wallet. Attackers use the wealth of personal information gathered in such a breach as fodder to craft sophisticated social engineering traps, as they have discovered it is far easier to exploit the trust of a single individual than to make a frontal assault on a network or brute-force a password. In addition to our ability to be psychologically manipulated, humans sometimes simply make mistakes. A 2016 study of small businesses by the Ponemon Institute [4] found that negligent employees, third-party mistakes, and errors were the top three causes of data breaches. Poor business practices, poorly written code, incomplete security solutions, and unaware employees can all lead to data breaches.
Figure 7 What were the root causes of the data breaches your business experienced? (More than one choice allowed.) Responses: Negligent employee or contractor; Third-party mistakes; Error in system or operating process (32%); Don’t know (27%); External (hacker) attacks (5%); Other. Source: 2016 State of Cybersecurity in Small- & Medium-Sized Businesses (Ponemon Institute).
Figure 8 Florida Information Protection Posture: What types of information are you protecting? Responses: Personally Identifiable Information (PII); Protected Health Information (PHI); Financial Information (4%); Criminal Justice Information; Organizational Reputation (8%); Other; Nothing. Percentages rounded to nearest whole number. Source: Gartner FC2 2017 State of Cybersecurity in Florida Survey.
Reports of corporate data breach in Florida increased 17.8% between 2015 and 2016 [5]. One of the largest data breaches recorded in Florida for 2016 was the theft of nearly 63,000 social security numbers and names of former and current students from the University of Central Florida [6]. Exploits, exposures, and weaknesses are becoming increasingly common. Forty-one percent of those surveyed for this report had recently suffered an incident that disrupted normal business. When asked to rank the severity of the disruption, 66% indicated the event was “moderate” in nature, while 16% rated it “high.”
2017 Cybersecurity Survey: Greatest Security Risks (figure): 18% Phishing Attacks; 15% Insider Attacks; 11% Hacking Attempts; 11% Lack of Resources; 10% User Awareness; 8% Uncontrolled Portable Devices (e.g., phones, tablets); 6% Malware brought into the environment from the outside (e.g. USB drives); 5% Web-based Malware; 5% Email-based Malware. Source: Gartner FC2 2017 State of Cybersecurity in Florida Survey.
A recent report from security vendor Gemalto [7] noted that theft of personally identifiable information (PII) was the target of choice for attackers, accounting for an astonishing 74% of breaches worldwide. The next two targets trail far behind: financial access at 13% and general account access at 6%. Target sectors included healthcare insurers and providers, government agencies, technology firms, and of course, retailers. Malicious external actors were responsible for 74% of data breaches in the study, followed by accidental loss at 18% of reported incidents. Rounding out the threat actors are malicious insiders at 8% and state-sponsored actors at less than 1%. These numbers align closely with our survey respondents’ ranking of protected information, illustrated in Figure 8.
Only 32% of respondents are confident that they are prepared for a cyberattack.
Key Industrial Sectors
Sector economic data supplied by Enterprise Florida.
In 2013, President Obama signed Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, stating that the federal government has a responsibility to secure and strengthen the resilience of the nation’s critical infrastructure. President Obama simultaneously issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called on the federal government to work with critical infrastructure owners and operators to improve information sharing and develop and implement risk-based approaches to cybersecurity. The key industrial sectors designated in Directive 21 face a common set of threats, ranging from natural and human-made disasters to domestic and foreign malicious actors intent on stealing valuable information or disrupting commerce and services. Additionally, the rapid fusion of information technology into nearly every facet of business and consumer life has created a reliance on technology for the daily operations of each sector, presenting a host of new challenges and risks, including:
• Increasing adoption of cloud computing by enterprises and consumers;
• Massive growth in mobile computing and applications (smartphones and tablets);
• Expanding awareness and deployment of the Internet of Things (IoT) and the trend in smart sensors/smart devices controlling physical systems;
• Extensive organizational acceptance of Bring Your Own Device (BYOD) in the corporate environment, eroding traditional defense perimeters;
• Increasing reliance on advanced analytics and big data;
• Ever-increasing IT operational complexity; and
• An unrelenting, global rise in the demand for IT services and products.
The following section examines areas of critical infrastructure in Florida that are not only among Florida’s leading industries but also have a particular susceptibility to cyber threats.
Defense Industrial Base/Transportation
Florida is home to 20 military installations and three unified combatant commands, and virtually every major defense contractor in the world has significant operations in Florida. The state is consistently a top-five recipient of Department of Defense contracts. Supporting this robust defense sector is one of the most extensive multi-modal transportation systems in the world, led by Florida’s unparalleled aerospace and aviation industry. Since 1950, when the first rocket launched from Cape Canaveral, Florida has been the world’s gateway to space. Likewise, the world’s first scheduled airline started in St. Petersburg, making Florida the birthplace of commercial aviation. Now, Florida is home to more than 2,100 aerospace and aviation companies that employ more than 85,000 and export more than $5.2 billion annually. Florida operates more than 100 public airports, several of which are hubs for major airlines, and is home to numerous flight schools as well. In 2016, PricewaterhouseCoopers reported that 85% of airline CEOs view cybersecurity as a significant risk, versus 61% in other industries [8]. Given that this industry regularly introduces new technologies to its operations and relies extensively on computer systems for both ground and flight operations, their concern is not unwarranted. Responsible for moving people and cargo all over the world, this industry serves both the transportation and defense critical infrastructure sectors and is an attractive target for cybercriminals who want to obtain critical, sensitive information, disrupt operations, and even endanger lives. Aerospace companies are a high-value target for foreign nation-state actors seeking intellectual property and confidential information. The commercial aviation industry, long the target of terrorist attacks, faces the unique and terrifying threat of a malicious actor accessing flight controls remotely.
Information Technology
More than 27,000 high-tech companies operate in Florida, with more than 5,000 providing IT-specific services. Additionally, a variety of businesses and organizations employ information technology professionals, making Florida #4 for high-tech employment nationally with more than 237,000 IT jobs.
Nationwide, the IT Sector has the highest job growth rate, with practically all other sectors being customers. Florida’s High Tech Corridor alone employs more than 43,000 people, generating a payroll of more than $3.4 billion annually. The IT Sector is central to the state’s security, economy, and public health and safety as businesses, governments, academia, and private citizens increasingly depend on IT functions. These virtual and distributed functions produce and provide hardware, software, and information technology systems and services, and—in collaboration with the Telecommunications Sector—the Internet. Even nontechnological industries, such as tourism, invest in IT to enhance their customer experience. Take, for example, Walt Disney World’s launch of the RFID-embedded MyMagic wristbands that allow park guests to make purchases and reservations for attractions, dining, and more with just a wave of their hand. IT is at the heart of the cybersecurity struggle—a sector providing both the problem and the solution. IT is responsible for building and maintaining systems as well as for creating solutions to protect those systems against attacks. The cybersecurity sector of IT in particular suffers from a global talent gap. CyberSeek reports that 12,641 cybersecurity job openings were posted in Florida between October 2016 and September 2017, a number that is projected to increase as more and more businesses recognize the need for in-house cyber professionals.
Financial Services
With no personal income tax and its proximity to Latin America and other global markets, Florida is an extremely business-friendly state. In fact, the state’s annual exports rival that of the entire New England region. Its in-state banking assets exceed $336 billion. If Florida were a country, it would be the world’s 18th largest global economy. These factors promote a booming financial services industry, and, indeed, Florida has the fourth-largest financial services industry and the third-largest insurance industry in the country. The very nature of the Financial Services Sector, centered on institutions that hold vast amounts of wealth, invites cyberattacks. In the first half of 2017, the financial services industry was the second-most-targeted industry for cyberattacks after healthcare [7]. The ease of digital monetary transfers and the lure of large financial gains make this sector a prime target. Fortunately, this sector has a long-standing history of monitoring exposure and mitigating risk. The Financial Services Sector was an early adopter of additional safeguards such as multifactor and biometric authentication as well as data encryption, making it a highly cyber-aware sector.
Healthcare and Public Health
With the third-largest population in the nation and the second-largest senior population, Florida devotes significant resources to healthcare. In 2015, more than 46,000 healthcare establishments employed more than 803,000 Floridians. Beyond that, Florida is a leader in the bioscience industry, which includes pharmaceutical and medical device manufacturing. Florida is home to more than 1,100 biotech companies and is ranked second in the nation for number of registered medical device manufacturing facilities by the U.S. Food and Drug Administration. Like the Financial Services Sector, the Healthcare and Public Health Sector is a prime target for cyber attacks due to the type and volume of data under its purview. Additionally, many people within the system can access this sensitive data, from doctor’s office administrators to insurance company employees, creating multiple points of vulnerability. It is not surprising, then, that the healthcare industry was the hardest hit by cyberattacks in the first half of 2017, accounting for 25% of all breaches. 2015 was a record year for healthcare data breaches, with more patient and health plan member records exposed or stolen than in the previous six years combined. 2016 took the record for greatest number of healthcare breaches, and, at the time of writing, 2017 was on track to beat 2016 in number of breaches [9]. In Florida alone, organizations reported 28 breaches of HIPAA-related information to the U.S. Department of Health and Human Services in 2016, with 2.8 million records extracted from Florida data centers in 2016. The biotech industry within the sector faces threats similar to the aerospace and aviation industry in that it possesses a wealth of attractive intellectual property and its products have the potential to be exploited to endanger human life. In summer 2017, the FDA recalled 465,000 pacemakers after researchers discovered security flaws that could allow hackers to reprogram the devices to run the batteries down or even modify the patient’s heartbeat [10].
Manufacturing
Florida ranks among the top 10 states for manufacturing, with more than 19,000 manufacturers producing a variety of goods. As the third most populous state in the nation, Florida has a large workforce to support manufacturing as well as the strong transportation infrastructure and logistics industry needed to move manufactured goods. Manufacturing was the third-most attacked sector in 2016, and the proportion of serious incidents was 40% higher than the average across all industries. Based on the type of attack, researchers surmised that threat actors see manufacturing as an easy target due to a lack of industry compliance standards like HIPAA and a correlated lack of cybersecurity investment [11]. Intellectual property is a key payload in a manufacturing cyberattack, with cyber espionage cited as the reason for 94% of breaches in 2016 [12].
The Economic Impact of Cybersecurity in Florida
The Cost of Data Breach
The true cost of a data breach can be difficult to estimate due not only to the number of variables involved but also to inaccurate reporting. The Ponemon Institute publishes its benchmark Cost of Data Breach Study annually and considers several factors when calculating the total cost of a breach. Those factors include unexpected and unplanned loss of customers following a breach; the size of the breach or the number of records lost or stolen; the time it takes to identify and contain a breach; the detection and escalation costs associated with the incident; and post-data-breach costs, such as the cost to notify victims [13]. Beyond the complexity involved in gathering and reporting that data, there are sociological hurdles to accurate reporting. For instance, some organizations are not aware of losses because their employees do not report incidents. One recent study reported that 59% of employees hit by ransomware at work paid the ransom out of their own pockets rather than face the embarrassment of telling their employers that they fell for a phishing scam [14]. Other organizations intentionally conceal the true costs of remediation to protect their corporate reputation or avoid punitive action. Because of these challenges, estimates on the cost of data breach vary significantly. In a 2014 benchmark report, the Center for Strategic and International Studies estimated the cost of malicious cyber activity in the U.S. at 0.64% of the national gross domestic product (NGDP) [15]; approximately $124 billion based on the 2017 NGDP of $19.5 trillion. Applying the same rate to Florida’s Q2 2017 GDP of nearly $965 billion yields $6.1 billion in cybercrime costs for the state. While the Ponemon Institute estimates the average cost per compromised record has decreased to $141 on a global scale, the average cost in the U.S. continues to increase year over year and now stands at a record high of $225. Of that average cost, $146 pertains to indirect costs, including customer turnover, while $79 represents direct costs such as investments in technologies or legal fees [16]. The Ponemon Institute estimates the average total cost of a data breach to an organization in the U.S. to be $7.35 million, also a record high. Costs not only vary by country, but also by industry. The Ponemon Institute identifies the top U.S. industries with the highest average cost per compromised record as health, financial services, life science, and industrial. This is concerning news for Florida since healthcare/life sciences, financial services, and manufacturing are among the largest sectors.
The Ponemon Institute report revealed several major trends in cybersecurity for U.S. businesses:
1. The cost of a data breach in the U.S. continues to increase, suggesting it is a permanent cost that organizations should incorporate into their data protection strategies.
2. Lost business is the biggest financial consequence facing an organization that experiences a data breach.
3. Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain. As a result, they have the highest cost per record.
4. The longer it takes to detect and contain a data breach, the costlier it becomes to resolve. Over the years, detection costs have increased, suggesting organizations are investing in technologies and in-house expertise to reduce the time to detect and contain breaches.
5. Highly regulated industries, such as healthcare, have the costliest data breaches due to fines and a higher rate of lost business.
6. Improvements in data governance programs reduce the cost of a data breach. Incident response plans, the appointment of a CISO, employee training and awareness programs, and a business continuity management (BCM) strategy continue to yield significant cost savings.
7. Investments in certain data loss prevention (DLP) controls and activities such as encryption and endpoint security solutions are important for preventing data breaches. This year’s study revealed a reduction in cost when companies participated in threat sharing and deployed data loss prevention technologies.
The Florida organizations surveyed for this report frequently cited a lack of funding as a challenge to achieving a strong cybersecurity posture. However, the Ponemon Institute’s 2017 Cost of Data Breach Study revealed that investment in cybersecurity before a breach significantly reduced the cost of the breach.
[Figure: Impact of 20 factors on the per capita cost of a data breach, plotted as difference from the mean. Factors shown include incident response team, extensive use of encryption, extensive use of DLP (data loss prevention), board-level involvement, participation in threat sharing, use of security analytics, data classification schema, provision of ID protection, BCM (business continuity management) involvement, extensive use of mobile platforms, lost or stolen devices, rush to notify, extensive cloud migration, compliance failures, and third-party involvement.]
The Cost of Information Protection
The increase in cyberattacks and media coverage of large breaches have brought greater awareness of the devastating financial and reputational impacts of a breach. Cybersecurity is the foundation of digital business and innovation. IT groups must address a new reality in which they have little direct infrastructure and the biggest security concerns come from services outside their control.
Detection and remediation costs are at a record high. These costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and boards of directors. According to Gartner, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches by 2020, up from less than 20% in 2015. Such approaches include but are not limited to firewall logs, behavior analytics and fraud detection tools, managed security services, new SIEM (Security Information and Event Management) deployments, and network forensics. Average detection and escalation costs increased dramatically from $0.61 million to $0.73 million. In 2015, less than 5% of organizations knew their split of investment between prevention and detection/response17. Certain factors decrease the cost of a data breach, including having incident response plans and teams in place, extensive use of encryption, employee training, business continuity management (BCM) involvement, or extensive use of data loss prevention (DLP). Data breaches due to third-party error, extensive cloud migration, or a rush to notify increase the cost16. Notification costs increased slightly. Such costs typically include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal mail contacts or email expenditures, secondary bounce-backs, and inbound communication set-up. The 2016 average notification costs increased slightly from $0.59 million in 2015 to $0.69 million16.
Gartner’s IT Security Analysis Framework is a high-level view of the non-personnel and personnel costs/FTEs associated with provisioning and managing all information technology security within an enterprise. This includes IT operational infrastructure security, vulnerability management and security analytics, application security, and governance, risk, and compliance (GRC). On average, annual IT security and risk management investment is roughly 5.9% of total IT spending. That can be broken down into approximately 3.3% for IT operational infrastructure security; 0.6% for vulnerability management and security analytics; 0.8% for application security; and 1.2% for governance, risk, and compliance17. Gartner expects that industry-driven security spending will double by 2020—as will the adoption of such transformation technologies—as organizations continue their journeys toward digitalization. We have already seen a shift to managed security services, evidenced by a 10.5% revenue growth in cloud computing in 2015. Opportunities will continue for managed security service providers (MSSPs)18. IoT will also drive demand for enterprise security. Survey respondents rank IoT-driven security spend as the third most important factor among industry-driven security spending. The total IoT security market is expected to reach $840.5 million by 2020, at a 24% compound annual growth rate (CAGR) between 2013 and 202019.
Estimated Costs to Mitigate Risks
The total investment to reach security maturity—that is, the cost to remediate systems to achieve an appropriate level of cyber-risk mitigation—is subject to many variables, including obvious factors such as organization size, industry, services provided, and regulatory and compliance requirements, to name a few. However, Gartner has identified one factor that significantly influences an organization’s risk management and information security choices: the risk tolerance of senior leadership. Organizational leaders make the final investment decisions on risk remediation, and Gartner has observed that changes in leadership have led directly to changes in investment decisions and priorities, even in extremely cost-constrained environments.
Note that the survey did not list either funding or availability of skill sets among the factors to consider. Because Gartner uses a security maturity approach, security investment roadmaps are based on best practices as suited to an organization’s size, industry, and risk tolerance. While conducting assessments, Gartner works with the business, information technology, and information security representatives to make recommendations appropriate to the needs and capabilities of that organization. For example, if Gartner’s recommended approach is too costly, it will provide an alternative solution or set of compensating controls to achieve the desired goals within an organization’s budget. Gartner’s experience in this area has yielded data from hundreds of security maturity assessments, providing insight into the national average cost of remediation. Figure 11 depicts the average number of remedial recommendations made per domain in Florida as compared to the U.S. overall. Note that most of the Florida recommendations are governance related, indicating an immaturity of state programs as well as a failure of compliance-driven industrial sectors to address information technology concerns comprehensively. While these areas are converging to some extent, compliance is not security. Figure 12 compares average remediation costs for the U.S. and Florida. Gartner uses a 4-year remediation roadmap to allow for planning, funding, and implementation. It is important to conduct a midpoint re-evaluation of priorities 18 months to 2 years into the roadmap to ensure alignment with business objectives and priorities. Florida’s average remedial roadmap cost to date falls below the national average by almost $150,000, in part because the 2013 federal critical infrastructure directives have led many Florida organizations to begin addressing recommendations that Gartner would otherwise have made. Gartner has classified these agencies as “In Work.” In Work organizations have already allocated funding and resources for initiatives, and Gartner does not count those funds as part of the total roadmap costs. Finally, Gartner—because of differing skill sets, reprioritized labor, differing resource costs, and capped government resources—does not cost out labor. Instead, Gartner uses a man-year model that defines each full-time equivalent (FTE) as 2,080 hours per man-year. Regional cost of living adjustments were not applied to this data.
[Figures 11 and 12: Average Number of Remedial Recommendations by Domain, and average remediation costs for the U.S. and Florida; columns: Gartner domain, number of findings, number of in-work initiatives, roadmap capital cost, roadmap effort in FTE.]
Florida’s Cyber Workforce
Security is a primary challenge for organizations of all sizes, and security and risk management leaders struggle to attract and recruit qualified personnel. As mentioned earlier, CyberSeek recorded 12,641 cybersecurity job openings posted in Florida between October 2016 and September 201720. That number reflects an ongoing national and global shortfall of cybersecurity talent. Gartner believes this dynamic will continue for at least the next three years as organizations accept and adjust to the realities of digital business, an adjustment that is compelling organizations to develop alternative approaches to recruiting and retaining cybersecurity talent.
As the new realities of digital business sink in, the shortage of cybersecurity professionals is exposing organizations to undue risk, increasing the likelihood of a breach that could result in data, financial, and brand reputation loss. Many would argue that the skills shortage is the biggest cybersecurity challenge we face today. According to ISACA—a global association that promotes the development, adoption, and use of globally accepted, industry-leading information systems practices—“The main problem of obtaining key talent in the realm of cybersecurity stems from a lack of qualified applicants.”21
Respondents to Gartner’s 2017 CIO Survey reported that obtaining the right skills and resources is a major barrier to achieving their information security objectives, as shown in Figure 13.
Gartner’s 2017 CIO Survey indicates that the search for security and risk professionals is a challenge for most organizations (see Figure 14). While it was a national survey, Gartner found a direct correlation with the Gartner FC2 2017 State of Cybersecurity in Florida Survey, in which 68% of respondents reported staff recruitment challenges. These challenges are due to a combination of factors, including a lack of funding to hire experienced security and risk professionals.
Also, modern digital architectures require people who deeply understand logical security techniques and designs that support emerging technologies such as IoT implementations. However, in Florida and across the nation, many of the experienced baby boomers with this deep technical security understanding are approaching retirement age. This impending loss of experience poses a particular challenge for the state of Florida, which continues to support legacy technologies, such as the COBOL mainframe programs used in Hillsborough County schools. Without the applied knowledge to manage these legacy systems safely, organizations risk creating vast new attack surfaces.
[Figure 13: CIOs’ Biggest Barriers to Achieving their Objectives (top 8 barriers), shown for top performers (n=162), typical performers (n=1,976), and trailing performers (n=160); Gartner distributed respondents across three organizational categories based on a normal distribution of performance. Barriers shown include technology challenges (legacy, security, etc.), lack of leadership/planning/strategy, lack of time/capacity, and culture/structure of organization. Source: Gartner 2017 CIO Agenda: Seize the Digital Ecosystem Opportunity.]
Eighty-eight percent of survey respondents have dedicated full-time security staff. Half of the organizations surveyed indicated that they have 10 or more staff members. However, 45% of survey respondents work for global organizations. In most of the Florida-based organizations assessed, the average number of full-time, dedicated security personnel ranges from two to five FTE. These staff members are supplemented by multitudes of others—such as application developers, system administrators, desktop technicians, and help desk personnel—adding up to an additional 20 part-time support staff with some level of security-specific responsibilities. Notably, 98% of respondents indicated that at least some of the staff hold recognized security certifications and often list certifications as part of hiring requirements.
With more than half of survey respondents in leadership positions, one might assume that those organizations do not need leadership and governance staff. However, in Gartner’s experience, a security governance organization requires a unique mix of personal and technical skills, as the program’s success can hinge on a leader’s ability to communicate and champion security-specific efforts. Furthermore, only 69% of survey respondents had a full-time dedicated CISO/ISO, meaning 31% of organizations operate outside Gartner’s identified best practice for this role to focus only on security.
As shown in Figure 15, survey respondents indicated that 40% of their staffing challenges center on the hiring of technical security skills, with security analysts—considered to be a slightly broader skill set—following with 30%.
[Figure 14: Biggest Talent Gaps to Fill for Security and Risk Professionals across the U.S., shown for top performers (n=153), typical performers (n=1,863), and trailing performers (n=153); categories include information/analytics/data science/business intelligence, overall lack of skills/knowledge, security and risk, and digital business/digital marketing. Source: Gartner 2017 CIO Agenda: Seize the Digital Ecosystem Opportunity.]
[Figure 15: Survey Results: Staffing Challenges; categories shown include technical security skills/staff, entry level support staff, and security leadership/governance. Source: Gartner FC2 2017 State of Cybersecurity in Florida Survey.]
As part of its nationwide analysis, CyberSeek has identified common job titles and descriptions to provide a consolidated view of 13 typically advertised cybersecurity positions:
• Security Analyst: Analyzes and assesses vulnerabilities in the infrastructure, investigates available tools and countermeasures to remedy detected vulnerabilities, and recommends solutions and best practices. Analyzes and assesses damage resulting from security incidents, examines available recovery tools and processes, and recommends solutions. Tests for compliance with security policies and procedures.
• Security Engineer: Performs security monitoring, security and data/log analysis, and forensic analysis to detect security incidents, and mounts incident response. Investigates and uses new technologies and processes to enhance security capabilities and implement improvements.
• Security Architect: Designs a security system or major components of a security system and may lead a security design team in building a new security system.
• Security Administrator: Installs and manages organization-wide security systems. May also take on some of the tasks of a security analyst in smaller organizations.
• Security Software Developer: Develops security software, including tools for monitoring, traffic analysis, intrusion detection, virus/spyware/malware detection, antivirus software, and so on. Also integrates/implements security into application software.
[Figure 16: Florida Cybersecurity-Related Occupational Employment: 2016–2024 total job openings and annualized income (2,080 hours per year) for all occupations and for computer and information systems managers; computer systems analysts; information security analysts; software developers, applications; software developers, systems software; network and computer systems administrators; computer user support specialists; and computer network support specialists. Source: Florida Department of Economic Opportunity, Bureau of Labor Market Statistics, 2017.]
• Chief Information Security Officer: High-level management position responsible for the information security division/staff. The position may include hands-on technical work.
• Security Consultant/Specialist: Broad titles that encompass any one or all of the other roles/titles, tasked with protecting computers, networks, software, data, and information systems against malware, intrusion, unauthorized access, denial-of-service attacks, and hackers acting as individuals or as part of organized crime or foreign governments.
• Intrusion Detection Specialist: Monitors networks, computers, and applications looking for events and indicators that signal intrusion. Determines the damage caused by detected events, identifies intrusion methods, and recommends safeguards against similar intrusions. Conducts penetration testing and recommends preemptive measures.
• Computer Security Incident Responder: A team member that prepares for and mounts rapid response to security threats.
• Code Auditor: Reviews software source code to identify potential security issues and vulnerabilities that could be exploited by hackers.
• Virus Technician: Analyzes newly discovered computer viruses and designs and develops software to defend against them.
• Penetration Tester (aka Ethical Hacker or Assurance Validator): Scans for and identifies vulnerabilities and exploits them to provide hard evidence of vulnerability.
• Vulnerability Assessor: Scans for, identifies, and assesses vulnerabilities in IT systems, including computers, networks, software systems, information systems, and applications.
The combination of high demand for cybersecurity professionals plus low supply translates into high salaries for these highly skilled workers and—as the many “best paid” lists online make clear—cybersecurity can be a lucrative career with a continued positive outlook for the foreseeable future. Figure 17 depicts the average pay rates for the job categories listed in the cybersecurity survey. A review of the highest responses per job category shows that the overwhelming majority of entry-level/junior resources are making less than $70,000 per year, while security analysts and senior technical staff have a broader salary range, likely based on organization size and type. Additionally, the CISO/ISO designation has a broad salary range as well, but the overwhelming majority are making more than $131,000 per year.
[Figure 17: Survey Results: Pay Rates by Job Category in Florida; salary bands: less than $70K yearly, $71K–$90K yearly, $91K–$130K yearly, greater than $131K yearly; job categories: CISO/ISO, Security Analyst, Junior Resource/Entry Level. Source: Gartner FC2 2017 State of Cybersecurity in Florida Survey.]
Comparing the information in Figure 17 with data received from the Florida Bureau of Labor Market Statistics (Figure 16) reveals that survey respondents’ compensation levels correlate to the average compensation levels reported by the Bureau of Labor Market Statistics. However, Gartner identified through interviews that organizations are struggling to fill positions for mid- and junior-level resources and are increasing compensation by $5,000 to $10,000 to secure the desired resource. Note that nearly one-quarter of Junior Resource/Entry Level employees fall into the $71,000 to $90,000 per year category. Overall, the skilled staffing shortage has created a salary gap that many companies cannot overcome—especially in the public sector.
Training and Education
Fortunately, Florida is well positioned to address the growing cyber talent gap and has already made significant inroads. The Florida Center for Cybersecurity was established, in part, to help build a robust talent pipeline for the cybersecurity industry by working with institutions in the State University System of Florida (SUS) to establish new programs, develop curricula, and promote collaborative research initiatives. Since FC2’s inception in 2014, it has supported the development of cybersecurity programs across the state. The SUS currently has more than 40 undergraduate, graduate, and certificate programs in cybersecurity. Furthermore, eight SUS institutions hold the prestigious National Centers of Academic Excellence (CAE) designation by the National Security Agency and the Department of Homeland Security in cyber defense education or cyber defense research and, in some cases, both. Figure 18 shows a summary list of Florida colleges and universities that offer certificate and degree programs specifically in cybersecurity and related areas such as digital forensics and information security, as of Q4 2017.
Figure 18: Florida’s Public and Private Higher Education Institution Degrees and Certificates (12 private, 23 public)
Daytona State College
Eastern Florida State College
Embry-Riddle Aeronautical University (Daytona campus)
Florida A&M University
Florida Atlantic University
Florida Institute of Technology
Florida International University
Florida Memorial University
Florida Polytechnic University
Florida State University
Florida State College at Jacksonville
Gulf Coast State College
Hillsborough Community College
Indian River State College
Northwest Florida State College
Nova Southeastern University
Pasco-Hernando State College
Pensacola State College
St. Johns River State College
St. Leo University
St. Petersburg College
St. Thomas University
State College of Florida
Tallahassee Community College
University of Central Florida
University of Miami
University of South Florida-Tampa
University of Tampa
University of West Florida
National assessments indicate that professionals in the field currently value technical proficiency and critical analysis. However, these same professionals expect that, within the next five years, adaptability, innovation, and collaboration will become most valued. Moreover, Gartner has observed the growth of risk management as a security management driver. With this dynamic comes more reliance on interdisciplinary approaches related to legal, IT, and operational challenges in privacy, IP protection, and so forth. The best known and most broadly accepted standard for certification in the cybersecurity field is the Certified Information Systems Security Professional (CISSP), which many employers require or note as highly desirable in job descriptions. Training and preparation courses for the CISSP exam are available free of charge online and through intensive “boot camps” that may cost several thousand dollars. Administered by (ISC)², the CISSP exam covers eight domains:
• Asset Security
• Communications and Network Security
• Identity and Access Management
• Security and Risk Management
• Security Assessment and Testing
• Security Engineering
• Security Operations
• Software Development Security
Other relevant certifications administered by (ISC)² include:
• Systems Security Certified Practitioner
• Certified Cloud Security Professional
• Certified Authorization Professional
• Certified Secure Software Lifecycle Professional
• Healthcare Information Security and Privacy Practitioner
ISACA also offers several highly regarded industry certifications, including:
• Certified Information Systems Auditor
• Certified Information Security Manager
• Certified Risk and Information Systems Control
• Certified in Governance of Enterprise IT
In addition to college and university programs, technical and professional certification training is widely available from private providers, for-profit colleges, and industry associations, such as (ISC)², which is headquartered in Clearwater. Many colleges and universities also offer Massive Online Open Courses (MOOCs) taught by faculty and available to the public at no cost. For example, at the time of writing, the University of Florida offers 79 cybersecurity-related MOOCs.
[Figure 19: Center of Academic Excellence Designated Institutions, with their CAE-CDE 4Y and/or CAE-R designations: Daytona State College, Embry-Riddle Aeronautical University, Florida A&M University, Florida Atlantic University, Florida Institute of Technology, Florida International University, Florida State University, Nova Southeastern University, Saint Leo University, University of Central Florida, University of South Florida, University of West Florida, University of Florida.]
Cybersecurity Applied Research in Florida
The unprecedented use of digital information and the growing sophistication of cyberattacks on critical information systems have brought cybersecurity into sharp focus. In response, investment in basic and applied research has also grown to unprecedented levels since 2011. For example, in 2015 the National Science Foundation announced a $74.5 million investment in cybersecurity research known as the NSF Secure and Trustworthy Cyberspace (SaTC) program. To date, SUS institutions have been awarded $12.2 million from that program in support of 45 research initiatives. The state of Florida dedicates significant resources to applied research in cybersecurity through investment in the SUS. Several SUS institutions have established centers dedicated to cybersecurity applied research, among them Florida A&M University’s Center for Cyber Security; Florida Atlantic University’s Center for Cryptology and Information Security; Florida International University’s Applied Research Center; Florida International University’s Cyber-Physical Systems Security Lab; Florida State University’s Cybersecurity Center for Research, Education, Policy and Assessment; University of Florida’s Florida Institute for Cyber Security Research and Florida Institute for National Security; and University of Central Florida’s Center for Cybersecurity. Between these centers and the independent efforts of faculty, the scope of cybersecurity applied research in Florida is extensive. What follows is a summary of research areas at SUS institutions across the state.
Emerging research indicates that effective cybersecurity requires a variety of interdisciplinary skills. Information security professionals need to develop “soft skills” to be effective, including:
• Adaptability
• High EQ (emotional IQ)
• Analytical ability
• Innovative capability
• Business acumen
• Performance orientation
• Collaborative capability
• Team-building ability
• Technical adeptness
Florida International University
• Sensory-channel attacks for CPS systems
• Post-disaster network security
• Wireless device fingerprinting
• Secure source-based loose synchronization
• Covert channels for wireless networks
Florida A&M University
• Active learning approaches to cybersecurity education
• Designing cybersecurity lab exercises
• Digital forensic tools for mobile devices
• Digital forensic tools for identifying fake pictures (steganography)
• Mobile malware detection
• Browser extensions for security vulnerabilities
• Cyberspace architecture and framework
• Intrusion detection/prevention systems
• Unified threat management
• Cyber resilience
• Time-based dynamic keying and en-route filtering
• Virtual energy-based encryption and keying
• Smart trusted indicators for browsers (STIB)
Florida Polytechnic University
• Secure coding for mobile health
• Behavior-based security
• Secure electronic health records (EHRs)
• Intrusion and anomaly detection
• Computer systems security
• Mobile network security • Digital forensics
Florida Atlantic University
• Cryptology
• Cybercrime
• Cyber forensics
• Operational cybersecurity
• Critical infrastructure security
• Data analytics
• Internet measurement
• Quantum and quantum-safe cryptology
• Secure systems
• Security from an interdisciplinary perspective
• Autonomous vehicles
• Health informatics
Florida State University
• Human-computer interactions
• Economic impacts of cyber events
• Social and organizational models for cyber defense
• Cybercrime reporting
• Maritime cybersecurity
• Cryptography
• Human information communication
• Social perspectives of information security
• Information policy and ethics
Florida Gulf Coast University
• Privacy preservation
• Secure software engineering using security patterns
University of Central Florida
• Human signature verification
• Health informatics
• Outlier detection
• Safety-critical real-time embedded systems
• Information assurance
• Distributed systems
• Network forensics
• IoT security
• Protection-motivated behaviors
• Insider computer abuse
• Blockchain
University of South Florida
• Machine learning and data analytics
• Cyber-physical and IoT systems security
• Behavioral cybersecurity
• Distributed-denial-of-service attacks
• Cybercrime and terrorism analysis
• Mobile network security
• Cyber workforce development
• Privacy-enhancing technologies
• Side-channel attacks
• Big Data security and privacy
• Embedded systems
University of Florida
• Risk analysis
• AI and machine learning for cybersecurity
• Integrated circuit design
• Cybersecurity education and workforce development
• Adaptive nanocomputing
• IoT security
• Reconfigurable hardware
• Smart sensor networks
• Extreme-scale computing
• Aviation security
• Nanomechanical computing
• Human factors and end-user error in cybersecurity
• Field-programmable gate arrays (FPGAs)
• Privacy-preserving computing
• Interdomain routing security
• Secure data provenance
• Counterfeit detection and avoidance
• Physically unclonable functions
• Hardware Trojan detection and prevention
• Reverse/anti-reverse engineering
• Biometrics
• Radio-frequency identification (RFID)
• Electronics supply chain security
• Authenticated encryption systems
• Hash functions
• Censorship circumvention systems
• Public-key encryption schemes
• Digital signatures
• Nanoscale integration challenges
University of West Florida
• Malware analysis; digital forensics
• Secure software development; security and DevOps
• AI and machine learning for cybersecurity; intelligent cybersecurity education and training tools
• Cybersecurity education and workforce development
• IoT security; security for smart sensor networks
• Cyber-physical systems security; critical infrastructure security; aviation security
• Network security
• Human factors and end-user error in cybersecurity
• Risk analysis
University of North Florida
• Scalable trustworthy systems
• Combatting malware and botnets
• Situational understanding and risk mitigation
• Secure protocol analysis and design
• Survivability of time-critical systems
• Cyber-physical diagnosis and security impact analysis
• Defensive cyberspace
• Secure web access to RFID and NFC data
FC2 Research Program FC2 promotes applied cybersecurity research through its Collaborative Seed Award Program. Launched in 2014, the Collaborative Seed Award Program encourages and supports cross-institutional research in emerging cybersecurity issues by requiring that researchers from at least two different SUS institutions collaborate on each project. Furthermore, priority is given to projects that address industry needs and emerging technologies and threats.
Thus far, the program has awarded $1.6 million to 34 cybersecurity research projects involving 68 faculty members from across the State University System of Florida. Research topics have included fraud in online crowdsourcing, cognitive hacking, securing IoT, and defending the Smart Grid, to name a few.
Survey Results Security Maturity in the State of Florida Gartner uses a security maturity model similar to other industry-standard capability maturity models to measure an organization’s current state of cyber readiness and to define targets for improvement. Using a unique, weighted, best practice gap analysis methodology, Gartner measures various aspects of a security program and the underlying security architecture—composed of people, process, and technology—to identify criteria and actions required to achieve the desired security posture. Put simply, Gartner measures an organization’s ability to defend itself in the event of an information security event and determines the appropriate level of security for that organization. The result is an approach to security that is not only defense-in-depth but also defense-in-context.
Primer on Security Maturity In Figure 20, the intersection of lines at Level 3: Defined is what Gartner refers to as the Due Diligence Standard or Basic Security Hygiene. This standard defines the minimum set of security best practices that should be deployed—regardless of industry alignment—to fundamentally address all aspects of security risk associated with an organization’s people, process, and technology. For many organizations, achieving the Due Diligence Standard provides adequate security maturity; but for others, more may be required commensurate with organization criticality, assurance, and compliance requirements, as well as to satisfy organizational risk tolerance needs. In this model, security maturity begins with basic blocking and tackling, matures through compliance, and targets risk-based decision making.
As demonstrated in Figure 20, levels of maturity range from Weak/Ad Hoc to Optimized on a five-point scale. At Level 1: Initial, composite risk across the organization is high while the cost and effort to maintain that posture are nonexistent or very low. Obviously, an organization should avoid defaulting to this initial range of security maturity if possible. At the other end of the scale, Level 5: Optimized is a state of low risk but high cost and effort. Few organizations would be wise to invest the resources required to maintain an Optimized environment. Instead, Gartner focuses on defining the necessary security maturity required to achieve the appropriate level of assurance based on organizational risk tolerance.
Figure 20 Primer on Security Maturity (chart of risk against cost and effort across five maturity levels, from Level 1 Weak/Ad Hoc to Level 5 Optimized; the level characteristics shown include ad hoc activities, initial executive awareness, formal program initiated, user awareness outreach, governance body established, security organization defined, policies and processes defined, information-centric approach, improving user awareness, security organization working well, information owners accountable, and refinement for changes in business, technology, compliance and economic environments)
Gartner Research indicates that it typically requires 3–4+ years for government organizations to incrementally change maturity levels within their environments (e.g., level 2 to level 3). The Maturity Profile is composed of measures of Business Mission Impact; Mission Scope; Mission Assurance Requirements; Mission Protection Objectives; Industry Risk Exposure — as determined by Organization Type, Culture, Business Industry Alignment and Risk Tolerance.
The best practices required to achieve the Due Diligence Standard change and evolve in conjunction with technology. Gartner research has identified that generational changes to information technology occur every 9 to 18 months. Inherent in these changes are associated changes in vulnerabilities, which, in turn, drive threat changes as actors move to exploit these new vulnerabilities. This process often results in new and, potentially, higher risk to the organization. New technology may also inadvertently enhance the ability to exploit vulnerabilities in older technology still in use by organizations, again resulting in previously unknown or increased risks. The explosion of mobile device technology over the past two decades exemplifies this technological change process. As mobile device use increased, new security processes, tools, and resources were required to protect the information accessed using these devices. IT professionals faced the erosion of the traditional “hard perimeter” model of network security that was commonly used to protect information.
Another example is the rapid adoption of encryption-at-rest. While this technology was available for some time—at a premium price—it was not widely used until several large breaches occurred in which this technology could have significantly reduced both the scope and impact of the breaches and the cost of the remediation. In the wake of these breaches, encryption of sensitive data-at-rest became part of several compliance frameworks, driving its adoption as a de facto standard. So, it is easy to see why, at any point in time, performing the status quo and not expanding services to keep up with technology changes can lead to reduced security maturity over time.
Basic security hygiene is affected by four key drivers, each requiring constant vigilance. The first is the rapid generational changes in IT that typically occur every 9 to 18 months. The second is the addition of new services and capabilities that expand the scope of the organization’s security and risk mitigation requirements. The third is maturing solutions that become commonly adopted based on changing market forces, including broader availability and reduced pricing. The fourth driver is evolving best practices and compliance standards arising from new and emerging threats.
Finally, while the minimum Due Diligence Standard establishes a basic set of best practices for all organizations, each organization’s target maturity will vary depending on factors such as business drivers, industry-specific compliance requirements, and the specific risk tolerance of the organization. Typically, the normal distribution of target maturities ranges from 3.2 to 3.8.
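The weighted best-practice gap analysis described above can be illustrated with a small model. The following Python is an added example written for this page, not Gartner's proprietary methodology and not code from the report: the criteria, their weights, the observed levels and the 3.5 target are constructed, and the Due Diligence Standard is taken as the Level 3 score of 3.0.

```python
"""Weighted best-practice gap analysis (illustrative model, not Gartner's
proprietary methodology). Each domain is scored from weighted criteria, then
compared with the Due Diligence Standard (Level 3) and with an
organization-specific, risk-based target maturity."""
from dataclasses import dataclass

DUE_DILIGENCE_STANDARD = 3.0  # Level 3: Defined, per the primer above


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float    # relative importance of this practice within its domain
    observed: float  # assessed maturity of the practice, 0 (absent) to 5 (optimized)


def domain_score(criteria):
    """Weighted mean maturity of one domain, rounded to one decimal."""
    total_weight = sum(c.weight for c in criteria)
    if total_weight <= 0:
        raise ValueError("criteria must carry positive total weight")
    return round(sum(c.weight * c.observed for c in criteria) / total_weight, 1)


def gap_report(domains, target):
    """For each domain: score, shortfall against Due Diligence, shortfall
    against the organization's target (the report says targets typically
    fall between 3.2 and 3.8)."""
    report = {}
    for name, criteria in domains.items():
        score = domain_score(criteria)
        report[name] = {
            "score": score,
            "gap_to_due_diligence": round(max(DUE_DILIGENCE_STANDARD - score, 0.0), 1),
            "gap_to_target": round(max(target - score, 0.0), 1),
        }
    return report


def largest_gaps(criteria, target, top_n=3):
    """Practices whose weighted shortfall against the target is largest:
    the ones to fund first when the budget cannot close every gap."""
    shortfalls = [(c.name, round(c.weight * max(target - c.observed, 0.0), 2))
                  for c in criteria]
    shortfalls.sort(key=lambda item: item[1], reverse=True)
    return shortfalls[:top_n]


# Constructed sample assessment of two domains (weights and observed levels
# are made up for illustration; they are not survey data).
SAMPLE_DOMAINS = {
    "Change and Configuration Management": [
        Criterion("Single consolidated change management process", 3, 2),
        Criterion("Security impact review as a gate on every change", 3, 1),
        Criterion("Change Management Board in place", 2, 4),
        Criterion("Device configuration baseline and drift detection", 2, 1),
    ],
    "Data Security": [
        Criterion("Encryption of sensitive data at rest", 3, 1),
        Criterion("Encryption of internal data in motion", 2, 2),
        Criterion("Data classification completed", 3, 2),
        Criterion("Integrity checks on critical data", 2, 1),
    ],
}
SAMPLE_TARGET = 3.5  # constructed target inside the 3.2 to 3.8 range

if __name__ == "__main__":
    for domain, result in gap_report(SAMPLE_DOMAINS, SAMPLE_TARGET).items():
        print(domain, result)
        print("  fund first:", largest_gaps(SAMPLE_DOMAINS[domain], SAMPLE_TARGET))
```

Running it prints each domain's score with its two gaps and the practices to fund first. The ordering by weighted shortfall is the useful part: it turns a single maturity number into a prioritized list, which is what a funding request needs.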
The Current State of Security Maturity Gartner has reviewed results from the Gartner FC2 2017 State of Cybersecurity in Florida Survey and the first flight of the Florida Agency for State Technology (AST) Rule 74-2 Risk Assessment Program as well as conducted telephone interviews and other research to compile a statewide view of security maturity for Florida. Figure 21 depicts the compiled assessment of security maturity across the 12 Gartner Security Reference Architecture domains.
As illustrated in Figure 21, Florida falls below both the Due Diligence Standard and the national average for security maturity in most areas. The evaluation of security maturity takes into account over 1,600 weighted data points that cover people, process, and technology. While multiple factors contribute to these results, Gartner’s experience in Florida, as well as the survey results, point to a lack of funding and security-specific investment as primary causes of the shortfall. When asked, 51% responded that they do not have adequate funding to complete required security projects. Of those, 31% admitted to scraping by with inadequate funding, while 45% are losing funding to other organizational priorities. Of those with inadequate resources, 40% indicated it was purely an organizational financial constraint, while 36% lack skilled resources, and 22% lack management support.
Figure 21 Security maturity across the 12 Gartner Security Reference Architecture domains (Gartner 2017 — Gartner Proprietary; Florida Trends, National Trends, and Minimum Due Diligence plotted on a 0–5 scale)
Change and Configuration Management Requirements for change management in information technology come from a variety of sources. The level of risk associated with the system and, particularly, the level of consequence associated with system failure should determine the level of surety (low, medium, high) associated with each requirement source. For low-surety systems, only a relatively small number of techniques are critical. However, fewer and fewer organizations are subject to only low-surety requirements because their systems are involved in so many different things that they become medium-risk systems in the aggregate. Regulatory creep and threat escalations also push systems toward medium-risk. And, as surety needs increase, the risks associated with large-scale changes come to outweigh cost savings.
Gartner views change control as both an environmental control to avoid system failures and a necessary first step to determine whether a change caused an environmental anomaly or if the organization is, in fact, under attack. To make the most of the relevant data and metrics gathered from a change management database, Gartner recommends having a single integrated system. Survey responses revealed that only 56% of organizations have a single, consolidated change management process. However, 74% of organizations report having formal Change Management Boards or structures and performing a security impact review as part of the change approval process.
Based on Gartner’s Florida-specific assessment and follow-up interviews, the state’s change management maturity was rated 2.2, compared to the national average of 2.8. Many of the organizations assessed have multiple Change Management Boards that are neither integrated nor sharing information related to the environmental impacts of potential changes. This lack of communication creates the need to investigate potential causes of system anomalies and failures.
Furthermore, for many organizations, a security-specific impact review is performed only when requested rather than being an inherent gate based on the scope and impact of a potential change, per best practice. Also, few organizations leverage change-management metrics to uncover a potential system, user, resource, or skill set issue. Likewise, few organizations have comprehensively populated the relevant asset and system configurations in control systems, although 66% of respondents do have asset discovery and configuration management capabilities at some level.
Of greater concern is the ongoing failure of organizations to perform adequate configuration management. Fewer than half of the organizations assessed in Florida have adequate device configuration management processes and procedures for firewalls, routers, and other network devices. Configuration management helps ensure that devices haven’t been changed in an unauthorized manner. Technology is available to scan configurations for comparison with a configuration management database or similar initial-state capture as well as for detecting and reporting configuration changes. However, few small-to-midsize organizations deploy these capabilities. Instead of technological enforcement, manual compensating controls and processes are widely available. Unfortunately, Gartner typically sees a deploy-and-forget approach to configuration management. Device integrity checks—the primary compensating control—are performed only on an ad hoc or for-cause basis, not routinely. Another concerning trend is the continued use of shared or default device passwords, even though capabilities to centrally manage, control, and log device access have been available for many years and present an opportunity for efficiency for larger organizations.
The Takeaway: Florida’s maturity score was 2.2 against the national average of 2.8 due to a lack of appropriate integration of security reviews into change and configuration management processes.
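The deploy-and-forget pattern described above is easiest to see against a routine device integrity check that ties each detected configuration change back to the change record, which is also the "did a change cause this, or are we under attack" question the section opens with. The following Python is an added example, not tooling from the report or from any vendor: the device names, configuration text, ticket schema and observation time are constructed, and it assumes running configurations have already been collected from the devices as text.

```python
"""Routine device-configuration integrity check (added example; the device
names, configurations and change tickets are constructed, and the ticket
schema is an assumption rather than any real CMDB's)."""
import hashlib
from datetime import datetime


def normalize(config):
    """Drop comment lines, blank lines and trailing whitespace so that only
    substantive differences count as drift."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def fingerprint(config):
    """SHA-256 over the normalized configuration; compare against the value
    captured when the device's baseline was approved."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def config_changes(baseline, current):
    """Lines removed from the baseline ('- ...') and lines added ('+ ...')."""
    base, cur = normalize(baseline), normalize(current)
    removed = [f"- {line}" for line in base if line not in cur]
    added = [f"+ {line}" for line in cur if line not in base]
    return removed + added


def approved_ticket(device, observed_at, tickets):
    """Id of an approved, security-reviewed change whose window covers the
    observation time for this device, or None."""
    for ticket in tickets:
        if (ticket["device"] == device
                and ticket["security_reviewed"]
                and ticket["start"] <= observed_at <= ticket["end"]):
            return ticket["id"]
    return None


def check_devices(baselines, currents, observed_at, tickets):
    """Classify every baselined device as unchanged, authorized_change,
    unauthorized_drift (investigate: error or intrusion?) or missing (the
    device could not be collected, which needs attention too)."""
    findings = {}
    for device, baseline in baselines.items():
        current = currents.get(device)
        if current is None:
            findings[device] = {"status": "missing", "changes": [], "ticket": None}
            continue
        if fingerprint(current) == fingerprint(baseline):
            findings[device] = {"status": "unchanged", "changes": [], "ticket": None}
            continue
        ticket = approved_ticket(device, observed_at, tickets)
        findings[device] = {
            "status": "authorized_change" if ticket else "unauthorized_drift",
            "changes": config_changes(baseline, current),
            "ticket": ticket,
        }
    return findings


# Constructed sample data (not real devices or tickets).
BASELINES = {
    "edge-fw-01": "! approved baseline\nhostname edge-fw-01\nntp server 10.0.0.5\n"
                  "access-list 101 permit tcp any host 10.1.1.10 eq 443\n"
                  "access-list 101 deny ip any any\nlogging host 10.0.0.20\n",
    "core-rtr-01": "hostname core-rtr-01\nntp server 10.0.0.5\nlogging host 10.0.0.20\n",
    "dist-sw-02": "hostname dist-sw-02\nlogging host 10.0.0.20\n",
    "wan-rtr-03": "hostname wan-rtr-03\nlogging host 10.0.0.20\n",
}
CURRENTS = {
    # a new permit rule appeared with no change ticket behind it
    "edge-fw-01": "hostname edge-fw-01\nntp server 10.0.0.5\n"
                  "access-list 101 permit tcp any host 10.1.1.10 eq 443\n"
                  "access-list 101 permit tcp any host 10.1.1.10 eq 22\n"
                  "access-list 101 deny ip any any\nlogging host 10.0.0.20\n",
    # NTP server moved under an approved, security-reviewed ticket
    "core-rtr-01": "hostname core-rtr-01\nntp server 10.0.0.6\nlogging host 10.0.0.20\n",
    # only a comment was added: not drift
    "dist-sw-02": "! touched by audit\nhostname dist-sw-02\nlogging host 10.0.0.20\n",
    # wan-rtr-03 did not respond to collection
}
TICKETS = [{"id": "CHG-2041", "device": "core-rtr-01", "security_reviewed": True,
            "start": datetime(2017, 6, 1, 1, 0), "end": datetime(2017, 6, 1, 5, 0)}]
OBSERVED_AT = datetime(2017, 6, 1, 3, 0)

if __name__ == "__main__":
    for device, finding in check_devices(BASELINES, CURRENTS, OBSERVED_AT, TICKETS).items():
        print(device, finding["status"], finding["ticket"], finding["changes"])
```

Scheduled daily rather than run for cause, the unauthorized_drift and missing results become the routine integrity check the report finds absent; the authorized_change result is the evidence that the change process and the configuration record agree.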
Application Security Ensuring adequate application security demands training, process, and tools. While Gartner has observed good functional code development and testing, security-specific processes are still lacking nationwide. Figure 22 summarizes several of the survey’s application security data points. While many organizations regressed in process-heavy maturity areas (like application security) following the 2008 recession, an increased awareness of the importance of application-specific security has yielded an uptick on the national maturity scale from a low of 2.0 in 2011. Development staff skilled in secure coding, the adoption of application-specific and pre-production code scanning tools, and a resurgence of other best practices have all contributed to this uptick. Florida scored just behind the national average in application security, with 42.2% of organizations reporting they have neither trained their developers in secure-coding practices nor incorporated Transport Layer Encryption into their application development processes. Furthermore, the survey showed that only 70% of organizations maintain a comprehensive application inventory with identified system and data owners. It also showed that only 42% of organizations track application criticality requirements for any subset of applications within their infrastructure. Also, only 34% of survey respondents have defined data sensitivity requirements within their organizations, and 24% have identified application assurance requirements. An organization can’t protect what it doesn’t know it has. The lack of security-trained development staff and the other risk indicators noted above do not bode well for the future shift to application-specific zoning and controls that will come from changes in the security perimeter and best practice protections.
Figure 22 2017 State of Cybersecurity Application Security (Gartner FC2 2017 State of Cybersecurity in Florida Survey; chart of survey responses on Secure Coding Practices, Minimum Documentation Standards, and Standard Authentication Mechanisms)
The Takeaway: Florida scored 2.1 against the national average of 2.4. A lack of security-trained development staff, undefined application assurance requirements, and incomplete application inventories place the state at risk.
Service Continuity Business disruptions—natural and human-made—that turn into full-scale disasters have been occurring more frequently in recent years. Most organizations recognize that when an interruption or disaster occurs, following a well-defined plan and process that manages stakeholder expectations and meets business-defined recovery requirements ensures recovery and continuity of infrastructure and business operations. Conversely, trying to respond to an incident or disaster in “crisis mode”—without the benefit of planning, coordination, and exercising—results in more downtime, higher recovery costs (due to on-demand buying), and the possibility of a complete lack of recovery resource availability. The potential lack of resource availability is especially relevant under regional disaster scenarios in which many organizations—not just yours—are affected.
Planning ensures that organizational recovery and resilience is cost-effective and sustainable. Providing for continuity of operations following a disaster is a top-level concern for enterprises and vital to maintaining financial confidence and brand reputation. Therefore, disaster planning must address recovery of the entire organization, not only IT.
Figure 23 Typical Events, Scope of Recovery, Business Requirements, and Metrics Differ for High Availability vs. Disaster Recovery vs. Business Continuity
Gartner 2017 — Gartner Proprietary
High Availability
• Typical events requiring recovery: component failure (software, hardware); system overload; human-made events
• Scope of recovery: accidental data deletion; scheduled maintenance; repair failed hardware; extra capacity
• Business requirements: meet Service Level Agreements (SLAs)
Disaster Recovery
• Typical events requiring recovery: power outage; data center impacted; natural disasters; human-made/political disasters; main building/facilities
• Scope of recovery: rebuild and recovery of infrastructure to support critical business functions and processing at an alternate location
• Business requirements: meet Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
• Metrics: Recovery Time Objective (RTO), Recovery Point Objective (RPO)
• Technical recovery procedures to recover the infrastructure as defined by the BIA (platforms, networks, applications, DBs, etc.)
• Recovery procedures for work-area recovery for critical end-users
Business Continuity
• Typical events requiring recovery: power outage; data center impacted; natural disasters; human-made/political disasters; main building/facilities
• Scope of recovery: business recovery of critical business functions and processing at an alternate location or into an alternate data center
• Business requirements: meet Maximum Allowable Downtime (MAD) metrics
• Metrics: RTO, RPO, and MAD
• Business recovery procedures to recover business processing and resources after IT has recovered the infrastructure
• Additional planning and resources for work-area recovery to support critical end-users
Disaster recovery and business continuity plans go hand-in-hand. The disaster recovery plan focuses on the restoration of infrastructure while the business continuity plan focuses on people, process, and business operations. Best-practice disaster recovery and business continuity plans align recovery objectives with recovery capabilities, are well-defined and documented, and are tested regularly. Figure 24 shows that recovery strategies have expanded beyond the traditional shared-risk subscription model with a disaster recovery service provider, with survey respondents employing a variety of options.
The 24/7 business model, increased regulation, and frequent natural disasters drive the growth of Business Continuity and Disaster Recovery Management (BC/DRM) programs, and continuously fluctuating dynamics among those drivers demand agile recovery strategies.
Whatever the strategy, plans should be exercised to confirm their effectiveness. Until an organization tests the plan, it is unclear if it is operational, meets business requirements, or will meet end-user expectations. Only 32% of survey respondents routinely exercise their plans to assess whether recovery objectives align with current capabilities.
Eighty-seven percent of survey respondents indicated they have a defined disaster recovery plan, and 86% have a defined business continuity plan. However, only 55% of respondents have conducted a Business Impact Analysis (BIA), which is required to define and prioritize recovery needs for both disaster recovery and business continuity. The BIA defines the tangible and intangible effects downtime may have on the organization, including metrics for Recovery Time Objective (RTO) and Recovery Point Objective (RPO), that is, the age of the recovered files needed to resume normal operations.
The average Business Continuity and Disaster Recovery Management score in Florida is 1.9 against the national average of 2.8 due to a lack of realistic recovery practices and timelines.
Figure 24 2017 State of Cybersecurity DR Recovery Sourcing Strategy (Gartner FC2 2017 State of Cybersecurity in Florida Survey; bar chart on a 0–40% scale of recovery sourcing options, including Insource (on-prem))
Data Security The goals of data protection include confidentiality, integrity, and availability—the security triad, CIA. Confidentiality measures are designed to prevent sensitive information from reaching the wrong people while making sure that those authorized to view the data in question can access it. Data security encompasses a spectrum of processes and technologies, including encryption in all forms, data confidentiality, data integrity, data classification and discovery, and privacy. Confidentiality is a critical security objective for all organizations that create, manipulate, process, transmit/receive, or store sensitive or critical information. A systematic and comprehensive security program deploys confidentiality controls in addition to security controls for an organization’s major security objectives. Overall, Florida again trends behind the nation, scoring 1.7 in data security maturity versus the national average of 2.1. Despite this, survey respondents considered information disclosure to be the biggest threat, followed closely by disruption of operations and risk to brand and reputation.
Figure 25 illustrates the various types of data encryption employed in the state. As the trend toward securing the application and the data itself continues, requirements to encrypt internal websites should increase with the continued adoption of cloud services. Many of the Florida-based organizations assessed are not encrypting internal sensitive data-in-motion, despite the practice being a proven protection against environmental breaches. On a positive note, 90% of respondents report encrypting “All” or “Some” external websites, which aligns with the national trend.
While many organizations have identified database encryption-at-rest as desirable and the adoption of this practice has increased, deployment continues to remain relatively slow. Only 22% of organizations have deployed this capability, typically only in restricted zones. Eighty-eight percent have not yet initiated deployment, but many plan to do so. Interviews revealed that cost, complexity, and system dependencies (hardware and software) are all factors contributing to slow adoption. Additionally, several organizations feel that their data is not sensitive enough to warrant this level of protection.
End-User Access Points A tremendous number of breaches continue to occur at the endpoint, that is, end-users’ desktops and laptops. Fortunately, desktop encryption is on the rise with the adoption of Microsoft’s BitLocker full-disk encryption and advanced protection suites simplifying the deployment of encryption mechanisms on end-user machines. Survey responses show that 46% of organizations encrypt all desktops, while 34% encrypt only some. While full-disk encryption of all laptops is a recommended best practice, only 76% of respondents encrypt all laptops. The protection offered for the price makes it a worthy investment. History has also shown that organizations focus on encrypting the Microsoft Windows Platform, but neglect Mac OS, not even leveraging the built-in FileVault full-disk encryption. Twenty percent of organizations surveyed provide user-based, on-demand encryption mechanisms to all users. An additional 70% of organizations make it available to end users. However, application of user-based, on-demand encryption requires awareness and action on the part of the user, necessitating training and policy-based enforcement to make this a successful part of an integrated, in-depth security solution.
Encrypted email adoption remains relatively low, with 22% of respondents indicating that they had encrypted email. Interestingly, interviews revealed that although this capability is available in Office 365—widely used for email and other office productivity tools—it is not enforced or broadly used. Furthermore, interviews affirmed that many deployments still require users to take action to ensure the confidentiality of the communication. Several organizations indicated that they would need additional training to increase use of encrypted email.
Data integrity is the practice of maintaining the consistency, accuracy, and trustworthiness of data over its life cycle. Data must not be changed in transit, and steps must be taken to ensure that unauthorized people cannot alter data. These measures include file permissions and user-access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users. Also, some controls must be in place to detect any changes in data that might occur as a result of non-human events. Some systems might include checksums, even cryptographic checksums, for verification of data integrity at the application or database layer. Gartner typically sees these type of integrity checks on financial systems or performed by skilled database administrators using native tools, but seldom as a standard construct of other types of systems or applications, indicating a missed opportunity for early detection.
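The application-layer integrity check described above can be built from a keyed tag stored with each record. The Python below is an added example, not code from the report or from any database product; the record layout, the key and the rows are constructed, and it assumes the key is held by the application (or a key management service), never in the same database as the rows it protects.

```python
"""Application-layer integrity tags for stored records (added example; the
record layout and the key are constructed, and in practice the key lives
with the application or a KMS, not alongside the data)."""
import hashlib
import hmac
import json

TAG_FIELD = "integrity_tag"


def canonical(record):
    """Deterministic serialization so the tag does not depend on key order
    or whitespace in whatever produced the record."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def integrity_tag(record, key):
    """Keyed tag (HMAC-SHA256). An unkeyed checksum catches accidental
    corruption, but whoever can alter a row can recompute it; the HMAC
    cannot be recomputed without the key, so an edited row fails to verify."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record, key):
    """Return the record with its tag attached (any stale tag is discarded)."""
    body = {k: v for k, v in record.items() if k != TAG_FIELD}
    return {**body, TAG_FIELD: integrity_tag(body, key)}


def verify(sealed, key):
    stored = sealed.get(TAG_FIELD)
    if not isinstance(stored, str):
        return False
    body = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    # constant-time comparison, so timing does not reveal how much matched
    return hmac.compare_digest(stored, integrity_tag(body, key))


def audit(rows, key):
    """Ids of rows whose tag is missing or does not match: the early
    detection signal the report finds mostly limited to financial systems."""
    return [row["id"] for row in rows if not verify(row, key)]


# Constructed demonstration key and rows (amounts in cents to avoid floats).
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"
SEALED_ROWS = [seal(r, DEMO_KEY) for r in (
    {"id": 1001, "payee": "Vendor A", "amount_cents": 125000},
    {"id": 1002, "payee": "Vendor B", "amount_cents": 89900},
    {"id": 1003, "payee": "Vendor C", "amount_cents": 4200},
)]
# What an audit would see after unauthorized changes made directly in the
# database, bypassing the application that computes the tags:
TAMPERED_ROWS = [dict(r) for r in SEALED_ROWS]
TAMPERED_ROWS[1]["amount_cents"] = 899000   # amount altered, tag left as-is
del TAMPERED_ROWS[2][TAG_FIELD]             # tag stripped entirely

if __name__ == "__main__":
    print("rows failing integrity check:", audit(TAMPERED_ROWS, DEMO_KEY))
```

Run as a scheduled job over critical tables, the audit list is what the report calls the missed opportunity for early detection: a non-human event or an out-of-band edit shows up as a row that no longer verifies, rather than as a reconciliation surprise months later.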
Figure 25 2017 State of Cybersecurity Data Security Encryption Usage (Gartner FC2 2017 State of Cybersecurity in Florida Survey; bar chart on a 0–70% scale of encryption types in use, including Internal websites and User-based on-demand (e.g., AxCrypt, PGP))
Removable Media Removable media extends beyond Universal Serial Bus (USB) thumb drives to include external hard drives, DVDs, and CD-ROMs. Modern endpoint protection suites provide organizations with the ability to control port-based access, limiting allowable media by brand, model, or type. These same suites provide policy-based encryption, including full audit and logging, for removable media so that, should a thumb drive go missing, an encryption log is available for compliance reporting. Twenty-eight percent of respondents encrypt all removable media, while 48% encrypt some. In Gartner’s experience, while many organizations have licensed these capabilities, less than half have them fully deployed.
Classification Many data security initiatives continue to struggle with data classification, notably because of accuracy and consistency issues and poor understanding of data flows in existing business processes. In many cases, data management processes and classifications could be used to address those issues, but these options remain untouched because they are either unseen or misunderstood. Ignoring these options is particularly insidious because many security layers rely on data classification to enforce policies and detect potential data breaches. Also, under-classification can result in security gaps, and over-classification can result in business process obstruction.22 In most environments, the data classification challenge goes well beyond detecting patterns such as credit card numbers or social security numbers. Every organization has intellectual property, data subject to regulations, and strategic documents to protect—whether it is a proprietary manufacturing process, quarterly financials-in-progress, or competitive bids that may be critical to the future of the organization. Survey results confirm that 70% of respondents classify data; however, only 36% had completed their data classification efforts, while 24% listed classification as “in progress.” More concerning was the 32% who currently have no plan for data classification. Gartner has identified a trend whereby organizations are investing in data loss prevention (DLP) capabilities before having completed data classification and discovery efforts. While some organizations have only deployed limited, suite-integrated DLP capabilities, the majority that have invested in full DLP toolsets are only using them to monitor traffic. Few have enabled the blocking and alerting of sensitive data based on data formats aside from social security numbers and credit card numbers. 
Data classification is difficult, first, due to the volume, propagation, and distribution of the protected information and, second, because it can mean different things to different roles within an organization, leading to underused metadata from data management processes and missed opportunities. Furthermore, information security organizations have a difficult time identifying data owners and, once identified, getting them involved in the governance of their data, creating a different type of security gap. Finally, data classification and DLP projects often fail or are not fully effective because basic access management hygiene is not in place.
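Blocking and alerting on formats beyond social security and credit card numbers, as the classification discussion above describes, needs detectors precise enough not to bury the team in false positives, since that is what usually gets blocking turned off. The following Python is an added example, not any DLP product's rules or code from the report: the policy table, the "CLASSIFICATION:" banner format and the BID-YYYY-NNNN document-id pattern are constructed assumptions standing in for an organization's own classification scheme.

```python
"""Content inspection that goes beyond raw SSN and card patterns (added
example; the policy table, classification banner and BID-YYYY-NNNN id
format are constructed assumptions, not any vendor's DLP rules)."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
BID_RE = re.compile(r"\bBID-20\d{2}-\d{4}\b")  # constructed: competitive-bid document id
BANNER_RE = re.compile(r"^\s*CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\b",
                       re.IGNORECASE | re.MULTILINE)

# Constructed policy: action per detector, with the most severe action
# winning when several detectors fire on one message.
POLICY = {
    "card_number": "block",
    "ssn": "block",
    "bid_document": "alert",
    "classified:CONFIDENTIAL": "alert",
    "classified:RESTRICTED": "block",
}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def luhn_valid(digits):
    """Luhn checksum: rejects most 13 to 19 digit strings that are not card
    numbers (order ids, serials), the main source of regex-only false positives."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    """SSN candidates with the published structural rules applied: area not
    000, 666 or 9xx; group not 00; serial not 0000."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def inspect(text):
    """Return (decision, findings). Findings carry masked values only, so
    the alert itself does not re-disclose the data it found."""
    findings = []
    for digits in find_card_numbers(text):
        findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for ssn in find_ssns(text):
        findings.append(("ssn", "***-**-" + ssn[-4:]))
    for doc_id in BID_RE.findall(text):
        findings.append(("bid_document", doc_id))
    for label in BANNER_RE.findall(text):
        findings.append((f"classified:{label.upper()}", label.upper()))
    decision = max((POLICY.get(kind, "alert") for kind, _ in findings),
                   key=SEVERITY.get, default="allow")
    return decision, findings


# Constructed sample messages (the card number is a well-known test number).
SAMPLE_BLOCK = "Card on file 4111 1111 1111 1111, SSN 078-05-1120, please process."
SAMPLE_ALERT = "CLASSIFICATION: CONFIDENTIAL\nQ3 figures attached, ref BID-2017-0042. Call 555-123-4567."
SAMPLE_ALLOW = "Order 1234 5678 9012 3456 shipped; invoice total 1999."

if __name__ == "__main__":
    for sample in (SAMPLE_BLOCK, SAMPLE_ALERT, SAMPLE_ALLOW):
        print(inspect(sample))
```

The third sample is the point: a 16-digit order number that a pattern-only rule would block passes the Luhn check and is allowed, while the bid-document id and the classification banner, neither of which is a regulated number format, still raise an alert because the organization's own classification scheme was encoded as a detector.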
Information Privacy Information privacy describes the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding the data in question. While privacy is arguably an aspect of confidentiality, it is largely overlooked outside of the heavily regulated education, healthcare, and financial sectors. Only 14% of organizations have assigned privacy-specific roles, yet, a combined 37% of respondents fell into the education, healthcare, and financial sectors, indicating that not all of these organizations had fully embraced industry requirements. Also, Gartner has noted a significant uptick in the assignment of organizational chief data officers or similar roles nationwide, with many of these new appointees sharing responsibility with legal or compliance divisions for information privacy. On a final note, the CIA triad noted at the beginning of this section has now been expanded to include safety. The interconnectedness of devices permeates physical security and creates opportunities to leverage unsecured information, potentially leading to human harm. Recent examples include the leak of 760 human immunodeficiency virus (HIV) patient records, endangering patient privacy and safety; the Ashley Madison breach that led to reported suicides and extortion attempts for money; and breaches of children’s information by VTech that exposed names, IP addresses, birthdates, gender, and other personal information23.
Florida’s maturity score was 1.7 against the national average of 2.1 due to inconsistent application of best practices.
Security Analytics Overall, Florida scores slightly ahead of the nation in data security analytics at 2.5 versus the national average of 2.4. The traditional hardened perimeter can no longer secure the distributed and increasingly mobile set of end users and systems. Today’s security must rely on behavior analytics to determine if data is being accessed by an authorized user and for appropriate use. In this light, Gartner has coined the phrase, “monitoring is the new firewall.” Technical professionals focused on security and risk management are pursuing security analytics in search of improved threat detection, monitoring, and operations. Although not every organization is sitting on terabytes of log data and petabytes of network traffic captures begging to be analyzed for advanced threats, many organizations are drowning in data about their environments while lacking visibility of those same environments. Current analytic tools require processes for enrolling activity data—such as logs, flows, traffic, metadata, and endpoint data—as well as context data, such as user identity information, employee data, asset data, employee location data, and devices used. Some organizations have incomplete log aggregation systems (i.e., not including all critical resources) or have just begun implementing and tuning a SIEM system. More are seeking outsourced security monitoring. Fifty-two percent of survey respondents are performing automated log aggregation and alerting, while 36% perform it only on select systems and platforms. Many organizations mistakenly believe that traditional security tools, such as DLP and SIEM, will automatically adopt advanced security analytics approaches, but that ability is years away. While emerging tools make some tasks easier, they often demand skills that are not widely available. Sixty-six percent of survey respondents already have implemented a SIEM, while an additional 20% are in process.
In addition, intrusion prevention remains a sound, network-centric approach for detecting and preventing vulnerability exploitation and helping with response actions. A best-of-breed intrusion detection system/intrusion prevention system (IDS/IPS) can address a wider range of network threats than legacy IPSs by using multiple detection and prevention techniques. Leading solutions leverage reputation and other contextual information to address fast-moving and transient threat classes, such as botnets and Distributed-Denial-of-Service (DDoS) attacks. Also, third-party technology, such as threat intelligence platforms, can update these solutions. IPSs also can have content-, application-, and identity-awareness capabilities to provide additional visibility and more granular detection and blocking. Gartner’s assessments indicate that, nationwide, states’ data center consolidation efforts have favored the implementation of IDS/IPS-capable devices.
Vendor sales reporting shows that many private enterprises are adopting IDS/IPS technologies as well. Many of these investments have been made in the last two to three years and could be the result of skipping a generational level of technology to make this investment. In addition to traditional network IPS protection against known attacks, host-based intrusion prevention systems (HIPS) have become a valuable defense-in-depth control, shielding servers from zero-day vulnerability attacks by identifying and blocking unusual behavior on the server. HIPS also addresses a gap left by network IPS: network IPS solutions are usually located at network perimeters, leaving the interior of a network vulnerable, whereas HIPS provides protection regardless of server location. This type of protection may also be critical for protecting servers that are not easily patched or can no longer rely on vendor patches (such as Windows Server 2003, which Microsoft stopped supporting in 2015 despite ongoing use in many organizations). Gartner recommends host-based prevention for critical, externally-facing systems as an added advanced measure to provide defense-in-depth; however, few organizations have completed deployment of this capability. The survey did not cover the use of fraud detection capabilities or managed security services, though Gartner has seen a rise in the adoption of both in appropriate marketspaces. Both rely heavily on security data analytics to provide additional layers of security to the environment.
Takeaway: Florida’s maturity score was 2.5 against a national average of 2.4. Two-thirds of organizations have implemented SIEM and other analytics capabilities.
Governance, Risk, and Compliance

The goal of security governance is to ensure an organization’s overall security program is effectively and efficiently meeting organizational needs. Because every organization has different people, structures, operational principles, locations, and processes, integrating security functions across the average organization can be a complex maze of arrangements to provide the necessary function, coordination, and control. Security governance must fit the broader organizational structure and existing governance processes to be effective. In governance, risk, and compliance maturity, Florida scored 2.5 against the national average of 2.6. While the Agency for State Technology has implemented NIST’s Cybersecurity Framework within state government—assigning cybersecurity governance responsibility to the information security managers (ISMs) at each of the state’s departments—Gartner continues to see a lack of accountability for cybersecurity in many organizations. In many cases, ISMs may be performing the role as one of multiple other job responsibilities and roles. Security demands an informed champion to ensure appropriate integration into organizational processes and culture.
Only 69% of organizations have a full-time chief information security officer. Only 61% of organizations surveyed have assigned both security and privacy roles, 35% have assigned security-specific responsibilities only, and 11% have not assigned either. While 85% of organizations surveyed have an overarching information security policy, Gartner still saw organizations that have failed to review and maintain policy structures aligned with organization-specific requirements. Again, compliance-driven sectors outperform others in this area due, in part, to the constant auditing of processes and procedures required for compliance. During this assessment, Gartner witnessed complete rewrites of policies to align with the NIST Cybersecurity Framework (CSF) requirements mandated by Rule 74-2, the Florida Cybersecurity Standards (FCS). The legacy policy structures were incomplete, poorly maintained, and, in several cases, did not reflect overall business requirements. While policy updates are a labor-intensive undertaking, institutionalizing processes and procedures will yield better long-term results. Only 12% of organizations surveyed do not have an overarching information security policy. Thirty percent of survey respondents indicated that their policy framework aligns with NIST, while 33% align with industry standards, and 22% focus solely on compliance requirements.
Even in 2017, awareness training remains the best security measure. A comprehensive program includes employee training, contractor training, training for specific technology-use cases, and role-based training. A resounding 80% of respondents require all personnel (employees, contractors, volunteers, and part-time personnel) to complete security or privacy training. Still, few organizations perform technology-specific (e.g., mobile or VPN user) or role-based training (e.g., manager, application developer, or privileged user). Only 10% of respondents feel that user awareness is an organizational risk. Also, 67% require employees and contractors to sign an acceptable use policy, while 32% indicated it was required only at onboarding. Based on legal precedent and the need to regularly update policies, Gartner recommends periodic reaffirmation. Aligning with best practice, 74% of respondents include security and privacy requirements in third-party vendor contracts. Third-party terms and conditions have become an increasing focus of security, with the increase in staff augmentation, outsourcing, and cloud-based services. The survey did not indicate why 26% do not follow this best practice, but, in Gartner’s experience, staff understanding, adequate staffing, and lacking compliance requirements contribute to this shortfall. Organizations should also prioritize, track, and integrate security risks into their closed-loop risk management process to empower leadership to prioritize security-specific risks appropriately among other organizational risks. Only 45% of respondents track and manage residual risks. Similarly, 45% reported that security funding suffers from a lack of priority over other projects.
In cases where the items requested are low-priority, not real requirements, or the environment is overly cost constrained, loss of funding to other priorities is appropriate due diligence; however, loss of funding because of poor security awareness, a culture of denial, or lack of management support is problematic. Seventeen percent of organizations surveyed indicated that management support was a factor. The question to ask is, “Does the organization’s strategy meet its information protection requirements?” Survey responses reveal that 30% of organizations feel their current security strategies adequately address social media, mobile, and cloud services. Addressing IoT was a different matter, with less than 20% reporting adequate strategies in place. Nearly half of all survey respondents feel they need to modify strategies to address social media, mobile, cloud, and IoT impacts, with nearly half of those respondents wanting a better understanding of the risks. With these technologies present and introducing new risks every day, these responses do not instill confidence that security risks are mitigated adequately.
Takeaway: Florida’s maturity score was 2.5 against the national average of 2.6. Florida organizations lack the necessary leadership, organization-specific policies, and processes required to advance security programmatically.
Network Security

In today’s ever-evolving IT landscape, the traditional concept of perimeters—separating internal and external security zones—is challenged by the rapid adoption of cloud-based services. Many organizations have outsourced network services or moved critical business functions such as email, human resources, and business-specific processing to Platform-as-a-Service (PaaS) or to completely outsourced Software-as-a-Service (SaaS) offerings. In either case, the traditional perimeter, providing the “crunchy outer shell,” is no longer viable as the only line of defense. Organizations in this situation must consider creating logical security zones, aligned along application or service boundaries. In this new model, the logical perimeter now separates applications from each other, to limit exposure or attack surface. The challenge is balancing old and new architectures securely. To date, most organizations assessed have a relatively flat network, meaning they rely heavily on perimeter protections or have a limited number of internal security zones. Still, 75% of survey respondents indicated that they have established and documented an internal zoning strategy—well above the national average. Overall, Florida scored above the national average of 2.5, with 2.6 in network security maturity.

A solid zoning strategy has become more important as focus shifts from perimeter protections to application-, identity-, and data-specific protections. Figure 26 illustrates the specific zones created by survey respondents, showing continued low adoption of such best practices. While 31% of organizations separate users from resources, only 20% have a physical firewall separating the data center from users. However, 28% have created a high-value-asset-restricted zone, indicating the use of a separate firewall to secure specific internal resources. The trend has been to use virtual network zones and software-defined networking to build finer-grained security through micro-segmentation while maintaining agility.

Figure 26: 2017 State of Cybersecurity, Internal Network Zones Created (Gartner FC2 2017 State of Cybersecurity in Florida Survey). Zones reported: Separate Firewalled Zones for Users and Assets/Resources; High-Value Asset Restricted Zone; Data Center Zone Protected By Firewall; Administrative/Management Zone.

As cloud- and mobile-work scenarios increase, secure data communications are surpassing traditional Virtual Private Networks (VPNs) and premises-based gateways. Internet Protocol security (IPsec) VPN technology is a mature standard for secure network connections, and it will continue to serve as the first choice for network-tunneled sites, branch and end-user access, and new solutions as cloud computing becomes more widely used. However, session-layer TLS (SSL) VPN technology is mature and provides the best choice for ad hoc and menu-driven portal access configurations, especially since it can work through a browser. While the technology is sound, Gartner continues to see VPN implemented in ways that introduce potential security risks. Nearly half of interview and assessment participants have split-tunneling enabled as a default setting. Many security professionals consider this practice risky for two reasons: first, some data traffic is kept separate from the secure VPN tunnel and not directed through the secure gateway and, second, users can access the organization’s network from unmanaged (personal) machines without first performing a health check on the system. The use of private VPN products, such as GoToMyPC, which permit users to access work machines remotely from home machines or mobile devices, poses another risk. This type of “secure” product uses end-to-end encryption, bypassing perimeter security controls and essentially blinding organizational monitoring tools to the encapsulated traffic. In one incident, a system administrator accessing the internal network was bringing a seemingly endless string of bots into the environment.

Network Access Control (NAC) restricts network resources to only those endpoint devices that comply with a defined security policy. Policies may be based on device and/or user authentication and the status of endpoint configuration. With the increase in wireless and mobile platforms, this capability not only provides a means to ensure only authorized devices are connecting to the internal network, but also an additional layer of visibility and reporting.
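The zoning discussion above (users separated from resources, a data center zone behind a firewall, a restricted high-value-asset zone, and an administrative zone) comes down to a default-deny allow-list between logical zones. The Python program below is an added example of evaluating observed flows against such a zone policy; it is not code from the report or from any vendor, and the address ranges, zone names, rules, and flow records are all constructed for illustration. Reviewing the flows a segmented policy would deny is a practical first step when moving from a flat network toward micro-segmentation.

```python
"""Zone-based allow-list evaluation over constructed sample flows.

Each IP address is mapped to a logical security zone; traffic between zones
is denied unless an explicit (source_zone, destination_zone, port) rule permits it.
"""
import ipaddress

# Constructed zone address plan (example ranges, not from the report).
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "data_center": ipaddress.ip_network("10.20.0.0/16"),
    "high_value": ipaddress.ip_network("10.30.0.0/24"),
    "admin": ipaddress.ip_network("10.40.0.0/24"),
}

# Inter-zone allow-list: (src_zone, dst_zone, dst_port). Everything else is denied.
POLICY = [
    ("users", "data_center", 443),        # users reach applications over HTTPS only
    ("data_center", "high_value", 1433),  # application tier reaches the HR database
    ("admin", "data_center", 22),         # administration only from the admin zone
    ("admin", "high_value", 22),
    ("admin", "users", 3389),             # helpdesk remote assistance
]


def zone_of(ip):
    """Return the name of the zone containing ip, or 'unknown' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip, dst_ip, dst_port):
    """Decide one flow against the zone policy. Returns (allowed, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return False, "unzoned address"
    if src == dst:
        return True, f"intra-zone traffic within {src}"
    if (src, dst, dst_port) in POLICY:
        return True, f"rule {src}->{dst}:{dst_port}"
    return False, f"default deny {src}->{dst}:{dst_port}"


# Constructed observed flows (src_ip, dst_ip, dst_port), as a flow collector might export.
FLOWS = [
    ("10.10.5.7", "10.20.1.20", 443),
    ("10.10.5.7", "10.30.0.10", 1433),   # workstation talking directly to the HR database
    ("10.40.0.5", "10.30.0.10", 22),
    ("10.20.1.20", "10.30.0.10", 1433),
    ("10.10.8.9", "10.20.1.20", 22),     # SSH from the user zone into the data center
    ("192.168.1.1", "10.20.1.20", 443),  # address outside every defined zone
]


def denied_flows(flows):
    """Flows the segmented policy would block; review these before enforcing it."""
    result = []
    for src, dst, port in flows:
        allowed, reason = evaluate(src, dst, port)
        if not allowed:
            result.append((src, dst, port, reason))
    return result


if __name__ == "__main__":
    for flow in denied_flows(FLOWS):
        print("DENY", flow)
```

On the constructed flows, the policy denies the workstation-to-database connection, the SSH session from the user zone, and the traffic from an address that belongs to no zone, while the application-tier and admin-zone flows pass. The same structure extends to virtual zones or tags in a software-defined network; only the zone lookup changes.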
As most organizations already know, a growing dependence on external services, partners, and contractors is part of a changing business dynamic. Further, consumerization of IT may soon lead to many employees having endpoint devices that are not managed by the organization and need to access the network on a regular basis. Ad hoc approaches may work in a few cases, but they are generally too difficult to manage for large numbers of endpoints. Where managed endpoints must connect to an internal network, multiple alternative approaches are available to identify the device and the user and to monitor and enforce specific security controls, such as functional malware protection and security configuration. However, through assessments and interviews, Gartner has identified that—at least for city, county, and state departments—the adoption of NAC remains low due to complexity and cost. On a final note, even though the enterprise network firewall market is very mature, it is by no means immune to disruption. The ability to work and play well in new environments is a force for change today, with many products available and innovation on the horizon. Virtualized firewalls and software-defined networks are no longer considered bleeding edge. However, this disruption is just getting started, and its ultimate impact on the market is unknown. Roughly two years ago, the focus switched to advanced threat detection and whether vendors could incorporate features such as file sandboxing, threat intelligence, or other such security features into their firewall platforms. Yet, with varying degrees of functionality, most vendors have solutions for Next-Generation Firewalls and advanced threat protection in place already.
Takeaway: Florida’s maturity score was 2.6 against the national average of 2.5. Overall, 75% of organizations surveyed had established and documented a security zoning strategy.
Physical Security
Here, we distinguish between physical protection of human lives and the physical aspects of protecting information. While performing an assessment, Gartner evaluates the physical aspects of facilities, typically those related to the protections provided to data centers, wiring closets, and physical endpoints in workspaces or office areas. Physical security was covered only to a limited extent in the survey, but through interviews and independent assessments, Gartner has developed a general understanding of the current state of physical information protection and Florida-specific challenges. From a physical security maturity standpoint, Florida scored 2.5 versus the national average of 3.3. Several factors contribute to this gap.

As with many other information security domains, Florida is trailing in hard-copy protections. Many organizations assessed lack a security policy that includes hard-copy protection guidelines. While several organizations have measures in place limiting smartphones and cameras in various work areas and other similar physical protections, they lack paper protection. In addition to handling guidelines and a “clean desk” policy (securing sensitive hard copies prior to leaving a work area), Gartner typically seeks locking shred bins and printer-specific protections. While most organizations have readily available locking shred bins, printer protections are lacking. Additionally, many organizations reported cost-cutting measures such as eliminating banner pages to cover the content of printed material in shared printing environments. While secure personal-identification-number (PIN)-based printing is usually mandated to secure documents on a shared printer, none of the organizations assessed are actively using it. Reasons for this lapse range from difficulty remembering PINs to the challenges of teaching users how to send a job to the printer with a code. While some organizations have enabled the functionality, they are not promoting its use. In another cost-saving measure, locally attached printers have been all but eliminated—even in the finance and human resources areas that routinely handle personally identifiable information and other sensitive data.

Florida organizations largely focus physical security on limiting access to facilities and occasionally to specific elevators and floors. These are excellent perimeter controls but are circumvented easily by daily acts of courtesy, such as holding the door open. Some locations separate visitor entrances, forcing employees to scan badges as they enter and visitors to check in with security staff. Beyond the perimeter, inside the building, most organizations have positioned support staff in shared common areas without locking offices. Many of the organizations interviewed noted that most employees do not have locking storage. While cabinets may have locked at one time, users frequently do not have the correct keys. Passing through these work areas, one finds unlocked computers and reams of sensitive information sitting atop desks. The absence of policy has led to a loss of situational awareness.

Data centers are secured, but often lack the full environmental protections required for optimal computing environments, such as HVAC and humidity controls, raised floors, water and air alarms, an emergency shut-off switch, emergency lighting, and fire suppression. Also, many organizations refer to them as “server rooms,” rather than data centers. Most data centers visited have backup Uninterruptible Power Supplies (UPS) in place. However, the majority of those power supplies provide just enough power to safely shut down the system. Of the more mature organizations that have backup generation capabilities, few have pre-arranged emergency fuel contracts in place. Furthermore, many of the organizations are in co-located facilities sharing a computing backbone. In these scenarios, keys issued by local physical security departments control access to wiring closets. There are often no logs or other processes in place to document who accessed the closets and when. For state government institutions, Florida mandated the move and consolidation of data to state-hosted data centers. Also, the majority of state government facilities no longer use or are migrating away from shared locations where possible and necessary.

The biggest challenge to physical information protection, documented by multiple assessments and interviews, is the distribution of offices and equipment across the state. Organizations queried admitted having little to no knowledge of the true information security posture of remote locations. Local servers remain in use at many remote locations, typically to support local directory services and authentication or local file and print services. The challenges of remote administration leave all physical protection in the hands of the local resources. Notably, few of those resources are truly IT savvy or security aware. Still, training and simple self-audit and reporting processes to mitigate the risks are not in place. The risks are accepted as unknown. Florida benefits from a governance structure designed to encourage and facilitate “multi-jurisdictional” and “multi-disciplinary” participation across government to support the successful implementation of the state’s Domestic Security Strategic Plan24. The structure includes three major components: the Domestic Security Oversight Council (DSOC), Regional Domestic Security Task Forces (RDSTF), and the State Working Group on Domestic Preparedness.
Takeaway: Florida’s maturity score was 2.5 against the national average of 3.3. Securing legacy paper processes, enforcing policies, and addressing distributed facilities continue to present challenges across the state.
Vulnerability Management

Vulnerability management is an extremely broad yet tactical component of cybersecurity. It is the frontline in the cybersecurity battleground. The elements of vulnerability management include detecting a weakness in a system, eliminating or at least reducing that weakness, protecting against software specifically designed to compromise systems, and, ultimately, responding once an incident has occurred. In the area of vulnerability management security maturity, Florida rated 2.2 as compared to the national average of 2.9.

System weaknesses can originate in many ways, from misconfiguration of an operating system or application to pre-existing weaknesses in commercial or locally developed software packages. Custom applications developed in-house can be a source of vulnerabilities. Fixes designed to eliminate one weakness can create a new weakness. The key to managing these weaknesses is to detect and mitigate them before a malicious actor can exploit them. Vulnerability scanning uses specialized tools, skills, and training to detect weaknesses. Whether one employs an on-premises appliance or a cloud-based service, each scanning solution operates on similar principles. Most vulnerability scanners discover network-attached devices; report on security configurations; identify configuration, platform, and asset vulnerabilities; and report and track remediation. Vulnerability scanning probes each system to identify the type of system and determine if known exploitable conditions exist on that system. Something as simple as running a legacy protocol or not changing the default password creates vulnerability. Even devices intended to protect systems, such as firewalls and security appliances, can be exploited if one has not applied patches for known vulnerabilities. If the environment is stable, then scanning does not have to occur frequently. However, any time a change occurs in the environment, a scan should be performed on affected systems to make sure that the change did not result in new vulnerabilities or reintroduction of previously mitigated vulnerabilities. Currently, 91% of survey respondents perform vulnerability scans on their systems. Application vulnerability scanning tools are also available that can detect weaknesses in web-based applications. Weaknesses such as cross-site scripting, SQL injection, and buffer overflow can be detected and turned over to developers to correct. Gartner research showed that in 2016, developers spent about 7% of their time removing software defects. Typical software defect rates can approach 5%, and previously mitigated defects reappear at a rate of about 5%.

The flow of vulnerability intelligence is daunting. Multiple sources, including the Multi-State Information Sharing and Analysis Center (MS-ISAC), Microsoft, security vendors, the Department of Homeland Security (DHS), and the Agency for State Technology (AST) issue vulnerability alerts on a regular basis, resulting in several duplicate alerts per vulnerability each day. The key to handling the influx of intelligence is to maintain a robust dispositioning process to categorize and prioritize vulnerabilities for mitigation. Vulnerability mitigation can take many forms, including vendor-issued patches, software fixes from in-house or contracted developers, and network-based mitigation. Network-based mitigation can be the only way to mitigate zero-day vulnerabilities, for which no patch is available. Network-based mitigation usually takes the form of a specialized firewall that can detect the signature of a live attempted exploit of a vulnerability and dynamically block that attempt. A basic tenet of vulnerability management is the routine patching of systems. However, organizations often do not patch systems as frequently as they should. While 88% of survey respondents centrally manage system patching, only 18% have a fully automated patch management system with patch testing and documented processes, and 10% of respondents manually apply patches.
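The "robust dispositioning process" the text calls for, which collapses the duplicate alerts that several sources issue for the same vulnerability and then prioritizes the result for mitigation, can be sketched in a few dozen lines. The Python program below is an added example, not code from the report, Gartner, or any of the named alert sources; the feed lines, the product names, the asset inventory, the scoring bonuses, and the SLA days are all constructed, and the CVE-0000-000N identifiers are placeholders rather than real CVE numbers.

```python
"""Vulnerability alert dispositioning over constructed feed lines.

Alerts from several sources are de-duplicated per vulnerability identifier,
joined with an asset inventory, and given a priority tier and remediation SLA.
"""

# Constructed alert feed: source|vuln_id|cvss|product|exploited_in_wild
# The CVE-0000-000N identifiers are placeholders, not real CVE numbers.
ALERT_LINES = [
    "MS-ISAC|CVE-0000-0001|9.8|example-webserver|yes",
    "VendorAdvisory|CVE-0000-0001|9.8|example-webserver|no",
    "DHS|CVE-0000-0001|9.8|example-webserver|yes",
    "VendorAdvisory|CVE-0000-0002|5.3|example-office-suite|no",
    "MS-ISAC|CVE-0000-0003|7.5|example-vpn-gateway|no",
    "AST|CVE-0000-0004|8.1|example-legacy-cms|no",
]

# Constructed asset inventory: product -> (installed_count, internet_facing).
# Products missing here (example-legacy-cms) are not installed anywhere.
INVENTORY = {
    "example-webserver": (12, True),
    "example-office-suite": (400, False),
    "example-vpn-gateway": (2, True),
}

# Assumed remediation policy: days allowed per priority tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def merge_alerts(lines):
    """Collapse duplicate alerts into one record per vulnerability id."""
    merged = {}
    for line in lines:
        source, vid, cvss, product, exploited = line.strip().split("|")
        rec = merged.setdefault(vid, {"id": vid, "product": product, "cvss": 0.0,
                                      "sources": set(), "exploited": False})
        rec["cvss"] = max(rec["cvss"], float(cvss))   # keep the highest reported score
        rec["sources"].add(source)                     # remember who reported it
        rec["exploited"] = rec["exploited"] or exploited.lower() == "yes"
    return merged


def tier_for(score):
    """Map a priority score to a tier (assumed cut-offs)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(merged, inventory=INVENTORY):
    """Join merged alerts with the inventory and return a queue sorted by priority."""
    queue = []
    for rec in merged.values():
        count, exposed = inventory.get(rec["product"], (0, False))
        item = dict(rec, installed=count, sources=sorted(rec["sources"]))
        if count == 0:
            # Not installed: track the alert, but it generates no remediation work.
            item.update(score=0.0, tier="not_applicable", sla_days=None)
        else:
            # Base CVSS plus bonuses for internet exposure and known exploitation.
            score = rec["cvss"] + (1.5 if exposed else 0.0) + (2.0 if rec["exploited"] else 0.0)
            tier = tier_for(score)
            item.update(score=round(score, 1), tier=tier, sla_days=SLA_DAYS[tier])
        queue.append(item)
    queue.sort(key=lambda i: i["score"], reverse=True)
    return queue


if __name__ == "__main__":
    for item in prioritize(merge_alerts(ALERT_LINES)):
        print(item["id"], item["tier"], item["sla_days"], item["sources"])
```

Six feed lines become four work items: the exploited, internet-facing web server flaw and the exposed VPN gateway flaw land in the critical tier with a seven-day SLA, the office-suite flaw is medium, and the alert for a product that is not installed is recorded but assigned no work. Replacing the constructed inventory with a real asset inventory is what turns a raw feed into a prioritized remediation queue.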
Figure 27: 2017 State of Cybersecurity, Vulnerability Scanning Frequency (Gartner FC2 2017 State of Cybersecurity in Florida Survey). Panels: frequency of internal scans performed on your IT systems; frequency of external scans performed on your IT systems; scans for new production systems. Response categories: annually, quarterly, monthly.

On the client-side, most organizations use client management tools to patch Microsoft Windows PCs. Typically, a process is in place for download, prioritization, and review and testing of the patches available from Microsoft’s ‘patch Tuesday’ before deployment. The timing of patch deployment, however, varies widely among organizations, with many taking 30 days or more to complete the distribution of the latest patches. Timely and consistent patching of third-party applications (that is, locally installed applications not provided by Microsoft or Apple) has become a greater focus for endpoint computing teams as software vendors do not provide a consistent method for producing software patches. Some vendors release patches frequently, while others release them rarely. Patch management vendors do offer a patch consolidation service at a price, providing a single tool to distribute patches and provide comprehensive reporting capabilities.

Protection against malware is another key element of vulnerability management. Malware is any form of malicious software—not just viruses, worms, and key-loggers—but also nuisance programs like adware that adds toolbars to your web browser, bombards you with pop-up windows, hijacks your home page, and sends your personal data to advertisers. Malware protection solutions frequently bundle multiple technologies. Security professionals must understand these technologies to prevent and detect malware and to balance the efficacy of new technologies against user impact. Protection technologies usually use a combination of signature-based intrusion detection and heuristics, which look for suspicious patterns indicative of malware. While 100% of Gartner’s clients use anti-malware products, not all organizations use products at all resource layers—or even to their fullest functionality. Organizations can deploy malware protection on desktops, laptops and mobile devices, servers, databases, and on network devices such as firewalls, web filters, and intrusion prevention systems. On client endpoints, 81% of survey respondents maintain their own solutions. However, only 73% manage alerts and notifications through a central console. In those organizations, alerts typically are emailed to a central mailbox, requiring both presence and attention of the alert recipient. Text alerts are more effective, as receiving a notification on a mobile device draws immediate attention. However, texting is prohibited for state agencies as it is considered an uncontrolled public record. Though mobile device malware infections reached an all-time high in 2016, only 45% of survey respondents provide malware protection on their mobile devices.

The question is not whether security incidents will occur, but rather when they will occur. This troubling reality makes effective incident response—that is, reducing the risk of incidents and mitigating the damage they cause—a critical concern for security professionals. Incident preparedness is part of the standard of due care.
Advanced preparation is crucial to effective incident response, but it is also extremely difficult, especially in complex, distributed enterprises. Incident response policies, processes, and procedures should be developed to fit the organizational context and culture. A security incident response procedure, written in clear, concise, actionable language, is a key to dealing effectively with these incidents. It is equally important to exercise the incident response plan to ensure adequate preparation of those who have active roles in the response. Eighty-five percent of the organizations surveyed indicated that they have an incident response plan, while 9% indicated a plan was in development. From assessments and interviews, Gartner has identified several shortcomings related to incident response management. Notably, organizations are not implementing and testing plans and procedures fully. Several organizations interviewed had recently updated plans drafted between 2008 and 2009, but the plans remain in ‘draft’ and are not institutionalized. In addition, testing—which is generally considered training as well—is not routinely conducted. Upon review, Computer Security Incident Response Team (C-SIRT) members will invariably identify shortcomings of the current plan including the incorrect naming of core team members in the plan or an undocumented change. Organizations typically cite resource constraints as the reason for the discrepancies.
Takeaway: Florida’s maturity score was 2.2 against the national average of 2.9. Necessary processes such as system patching, vulnerability scanning, and incident response required to mitigate the scope and impact of a threat are not yet mature.
Mobile Security

Mobile devices such as smartphones, tablets, and even wearable technology like the Apple Watch, continue to challenge the boundaries of security thanks to both innovation and user demand. While mobile devices are not typically used as primary business devices, they are still widely used for business purposes. One Florida organization reported having a single user with fifteen registered devices, including multiple phones and tablets, approved for business use. Despite the widespread use of mobile devices, only 46% of respondents have a mobile device strategy. Of that group, just 36% feel that their mobile device strategy adequately addresses emerging technology concerns, and 41% indicated that strategy adjustments are needed. Overall, Gartner observed a several-year dip in mobile security maturity around the world with the migration from RIM’s BlackBerry model—which included the BlackBerry Enterprise Server to manage and enforce security policies on the device from the back end—to the Apple iPhone and Android-based devices. Yet, demand-driven advancements in mobile device management (MDM) are readily available and widely used. Of those surveyed, 68% indicated that they employ an MDM solution. Assessments and interviews revealed that numerous organizations use Microsoft’s ActiveSync technology to connect to local, on-premises Microsoft Exchange installations. ActiveSync is a client protocol that lets users synchronize mobile devices with their Exchange mailboxes. While ActiveSync now provides some security capabilities, many organizations do not implement those features fully. The newer Microsoft synchronization product, Intune, provides email synchronization with the cloud-based Exchange environment. Those interviewed who are considering Intune to replace ActiveSync are enticed by the affordable price but concerned about the need to integrate with Microsoft’s System Center Configuration Manager to achieve full functionality.
One point of concern is that, while Microsoft’s built-in tools provide comprehensive security policies for Office 365, they provide limited integration with other common SaaS applications[25]. It is nonetheless reassuring that 68% of those surveyed have a full-blown, enterprise-class MDM solution or enterprise mobility management (EMM) solution in place. As the adoption of MDM/EMM solutions increases so does the tolerance for bring-your-own-device (BYOD) practices, now permitted by 42% of survey respondents, all of whom employ an MDM/EMM solution. Assessments and interviews further revealed that mobile malware, so far, has not been an issue in the eyes of enterprises; however, mobile attacks are increasing in both number and frequency. As a best practice, Gartner continues to recommend mobile anti-malware for all mobile platforms. Non-signature-based anti-malware solutions are increasingly effective and will soon displace local endpoint signature database maintenance. Finally, users readily sharing or copying business information to their mobile devices and cloud storage systems as a matter of effectively performing their job duties continues to be a worrying trend and point of vulnerability in mobile security.
Florida’s maturity score was 2.1 against the national average of 2.4. Many organizations indicated that they are not prepared to address security for the larger number of devices.
Identity and Access Management
Controlling access continues to be a core tenet of information security. Operational risks, reputational risks, compliance risks, and legal and regulatory risks can all result from the failure to properly manage identities and access to networks and applications. Identity and access management (IAM) technologies are intended to mitigate these risks. The shift of users, applications, and management to the cloud—and the acceleration of IT innovation—has forever altered the IAM landscape. The expansion of the IoT is spurring changes in digital business and forcing IAM markets to adjust to common governance and technology interdependencies across IT, operational technology, and physical security. This diversity is challenging legacy systems and overly complex or incomplete IAM processes. At the same time, users are demanding easy access to accounts and information. Florida scored 2.3 in IAM maturity compared to the national average of 2.4, showing significant alignment with general market conditions. However, only 55% of respondents have a valid IAM strategy, while 23% indicated that their strategy does not apply to all systems and use cases. While many organizations have addressed the automation of birthright credentials, basic network access, and a core application set, many have not advanced further due to the cost of implementation and ongoing maintenance. Increases in environmental complexity and the pressure to provide secure user access have driven organizations to revisit their legacy strategies. Also, the diverse skill sets required to design the system, maintain the platforms, and develop system interconnections are in high demand and not readily available. These challenges and the maturing Identity-as-a-Service (IDaaS) marketplace have led many organizations to turn to cloud services. Overall, 87% of survey respondents enforce strong passwords technologically. However, 12% of that group do not leverage that capability for all systems, due in part to legacy technology changes or to users not integrated with centralized directory services for pass-through authentication. Passwords, moreover, are inherently insecure, forcing the adoption of more secure credential management. From interviews and prior assessments, Gartner has seen an increased desire for and implementation of Privileged Access Management (PAM) capabilities. Fear of data breaches—frequently facilitated by theft or abuse of privileged accounts and credentials—growing regulatory and compliance mandates, integration with third parties and contractors, and adoption of cloud services are all driving the adoption of PAM. In addition, auditors have begun to recognize that PAM provides a strong hedge against risk. Companies with weak PAM programs are increasingly discovering vulnerabilities in audits[26]. Gartner predicts that by 2020 the maturation of best practices and PAM technology will enable more organizations to reduce the attack surface created by unsafe or incomplete remote privileged access processes; 30% of enterprises will be significantly exposed due to unsafe access, compared to 75% now[27]. Stronger credentials must be coupled with stronger credential management processes, including issuance processes, to ensure success.
Identity proofing services, which verify a person’s identity before issuing account credentials, are a compensating control that ensures enrollment sessions provide password authentication. Identity proofing can include dynamic knowledge-based authentication, device identification, presentation of a government-issued photo ID, demonstration of account ownership, and other techniques. In Florida, interview and assessment participants are just beginning to investigate these services. Managing the multitude of data sources required to automate account provisioning has been a long-standing organizational challenge to effective IAM, in part because of the reluctance of human resources to allow other systems to connect to the management system and in part because of conflicts created by a lack of data standards or administrator error. One concerning emerging trend is descoping applications—that is, inappropriately listing applications as out of scope, so they are not subjected to the rigors of attestation reporting. While an organization cannot descope core functional applications, it can—and does—descope data sources, including directory services, which often serve as the authoritative source of user information. This practice creates complex and conflicting user information, making verification and validation more difficult. In addition, the lack of well-managed identity data sources introduces risks related to legacy or inappropriate account access, valid user verification, data leakage, system and data integrity, and non-compliance. Improved data discovery and identity analytics are available to assist with these challenges, but adoption will require a change in management’s mindset. Blockchain, an emerging disruptive technology, is accelerating the movement toward a decentralized identity model that enables users to manage their own identity and profile attributes. Gartner believes a decentralized identity model, built on a common identity trust fabric like blockchain, will become feasible in the coming years. Blockchain separates trust management from central authorities and disaggregates risk by gradually reducing the role of identity providers in managing identity data. Following the introduction of federated identity management and mobile identity, this separation is a key evolutionary step to bringing identity management closer to users.
The Disruption
With 69% of respondents leveraging cloud services of some type, the majority of survey respondents (87%) have implemented federated identity management (FIM): an arrangement made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group. One widely used application that employs FIM is Microsoft Office 365, which continues to be a major disruptor for IT departments worldwide. Nearly half of those interviewed indicated that the move to Microsoft’s Azure/Office 365, as well as the expanding need to integrate more securely and effectively with business partners, drove their adoption of FIM. Overall, 78% of Gartner clients have either implemented Office 365 or plan to implement it soon. The most popular Office 365 services are Exchange Online, OneDrive for Business, SharePoint Online and productivity applications (Office 365 ProPlus), in that order. But adoption of Office 365 is disruptive to IAM because it shifts applications into a hosted environment, putting the organization in a hybrid-identity situation. In a 2016 Gartner survey, 20% of respondents cited identity integration with Office 365 as one of the top-three technical problems they encountered.
Sources: Diodati, M., Farahmand, H., Rabinovich, P., Robinson, L., Ruddy, M., & Wahlstrom, E. “2017 Planning Guide for Identity and Access Management.” Gartner, Inc.; Cannell, L. “Implementing Office 365: Gartner Survey Results and Analysis.” Gartner, Inc. 2016.
Takeaway
Florida’s maturity score was 2.3 against the national average of 2.4. Identity and Access Management is again a focus as systems and users become more diverse and distributed. Disturbingly, Florida displays a notable lack of strategy to address the relevant and changing use cases.
Endpoint Security
Endpoints (host computer systems) store and process sensitive business information and support vital institutional processes and activities. Endpoint controls must, therefore, manage the overall risk to the organization, and organizations must define those controls within the context of the environment in which the endpoint will exist and function. Simply put, endpoint security is largely a trade-off between degrees of assurance and degrees of flexibility offered to users. Areas affecting endpoint security include removable media; host-based data and DLP (discussed in Data Security); user identities (discussed in Identity and Access Management); and endpoint admission control (discussed in Network Security), to address a few. In this section, we will focus on the security of the device or platform itself. The state’s maturity for endpoint security was 2.2 compared to the national average of 2.7. For the organizations surveyed, 93.5% maintain their platforms, with 92% having documented server-side build procedures, and 86% maintaining client-side build procedures. Interviews and assessments identified system hardening challenges for many organizations. In computing, hardening is the process of securing a system by reducing its surface of vulnerability (attack surface). The greater the number of functions a system performs, the larger its surface of vulnerability. In principle, a single-function system is more secure than a multipurpose system. Numerous (sometimes vendor-supported) sources provide system hardening guidelines, but few organizations queried leverage them. For example, while Internet Protocol version 6 (IPv6) has near-zero adoption (although many organizations are investigating the technology), not many system administrators disable this service to reduce the attack surface. Another area plaguing organizations is the inability to upgrade legacy platforms due to application dependencies. While large organizations with a central IT department may appropriately plan for system refresh life cycles, small business owners may lack the funding and the awareness of the implications to their applications to plan for and support upgrades. Gartner still sees many legacy technologies—including the now-unsupported Windows Server 2003—throughout the state, and many organizations lacking technology standards, a gap that typically leads to the use of multiple platforms. While there are multiple contributing factors, Gartner has observed governance failures in both strategic planning and tracking of the technology insertion cycle, causing missed opportunities for notification and coordination of changes. Also, many of the Florida organizations indicated that, historically, they had done a poor job of including sustaining costs and ongoing maintenance in their planning cycles. Thus, replacement and upgrade planning is done in the moment or on an ad hoc basis. The private sector performs markedly better in this area. Finally, limited funding and skill sets are contributors as well. If an organization can obtain and implement the desired functionality, the mindset has been to implement now and figure out how to sustain it later, when finances improve. There are many cases, too, where the organization’s standard platforms are Microsoft Windows-based, but appliance and service servers use the low-cost alternative, Linux. Unfortunately, Gartner sees a set-it-and-forget-it approach to many of these appliance environments, with a failure to tie them into normal governance cycles. On the client side, the two predominant issues are continued provisioning of local administrative rights and lack of support and patching for non-core, non-Windows (Apple Macintosh and Linux) machines. The battle over local administrative rights has long been raging. Locking down the local machine can lead to expensive application remediation and increase user dissatisfaction. Many IT professionals find it easier to permit privileged access than to fight for the funding and backing required to make the change.
That approach is in direct conflict with best practices, and compensating controls, such as temporary permissions, are documented and available but still not widely deployed. As it turns out, the number one defense against the spread of ransomware is to lock down the local desktop[28].
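The two hardening gaps this section names, IPv6 left bound on adapters and standing local administrator rights, can be checked with a short read-only audit. The PowerShell below is an added example, not the report's or Gartner's code; it assumes Windows 10 or Windows Server 2016 or later, and the approved-administrator list is a constructed placeholder.

```powershell
# Added example (not from the report): read-only audit of two endpoint
# hardening gaps discussed in this section, IPv6 still bound on network
# adapters and standing membership in the local Administrators group.
# Assumes Windows 10 / Server 2016 or later, where the NetAdapter and
# Microsoft.PowerShell.LocalAccounts modules ship in-box. Nothing is changed.
#Requires -Modules NetAdapter, Microsoft.PowerShell.LocalAccounts

# Constructed placeholder allow-list of principals permitted to hold
# standing local admin rights. Replace with the organization's own list.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account
    'EXAMPLE\Workstation Admins'         # hypothetical domain group
)

function New-Finding {
    param([string] $Check, [string] $Subject, [string] $Detail)
    [pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail }
}

function Get-IPv6BindingFindings {
    # ms_tcpip6 is the component ID of the IPv6 stack binding on each adapter.
    # Unbinding per adapter is reversible; disabling IPv6 system-wide through
    # the registry is discouraged by Microsoft because some components rely on it.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction Stop |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            New-Finding -Check 'IPv6Binding' -Subject $_.Name `
                -Detail 'IPv6 still bound; unbind (Disable-NetAdapterBinding) if the network does not use it'
        }
}

function Get-LocalAdminFindings {
    param([string[]] $Approved = $ApprovedAdmins)
    # Every Administrators member not on the allow-list is a standing
    # privilege that should move to temporary, approved elevation instead.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $Approved -notcontains $_.Name } |
        ForEach-Object {
            New-Finding -Check 'LocalAdmin' -Subject $_.Name `
                -Detail "Standing admin rights ($($_.ObjectClass) from $($_.PrincipalSource))"
        }
}

function Invoke-EndpointHardeningAudit {
    # Collect findings from both checks and return them as objects so the
    # output can be piped to Export-Csv, a SIEM, or a ticketing system.
    $findings = @(Get-IPv6BindingFindings) + @(Get-LocalAdminFindings)
    if ($findings.Count -eq 0) {
        Write-Host 'No findings: IPv6 unbound on all adapters; only approved local administrators.'
    }
    return $findings
}

# Example run: show a table and keep the objects for further processing.
$results = Invoke-EndpointHardeningAudit
$results | Format-Table -AutoSize
```

Run it from an elevated session on a build image or a sample of fleet machines; a non-empty result on a freshly imaged device indicates the build procedure itself, not just the endpoint, needs correction.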
It appears the lack of support for non-core clients, such as Apple Macintosh and Linux, is due to both governance challenges and a general lack of support skills. Linux machines have a higher probability of being maintained, though not routinely, centrally, or systematically. Macs, prevalent among students, executives, and graphic artists, tend to be set to perform automated updates and patching. As these machines are often procured by the business directly, the challenge is awareness and acknowledgment by central IT to ensure that the units are being patched and maintained. Often, a machine is purchased with factory default settings and not maintained until a vulnerability scan, assessment, or audit discovers it. The lack of widely available skills within business IT environments to support the platform is a contributing factor to this issue. Finally, advanced endpoint security solutions are emerging due to market demand. Most notably, the burgeoning market of endpoint detection and response (EDR) is expected to grow at an estimated compound annual growth rate of 45% through 2020[29]. These tools can detect security incidents, assist with developing a historical timeline, contain incidents, and remediate endpoints by rolling back to a pre-infection state. None of the organizations queried had yet embarked on these capabilities, but several are investigating them.
Takeaway
Florida’s maturity score was 2.2 against the national average of 2.7. Endpoint security is challenged by failure to harden platforms adequately; inability to upgrade legacy platforms due to application dependencies; lack of enforced technology standards resulting in diversification of platforms and skill set constraints; failed planning for technology insertion; and limited funding and skill sets.
The Future of Cybersecurity in Florida
Florida faces many of the same challenges as the rest of the nation when it comes to cybersecurity due to the rapidly changing threat landscape. The accelerating technological evolution driven by the rapid adoption of cloud computing and the growth of mobile computing, smart devices, and IoT has created a frenzied pace of growth and change. Of the organizations that participated in the Gartner FC2 2017 State of Cybersecurity in Florida Survey, only 32% were confident that they were prepared for a cyberattack—in part because of the challenges related to keeping pace with technology and in part due to the lack of available resources. However, many organizations already have begun taking steps to improve their security posture. If these in-progress initiatives are carried through to completion, Florida’s general cybersecurity posture soon will align with national averages. Hopefully, these initiatives signal a shift in organizational attitudes toward cybersecurity from reactive to proactive, where organizations plan for the changes, growth, and upgrades the continuously evolving cyber landscape demands.
About the Sponsors
Florida Center for Cybersecurity (FC2)
Established by the Florida Legislature in 2014 and located on the campus of the University of South Florida (USF) in Tampa, the Florida Center for Cybersecurity (FC2) serves as a statewide resource.
FC2 key objectives include:
• Position Florida as a national leader in cybersecurity through education, research, and community engagement.
• Assist in the development of a highly skilled cyber talent pipeline, enhance the existing cybersecurity workforce, support economic and workforce development, and attract new industry to the state.
• Act as a facilitator for industrial, military, and higher education communities to share cybersecurity knowledge, resources, and training.
FC2 has produced this first-ever State of Cybersecurity in Florida report as a guide to facilitate decision-making for Florida’s policymakers, industry, academia, and others. The report presents an overview of the cyber threat environment, workforce demand and supply, education and training needs, and cybersecurity research in the state of Florida. The Florida Center for Cybersecurity was established to position Florida as a national leader in cybersecurity through education and workforce development; innovative, interdisciplinary research; and community engagement. With a geographic footprint that spans Florida and encompasses all twelve State University System of Florida (SUS) institutions, the Center serves as a hub for creating connections, building partnerships, capitalizing on opportunities, and encouraging collaboration among stakeholders in industry, academia, government, and defense. The Center hosts events to engage a diverse audience base throughout the year and administers funding programs that support collaborative research and cybersecurity programming at SUS institutions.
Education
• Facilitates a SUS Advisory Council on Cybersecurity to connect the 12 SUS institutions in Florida and create a forum for information-sharing and collaboration
• Developed and launched a nationally recognized pilot program providing cybersecurity training for veterans; “New Skills for a New Fight” fast-tracked deserving veterans into the workforce, creating post-military career paths and addressing critical workforce shortages
• Assisted USF with the development of its interdisciplinary Master’s Degree in Cybersecurity program, which offers four concentrations and boasts an enrollment of more than 400 students
• Led efforts to secure a federal grant to develop and launch a new training program for U.S. Army reservists as part of the U.S. Army Reserve P3 initiative
• Supports cybersecurity programs for high school students to drive interest and support the development of a robust cybersecurity talent pipeline in Florida
• Launched a Capacity Building Program in 2017 that awarded $720,000 to support SUS projects focused on curriculum development, lab/technology development and community engagement
Research
• Awarded more than $1.6 million through the Collaborative Seed Award Program to fund cybersecurity research projects that link researchers from across Florida’s SUS to support cross-institutional collaboration and development of a cyber research ‘ecosystem’ in Florida
• Supports the efforts of SUS institutions to secure National Center of Academic Excellence designations
• Organizes and hosts an annual Research Symposium that brings together industry, academic researchers from across the SUS, and students to share their work, learn about new cybersecurity research, and connect with fellow researchers from across Florida
Community Engagement
• Participates in and supports numerous events to build awareness and encourage dialogue on key cyber topics
• Hosts an annual fall conference—FC2’s signature event—at the Tampa Convention Center to bring together stakeholders from industry, government, academia, and the military to share information, network, explore ideas, and learn about emerging trends and today’s hottest cyber topics
Gartner Consulting
Powered by the world’s most comprehensive collection of technology research and data, Gartner Consulting helps CIOs and IT leaders address mission-critical priorities to achieve stronger business outcomes in a digital world. Gartner Consulting is a unit of Gartner Inc., with more than 900 consultants serving clients around the world. Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies to business leaders in high-tech and telecom enterprises and professional services firms and technology investors, we are the valuable partner to clients in more than 11,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, we work with every client to research, analyze, and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 13,000+ associates, including over 1,800 research analysts and consultants, and clients in more than 100 countries. For more information, email email@example.com or visit gartner.com
Endnotes
1. RealtyTrac. 2015 U.S. Natural Disaster Housing Risk Report.
2. Beazley. “Ransomware attacks steal headlines, but accidental data breaches remain a major cause of loss.” July 2017.
3. PhishMe. 2016 Enterprise Phishing Susceptibility and Resiliency Report.
4. Ponemon Institute. 2016 State of Cybersecurity in Small- and Medium-Sized Businesses (SMB).
5. Federal Bureau of Investigation Internet Crime Complaint Center. 2015 Internet Crime Report and 2016 Internet Crime Report.
6. Orlando Sentinel. “Hack at UCF compromises 63,000 Social Security numbers.” February 4, 2016.
7. Gemalto. 2017 Poor Internal Security Practices Take a Toll: Findings from the First Half of 2017 Breach Level Index.
8. PwC. Aviation Perspectives. 2016.
9. HIPAA Journal. “Largest Healthcare Breaches of 2016.” January 2017.
10. The Hacker News. “FDA Recalls Nearly Half a Million Pacemakers Over Hacking Fears.” August 2017.
11. IBM Security. Security Trends in the Manufacturing Industry. 2017.
12. Verizon. 2017 Data Breach Investigations Report.
13. Ponemon Institute. 2017 Cost of Data Breach Study.
14. Intermedia. 2017 Data Vulnerability Report.
15. Center for Strategic and International Studies. Net Losses: Estimating the Cost of Cybercrime. June 2014.
16. Ponemon Institute. 2017 Cost of Data Breach Study: United States.
17. Gartner. “IT Key Metrics Data 2017: Key IT Security Measures: Multiyear.” 2016.
18. Kim, E., & Deshpande, S. “Market Share: Managed Security Services, Worldwide, 2015.” Gartner, Inc. April 2016.
19. Proctor, P. E., & Tirosh, A. “Shift Cybersecurity Investment to Detection and Response.” Gartner, Inc. May 2017.
20. Cyberseek.org/heatmap.html
21. ISACA. State of Cyber Security 2017: Current Trends in Workforce Development. February 2017.
22. Meunier, M. “Take a Broader Look at Classification to Improve Data Security.” Gartner, Inc. 2016.
23. Skaronis, P. “Safety - Part of Information Security.” Tripwire: https://www.tripwire.com/state-of-security/security-awareness/safety-part-of-information-security/
24. Florida’s Domestic Security Oversight Council. 2016 Domestic Security Annual Report. December 31, 2016.
25. Girard, J., Zumerle, D., Reed, B., Firstbrook, P., & Willemsen, B. “Predicts 2017: Endpoint and Mobile Security.” Gartner, Inc.
26. Gardner, D. “Forecast Snapshot: Privileged Access Management, Worldwide, 2017.” Gartner, Inc.
27. Gaehtgens, F., & Girard, J. “How to Secure Remote Privileged Access for Third-Party Technicians.” Gartner, Inc. 2016.
28. Braue, D. “Block 100% of Ransomware by Managing Admin Rights.” CSO: http://www.cso.com.au/article/604516/block-100-ransomware-by-managing-admin-rights-applications-researches/. August 2016.
29. Marsala, F. “Invest Implications: Forecast Snapshot: Endpoint Detection and Response, Worldwide, 2017.” Gartner, Inc.
Florida Center for Cybersecurity • 4202 E. Fowler Ave., Tampa, FL 33620 • theFC2.org
The Florida Center for Cybersecurity is proud to share The State of Cybersecurity in Florida report. FC2 contracted with Gartner to conduct...
Published on Feb 8, 2018