Proven Security Results
Your Organization + PCIT Security Excellence = measurable benefit over benchmarks
Real world results at below average rates
Can great security results come hand in hand with lower than average spending?
Benchmark data PCIT has gathered over 2015 and 2016 points to this conclusion.
Referencing a recent global survey by the Osterman group covering 2015 results, we find our clients had significantly less malware and less downtime from malware. According to the survey of hundreds of Canadian organizations, respondents PAID a malware ransom to get their data back 72% of the time. Compare that to our clients, where 0% paid a ransom and 0% lost data. Some have wondered whether this is because our clients are smaller than the respondents and therefore a less ‘attractive’ target. We don’t think that premise is true. According to the survey, 70% were affected by malware, while over the same period 60% of our clients were affected. It appears our clients were just as targeted. We also believe the threats they faced were just as deceptive and just as malicious as those larger organizations receive. If we kept score, the results would look something like this.
Typical Canadian organization surveyed
- 5400 staff
- Responsibility for security – CIO, IT Director, Security Officer
- Suffered security attack last 12 months - 72%
- Percent who lost data due to ransomware and PAID between $1,000 - $50,000 to get it back - 72%
- Percent who lost data when they refused to pay the ransom - 82%
- Severe downtime – It took more than a day trying to restore endpoint functionality - 63%
- More than 9 hours to remediate - 60%
- High Risk - 43% lost revenue, 25% stopped operations
PCIT clients
- 250 or fewer staff
- Responsibility for security – PCIT
- Suffered security attack last 12 months - 60%
- Percent who lost data due to ransomware and PAID between $1,000 - $50,000 to get it back - 0%
- Percent who lost data when they refused to pay the ransom - 0%
- Severe downtime – It took more than a day trying to restore endpoint functionality - 0%
- More than 9 hours to remediate - 0%
- High Risk - Data not complete, very limited impact to operations
These results highlight a few things. First, we have great clients who have been diligent in working with PCIT to manage their security profile. Very few push back and ask us to own the security results when we say we need everyone’s help. Second, our ‘secret sauce’ appears to be working. In early 2015 we began providing very clear benchmark data to each of our clients on how they were doing managing security. This was a key contributor to the results experienced and it was surprisingly low cost.
A thoughtful analysis of the two lists also raises the suspicion that good to great security results are independent of budget, the number of internal resources, or even the titles of internal resources. It is easy to estimate that, with an average of 5,400 staff and dedicated security specialists on staff, most of the survey respondents operate with a much bigger security spend and a larger IT spend overall. Instead of requesting large security budgets, PCIT strives to deliver clear information regarding risk exposure and the best steps in managing the downside. Given the right information, executive teams will typically make the right decision.
Further examination also points to the conclusion that no matter how smart, how helpful, how well trained, and how well intentioned internal resources are, most Canadian organizations have NO IDEA how large their security exposure is. The results experienced point to persistent failure.
In fact, the conversation in most boardrooms is more likely to be sympathetic to internal IT resources after a security breach. Even after having to pay a $20,000 ransom, like the University of Calgary just did, what can a management team do except put more money toward the problem? Executives who do not know how to manage IT try to get results by hiring, providing budget, and gauging results by how well they ‘feel’ about the work that is being done. To most managers, having to pay a ransom can be excused because the bad guys are ‘getting to a lot of others’ and they just know their ‘guy(s)’ or ‘gal(s)’ are good.
If there are organizations who want to manage technology results by more than a ‘feeling’, we would love to discuss whether our approach would be a fit.