2021 industrial security benchmark study - threatswitch


Page 1: 2021 INDUSTRIAL SECURITY BENCHMARK STUDY - ThreatSwitch

222 South Church Street, Charlotte NC 28202 • 877-449-3220 Confidential / 1

2021 INDUSTRIAL SECURITY BENCHMARK STUDY

Leaders and practitioners weigh in on what's in store for 2021

What do 100 of the most active and influential industrial security leaders and practitioners have to say about what’s in store for 2021? From the impact of the Cybersecurity Maturity Model Certification (CMMC) to the rewrite of the National Industrial Security Program Operating Manual (NISPOM), this report shares their views with the security community.


Executive Summary

With all the talk about changing regulations, new regulations, and advances in security and compliance technology, it's natural to wonder whether these topics will have any measurable impact on corporate security and compliance programs in 2021.

So we asked some of the most active and knowledgeable industrial security executives, leaders, and practitioners how they expect the landscape to change in 2021, focusing on members of two top organizations: the National Classification Management Society (NCMS) and the Intelligence and National Security Alliance (INSA).

With this survey, ThreatSwitch aimed to record and collate the weaknesses and opportunities in security compliance expected to follow the severe market disruption of 2020. It also aimed to record the expected reprioritization of risks following that disruption, the size of the legacy budgets available, and the re-allocation of those budgets in response to the reprioritized risks.

What did these leaders tell us? Our survey indicated that macroeconomic, strategic, and operational risks were severely stressed on a global scale during 2020 and that stress directly affected industrial security. This came, broadly, in the form of technical security staffing shortages, accelerated and unplanned technological needs, new and dynamic regulations and compliance requirements, and the continued rise of persistent emerging threats.

The multi-faceted risks to security resulting from COVID-19 shutdowns, however, overshadow the other challenges by large margins. Respondents indicated that they had to rethink corporate policies and procedures, not just to accommodate remote work, but also to migrate their industrial security programs to ones that can handle distributed people and assets.

In the heavily regulated Defense Industrial Base (DIB), there are deeply complex, far-reaching laws and regulations where non-compliance may result in costly remediation activities, the inability to renew existing contracts or secure new contracts, and in more egregious cases, civil or criminal penalties. Survey respondents were clear in their focus on emerging policies, especially the Cybersecurity Maturity Model Certification (CMMC) and Controlled Unclassified Information (CUI).

Finally, respondents indicated that their companies intend to spend the money necessary to comply with new requirements, including the technology to support it. The vast majority expect industrial security budgets to increase, with particular emphasis on requisite technology, third party audits, and training activities.


Survey Focus and Respondent Profile

In this survey, we asked respondents what they expected to see in industrial security in 2021, how much they plan to spend on key activities, what obstacles they believe they will face, and what they plan to do about it. We inquired about their attitudes toward key trends, technology, and practices in industrial security and how they see COVID-19 affecting those attitudes.

The survey targeted diverse industries which included Aerospace and Defense, Consulting and Professional Services, Information Technology and Services, Software, Engineering, and many others.

In all, 107 professionals responded to this survey, representing organizations from all over the U.S., ranging in size from large organizations with more than 5,000 employees to smaller organizations with fewer than 100 employees. To ensure that the respondents had well-informed views, we specifically sought the input of active members of the National Classification Management Society (NCMS) and the Intelligence and National Security Alliance (INSA).

Survey Demographics: The industries approached for this survey, and their weighting within the overall results, are represented in the following breakdown:

Industry Breakdown

Aerospace & Defense: 30%
Consulting & Prof Svcs: 16%
Info Technology & Services: 13%
Other: 7%
Computer Software: 6%
Engineering: 5%
Electronics: 4%
Higher Ed: 4%
Computer & Network Security: 3%
Manufacturing: 3%
Facilities O&M: 3%
Construction: 2%
Gov't Contracting: 2%
Banking & Finance: 1%
Healthcare: 1%
Oil & Energy: 1%
Semiconductors: 1%


The size of the companies was measured by number of employees as well as by annual revenue.

Number of Employees

Less than 100: 26%
100 - 500: 29%
500 - 1,000: 80%
1,000 - 5,000: 14%
Greater than 5,000: 23%

Annual Revenue

$0 - $50MM: 39%
$50MM - $100MM: 12%
$100MM - $500MM: 12%
$500M - $1B: 9%
Greater than $1B: 28%


The titles and authority levels of the respondents, and their weighting in the survey outcomes, are represented in the following breakdowns. Respondents were asked to state their functional area, seniority level, size of the corporate security team, and reporting structure. By a significant margin, the majority of contributors were corporate security officers, with 65% of contributors holding a manager, vice president, or director title.

Role / Functional Areas (number of respondents)

Accounting & Finance: 1
Compliance and Risk: 4
Corporate Security / FSO: 69
Human Resources: 1
Technology / CIO / Information Systems Security: 6
Operations: 9
Research: 3
Executive / Administrative: 5
Other: 8

Seniority

C Level: 9%
Vice President: 3%
Director: 21%
Manager: 41%
Analyst/Specialist: 7%
Contractor: 5%
Other: 13%


Top Risks for 2021: Phishing, Social Engineering, and Remote Work

The security compliance and risk prioritization outcomes of the survey matched our expectations: companies are concerned about remote work and the vulnerability of their employees to social engineering and manipulation. While we expect those to be at the top of the list every year, one result was surprising: the relatively low concern on supply chain security. Only 7% of respondents indicated that supply chain security posed the most risk, despite the recent Russian cyberattacks that exploited supply chain vulnerabilities. However, when the data is analyzed by company size, we find that larger companies are far more concerned about supply chain security, suggesting a gap in understanding between supply chain tiers.

Greatest Risks going into 2021: The observations from respondents at small to large organizations show that the biggest threats to their business are cyber-related, with phishing and social engineering emerging as the top factors. With most of the workforce operating remotely and more vulnerable to cyber-related threats, remote employee security practices were the second leading threat for 2021 as indicated by our respondents. Intellectual property theft, which is typically the consequence of insider threats, was also top of mind for security professionals.

Threats posing the greatest risk to your organization for 2021 (share of respondents rating each threat from 1 = least to 5 = most):

                                       1      2      3      4      5
Cyber-Related                          5%     7%    26%    33%    29%
Remote Employee Security Practices     5%    14%    33%    29%    19%
Intellectual Property Theft           17%    15%    28%    22%    18%
Privacy, PII, PHI Spills or Leakage   10%    23%    27%    25%    15%
Insider Threat                        10%    23%    26%    25%    16%
Organizational Espionage              22%    23%    22%    20%    13%
Third Party/Vendor Risk               11%    29%    24%    26%    10%
Covid/Pandemics                       26%    25%    27%    15%     7%
Employee Selection and Screening      11%    27%    34%    21%     7%
Supply Chain Security                 28%    23%    21%    21%     7%
State-Sponsored Espionage             27%    29%    22%    16%     6%
Unethical Business Conduct            25%    33%    27%    12%     4%
Natural Disasters                     43%    29%    21%     5%     2%
Political Unrest                       1%    29%    17%    51%     2%
Fraud/White Collar Crime               1%    26%    25%    36%    12%
Inadequate Security                   41%    34%    18%     1%     6%
Workplace Violence                    37%    40%    17%     1%     5%


CMMC Dominates Priorities for 2021

The Cybersecurity Maturity Model Certification (CMMC), introduced in January of 2020, is a new regulation that aims to measure a company's capabilities, readiness, and sophistication in the area of cybersecurity. While the framework includes existing processes and protocols from standards such as NIST 800-171, it will require certification from Third Party Assessment Organizations (3PAOs). Our survey indicates that companies are very concerned about CMMC: 74% believe that it will require more time and resources in 2021. CMMC has been the subject of high profile promotion by the Department of Defense over the last year, so this focus doesn't come as a great surprise.

Security Executive Agent Directive (SEAD) 3, which stands to have a larger near-term impact on federal contractors, received surprisingly little attention from our respondents. Only 13% expect SEAD 3 to consume more time and resources in 2020, even though SEAD 3 dramatically increases the scope of reporting requirements for contractor employees who hold security clearances at any level.

The security compliance priorities that came out of the survey are headed by CMMC by a huge margin, followed by CUI and NIST. Insider threat comes in at number 4. The full list, in order of priority, is as follows:

Security Resource Allocation by Regulation Compared to 2020

                                        More Time     Same Time     Less Time
                                        & Resources   & Resources   & Resources
CMMC                                        74%           17%            3%
CUI                                         54%           39%            3%
NIST                                        41%           52%            3%
Insider Threat                              32%           61%            3%
DFARS Security Clauses                      29%           57%            4%
Trusted Workforce                           26%           56%            3%
Supply Chain / Deliver Uncompromised        21%           55%            3%
RMF                                         23%           48%            3%
General NISPOM / IC                         14%           81%            1%
SEAD 3                                      13%           64%            1%
FedRAMP                                      8%           53%            3%
SOC 2                                        8%           51%            3%
SAP                                          9%           38%            8%
ISO 27001                                    6%           46%            7%
PCI                                          0%           60%           11%


COVID-19 Spawns New and Revised Company Policies

The impact of COVID-19 cannot be overstated: the "black swan" event severely disrupted nearly every facet of society. Businesses faced significant staff reductions, revenue loss, increasing bad debt risk, a forced, high-speed migration to digital operations, an ambiguous regulatory landscape, accelerated endpoint security demands, and the explosion of cloud computing in most organizations.

The graph below shows that 60% of all participating organizations were impacted by COVID in the form of new policies and procedures to handle a remote / distributed workforce. 32% of the organizations invested in new tech hardware for a remote / distributed workforce, and, interestingly, 32% reported no impact on their security program.

COVID's Impact (share of respondents)

New policies and procedures to handle a remote / distributed workforce: 60%
Invested in new tech hardware for a remote / distributed workforce: 32%
COVID has had no impact on our security program: 32%
Invested in cloud technology to handle a remote / distributed workforce: 30%
Reprioritized our corporate risk / threat assessments to reflect the impact of COVID: 30%
Struggled with balancing federal security rules with adapting to COVID: 21%
Increased overall security spending: 20%
Hired additional security personnel as a result of COVID: 6%


Obstacles in 2021: The Government is the Problem

The industrial security community has long held concerns about the clarity of federal communications on security compliance, ranging from the appropriate use of systems to reporting requirements to inspection and audit methodologies. As evidenced by the continuing changes within required systems and the implementation of a new NISPOM, ambiguity remains a top concern: 28% of survey respondents cited lack of regulator clarity as the primary obstacle to industrial security success in 2021.

In second place, two obstacles tied at 16% each: a lack of internal support for the security program, and silos between the internal departments that must cooperate on security (HR, Legal, IT, Security, etc.). Lack of participation and engagement of employees in the security program was also cited as a key concern (15%).

Biggest Security Program Obstacles

Lack of participation and engagement of employees in the security program: 15%
Lack of clarity by government and regulators on how to comply with rules and regs: 28%
Lack of internal support for the security program: 16%
Lack of security culture awareness in my company: 8%
Silos between organizations that must cooperate on security (HR, Legal, IT, Security, etc.): 16%
Inadequate or outdated technology internal to my company: 3%
Inadequate or outdated technology required by government and regulator: 5%
Other: 8%


Rising Budgets Expected to Support Software, Audits, and Training

Survey respondents indicated a clear expectation that budgets will increase in 2021. This is perhaps unsurprising given the rapidly changing regulatory environment but is still not what one might expect from budgets coming out of an election year. Nearly 50% of respondents expect their budgets to increase more than 5% in 2021, and 11% expect their budget to increase by 25% or more.

2021 Corporate Security Program Budget

Increasing Significantly (>25%): 11%
Increasing Slightly (5%-25%): 38%
Staying about the same: 43%
Decreasing Slightly (5%-25%): 6%
Decreasing Significantly (>25%): 3%


Estimated Budget Allocation for 2021

                                            Increasing   No Change   Decreasing
Security Compliance Software                    49%          49%          2%
Training                                        49%          46%          5%
Third Party Audits                              42%          51%          7%
Other Software / Applications                   23%          70%          7%
Additional Headcount                            39%          60%          1%
Security Hardware and Equipment                 39%          57%          3%
Physical Security Equipment & Facilities        36%          61%          3%
Consulting                                      32%          67%          1%

Given the ever-increasing volume and complexity of regulations, 49% of companies indicated they were increasing their 2021 budget for software to better manage their security compliance program. With 60% of all respondents indicating the pandemic's impact resulted in new policies and procedures, it comes as little surprise that nearly half of respondents are devoting more resources to training in 2021. Considering that CMMC requires third-party certification, it follows that budgets for training and third party audits are increasing at 49% and 42% of respondents respectively.


One Size does not Fit All: Priorities Differ for Small & Large Companies

In analyzing the top threats by organization size, we discovered that smaller organizations, relative to larger organizations, were most concerned by employee selection and screening and negligent hiring/supervision. Larger organizations indicated that supply chain security and crisis management and response for pandemics (COVID) were among their top concerns.

Personnel: Employee Selection & Screening
54% of companies with fewer than 500 employees cite employee selection and screening.

Supply Chain Security
56% of companies with more than 1,000 employees cite supply chain security.


Budget Trends by organization size (# of employees):

As demonstrated in the previous graph '2021 Security Program Budget Expectations,' nearly half of respondents indicated their organizations would be increasing their budgets. Generally speaking, smaller organizations have fewer resources to combat the variety of threats and regulations; however, our survey findings indicate that additional budget is expected in 2021 to address these issues.

Notable in the sized-based budget responses is how CMMC certification may be disproportionately burdensome on smaller companies. Smaller organizations are allocating more budget and resources to consulting and third-party audits, while the majority of larger organizations are adding additional headcount. Since audits often have a minimum cost at which they can be conducted – regardless of organization size – CMMC’s audit costs may act like a regressive “grocery tax” – they will consume a higher portion of small companies’ budgets.

Chart: 2021 Budget Expectations by Org Size (# of employees)
Organization sizes shown: Less than 100; 100 - 500; 500 - 1,000; 1,000 - 5,000; Greater than 10,000
Legend: Significant Increase (>15%); Moderate Increase (5%-15%); Staying about the Same; Moderate Decrease (5%-15%); Significant Decrease (>15%)


Key Lessons from the Front Lines of Industrial Security

We are still in the early stages of understanding the full effect of recent regulatory change and COVID-19 on industrial security. What works five years from now may look very different from our initial response in 2021. Following are some of the key lessons from this year's industrial security benchmark survey:

• Back to work won't mean remote is going away: With the impact of COVID-19 likely lasting well into 2021, security teams should consider ongoing threat assessments, reevaluating existing policies relating to remote access and facility security once employees return to their respective workplaces. Even when we are all allowed back into the office, that doesn't mean we will; permanent changes in work dynamics, and the associated effects on security practices, are here to stay.

• Manual processes and legacy technology won't cut it: As evidenced by our survey findings, more businesses plan on investing in security compliance management software. This is likely in response to the vast increase in regulatory requirements and the need for additional automation to handle the load. Security compliance software provides greater efficiency, reduces the risk of compliance and security gaps, and allows security personnel to focus on more meaningful tasks. Additionally, modern, workflow-centered compliance software can serve as a 'system of record', ensuring that all compliance obligations and controls are visible and accessible not only to security teams but also to employees, auditors, and regulators.

• Blurred lines between traditional security and information security: The significant expected increases in budget and focus on CMMC, and the rapidly shifting cybersecurity threat landscape, mean that the distinction between industrial security and cybersecurity is fading away. Just like every job is becoming a tech job, every security issue is becoming a cybersecurity issue. That means that technology specialists need to become better versed in policy, personnel, and physical security issues, and traditional security professionals need to focus more on cybersecurity.


Learn More

To learn how ThreatSwitch can help you improve security and reduce costs, please visit: www.threatswitch.com/demo

Authors

John Dillard, CEO, ThreatSwitch; RANE Advisor; Member, NCMS, [email protected]

Contributors

Adam Mitchell, CEO, Global Solutions, Inc; Member, [email protected]

Jaime Waggoner, Security Specialist, ThreatSwitch; Member, [email protected]
