in association with SPECIAL REPORT
MIXED STATE OF READINESS FOR NEW CYBERSECURITY REGULATIONS IN EUROPE French, German and UK organisations need more clarity on compliance requirements for 2015-2017
Survey conducted by IDG Connect on behalf of FireEye
Role: Decision Maker Segment: European Organisations Orientation: General Education Region: UK, France, Germany SECURITY REIMAGINED in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
Organisations Better Prepared for NIS than GDPR Cost and Complexity Remain Significant Challenges
2. NIS GDPR 8%
EXECUTIVE 50% 44% 18% 39% SUMMARY 23%
27% 37% 23% 25% 12%
20% 11% 18% 9% 5% 6% 0% A B C D Incident Reporting Process Requirements
Policy Complexity A - All Required Measures are in Place Implementation Costs B - Most Required Measures are in Place New Hardware/Software Investment Requirements C - Some Required Measures are in Place Sourcing Sufficient Expertise
D - No Required Measures are in Place Pre-enforcement Confirmation of Systems, Processes and Policies Incident Reporting Timeframe Requirements The majority of those in France, Germany and the UK still have work to do in implementing sufficient security measures to meet new requirements Investment in new hardware and software to support mandated by new EU Networking and Information NIS/GDPR compliance initiatives is seen as the biggest Security (NIS) and General Data Protection challenge to IT departments, closely followed by Regulation (GDPR) which will come into force in the implementation costs and more complex next two to three years. security policies. in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
2a. Responsibility for NIS/GDPR Planning EXECUTIVE SUMMARY Member of the IT Department Member of the Legal Department
Outside IT Consultant
Dedicated Cyber Security Specialist
External Legal Advisor
External Cyber Security Advisor 62% 36% 34% 31% 29% 26%
In-house IT departments are widely expected to bear the brunt of responsibility for assessing NIS/GDPR compliance requirements and formulating appropriate policies and reporting frameworks. in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
ew European Community (EC) laws governing (CERT) which will represent a ‘single point of contact’ data protection set to be implemented in the if not necessarily the only competent authority in each N next two to three years will have a fundamental member state. 3. impact on the way that most organisations in European Union (EU) member states implement security policies The original framework proposed extending these INTRODUCTION and report breaches. The Network and Information security and reporting requirements to ‘key providers of Security (NIS) ‘cybersecurity’ directive is set to be information society services’ (app stores, cloud service finalized in 2015 depending on how long it takes for the providers, e-commerce platforms, Internet payment EU Council and Parliament to agree on a final version. gateways, search engines and social networks, for Member States will then need to immediately begin example). This idea has since been put on hold following preparing for compliance and complete implementation objections from various industry groups and after by approximately the end of 2017. In addition, there the European Parliament deemed it ‘disproportionate is a separate plan to unify existing data protection and unmanageable’ although these companies will be regulations in force within the different EU countries encouraged to voluntarily report incidents. under a single law – the General Data Protection Regulation (GDPR) – currently set to be finalised in early Several aspects of the NIS Directive are aimed at member 2015, compliance with which will become mandatory in state governments themselves, requiring that they adopt 2017. a national NIS strategy, implement the aforementioned NIS competent authority and create a ‘cooperation When finalised, the NIS Directive will impose new mechanism’ to share security information and best security and incident reporting requirements on a practice across the European Union and circulate broader range of private sector companies. It will demand early warnings on security risks and incidents. The NIS that ‘operators of critical infrastructures’ or ‘critical Directive is now being finalized and is expected to be national infrastructure (CNI) market operators - which adopted by the EU government in the first half of 2015. include those working in the energy, financial services, health and transport sectors, alongside public sector bodies - adopt appropriate steps to manage security risks and report serious incidents to a national competent authority, such as a computer emergency response team in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
he GDPR proposes a single law for data protection to cover the entire EU in place of current data protection regulations which have ended up being implemented differently in each member state. It will extend to organisations operating in T Europe irrespective of whether the data they handle is stored within the boundaries of the EU or not, broadening the a definition of personal data to include email addresses, computer IP addresses and posts on social media sites. Besides proposals 3 . which mirror NIS Directive calls for bigger fines and the establishment of ‘one stop shop’ national authorities in each member state, the GDPR calls for specific regulations to govern the way that EU citizens’ personally identifiable information (PII) is INTRODUCTION handled. Those organisations must:
- Inform users of data breaches without undue delay (within 72 hours) after they become aware of it - Give end users the right to request a copy of their PII in a portable format which can also be transmitted electronically from one processing system to another. - Provide the right to erasure: the end user can request all PII be deleted if there are no legitimate grounds for retaining it. - Obtain valid consent to collect PII, consent which can also be withdrawn. - Obtain regulatory approval to transfer PII outside of the EEA to countries not approved as having adequate data protection measures in place. - Appoint a data protection officer to ensure compliance (likely applicable to companies with more than 250 employees and/or those who process more than 5,000 data subjects within 12 months, and all public bodies). - Publish contact information for the data controller. - Build data protection into business process, product and service development (Privacy by Design).
IDG Connect surveyed 260 people working for organisations based in France, Germany and the UK each of which employ over 500 staff. Of those polled, an aggregate of 31% were IT managers and 20% IT directors, with a further 27% occupying specific IT related executive positions such as chief information officer, chief technology officer or chief security officer. The largest contingent (20%) worked in the software and computer services industry, with 11% employed in electronics, 8% engineering and 7% in financial and healthcare sectors respectively.
This paper assesses respondents understanding and expectations of the NIS and GDPR legislation being proposed, gauges the scale and importance of the impact they expect new regulations to have on their business, and attempts to predict how organisations within France, Germany and the UK are most likely to prepare themselves for compliance. in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
espondents demonstrate a slightly criticised for being too vague (a finding felt that their employers currently had higher degree of preparedness which is reinforced in the responses to no required measures in place to meet R for the NIS Directive than they Question 5 documented in Tab 8) some anticipated GDPR requirements - 6% do for the GDPR, with 76% reporting IT departments may either be guilty compared to 12% for France and 8% for that either all or most measures were of a little too much complacency when the UK – indicating slightly higher levels 4. already in place to meet NIS compliance it comes to assessing their current of confidence in existing provision. compared to an equivalent figure of understanding of requirements, and/ 64% for the GDPR. Of those, many or that they have adopted an all too This may be due to the strict ORGANISATIONS more (39%) felt they had ticked all common attitude to data protection requirements of existing data anticipated NIS boxes compared to just regulation which demands outward protection regulation in Germany BETTER PREPARED 20% for the GDPR. confidence towards compliance which is which is already mature. The only punctured once breaches occur. Bundesdatenschutzgesetz (BDSG) FOR NIS THAN In both cases, however, there is clearly is a federal data protection act first still a lot of work to be done - 18% and The findings indicate that organisations implemented in 1970, for example. GDPR 27% reported that only some required within Germany consider themselves Each individual German state also measures had been put in place with 6% better prepared for the NIS directive has its own separate data protection and 9% believing that either the two than those in other European countries laws, applicable to all companies proposed cybersecurity frameworks with 46% believing that all required operating within its borders (except for do not apply to them or that their measures are in place compared to telecommunications companies which organisations have not put any required France (38%) and the UK (34%) with a are directly supervised by the federal measures in place as yet. further 36% reporting most required regulator) and overseen by regional With the precise terms of both the NIS measures were in place (roughly equal commissioners. and the particularly the GDPR yet to to those in France and the UK). Fewer finalised and the existing proposals numbers of German respondents also
Majority Are Not Currently Fully Prepared for Compliance with Either Framework
50% 44% NIS GDPR 39% A - All Required Measures are in Place 27% 37% B - Most Required Measures are in Place 25% 20% C - Some Required Measures are in Place
18% 9% D - No Required Measures are in Place 6% 0% A B C D in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
orries about potential fines one EU member state to another, There was little regional variation levied by regulators for however, and depends greatly on the across the three countries in these W admissible breaches of the local legislation in place. With some findings, though organisations in France new regulations are understandably countries reporting far more data were slightly more worried about the high (rated as a concern at 58%). This is breaches and imposing far fewer fines impact of financial penalties (61%) 5. not least because the GDPR proposals than others, the impact of the NIS than elsewhere whilst appearing to suggest that the highest penalty could Directive in these territories could be place less emphasis on security audit ORGANISATIONS be increased to a maximum of €100m or far more hard hitting. requirements (32%). 5% of annual, global turnover whichever FEAR FINES, is the greater, which dwarfs the fines Nor is the prospect of much larger fines imposed in the past. seen as the only element of financial LEGAL COSTS loss – the majority of respondents rate Damage to Reputation and In the UK, the Information damage to their business reputation Customer Confidence Also Causing AND LOST Commissioners Office (ICO) has issued (57%) contributing to lost business Consternation multiple fines where breaches have or revenue (58%) as equal concerns. led to data loss in the past, including The possibility of decreased customer BUSINESS Loss of Business and/or Revenue £250,000 to Sony in 2013 after its confidence and/or loyalty and the legal PlayStation Network was hacked and costs associated with the judicial and/ 58% £200,000 to the British Pregnancy or auditing process are also perceived Advice service in March 2014. The same as negative consequences, rated at Potential Fines year saw regional privacy regulators in an importance level of 54% and 53% 58% Hamburg penalise Google €145,000 for respectively. recording signals from WiFi networks Damage to Reputation whilst collecting photographs for its Another indication that most of the 57% Street View service, arguably little fallout of any breach is more likely be deterrent for a company whose 2013 handled in-house can be seen in the Decrease in Customer Confidence revenue was estimated at $58bn lower level of criticality attributed to and Loyalty and one reason why the EU is keen increased consultancy costs and the 54% to increase the maximum penalty. requirement to perform extensive France’s data protection authority, the security audits (both given concern Legal Costs Commission Nationale de l’informatique ratings of 40%), suggesting that the job 53% et des Libertes (CNIL) also fined Google will be left to internal IT staff rather €150,000 in 2014 after ruling that its than external advisors. Interestingly, new privacy policy did not inform users those legal costs are expected to Increased Consultancy Costs to exactly how their personal data was become more of a concern in three Deal with Fallout being used or collected, years’ time than they are today (38% 40% vs 32%), indicating that respondents The European Union Agency for feel either that the chances of having to Requirement to Carry Out Network and Information Security report a breach are higher and/or that Extensive Security Audits (ENISA) has noted that the number of lawyers will look to capitalise on the 40% data breaches reported to regulatory situation through higher fees. authorities varies significantly from in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
wo thirds (66%) of respondents Just over half (53.4%) originated in the business sector, followed by government believe that their organisations (19.3%), healthcare (11.5%) and education (8.2%). A survey commissioned by the T fully understand the impact that UK Department of Business Innovation and Skills in 2013 also found that 93% the new NIS and GDPR regulation will of large organisations and 87% of small businesses suffered security breaches 6. have in terms of any additional measures in 2013. With so many organisations already required to notify regulators of TWO THIRDS BELIEVE which may be required to maintain cyber breaches, it is clear that the more onerous reporting requirements demanded by security compliance and an incident NIS/GDPR compliance will present a bigger burden to IT departments. THEIR ORGANISATIONS reporting framework, again suggesting a degree of complacency amongst some FULLY UNDERSTAND of those polled. Those in the UK appear THE IMPACT OF less certain than respondents elsewhere however, with only 60% believing their Current Lack of Clarity Suggests Some Complacency for Many PROPOSED NIS/GDPR organisation fully understands the REGULATIONS requirements compared to 69% in France and 68% in Germany.
The third of respondents (33%) which 1% said that their organisations only partly Does Not understood the potential impact appear Understand At All to have a more realistic view of the situation with anecdotal evidence also suggesting that much confusion around NIS/GDPR requirements, the extent 66% of their overlap and whether they are Fully applicable to every organisation remains. Understands
The scale and diversity of recently reported data breaches suggests most organisations suffer regular incidents. A study published by the Risk Based 33% Security and Open Security Foundation Partially Report estimates that 2,164 data loss Understands incidents were reported worldwide in 2013, in which 822m personal records were exposed. The majority of breaches (75%) involved external hackers with the remainder caused mainly by human error and accidents. in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
art of the NIS remit is to set a Things are perceived very differently 17% in Germany, the country which saw minimum required level of data for the GDPR however, which looks set the most number (7%) believing that P security protection and encourage to continue in its requirement that data the proposed GDPR legislation would more European companies to implement protection impact assessments have have a strong, negative impact on their a one stop ICT security policy which to be conducted when specific risks organisations compliance policy and 7. can be regularly reviewed. It is not yet occur to the rights and freedoms of data procedures. clear how, when or by whom that review subjects, with the prior approval of the NIS PROPOSALS should be carried out though the EC has national data protection authority for That those in Germany anticipated called for an ‘NIS competent’ national high risks and data protection officers that the GDPR will have either a strong authority to be appointed in each to ensure compliance within public positive or negative impact on current SEEN AS MORE member state. authorities and companies processing procedures may again be related to the more than 5,000 data subjects within policies theyalready have in place in POSITIVE The proposed requirement for 12 months. In contrast to the NIS order to comply with more stringent European organisations to move beyond proposals, only 22% of respondents and mature federal and regional data voluntary reporting and security thought the GDPR would have a strong protection rules already being applied assessments and towards regular positive impact, with 17% believing it in that country. In general though, reviews yielded mixed reactions from would be yield a negative impact. aggregate levels of optimism (those respondents to the IDG survey, with predicting either a strong or some many (45%) seeing the measure as There was some slight regional positive impact) and pessimism (strong having a strong, positive impact if variation in these findings. Relatively or some negative impact) concerning it does actually result in less formal high numbers of respondents in the GDPR were roughly equivalent across security assessments which are easier UK (26%) and France (24%) felt that all three European countries. to perform and simpler to report (only the GDPR in particular would yield a 16% believed it would have either a strong positive impact, compared to negative impact or no impact at all).
Mixed Expectations Around Compliance and Policy Procedures NIS GDPR 45% 43% 39%
22% 18% 10% 12% 6% 5% 0%
Strong, Positive Some Positive No Impact Some Negative Strong, Negative Impact Impact at All Impact Impact in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
aving approved the draft NIS infrastructure – energy, healthcare, With so many aspects of the both the directive in March 2014, the transport and financial services have NIS and GDPR proposals still to be H European Parliament is currently been named specifically – its remit may finalised, and so little practical advice negotiating the exact terms of the be extended to other organisations on compliance requirements either text with representatives of the 28 at a later stage. The legislation could currently on offer, or likely to be in the 8. EU member states. The draft GDPR also potentially apply to any industry future, it is no surprise that 42% of the legislation has been adopted by the which, under EC terms ‘the disruption survey feel they have little or no (20%) NO CLEAR European Parliament following a first or destruction of which would have a clear guidance on what they need to do reading in March 2014, but not yet significant impact in a member state’, to meet the terms of legislation which UNDERSTANDING approved. It will need to be discussed for example. is still open to debate. This situation further by the Parliament, the EC may effectively hamstring those IT OF NIS/GDPR and European Council prior to its Even when both the NIS Directive departments which are either already in finalisation over the next two years and GDPR framework are finalised, the process of upgrading data security REQUIREMENTS with exact timings for ratification still the European Parliament will only provisions, or are planning to do so in uncertain. issue associated policy guidelines and the near term, because they cannot be is unlikely to either set out specific sure the processes solutions they are Whilst for now, the NIS Directive can be technical standards required for implementing will deliver compliance at said definitely to apply to organisations compliance, or propose any associated a later date. involved in the supply of critical certification scheme.
Continuing Confusion on What Specific Security Upgrades Will be Needed
42% 40% 38%
30% Clear Guidance on All Aspects of Compliance 20% 20% Clear Guidance on Some Aspects of Compliance
No Clear Guidance 10%
0 in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
The EU has estimated that the total or upgraded hardware, software and the anticipated complexity which the costs of compliance that would have services, but also additional costs for implementation of those compliance to be borne across different industry legal and consultancy advice. Almost policies is likely to present (with 18% sectors to meet proposed requirements two thirds (64%) of respondents to the seeing this is the most important 9. for the NIS directive alone could reach IDG survey cited additional expenditure challenge). between one and two billion Euros, on security related hardware and with each small to medium enterprise software as a challenge, with 23% rating And 47% reported that sourcing COST OF (SME) paying out between 2,500 and this as the single most important barrier sufficient legal and security expertise 5,000 Euros. By way of justification, they believed they would face. to understand the definitions and COMPLIANCE the European Parliament has said requirements would create problems, that it expects that cost would be Implementation costs, cited as a indicating that many will look to MEASURED IN matched by stimulated demand for challenge by 58% rated equally as external consultants to help them secure ICT products and services in the highly in terms of criticality, again cited certify the systems, processes and BILLIONS member states which would also serve as the most significant challenge by policies they put in place. Whilst to increase business and consumer 23% - IT departments are seemingly incident reporting process and confidence and investment in digital under no illusion as to the extent timeframe requirements were rated services. of the evaluation, procurement, as the least important challenges testing, deployment and maintenance compared to the other options, an Certainly, the impact of those overheads they are likely to encounter aggregate of 42% still saw them as cost requirements is not lost on when ensuring adequate systems, significant. European businesses who face not processes and policies are put in place. only potentially large bills for new Over half (56%) are also daunted by
Purchase and Installation of Security Hardware and Software Is Most Significant Challenge
44% Pre-enforcement Confirmation of Systems, Processes and Policies 58% Implementation Costs 64% New Hardware/Software Investment Requirements 56% Policy Complexity 47% Sourcing Sufficient Expertise 39% Incident Reporting Timeframe Requirements in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
learly most organisations (62%) As ever, the availability of those Significant regional variations across expect that members of their own in-house staff is likely to be a key the three territories are apparent, C IT department will be tasked with determining factor, a metric also with Germany (76%) the most likely assessing NIS/GDPR requirements and applicable to those who expect to assign responsibility to internal formulating appropriate compliance and their organisations to contract IT staff compared to roughly half of 10. reporting policies, though this is likely outside IT consultants (34%).Fewer organisations in France (49%). This to vary significantly depending on the organisations are likely to turn to appears to suggest a higher degree of INTERNAL IT size of the business and the availability dedicated cyber security specialists self confidence in the data protection of dedicated staff, irrespective of (31%) or external cyber security compliance knowledge within German STAFF BEAR whether current knowledge or skills is advisors (26%). This finding may organisations, which may again considered up to the job. indicate that IT departments associate derive from a greater familiarity and BRUNT OF these job functions with practical experience with Germany’s more Over a third (36%) also anticipate knowledge of hardware/software mature regulatory frameworks. COMPLIANCE that members of the internal legal security implementation rather than The conclusion is reinforced by the department will be responsible for understanding of data protection slightly higher number (39%) of those the project, with previously indicated compliance requirements, but is in Germany which would also trust a BURDEN expectations of high legal and costs perhaps also a symptom of an ongoing member of their own internal legal perhaps surfacing again in the smaller skills shortage which affects their department to assess NIS/GDPR number (29%) who expect external legal ability to source and hire suitably requirements compared to the UK advisors will be given the responsibility. qualified cyber security staff or (35%) and France (34%). consultants.
Who Within Your Organisation Will Be Assigned the Task of Assessing New NIS/GDPR Requirements and Formulating Compliance and Reporting Policies?
62% 36% 34% 31% 29% 26% Member of the IT Department
Member of the Legal Department
Outside IT Consultant
Dedicated Cyber Security Specialist
External Legal Advisor
External Cyber Security Advisor in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
ew types of cyber security APTs usually involve the covert aggregate) as the threats most likely attacks are constantly emerging insertion of malicious code into systems to require protection against both now N as hackers develop and expand without being picked up by existing and in two years’ time. the diversity of malware they can throw security tools, with malware remaining at existing data protection defences, active and undetected over long periods External exploitation of trusted 11. so it is no surprise that respondents in order to maximise its spread and the connections - APTs which see hackers cannot predict anything beyond the volume and diversity of information gain entry to an organisation’s network ADVANCED most common types of threats in being collected whilst simultaneously by using hijacked end user, employee evidence today which will also present laying a foundation for future exploits. or business partner credentials - were INTERNET BASED the same threat levels in two years’ given a slightly lower importance time. Various types of APT are in evidence, rating of 24%. And zero day attacks with advanced Internet based malware characterised by vulnerabilities MALWARE Advanced persistent threats (APTs), (delivered via email, phishing or social which are identified and exploited defined as stealthy and continuous engineering, for example) seemingly by hackers within a 24 hour period – EXPECTED TO hacking processes which direct considered the most dangerous (rated recent examples of which include the carefully orchestrated attacks at at 31% importance by respondents on Heartbleed bug affecting the OpenSSL PROLIFERATE specific entities, usually large public aggregate). Advanced physical malware web security protocol and a flaw or private sector organisations for infections (those which involve cyber affecting all versions of Microsoft’s business or political reasons (of which criminals breaking into the premises Internet Explorer web browser Stuxnet is perhaps the most famous to gain physical access to systems such discovered in April 2014 - were given a example) are increasingly prevalent. as bank ATMs or retail point of sale importance rating of 23% (21% in two systems) also scored highly (24% on years’ time).
Common Attacks Today Expected to be the Same in Two Years’ Time
Today In Two Years
30% Advanced Internet Based 31% Malware Infection
23% Advanced Physical Malware 25% Infection
24% External Exploitation of 23% Trusted Connections
23% Zero Day Attacks 21% in association with
SPECIAL REPORT Mixed State of Readiness for New Cybersecurity Regulations in Europe
he results of the survey demonstrate a mixed state What most organisations do consider a certainty is that of readiness amongst organisations in France, additional spending on security hardware, software T Germany and the UK, many of which do not appear and policy implementation will be needed to achieve fully prepared to meet the compliance requirements compliance with the new regulations, and that these 12. of the forthcoming NIS and GDPR regulations, or projects will present them with significant challenges. comprehend the true extent of their potential impact on Deployment and upgrade initiatives are expected to be CONCLUSION current security policy and reporting procedures. both complex and difficult to support due to a lack of in-house knowledge and expertise in the relevant data The EU’s proposal to increase the maximum penalty for protection definitions and requirements. serious breaches of its new data protection regulation to either €100m or 5% of an organisation’s annual income Nevertheless, the burden for assessing company security clearly taps into extant fears of the consequences requirements to ensure NIS and GDPR compliance and associated with data loss. Fines and loss of business are reporting policies is expected to fall predominantly on seen as the major concerns, slightly ahead of damage to non-specialist IT staff rather than internal or external reputation/customer confidence and legal costs which advisors and lawyers, though an ongoing global cyber are perceived to have an equally damaging effect on security skills shortage and fears of high consultancy profitability and/or financial survival. costs may present many firms with little alternative. Despite these barriers, most (84%) believe that the But despite fears of being hit hard in their pockets, only NIS Directive will have a strong positive impact on 39% of organisations in France, Germany and the UK their existing data protection compliance policy and indicated that they have all required measures in place procedures, indicating it is perceived as a constructive to guarantee NIS compliance. The remainder exhibit a measure overall. This is less true of the GDPR however, more piecemeal approach which is even more widely with 17% forecasting a strong negative impact – a clear apparent when it comes to the GDPR though this is more indication that a sizeable portion of IT departments understandable considering that the requirements of the fear the legislation will be overly prescriptive in its latter are yet to be finalised by the European Parliament. requirements. A third of respondents admitted that they only partially understand the impact that the new NIS/GDPR regulation will have on their existing data protection and security provision, whilst a similar number (38%) currently believe About IDG Connect that the EU is currently providing sufficiently clear guidance on all aspects of the compliance requirements. IDG Connect is the demand generation division of International Data With the EU unlikely to either set out specific technical Group (IDG), the world’s largest technology media company. Established in 2005, it utilises access to 38 million business decision makers’ details to standards required for compliance, or propose any unite technology marketers with relevant targets from any country in the associated certification scheme, that confusion is likely to world. Committed to engaging a disparate global IT audience with truly be exacerbated when it comes to assessing current data localised messaging, IDG Connect also publishes market specific thought security systems and planning upgrades. leadership papers on behalf of its clients, and produces research for B2B marketers worldwide. www.idgconnect.com