UK Cyber Security Standards: Research Report

UK CYBER SECURITY STANDARDS
Research Report
November 2013

Survey conducted by PwC. Commissioned by the Department for Business, Innovation and Skills (BIS).

Commissioned by: The Department for Business, Innovation and Skills (BIS) is building a dynamic and competitive UK economy by creating the conditions for business success; promoting innovation, enterprise and science; and giving everyone the skills and opportunities to succeed. To achieve this it will foster world-class universities and promote an open global economy. BIS - Investing in our future. For further information, see www.gov.uk/bis.

Conducted by: PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.co.uk. Our security practice, spanning across our global network, has more than 30 years’ experience, with over 200 cyber security professionals in the UK and 3,500 globally. Our integrated approach recognises the multi-faceted nature of cyber security and draws on specialists in process improvement, value management, change management, human resources, forensics, risk, and our own legal firm. The PwC team was led by Andrew Miller and Ben Emslie. We’d like to thank all those involved for their contribution to this research.

Foreword

The Department for Business, Innovation and Skills (BIS) recognises the importance of cyber security to the UK economy. Without effective cyber security, we place our ability to do business and to protect valuable assets such as our intellectual property at unacceptable risk. A vital prerequisite for driving forward our collective maturity and confidence in this area is the timely availability of relevant and appropriate cyber security standards with which organisations can develop and demonstrate their cyber security abilities and credentials.

BIS is therefore committed to collating information about cyber security standards and making it available publicly. As part of this initiative, BIS commissioned a research project into the availability and adoption of cyber security standards across the UK private sector. This report combines the responses to an extensive and wide-ranging online survey, the findings of a series of in-depth one-to-one interviews with a broad range of UK business leaders, and an analysis of the current cyber security standards landscape in order to provide an insight into the current levels of both supply and demand in this area. It also, and perhaps more importantly, aims to identify the prevailing motivators and constraining factors for organisations’ adoption of cyber security standards in order to inform the Government’s efforts in coordinating and ensuring the nation’s collective cyber security.

David Willetts
Minister for Universities and Science

Executive Summary

The number of standards relating to cyber security in some form exceeds 1,000 publications globally. This makes for a complex standards landscape. Despite the quality and general applicability of most individual standards, there was no comprehensive standard identified that provided a ‘one size fits all’ approach. Conversely, the complex landscape made it difficult for organisations to identify the standards relevant to their organisation and business activities.

67% of publications focus on organisational cyber security standards, adding complexity to this over-represented section of the landscape
3% of publications focus on people cyber security standards, showing a clear lack of representation and focus in this area
56% of cyber security publications covered in this report were able to be defined as a ‘standard’, e.g. rather than a framework or certification
89% of these publications were sector agnostic and therefore targeting the general market

Some organisations questioned the relevance of cyber security standards to directly mitigate their organisation’s cyber security risk. As a result they often focussed on establishing internal controls and the procurement of new products and services. Standards sometimes supported these approaches but generally only indirectly.

48% of organisations implemented new policies to mitigate cyber security risks
43% conducted cyber security risk assessments and impact analysis to quantify these risks
10% of organisations investing in BYOD implemented a related standard (covering security) to some level. This also showed a particular interest in this technology over others
34% of organisations who purchased certified products or services did so purely to achieve compliance as an outcome

An increase in products and services standards since 2005 suggests a trend in organisations seeking externally provided security services and off the shelf products. Despite this increase, the supply of standards fails to match the levels of investment across the categories.

Products vs Organisational:
% of standards relating to this category: Products 16%, Organisational 67%
% of organisations investing over £1k p.a. in this category: Products 69%, Organisational 42%

The awareness of cyber security threats and the importance placed on them was generally high; but organisations mitigate cyber security risk differently depending on the size of the organisation and its sector. This affects the importance placed on the use of standards and certification as an approach.

25% of organisations believe people standards to be ‘not important at all’
8th business priority for organisations is the safeguarding of information assets
7/10 was the average level of importance placed on cyber security certification, with 10/10 representing the highest importance

While many organisations implement cyber security standards to some degree, the majority partially implement the controls deemed relevant and self-certify this compliance. Only a small proportion invests in gaining external certification.

35% of organisations plan an increase in cyber security spending
52% of organisations implement a standard to some level
25% of organisations invest in full implementation of at least one standard
1 in 4 of the 25% of organisations above that fully implement a standard invested in external certification

Organisations stated predominantly commercial and business reasons for their lack of adoption of cyber security standards and the investment in external certification. This suggests a perceived lack of clarity surrounding the business case for cyber security standards. No standard reviewed as part of this research incorporated a business case element.

1st: the main barrier to cyber security standards is that they are too expensive
2nd: the second most commonly stated barrier is the difficulty in calculating a return on investment
3rd: the third barrier is that there appears to be no discernible financial incentive to invest

The average current investment in cyber security and cyber security standards was generally low, but many had plans for the future, showing a potential rise in future adoption.

54% of organisations invest less than 5% of their cyber security budget on cyber security standards compliance
34% of organisations plan to develop an Information Security Management System in the future
39% plan to achieve certification to a cyber-security standard in the future

Table of Contents

Research approach 7
The cyber security standards landscape 9
Adoption of cyber security standards by UK Industry 21
Annex A – Survey and Interview Approach and Demographics 34
Annex B – High-Level Mapping Definitions and Dimensions 36
Annex C – High-Level Cyber Security Landscape (Tabulated) 49
Annex D – Detailed Mapping Definitions and Criteria 77
Annex E – Detailed Mapping 83

Background and purpose

The standards landscape for cyber security is highly complex, with various Government and industry-led standards and schemes in existence and in development, domestically and internationally. Without a clear understanding of this landscape, and the current and potential uptake of standards, Government is unable to identify and develop evidence-based policies to close the gaps in the landscape or support the uptake of good standards for cyber security products and services.

The purpose of this report is to inform the understanding of the cyber security standards landscape, and the current and potential uptake of standards in the UK. This has been achieved via research to identify what standards organisations have adopted, why they have chosen such an approach and how they have used these standards to support their organisation.

Research approach

In order to produce this report a number of research methods were applied. These included:

1. The identification of the prevalent cyber security standards in the UK, determined by the respondents and contributors to this research.
2. Gathering information on existing standards, and documenting their coverage and content. This was corroborated and enhanced by subsequent cross referencing with the information gathered in the steps below.
3. Engagement