Anton Chuvakin

A member of the Gartner Blog Network

Anton Chuvakin
Research VP
2+ years with Gartner
14 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Security Incident Response Survey Results

by Anton Chuvakin  |  October 22, 2013  |  6 Comments

At the very end of my incident response research project, I did a quick survey on incident frequency perception. I asked one simple question: how many incidents has your organization had in the last 12 months?

Note that I did not force any particular definition of an incident on the respondents, but pointed to a couple of examples.

Here are the results:

[Figure: IR-chart]

What can we learn from this?

  • The world view that “incidents are rare” (well, “1-2 a year” is rare to me) rules the roost. Does this motivate you to invest in improving your IR program capabilities?
  • The shape of the curve is interesting and also rational: the popularity of each choice drops off smoothly from the most popular choice of 1-2 down to the high numbers.
  • There are still organizations that think they had no incidents. Have they failed to detect? Or chosen not to declare an incident? Or are they incredibly lucky?
  • In such a survey, respondent organization size would have been very handy; after all, 1 incident/year per 10 systems is not the same as 1 incident/year per 100,000 systems (the latter will stress my belief system beyond breaking point :-) ).

There you have it!

6 responses so far ↓

  • 1 Matthew Gardiner   October 22, 2013 at 8:42 pm

    In my anecdotal experience (talking to many dozens of organizations over the past couple of years) the # of incidents detected is directly proportional to the level of looking. If you don’t look, you won’t see. If you look a little, you see a little. If you look deeply, you will see a lot. Most incidents of course aren’t that dangerous, but how do you know which are the dangerous ones if you don’t look?

  • 2 Anton Chuvakin   October 22, 2013 at 11:27 pm

    Matt, thanks for the insightful comment! Indeed, if you “look with your eyes closed” you find NO incidents – or “The Big One” (that 1 per year) that comes and kicks you in the balls. Everything else is invisible.

    So, all the invisible but bad stuff likely stays invisible until the time comes for it to explode…

  • 3 Erik Mintz   October 23, 2013 at 6:01 am

    I would love to see an overlay of the same question directed to third party CERT teams with org size data. Commercial and/or state sponsored IR teams in an oversight role should be eye opening to self policing organizations.

  • 4 Anton Chuvakin   October 23, 2013 at 2:32 pm

    Indeed, I’d love to see such data and compare/contrast it to enterprises’ own data.

  • 5 Tamer Ibrahim   October 27, 2013 at 6:19 am

    You may be aware of this report?

    http://www.inforisktoday.com/handbooks/need-for-speed-2013-incident-response-survey-h-44

  • 6 Anton Chuvakin   October 28, 2013 at 4:48 pm

    Yes, I’ve seen this vendor-conducted survey; and picked a few interesting (if not unexpected) things from it.