Draft Data Security Survey for Review

By Rich

Hey everyone,

As mentioned the other day, I’m currently putting together a big data security survey to better understand what data security technologies you are using, and how effective they are.

I’ve gotten some excellent feedback in the comments (and a couple of emails), and have put together a draft survey for final review before we roll this out. A couple things to keep in mind if you have the time to take a look:

  • I plan on trimming this down more, but I wanted to err on the side of including too many questions/options rather than too little. I could really use help figuring out what to cut.
  • Everyone who contributes will be credited in the final report.
  • After a brief bit of exclusivity (45 days) for our sponsor, all the anonymized raw data will be released to the community so you can perform your own analysis. This will be in spreadsheet format, just the same as I get it from SurveyMonkey.

The draft survey is up at SurveyMonkey for review, because it is a bit too hard to replicate here on the site.

To be honest, I almost feel like I’m cheating when I develop these on the site with all the public review, since the end result is way better than what I would have come up with on my own. Hopefully giving back the raw data is enough to compensate all of you for the effort.

No Related Posts


Okay- I didn’t make all of the suggested changes, but I made many of them.

In terms of the numbers of incidents, I set the thresholds based on advice from someone who has surveyed similar content in the past. Many of the people taking the survey won’t have a good idea of actual numbers of breaches, which is why he recommended the more general scale.

I think that was the only big change I skipped. I also restructured the survey to focus more on effectiveness, reduced the number of options (to 18, mostly because I *really* want those DLP numbers as well as the split between entitlement and access management).

By Rich

This is long, sorry, but I think the survey needs a lot of work in formatting, not necessarily the questions you ask.

A) Amichai is right ... the first series of questions in the text boxes should be numbered. I also wanted to say that open text boxes, as opposed to drop downs, means a lot more manual processing on your part. You get more diverse and interesting information, but not easy to compile.

B) The third page is big and scary. That means you will lose the people who are not serious, which is good in some ways. In my estimation, you will lose a lot of respondents, but that is why you are offering the iPad. Use your best judgement.

C) Formatting. You have 12, TWELVE columns. Too many. Granularity helps you but hinders the survey.  I don’t think it is too many technologies—except possibly for DLP which you have differentiated into three functional areas—but it is hard to read. Use bold for the name of each -row- or technology name so it is easier on the eye. Use normal text for your explanations. Same goes for the question you pose. For example I would say

1. What do you use? Please identify which data security controls your company uses.


1. Please identify your usage of the following data security controls. This is not meant to be a complete list, but represents the more commonly used controls.

Hard to read. Similarly ...
2. Why did you choose it? What was the primary driver for implementing these data security controls?

2. What was the primary driver for implementing these data security controls?

See the difference? And yes, move the definitions to the bottom. That is supplementary/supporting information not every respondent will need, so move it to the bottom.

D) Page four is long, but you are actually not asking for as much information, so it is easier to fill out. One again, use

Regulated Data (credit card numbers, HIPAA information, Social Security Numbers, bank account numbers)

... instead of ...

Regulated data (credit card numbers, HIPAA information, Social Security Numbers, bank account numbers)

E) Do you really need major and minor, or can you give them a single drop down for them to choose, with major as the default? That would eliminate a section. Shorter is good.

F) Do you see any issue with people answering this—even if you are giving away and iPad—for fear of it getting back to their employer? It was not clear when going through this my information would be kept confidential and results anonymized.

1. Please estimate the following **major** incidents you have experienced for these different data types

By Adrian

I think that we should set a more focused goal for the survey, namely effectiveness of various security controls. Based on this goal, the structure of the survey should probably be the following:


By Amichai

This is a terrific idea.  I am very curious about the results you see from this.

My suggestions:
In the regulation questions I would include some reference to the financial regulatory agencies like FINRA, SEC, NYSE, etc. to cover the banking and financial sector better.

I would also be curious about the level of implementation and the accuracy confidence.  Where a data security implementation has been completed what level of confidence do you have in the results (maybe a 1-10 rating)?  And are there any user interactions for any data?  I assume the confidence level feeds the willingness to interact with an end user.

Best of luck with the survey.

By DMcElligott

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.