Organizations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies according to the 5th annual Global State of Information Security Survey 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers. The study, which is the largest of its kind, represents responses of 7,200 IT, security and business executives in more than 119 countries across all industries. The results show that India has made major gains since 2006 with information security practices and safeguards while China lags behind the rest of the world in almost all privacy safeguards. Other findings show that IT is taking budgetary control in 2007, with the majority of information security budgets now coming directly from the IT department. Additionally, data breaches are driving privacy concerns, but encryption of data at rest remains a low priority despite it being the source of many data leakage issues.
According to the survey, the majority of organizations now have a CSO or CISO in place (60 percent in 2007 vs. 43 percent in 2006), as well as an overall information security strategy (57 percent in 2007 vs. 37 percent in 2006), and results show the majority are also heavily invested in technology safeguards such as network firewalls (88 percent), data backup (82 percent), user passwords (80 percent), and spyware (80 percent). However, the investment of time in practical measures remains low. For example, sixty-three percent of respondents state they do not audit or monitor user compliance with security policies, and less than half (48 percent) measured and reviewed the effectiveness of security policies and procedures in the last year.
"Clearly, there is greater awareness of the threats, as well as the tools and safeguards available to offset threats and protect against attack. But sound infrastructure is only half of the solution," says Mark Lobel, a principal in the Advisory practice of PricewaterhouseCoopers. "Security leaders and practitioners need to create and enforce internal policies in order to help ensure appropriate use and protection of corporate information systems."
The study also finds that most companies do not document enforcement procedures in their information security policies. Less than one-third (31 percent) include enforcement mechanisms while only 28 percent include collection of security metrics.
"Uncertainty about the business value of security investments will continue to be high as long as companies fail to monitor user compliance or measure the impact of information security safeguards," says Lobel.
IT TAKES THE LEAD
Survey results show the majority (65 percent) of information security budgets now come directly from the IT department, a jump from only 48 percent in 2006. Other department budgets for information security are down this year, including compliance/regulatory (9 percent in 2007 vs. 18 percent in 2006), finance (15 percent in 2007 vs. 19 percent in 2006), and other business lines (4 percent in 2007 vs. 18 percent in 2006). Additionally, security reporting to IT bounced back for the first time in four years, with survey results showing more split reporting lines and security functions reporting to multiple departments.
GAPS IN ALIGNMENT OF SECURITY SPENDING TO BUSINESS OBJECTIVES
Currently there are gaps in the alignment of security spending to business objectives. According to the survey, only 30 percent of respondents report their organization's information security policies are completely aligned to business objectives, and even fewer (22 percent) believe security spending is completely aligned. This is up only slightly from 2006, when 28 percent of respondents reported their security policies were completely aligned with business objectives. And although 42 percent of respondents report regulatory compliance has significantly increased security spending, 58 percent report they do not link security - either through organizational structure or policy - to privacy and/or regulatory compliance.
"Gaps in alignment of security policies and spending to business objectives will shrink when compliance practices become more tightly aligned with broader risk management objectives," says Lobel.
Interestingly, the study also reveals a lack of agreement between CEOs, CIOs and CSOs on security priorities and spending. For CEOs and CIOs, business continuity and disaster recovery are the top priorities for information security spending. However, for CISOs, the number one priority is regulatory compliance. Ironically, given the common business objective of lowering risk, most respondents (78 percent) report their organizations do not continuously classify data and information assets by risk level. Seventy-three percent do not include classifying the business value of data in their security policy.
PRIVACY HIGH PROFILE BUT NOT NECESSARILY HIGH PRIORITY
Other survey results show that privacy continues to be high profile but not necessarily high priority for security executives. Most companies report gains in privacy safeguards; however, there are a few key areas in which companies still tend to be weak. Only one-third (33 percent) of respondents keep an accurate inventory of user data or of the locations and jurisdictions where data is stored. Similarly, only one-quarter (24 percent) keep an inventory of all third parties using customer data. Encryption of data at rest also remains a low priority even though it is the source of many data leakage issues. Less than half of respondents report encrypting data residing on databases and laptops (50 percent and 42 percent respectively).
INDIA IMPROVES INFORMATION SECURITY SAFEGUARDS, CHINA LEAVES ROOM FOR IMPROVEMENT
India made major gains since 2006 with information security practices and safeguards such as hiring CSOs and CISOs (87 percent in 2007 vs. 58 percent in 2006), implementing an overall security strategy (62 percent in 2007 vs. 34 percent in 2006) and using passwords (69 percent in 2007 vs. 54 percent in 2006). However, both India and China report higher rates of extortion, fraud, IP theft and financial losses than in the US.
China leads other countries in requiring third parties to comply with privacy policies but lags behind in almost all other privacy safeguards. Only 14 percent employ a chief privacy officer (compared to 23 percent in the US, 22 percent worldwide), 18 percent have mechanisms in place to report security incidents to customers or business partners (compared to 32 percent in the US, 29 percent worldwide), 39 percent require employees to complete training on privacy policies and practices (compared to 50 percent in the US, 37 percent worldwide), and 31 percent secure web transactions (compared to 51 percent in the US, 46 percent worldwide).
EMPLOYEES ARE THE MOST LIKELY SOURCE OF AN INFORMATION SECURITY EVENT
For the first time, employees took over the number one spot as the most likely source of an information security event. The majority (69 percent) of respondents cite employees and former employees as the likeliest source of attacks, surpassing hackers at 41 percent. This is up significantly from 2005 when only 33 percent of respondents cited employees as the most likely source versus 63 percent for hackers. E-mail and abused valid user accounts and permissions are reported as the primary methods for such attacks yet only about half (52 percent) of respondents employ routine people-related information security safeguards. Simple safeguards such as personnel background checks (52 percent), monitoring employee use of Internet/information assets (48 percent) and dedicating human resources to employee awareness programs for internal policies and procedures (47 percent) remain uncommon. In addition, the majority of respondents (63 percent) still do not have an identity management strategy in place.
NEED FOR IMPROVEMENT IN THIRD PARTY SECURITY
The study also shows continued corporate struggle with extending security to third parties. One in five respondents (21 percent) don't know if their users are in compliance with information security policies. Furthermore, 70 percent are only somewhat or not at all confident in their partners' and suppliers' information security, and 55 percent are only somewhat or not at all confident in their outsourced vendors' security.
Survey results will be covered in depth in the September 15th issue of CIO magazine and the October issue of CSO magazine. The coverage will also be available online at www.cio.com and www.csoonline.com. Further information about the survey is also available at www.pwc.com/security.

Date: 11th Sept 2007 | Region: World | Type: Article | Topic: ISM