New Survey Shows Physical and Information Security Convergence Is Increasing; India Lags But is Closing Gaps in Security

International Study by PricewaterhouseCoopers, CIO and CSO Magazines Shows Signs That the Role of Security is Maturing But Critical Deficiencies Remain
NEW YORK and FRAMINGHAM, Mass., Sept. 15, 2006 (PRIMEZONE) -- Organizations are increasingly integrating physical and information security as they become more aware of the impact of privacy breaches, according to the Global State of Information Security 2006, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers. Forty percent of respondents state their physical and IT security functions report to the same executive leader versus 31 percent last year. Further, only 25 percent say the two functions are separate, down significantly from 47 percent in last year's survey. The survey, the largest of its kind, represents the responses of almost 7800 senior executives at companies in more than 50 countries across all industries. Findings also show a sizable information security gap exists between India, the rest of the world and the United States.

"It is increasingly important for these functions to be integrated as part of the overall IT security strategy," says Allan Holmes, Washington Bureau Chief, CIO magazine. "By not only making it more difficult to physically steal items such as laptops but also protecting the information stored on them, it becomes very difficult for unauthorized users to access private customer information."

The third annual survey also shows a noticeable shift in priorities. In 2006, IT executives list the top three priorities on their to-do list as technological fixes including data backup, network firewalls and application firewalls. This is a departure from 2005 when the number one priority was disaster recovery and business continuity, followed by employee awareness and training programs, and data backup third on the list.

"We were particularly surprised that in the aftermath of Hurricane Katrina, business continuity and disaster planning dropped from the top priority in 2005 to fourth on the list in 2006," says Mark Lobel, Advisory partner, PricewaterhouseCoopers. "IT executives have a lot of uncertainty, and that uncertainty is driving them to fall back on what they know best, which is technology rather than strategy. For information security to be most effective, organizations must align their security policies and spending with their business process. Organizations that do this experience fewer financial losses and experience less network downtime than those that do not."

India Working to Close the Security Gap

This year's survey uncovers some major deficiencies in security measures for organizations responding to the survey from India. As India continues to make enormous gains in the world economy, the security infrastructure is clearly lagging behind. Thirty-five percent of India-based respondents report they use secure remote access (vs. the rest of the world at 56 percent and the U.S. at 62 percent). Only half of organizations in India employ the basics such as user passwords (vs. the rest of the world at 73 percent and the U.S. at 78 percent), and 50 percent admit more than half their users are not in compliance with their information security policies.

As a result, extortion, fraud and intellectual property theft occurred last year at one in every five or six India-based companies -- rates that are double and even quadruple those of the rest of the world. Compared with the United States and the total world survey population, 15 percent of organizations in India report that breaches resulted in extortion (vs. world: five percent and U.S.: two percent), 16 percent report breaches resulting in fraud (vs. world: nine percent and U.S.: six percent), 20 percent report IP theft (vs. world: 12 percent and U.S.: eight percent), and 29 percent report financial losses (vs. world: 19 percent and U.S.: 14 percent). Furthermore, 10 percent of organizations in India experience cyber attacks that shut down networks for more than two days. The U.S. rate is just five percent.

Despite the lag in security practices, the survey findings show some positive signs that India is proactively working to remediate the gaps. India-based companies are outspending other nations on information security with 70 percent of India-based respondents indicating they have increased security spending since 2005 (vs. world at 46 percent and U.S. at 49 percent). Fifteen percent report increasing spending by more than 30 percent (vs. world at eight percent and U.S. at five percent).

Another positive sign of India taking a more strategic approach to security is that the number of organizations in India employing a CISO or CSO is 58 percent -- significantly higher than that of the total world survey respondents at 43 percent and the U.S. at 44 percent. Of those India-based CISOs and CSOs, 44 percent report to the CEO (vs. 31 percent for the rest of the world and 27 percent for the U.S.).

Some Signs of Information Security Maturity

Survey findings show several signs that the role of security is maturing. This year's survey reveals 38 percent of respondents have been in their jobs for five years or more, indicating that security positions are becoming established within most organizations. Furthermore, security executives appear to be moving up the reporting chain with security heads most frequently reporting to the CIO (35 percent), CEO (31 percent) and the company board (24 percent).

Despite positive steps, survey responses also reveal critical deficiencies. Only 37 percent of respondents report having an overall security strategy in place -- exactly the same percentage that reported this last year. In addition, while senior security executives are moving up the organizational ladder, the number of organizations hiring CSOs and CISOs has stagnated. Sixty-six percent of respondents have yet to hire a CSO or CISO (compared to 65 percent in 2005).

Effects of Regulations and Compliance

Both U.S. organizations and their international colleagues continue to struggle with the applicable information security laws and regulations that govern their industries -- particularly those in the area of privacy. Of the U.S. respondents who reported being noncompliant with current applicable regulations, 18 percent are noncompliant with California security breach notification law CA 1386 (a slight increase from 15 percent in 2005) and 35 percent report that they are still not in compliance with Sarbanes-Oxley (down from 38 percent in 2005). Forty percent of healthcare respondents do not meet the requirements of HIPAA (up from 38 percent in 2005) and 41 percent of all respondents are noncompliant with other state/local privacy regulations (up from 13 percent in 2005).

The struggle to meet compliance requirements extends beyond the U.S. with a high percentage of non-U.S. firms reporting similar challenges. Half of the Australia-based respondents report not being in compliance with Australian Privacy Legislation; 42 percent of France-based respondents are noncompliant with CNIL; 31 percent of U.K.-based respondents are noncompliant with the Data Protection Act of 1998; 45 percent of European-based respondents are noncompliant with the European Union Data Privacy Directive, and 30 percent of Canada-based respondents are noncompliant with the Canadian Privacy Act.

"There is a marked lack of enforcement of these laws and regulations and the cost of non-compliance is currently not as high as the expense of complying. To improve compliance with these regulations, security laws need to have more meaningful repercussions," says Lobel. "Additionally, companies need to enforce compliance with their own security policies. This is one of the most critical factors for reducing network downtime and yet respondents report that only a little more than two-thirds of all users are compliant -- a statistic that has remained unchanged over the past three years."

Confidence Lacking in Third Party Security Measures

The level of confidence in security measures has risen slightly from last year with 33 percent reporting that they are very confident in their own organization's security (up from 28 percent in 2005). Likewise, the perception of the CEO's level of confidence is up slightly with 39 percent indicating that they are very confident as compared with 35 percent last year.

However, many organizations rely on third parties for various business reasons -- including outsourcing arrangements of financial, HR, and IT functions -- which in turn impacts the effectiveness of their own organization's security measures. Of those who use third parties, only 22 percent report they are "very confident" in their partner/supplier's security.

Other Survey Highlights
 -- Alignment to Business Objectives -- Findings show limited
    improvement in organizations' alignment of security to business
    objectives.  Twenty-eight percent of respondents report their
    security policies are completely aligned with business objectives
    (slightly up from 26 percent in 2005).
 -- IT Security Budgets -- Almost half of the survey respondents (46
    percent) indicate their IT security budgets will increase this
    year, with more than one out of five saying the rate of increase
    will be in the double digits -- a faster increase than the overall
    IT budget.
 -- Return on Investment (ROI) -- Survey results also show the ability
    to prove ROI remains a challenge.  When asked how their
    organizations measure the effectiveness of security investments,
    more respondents chose "professional judgment" (46 percent) than
    "ROI" (25 percent).

 Industry Specific Highlights

 Financial Services/Banking

 -- Financial services firms are more inclined to have a business
    continuity/disaster recovery plan (75 percent compared to 50
    percent across industries), and conduct personal background checks
    (67 percent versus 51 percent).
 -- One of the biggest security challenges for financial services firms
    is protecting data across the entire information lifecycle.  The
    survey found that while 68 percent of financial services firms
    encrypt data in transmission, only 43 percent encrypt stored data
    and 42 percent keep an accurate inventory of user data.
 -- More than half (53 percent) of financial services organizations do
    not yet address data protection, disclosure and destruction in
    their security policies.

 Healthcare

 -- More than a third (36 percent) of healthcare respondents report
    their organization now has a privacy officer -- well above the
    cross-industry average of 16 percent.
 -- Healthcare organizations are more likely than last year to have reviewed
    their privacy policies at least once in the past 12 months (61
    percent versus 59 percent in 2005) and posted these policies on
    their external website (46 percent compared to 43 percent last
    year).
 -- The biggest factor driving security spending in the healthcare
    industry is business continuity.  The survey finds 70 percent of IT
    executives in the healthcare industry report business continuity as
    the biggest factor driving spending versus 57 percent of the total
    population.
 -- When asked about strategic initiatives for next year, IT executives
    in the healthcare industry report more focus on centralized
    information security management -- 32 percent in 2006, up from 17
    percent in 2005; business continuity/disaster planning -- 59
    percent in 2006 versus 38 percent in 2005; and employee security
    awareness training -- 49 percent in 2006 compared to 19 percent in
    2005.

 Government/Public Sector

 -- Public sector organizations in countries around the world are
    spending more than they ever have on security -- 15.2 percent of
    their IT budgets, which is a clear increase over 2005 and 2004
    levels (12.6 percent and 8.7 percent respectively).
 -- Compliance with privacy regulations continues to be the driving
    force behind many public sector security initiatives.  However,
    only about half of all public sector entities protect privacy
    through practices such as securing web transactions (56 percent)
    and posting privacy policies on their internal (53 percent) and
    external (43 percent) websites.
 -- More than three quarters (76 percent) of public organizations have
    still not established security baselines for external suppliers and
    vendors, and 62 percent do not yet require third parties to comply
    with their privacy policies.

 Pharmaceuticals

 -- Executive confidence in the effectiveness of security practices is
    higher than it has ever been (91 percent) and half of industry
    respondents expect to increase security spending in the next twelve
    months.
 -- Pharmaceutical companies are more likely this year than last to
    encrypt data in transmission (59 percent vs. 54 percent) and post
    privacy policies on their external web site (42 percent vs. 37
    percent). They're also more likely to secure web transactions (56
    percent vs. 53 percent) and employ a chief privacy officer (19
    percent vs. 16 percent).
 -- Only 46 percent of pharmaceuticals have an overall security
    strategy and 73 percent do not integrate information security
    safeguards with privacy and compliance plans.

 Technology

 -- This year, technology companies are more likely to have an overall
    security strategy (39 percent vs. 32 percent), and they are
    significantly more likely to have measured and reviewed the
    effectiveness of their information security policies and procedures
    in the prior 12 months (58 percent vs. 43 percent).
 -- Most technology respondents (70 percent) admit that their security
    policies do not address classifying the value of data and 47
    percent report that their organization does not have policies
    governing data protection, disclosure, and destruction.
 -- Only 52 percent of technology respondents report that their
    organization encrypts data in transmission and only 41 percent say
    they encrypt data in storage.

Survey results will be covered in-depth in the September 15th issue of CIO magazine and the September issue of CSO magazine. The coverage will also be available online at www.cio.com and www.csoonline.com. Information about the survey will also be available at www.pwc.com/security.

Methodology

The Global State of Information Security 2006, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers, was conducted online from April 5 through May 22, 2006. Readers of CIO magazine, CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results shown in this report are based on the responses of more than 7,791 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from more than 50 countries. The margin of error for this study is +/- 1 percent.

Note to Editors: Please reference the study as "The State of Information Security 2006, a worldwide study by CIO, CSO and PricewaterhouseCoopers." Source line must include CIO, CSO and PricewaterhouseCoopers.

About PricewaterhouseCoopers

PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 130,000 people in 148 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.

"PricewaterhouseCoopers" refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

About CIO and CSO Magazines

CIO and CSO magazines are produced by CXO Media Inc., producer of award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business. Launched in 1987, CIO magazine addresses issues vital to the success of chief information officers (CIOs) worldwide. The CIO portfolio includes a companion website www.CIO.com, CIO Executive Programs, a series of face-to-face conferences providing educational and networking opportunities for pre-qualified corporate and government leaders, and the CIO Executive Council, a professional organization of CIOs created to achieve lasting change in critical industry, academic, media and governmental groups. The U.S. edition of the magazine and website are recipients of more than 160 awards to date, including two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors.

Launched in 2002, CSO magazine, its companion website (www.CSOonline.com) and the CSO Perspectives(tm) conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets -- from people to information and financial value to physical infrastructure. The U.S. edition of the magazine and website are the recipients of 80 awards to date, including the American Society of Business Publication Editor's Magazine of the Year award as well as eleven Jesse H. Neal National Business Journalism Awards. CXO Media is a subsidiary of International Data Group (IDG).
