India Improves Information Security Safeguards,
China Leaves Room for Improvement
Global State of Information Security Study by PricewaterhouseCoopers,
CIO and CSO Magazines Finds IT Taking Budgetary Control;
Data Breaches Driving Privacy Concerns
FRAMINGHAM, Mass. and NEW YORK, Sept. 10, 2007 (PRIME NEWSWIRE) -- Organizations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies according to the 5th annual Global State of Information Security Survey 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers. The study, which is the largest of its kind, represents responses of 7,200 IT, security and business executives in more than 119 countries across all industries. Results show India has made major gains since 2006 with information security practices and safeguards while China lags behind the rest of the world in almost all privacy safeguards. Other findings show that IT is taking budgetary control in 2007, with the majority of information security budgets now coming directly from the IT department. Additionally, data breaches are driving privacy concerns, but encryption of data at rest remains a low priority despite it being the source of many data leakage issues.
According to the survey, the majority of organizations now have a CSO or CISO in place (60 percent in 2007 vs. 43 percent in 2006), as well as an overall information strategy (57 percent in 2007 vs. 37 percent in 2006), and results show the majority are also heavily invested in technology safeguards such as network firewalls (88 percent), data backup (82 percent), user passwords (80 percent), and spyware (80 percent). However, the investment of time in practical measures remains low. For example, sixty-three percent of respondents state they do not audit or monitor user compliance with security policies, and less than half (48 percent) measured and reviewed the effectiveness of security policies and procedures in the last year.
"Clearly, there is greater awareness of the threats, as well as the tools and safeguards available to offset threats and protect against attack. But sound infrastructure is only half of the solution," says Mark Lobel, a principal in the Advisory practice of PricewaterhouseCoopers. "Security leaders and practitioners need to create and enforce internal policies in order to help ensure appropriate use and protection of corporate information systems."
The study also reveals most companies do not document enforcement procedures in their information security policies. Less than one-third (31 percent) include enforcement mechanisms while only 28 percent include collection of security metrics.
"Uncertainty about the business value of security investments will continue to be high as long as companies fail to monitor user compliance or measure the impact of information security safeguards," says Lobel.
IT TAKES THE LEAD
Improving internal protocol and alignment of security spending to business objectives will likely fall to IT leadership in the coming years. Survey results show the majority (65 percent) of information security budgets now come directly from the IT department, a jump from only 48 percent in 2006. Other department budgets for information security are down this year, including compliance/regulatory (9 percent in 2007 vs. 18 percent in 2006), finance (15 percent in 2007 vs. 19 percent in 2006), and other business lines (4 percent in 2007 vs. 18 percent in 2006). Additionally, security reporting and IT bounced back for the first time in four years with survey results showing more split reporting lines and security reporting to multiple departments.
"Specifically, this is a check-all-that-apply question that shows security is now reporting to more than one master," explains Lobel. "We see more security practitioners reporting to the CIO (38 percent in 2007 vs. 33 percent in 2006) and CTO (15 percent in 2007 vs. 6 percent in 2006). We also see more security executives having multiple reporting lines including risk and the CFO -- 6 percent to 9 percent and 7 percent to 11 percent respectively."
"There are several theories as to why this shift is happening," says Scott Berinato, Senior Editor of CSO magazine. "One of the predominant theories is that companies tried spinning off information security to other functional areas, but it didn't work."
GAPS IN ALIGNMENT OF SECURITY SPENDING TO BUSINESS OBJECTIVES
Currently there are gaps in the alignment of security spending to business objectives. According to the survey, only 30 percent of respondents report their organization's information security policies are completely aligned to business objectives, and even less (22 percent) believe security spending is completely aligned. This is up only slightly from 2006 when 28 percent of respondents reported their security policies were completely aligned with business objectives. And although 42 percent of respondents report regulatory compliance has significantly increased security spending, 58 percent report they do not link security -- either through organizational structure or policy -- to privacy and/or regulatory compliance.
"Gaps in alignment of security policies and spending to business objectives will shrink when compliance practices become more tightly aligned with broader risk management objectives," says Lobel.
Interestingly, the study also reveals a lack of agreement between CEOs, CIOs and CSOs on security priorities and spending. For CEOs and CIOs, business continuity and disaster recovery are the top priorities for information security spending. However, for CISOs, the number one priority is regulatory compliance. Ironically, given the common business objective of lowering risk, most respondents (78 percent) report their organizations do not continuously classify data and information assets by risk level. Seventy-three percent do not include classifying the business value of data in their security policy.
PRIVACY HIGH PROFILE BUT NOT NECESSARILY HIGH PRIORITY
Other survey results show privacy continues to be high profile but not necessarily high priority for security executives. Most companies report gains in privacy safeguards, however there are a few key areas in which companies still tend to be weak. Only one-third (33 percent) of respondents keep an accurate inventory of user data or the locations and jurisdictions where data is stored. Similarly, only one-quarter (24 percent) keep inventory of all third parties using customer data. Encryption of data at rest also remains a low priority even though it is the source of many data leakage issues. Less than half of respondents report encrypting data residing on databases and laptops (50 percent and 42 percent respectively).
INDIA IMPROVES INFORMATION SECURITY SAFEGUARDS, CHINA LEAVES ROOM FOR IMPROVEMENT
India made major gains since 2006 with information security practices and safeguards such as hiring CSOs and CISOs (87 percent in 2007 vs. 58 percent in 2006), implementing an overall security strategy (62 percent in 2007 vs. 34 percent in 2006) and using passwords (69 percent in 2007 vs. 54 percent in 2006). However, both India and China report higher rates of extortion, fraud, IP theft and financial losses than in the U.S.
China leads other countries in requiring third parties to comply with privacy policies but lags behind in almost all other privacy safeguards. Only 14 percent employ a chief privacy officer (compared to 23 percent in the U.S., 22 percent worldwide), 18 percent have mechanisms in place to report security incidents to customers or business partners (compared to 32 percent in the U.S., 29 percent worldwide), 39 percent require employees to complete training on privacy policies and practices (compared to 50 percent in the U.S., 37 percent worldwide), and 31 percent secure web transactions (compared to 51 percent in the U.S., 46 percent worldwide).
"Whether you are outsourcing your IT or manufacturing, you have to step back and make sure the companies you are working with are protecting your information," says Lobel.
EMPLOYEES MOST LIKELY SOURCE OF INFORMATION SECURITY EVENT
In other survey highlights, for the first time, employees took over the number one spot as the most likely source of an information security event. The majority (69 percent) of respondents cite employees and former employees as the likeliest source of attacks, surpassing hackers at 41 percent. This is up significantly from 2005 when only 33 percent of respondents cited employees as the most likely source versus 63 percent for hackers. Email and abused valid user accounts and permissions are reported as the primary methods for such attacks yet only about half (52 percent) of respondents employ routine people-related information security safeguards. Simple safeguards such as personnel background checks (52 percent), monitoring employee use of Internet/information assets (48 percent) and dedicating human resources to employee awareness programs for internal policies and procedures (47 percent) remain uncommon. In addition, the majority of respondents (63 percent) still do not have an identity management strategy in place.
"With a lack of safeguards and basic policies around appropriate Internet and email use, organizations become much more vulnerable to 'accidental' internal threats. Certainly, not all of these threats are malicious or even intentional," comments Berinato.
NEED FOR IMPROVEMENT IN THIRD PARTY SECURITY
The study also shows continued corporate struggle with extending security to third parties. One in five respondents (21 percent) don't know if their users are in compliance with information security policies. Furthermore, 70 percent are only somewhat or not at all confident in their partners and suppliers' information security and 55 percent are only somewhat or not at all confident in their outsourced vendor's security.
"An organization's security is only as strong as its users and partners. Without third party security parameters, an organization's partners can inadvertently become its biggest threat," says Berinato.
INDUSTRY SPECIFIC HIGHLIGHTS
ENTERTAINMENT & MEDIA (E&M)
* More E&M companies this year have a security strategy in place
(44 percent in 2007 vs. 30 percent in 2006), but the industry
still lags behind the cross-industry average of 57 percent.
* E&M companies are more likely this year to report security
attacks exploited a known application or operating system
vulnerabilities (53 percent in 2007 vs. 41 percent in 2006). This
rate is significantly higher than the cross-industry average of
35 percent.
* E&M companies lag behind companies in other sectors in applying
user passwords (68 percent vs. 80 percent), using application
firewalls (57 percent vs. 62 percent), and ensuring that their
security policies address segregation-of-duty conflicts at the
application (46 percent vs. 53 percent level).
* Only 29 percent have security policies for Security in System
Development (SDLC).
CONSUMER PRODUCTS AND RETAIL
* Although consumer products and retail companies are more likely
this year than last to encrypt data in transmission (60 percent
in 2007 vs. 45 percent in 2006), many have yet to encrypt areas
where data leakage may occur, including sensitive data residing
in databases (49 percent), laptops (58 percent), and on backup
tapes (62 percent).
* More consumer products and retail organizations have an overall
security strategy this year (52 percent in 2007 vs. 34 percent in
2006).
* More CISOs at consumer products and retail companies are
reporting to the top of the organization - the Board of
Directors, CEO, CFO or VP (69 percent in 2007 vs. 51 percent in
2006).
* Consumer products and retail companies are less likely than other
sectors to hire a chief privacy officer (14 percent vs. 22
percent) and much more likely to report their organization does
not yet classify data and information assets according to risk
level (42 percent vs. 30 percent).
HEALTHCARE: PAYERS
* Payers are far more likely than financial services organizations
to employ a chief privacy officer (53 percent vs. 33 percent),
encrypt data in transmission (87 percent vs. 75 percent), and
have a business continuity or disaster recovery plan in place (83
percent vs. 71 percent).
* Payers are significantly more likely to outsource some or all of
their security (32 percent vs. cross-industry average of 20
percent).
* Only 8 percent of payer respondents report incidents that
compromised customer records compared to 26 percent of financial
services respondents.
* Less than half (40 percent) of payers do not define security
baselines for external partners or vendors, and more than half
(55 percent) do not keep an accurate inventory of third parties
using customer data.
GOVERNMENT
* More than half (53 percent) of all public sector respondents
report their agency's physical and information security
organizations are separate with no linkage or integration across
policies or procedures.
* Only 33 percent of public sector respondents report physical
security and information security are integrated and report to
the same leader.
* Public sector organizations are more likely this year to have a
chief privacy officer in place (26 percent in 2007 vs. 19 percent
in 2006).
* More public sector respondents report they encrypt data in
transmission (60 percent) than data at rest in databases (44
percent), laptops (39 percent), file shares (35 percent) and
backup tapes (37 percent).
* Barely three out of 10 public sector organizations have an
accurate inventory either of user data kept (31 percent) or of
locations or jurisdictions where this data is stored (33
percent).
* 61 percent of public sector organizations do not require their
employees to complete training on the organization's privacy
policies and practices.
METHODOLOGY
The Global State of Information Security 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers, was conducted online from March 6, 2007 through May 4, 2007. Readers of CIO and CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28 percent), Asia (23 percent), South America (12 percent) and the Middle East and South Africa (2 percent). The margin of error for this study is +/- 1.0 percent.
NOTE TO EDITORS: Please reference the study as "The State of Information Security 2007, a worldwide study by CIO, CSO and PricewaterhouseCoopers." Source line must include CIO, CSO and PricewaterhouseCoopers. Survey results will be covered in-depth in the September 15th issue of CIO magazine and the October issue of CSO magazine. The coverage will also be available online at www.cio.com and www.csoonline.com. Information about the survey will also be available at www.pwc.com/security.
About PricewaterhouseCoopers
PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 140,000 people in 149 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.
"PricewaterhouseCoopers" refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
About CIO and CSO Magazines
CIO and CSO magazines are published by CXO Media Inc., producer of award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business. Launched in 1987, CIO magazine addresses issues vital to the success of chief information officers (CIOs) worldwide. The CIO portfolio includes a companion website, www.CIO.com, CIO Executive Programs, a series of face-to-face conferences providing educational and networking opportunities for pre-qualified corporate and government leaders, and the CIO Executive Council, a professional organization of CIOs created to achieve lasting change in critical industry, academic, media and governmental groups. The U.S. edition of the magazine and website are recipients of more than 160 awards to date, including two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors.
Launched in 2002, CSO magazine, its companion website (www.CSOonline.com) and the CSO Perspectives(tm) conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets -- from people to information and financial value to physical infrastructure. The U.S. edition of the magazine and website are the recipients of 80 awards to date, including the American Society of Business Publication Editor's Magazine of the Year award as well as eleven Jesse H. Neal National Business Journalism Awards. CXO Media is a subsidiary of International Data Group (IDG).