Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn't improving.
For the fifth straight year, CIO, CSO and PricewaterhouseCoopers (PWC) present select results and analysis from the "Global State of Information Security" survey, the world's largest, most comprehensive annual information security survey.
And the first question to ask is, Are you feeling anxious?
Are you feeling the disquiet that comes from knowing there's no reason why your company can't be the next TJX? The angst of knowing that these modern plagues—these spam e-mails, these bots, these rootkits—will keep coming at you no matter how much time and money you spend trying to stop them? The chill that comes from knowing how much you don't know?
Yeah, you're feeling it.
You're feeling it because you're seeing it. According to the 2007 survey, a comprehensive canvassing of 7,200 respondents on six continents, you see the information security problem more clearly than ever before. You're seeing it because you've created tools and systems in order to see it. For example:
You've added processes. Three years ago, only 37 percent of companies reported having an overall security strategy. This year, 57 percent did. Also, nearly four out of five companies conducted enterprise risk assessments, at least periodically.
You've deployed technology. Nine out of 10 respondents said they use firewalls, monitor users and rely on intrusion detection infrastructure, and that number approached 98 percent when responses were limited to larger companies (more than $1 billion in revenue). Encryption is at an all-time high, with 72 percent reporting some use of it (compared to 48 percent last year).
You've hired people. The number of CISOs and CSOs employed continues to rise. And the mean number of information security workers per company has topped 100, most likely due to more outsourcing and the use of contract employees.
You've crafted an infrastructure for understanding. You're seeing it, and that's why you're feeling it. You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.
Awareness may be at an all-time high, but awareness doesn't equal improvement, and awareness doesn't bring happiness. The sad fact is that the strides made to date have not crossed the threshold from seeing to fixing.
"That next level of maturity has not been reached," says Mark Lobel, a principal with PWC's advisory services. "We have the technology but still don't have our hands around what's important and what we should be monitoring and protecting. Where's that console that says, 'Hey, credit card numbers are crossing the firewall and this is a PCI issue that has a real business impact?'"
Read on for more on what awareness has led to and other insights from the "Global State of Information Security 2007" survey.
"I See," Said the Blind Man
Five years ago, 36 percent of respondents to the "Global State of Information Security" survey reported that they had suffered zero security incidents. This year, that number was down to
Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.
The Infrastructure Is in Place
Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among those companies that don't have these techniques in place, the priority for adding it is remarkably low, indicating that most people who think they need these things now have them.
2006 2007 Priority for 2008
People: You have a...
CSO 21% 28% 13%
CISO 22% 32% 17%
CPO 16% 22% 14%
Process: You have...
An overall security strategy 37% 57% 13%
A baseline for customers andpartners 25% 42% 10%
Centralized SIM 34% 44% 11%
Technology: You deploy...
Firewalls 77% 93% 15%
Encryption 43% 72% 25%
IDS, A-V and other detection* 57% 90% 28%
Data backup 78% 82% 14%
User security / ID management* 73% 89% 33%
IPS / filters* 44% 83% 22%
Internet security* 31% 70% 14%
* Before 2007, these categories were not consolidated. The percentage listed is the highest percentage given for one of the subcategories now consolidated into the new category.
We've Seen the Enemy; It's You
This year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.
Likely Sources of Incidents
Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years.
Who Attacked Us? 2006 2007 2007 Security Executives Only
Employee/former employee 51% 69% 84%
Hacker 54% 41% 40%
Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person.
This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents—a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine.
"What's happening is we're doing a better job with logging and understanding situations," says Ron Woerner, former information security manager at ConAgra Foods, now security engineering consultant at TD Ameritrade. "For a while, I think, ignorance was bliss. Now, with all the technology in place, we're learning that we all have the same problems."
Here's how building a security infrastructure can lead to more employees named as culprits in security incidents. A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey) and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistle-blowers. With all of this and more in place, a company has increased its odds of detecting security incidents.
But here's an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year.
The rate of "Don't know" for the type of incident and the primary method used to attack also spiked.
What You Don't Know& Could Fill Volumes
Increasingly, those involved in information security reply "Don't know" when asked about the number and nature of security incidents.
2006 2007 2007 Cso/ciso
Number of incidents 29% 40% 29%
Type of attack 26% 45% 32%
Primary method used 26% 33% 20%
It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse.
The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering.
If most of the investment has been put into technology, most of the return will come from there too. The tools will do their job. They will tell you what's happening and block the most ham-fisted attacks. But technology is largely reactive. It provides alarms and ex post facto reports of anomalies. Intrusion detection, for example, is not terribly effective at threat intelligence—understanding the nature of vulnerabilities before they affect you. All IDS boxes know is that some preset rule has been broken. Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.
Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Antiforensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.
Why You Have to Change Your Strategy
What can be done about all this? Be strategic. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy.
Information and security executives should, for example, be putting their dollars into industry information sharing. "Collaboration is key," says Woerner. They should invest in security research and technical staff that can capture and dissect malware, and they should troll the Internet underground for the latest trends and leads. Dozens of security companies do just this and provide subscriptions to research services.
"We have to start addressing the human element of information security, not just the technological one," says Woerner. It's only then that companies will stop being punching bags. Only then will they be able to hit back.
IT Strikes Back
Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.
The IT department wants to control security again.
In the first year of collaboration on this survey (see www.cio.com/article/29841), CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.
The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project—which might slow down the project and add to its cost—he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."
And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.
In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:
1. IT (CIO, CTO)
2. Neutral (board, CEO, CFO, COO, legal)
3. Security (audit, CPO, CSO, risk, security committee)
To allow respondents to select more than one of these answers, we created "shares"—the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.
Reporting to IT
Respondents have some reporting relationship to the following groups
2006 2007 2007 (>$1B Revenue)
IT 41% 53% 60%
Neutral 76% 79% 68%
Security 44% 46% 48%
A 12 percent rise in the number of security executives reporting to IT is hugely significant. And when you slice that by large companies, it's a 19 percent rise. Notice, too, that bigger companies show fewer information security executives reporting to
M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."
Indeed, the trend is even more pronounced when you follow the money trail.
Security Dollars Come from IT
Funding for information security comes from (could check more than one)
Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (illegal entry) and digital ones (illegal network access).
And for four years, convergence of physical and IT security steadily increased. Until this year.
Physical and Information Security Converge, Then Diverge
Information and physical security are separate
Overall Revenue $1B or more
2003 71% NA
2004 50% NA
2005 47% NA
2006 25% 36%
2007 46% 55%
Information and physical security report to the same executive leader
Overall Revenue $1B or more
2003 11% NA
2004 26% 22%
2005 31% 24%
2006 40% 33%
2007 34% 27%
Respondents who do not integrate physical and information security personnel: 69%
Of those, percent with no plans to integrate personnel: 80%
Who's in Charge?
Signs of I.T.'s control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—sometimes two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.
What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."
In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.
That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?
One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.
"What I hear from CIOs," says Johnson, "is at the end of the day they're responsible for failures anyway. They're on the line whether security is separate or not." Why wouldn't the CIO want to control something he's ultimately responsible for?
On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group
to take the hit." Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure.
That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the
technology. Why should IT be charged for another depart-
Whatever the reason, the trend is disturbing to some security professionals, especially at a time when they play an ever more central role in corporate crises, and in society in general.
The state of Internet security is eroding quickly. Trust in online transactions is evaporating and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security.
But right when the best and brightest security minds are needed most, they're being valued less. n