Research

The Global State of Information Security 2003

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.

By Scott Berinato

October 01, 2003

CSO — The best place to start is with what "The State of Information Security 2003" survey doesn't include. It doesn't include some stark bit of data that will make you slap your forehead and exclaim, "Oh, that's the problem!" It doesn't include figures that suggest a secret formula for setting a security budget. Nowhere in its hundreds of pages of raw numbers will you find The Answer, because The Answer is a fiction, even if the problem is not. Information security is a difficult, nuanced and immature craft. Silver bullets are for people who aren't serious about solving the problem.

What this survey does include, in its depth (more than 7,500 respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories), is a comprehensive profile of the imperfect and evolving world of information security.

According to the survey findings, it seems you're all just now coming to terms with information security as a problem. You understand that fixing the problem won't be easy, that it will take a complex combination of infrastructure, education, proactive risk analysis and regulation. But at the same time, you seem to be hoping against hope that an easier way out will present itself. You know you need to do more, but the survey shows that you're not yet doing it. It's the classic economic principle known as the Problem of the Commons: Information security is a problem, but it's not my problem.

And one can hardly blame you for taking such a stance. Information security, right now, is a confused and paradoxical business. For example:

  • You've increased spending significantly, and you're told this is a good thing, and yet it has had zero effect in mitigating security breaches.
  • You're constantly warned about "digital Pearl Harbors," and yet the vast majority of incidents you report are relatively small, don't last long and don't cost much.
  • You're told that aligning security and business strategies is a top priority, and yet those who have fared best in avoiding breaches, downtime and security-related damages are the least likely to be aligned with the business.

But in another sense, you seem to be contributing to the confusion.

  • Respondents who suffered the most damages from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.
  • Those with the most damages were nearly half as likely to list staff training as one of their top three priorities.
  • A quarter of you neither measured nor reviewed the effectiveness of your information security policies and procedures in the past year.
