The Global State of Information Security 2003

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.

By Scott Berinato

In short, the survey shows that as much as the nascent information security discipline has grown since its baptism on Sept. 18, 2001 (one week after the terrorist attacks and the day the Nimda worm hit), it hasn't much improved with age.

Can we suss out any prevailing trend at all? If there's one there, it's hard to tell. In this particular survey, trends drift aimlessly. Positive correlations are rare. What you do about information security and what actually happens seem only vaguely allied.

Except for one case, where a connection was clear. In this survey, confidence in security correlates to better security, irrefutably. In other words, those who feel like they're doing better, are doing better.

What follows are the five cuts we made of "The State of Information Security 2003," including the aforementioned confidence correlation. Each provides insight into some aspect of this confused and complex discipline. In one, there's even a calculation: an innovative method for benchmarking security spending called the per capita expenditure.

Forget silver bullets. Hard data, and lots of it, is what you need to start improving information security. And here it is.

Fuzzy Logic

It is frustratingly difficult to find any relationship at all between good security and spending. And sometimes there's even a negative relationship.

Companies with $500,000 or more in damages were more than twice as likely to plan to cut security spending as companies that suffered no monetary loss in damages.

What the Numbers Mean

Since companies' size, and therefore their budgets, varied so widely across the survey's more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security. The mere single percentage point between the highest spenders and lowest spenders (when cross-tabulated with breach data) shows that those suffering fewer security incidents don't necessarily spend more to stay secure or, to flip it over, those who are hit the hardest by breaches aren't spending any less than those untouched.

So you can't accuse the companies suffering breaches of not spending enough. But perhaps they're not spending well. The hardest question for IT security officers to answer clearly isn't How much should we spend? but rather How should we spend?

The answer: Probably by devoting less to technology.

Security expert Bruce Schneier thinks the wanton deployment of technology hasn't helped because it hasn't been matched by a similar deployment of the soft stuff: training, education and awareness (see "The Evolution of a Cryptographer" in the September issue).
