The Global State of Information Security 2003

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.

By Scott Berinato

Page 4

Why haven't information security professionals adopted a risk management approach?

"Because it's harder," McCreary says. "It takes more time and effort, and, of course, more knowledge than they have."

To-Dos

1. Target spending on the soft stuff (awareness, education, risk management training) instead of throwing more technology at the problem.

2. Take better advantage of the technology you do have by interpreting the data it generates, not just letting it block attacks.

The Confidence Correlation

Those who are very confident in their security have stronger security infrastructures in place, and they spend more on security as a percentage of their IT budgets.

What the Numbers Mean

Structure and dedicated resources breed confidence. And confidence, experts say, breeds better security. In a sea of data that fails to reveal relationships between security and best practices, the confidence factor is a welcome sight. We can even go so far as to herald the one-quarter of respondents who called themselves "very confident" in their organizations' security as security leaders. That group tends to create far more structure around security within the organization; in other words, it makes security a discipline and not something that simply happens as part of the IT group. They hire more security executives and give those executives more control over policy, spending and staffs.

Another key point: The more confident a company is in its security, the less likely it is that security is controlled by the IT department. Many believe that IT's oversight of information security has been a limiting factor in improving it: if the CSO reports through the CIO, it's like having the fox guard the henhouse. If the CIO, for example, controls the CRM implementation, which he's been told to get done in one year for $2 million, and is also in charge of information security, which will add time and money to that project, to which master does he answer?

At the very least, IT leaders should be self-policing and conducting independent audits of their security practices. But the numbers in that regard don't suggest companies are. About 75 percent of companies don't perform third-party assessments of privacy standards, and 60 percent don't audit security standards. No one indicated that systems were tested for security/policy compliance.

Extracting information security from the IT department overnight may not be wise either, but a good way to start the process of separating the two would be to conduct third-party audits and verification that security isn't getting subverted.

Bill Spernow, former director of IT for the Georgia Student Finance Commission, says the first thing he did when he got his job was to fight for, and win, independence from the IT department. "It's the biggest battle I had there," he says. "If I see a CISO reporting to some IT component, I see a position that's not working, guaranteed. The conflict of interest is just too much to overcome. Having the CISO report to IT, it's a deathblow."

To-Dos

1. Create structure around information security by hiring a CSO or creating an executive security committee.
