Best Practices: The 2004 Global Information Security Survey

By Scott Berinato

We've defined a small group, about one-fifth of respondents, that described itself as "very confident" in the effectiveness of its information security practices. This group has earned the right to be confident. Collectively, while those respondents reported more security incidents, they experienced less downtime and fewer financial losses than the average respondent. This is just one of the reasons they are the Best Practices Group. (See "Why the Best Practices Group Is Best," this page.)

Behind the Numbers

In last year's data, we uncovered what we called "The Confidence Correlation," in which enterprises that expressed confidence in their security were, in fact, more secure. This year, the trend was even more pronounced.

The Best Practices Group may have suffered more incidents than the average respondent, but those incidents didn't precipitate more damage or downtime. Indeed, the Best Practices Group suffered less of each despite being targeted more often.

That higher number of reported incidents can be attributed to two facts. First, these tended to be larger companies, and larger companies are targeted more by the bad guys. Second, the Best Practices Group generally had a more comprehensive security infrastructure, which gave it more visibility into what was happening on its networks.

We know the Best Practices Group had better security, because the survey asked respondents what security and privacy safeguards their companies had in place. And for every single one of the 84 safeguards listed, the Best Practices Group was more likely, sometimes by a wide margin, than the average respondent to have put it in place.

The organizations with high confidence in their security created a virtuous cycle. They do a better job securing their infrastructure, which breeds confidence in the enterprise (especially in the executive ranks), and that confidence translates into support that manifests itself in resources. Greater resources mean the Best Practices Group can improve security, which breeds more confidence. Voilà: a virtuous cycle. (See "The Virtuous Cycle.")

What We Think

It's good to be confident. It's better to have good reason to be confident. Here's a to-do list that we believe will help you work your way into the Best Practices Group.

1. Spend more. U.S. respondents said infosecurity accounts for less than 9 percent of their IT budgets. (Globally, it's 11 percent.) The Best Practices Group claimed 14 percent.

2. Separate information security from IT and then merge it with physical security. These disciplines can either exist under a single CSO or as separate entities governed by an executive security committee.

3. Do the following four tasks, one each quarter, over the course of the next year:
