Home » Data Protection » Malware/Cybercrime

Research

The Global State of Information Security 2006

Some things are getting better slowly but security practices are still immature and, in some cases, they're regressing

By Allan Holmes

Page 2

Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations—such as California's security breach law, the Health Insurance Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union Data Privacy Directive—have been around for years. Is this an example of adolescent rebellion, or are security executives finding it hard to obtain the necessary resources to comply?

The answer, says Mark Lobel, a PwC advisory partner specializing in security, is neither, actually. The information security discipline still suffers from the fundamental problem of making a business value case for security. Security is still viewed and calculated as a cost, not as something that could add strategic value and therefore translate into revenue or even savings.

But if one digs into the results, there are reasons for optimism. There's evidence that organizations that comply with security laws are more likely to be integrating and aligning security with their enterprise's business strategy and processes, which in turn reduces the number of successful attacks and the financial losses that result from them. In short, security can create value if it's part of an organization's business plan and if the executive in charge is part of the executive team making those strategic spending and policy decisions.

The six sections that follow illustrate that global information security management practices are varied and, with a few notable exceptions, have yet to mature. New this year, we have posted online (at www.csoonline.com/podcasts) a panel discussion with security practitioners and experts discussing the survey findings and offering solutions that may help information executives improve the security of their organizations. The data, we hope, will bolster the argument for a more strategic approach to security. And strategy—thinking ahead, connecting actions to their consequences—is, of course, a sign of maturity.

I. Growing Up, Slowly

The 2006 survey shows that a few more companies than last year are thinking about security strategically, at least in some areas. A larger percentage of companies are aligning security objectives with business objectives (20 percent of respondents said they align all security spending with their business objectives, up from 15 percent in 2004) and are prioritizing data sets based on the sensitivity of the information contained in each application. They're then protecting those sets with the appropriate amount of security (25 percent in 2006, up from 21 per cent in 2004).