Home » Data Protection » Malware/Cybercrime

Research

The Global State of Information Security 2006

Some things are getting better slowly but security practices are still immature and, in some cases, they're regressing

By Allan Holmes

Page 3

One of the biggest changes from last year is that more companies are integrating physical and information security. The percentage of organizations that reported having some form of integration between physical and information security has grown rapidly, to 75 percent in 2006 from 29 percent in 2003. A similar spike occurred in the percentage of respondents saying their physical and information security chiefs report to the same executive leader, to 40 percent from 11 percent in 2003.

Why is that important? To answer that, one need look no further than the daily newspaper stories about lost and stolen laptops containing private customer information. Just ask the U.S. Department of Veterans Affairs and AIG, both of which were involved this spring in high-profile cases of stolen laptops. With physical and information security combined, fewer laptops may be lost. And if they are lost or stolen, that combination should make gaining access to the data stored in them nearly impossible. "In today's environment of IP-based control devices, cameras and other security sensors, the physical aspect is becoming more and more of an IT issue," says Jason Spaltro, executive director of information security for Sony Pictures Entertainment.

With increasing aggregation and integration of security functions comes larger security budgets. Almost half of the survey respondents said their budgets would increase this year, with more than one out of five saying the rate of increase would be in the double digits. That's a faster increase than the overall IT budget. More security execs are being granted more financial autonomy too. That signals that security heads are being granted more responsibility, a key ingredient to raising security's strategic profile in the organization.

However, the vast majority of companies worldwide, almost 64 percent, still have not created C-level security positions such as chief security officer or chief information security officer.

Managing security strategically, and at the executive level, may make sense in theory but is increasingly looking like a moot point in the boardroom. "We need proof strategic security planning works to convince the business side of the organization to make a seat for it at the executive table," you may say.

The good news is that the survey contains that proof: Organizations that reported that their security polices and spending are aligned with their business processes experienced fewer financial losses and less network downtime than those that did not.

Sounds like the making of a value statement.

II. The Wild, Wild East

India lags far behind the rest of the world in instituting even the most basic information security practices and tools. With the subcontinent claiming status as the outsourcing partner of choice for the biggest IT powerhouses in the world, these findings should be a source of considerable concern: 49 percent of all offshore outsourcing implementations are located in India, with up to 90 percent of worldwide outsourcing revenue going to India, according to Duke University and Ciber/Archstone Consulting.