The Global State of Information Security 2006

Some things are getting better slowly but security practices are still immature and, in some cases, they're regressing

By Allan Holmes

Page 4

The widespread absence of even the most routine security tools (patch management, content filters and access control software) and policies (secure disposal of hardware, business continuity plans, setting security baselines for outside business partners) has left many Indian companies vulnerable to serious attack and the inevitable financial losses that follow. Extortion, fraud and intellectual property theft occurred last year at one in every five or six Indian companies, rates that are double and even quadruple those of the rest of the world. Nearly one in three Indian organizations suffered some financial loss because of a cyberattack last year, compared with one out of five worldwide and one out of eight in the United States. "You cannot take information security for granted in India," PwC's Lobel warns.

While the survey does not identify companies by name, and so results do not indicate if popular Indian outsourcing companies are among the below-average security practitioners, Lobel suggests taking a cautious tack before jumping into an outsourcing relationship. The first step companies should take when considering outsourcing work to India is to verify that an Indian-based unit's security processes and policies are of the same caliber as those of its U.S. unit.

Second, Lobel suggests conducting a risk assessment of the Indian unit's security practices. Even if an Indian organization says that it follows a familiar, specific security practice, don't presume the organization defines the practice the same way that you do. "Conducting background checks may mean something entirely different in India than it does here," Lobel points out. Find out exactly what the practice involves.

Indian security officials have their work cut out for them, but they do say they plan to work to harden information security. Indian organizations lead their foreign counterparts (sometimes by a significant amount) in deploying new security measures and policies. And they're not just tactical. A substantially larger percentage of Indian companies (nearly double the rate worldwide) reported plans to hire a C-level security executive this year. Whether the Indian organizations are able to follow through and begin to reduce the security gap is something that should show up in the 2007 survey. Stay tuned.

III. The Strategy Gap

When an individual thinks he doesn't have enough information on which to base decisions, or as many resources as he believes he needs and, for the most part, he's not part of the planning process, what does he do? Typically, he falls back on what he knows best. For information security executives, that means focusing on technology—on tactics, not strategies.
