Analysis: 2007 Global State of Information Security Survey
Five years ago, when CIO, CSO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
By Scott Berinato
Read on for what that awareness has led to, and for other insights from the "Global State of Information Security 2007" survey.
"I See," Said the Blind Man
Five years ago, 36 percent of respondents to the "Global State of Information Security" survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent.
Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.
The Infrastructure Is in Place
Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among the companies that don't yet have these measures in place, the priority for adding them in 2008 is remarkably low, which suggests that most of the companies that think they need them already have them.
                                         2006    2007    Priority for 2008
People: You have a...
  CSO                                     21%     28%     13%
  CISO                                    22%     32%     17%
  CPO                                     16%     22%     14%
Process: You have...
  An overall security strategy            37%     57%     13%
  A baseline for customers and partners   25%     42%     10%
  Centralized SIM                         34%     44%     11%
Technology: You deploy...
  Firewalls                               77%     93%     15%
  Encryption                              43%     72%     25%
  IDS, A-V and other detection*           57%     90%     28%
  Data backup                             78%     82%     14%
  User security / ID management*          73%     89%     33%
  IPS / filters*                          44%     83%     22%
  Internet security*                      31%     70%     14%

* Before 2007, these categories were not consolidated. The percentage listed for 2006 is the highest percentage given for any one of the subcategories now consolidated into the new category.
We've Seen the Enemy; It's You
This year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.
Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years.

Likely Sources of Incidents

  Who attacked us?            2006    2007    2007 (security executives only)
  Employee/former employee     51%     69%     84%
  Hacker                       54%     41%     40%
Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person.