Analysis: 2007 Global State of Information Survey
Five years ago, when CIO, CSO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
By Scott Berinato
This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents—a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine.
"What's happening is we're doing a better job with logging and understanding situations," says Ron Woerner, former information security manager at ConAgra Foods, now security engineering consultant at TD Ameritrade. "For a while, I think, ignorance was bliss. Now, with all the technology in place, we're learning that we all have the same problems."
Here's how building a security infrastructure can lead to more employees named as culprits in security incidents. A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey) and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistle-blowers. With all of this and more in place, a company has increased its odds of detecting security incidents.
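The mechanism described above, that more monitoring sources mean more detected incidents, can be shown with a small triage routine. The following is an added illustration, not code from the article or from any vendor's product; the event records, the user names, the three detectors and the thresholds are all constructed for the example. The same set of telemetry is triaged three times, each time with a different set of monitoring sources "switched on": with only authentication logs, one incident is found; adding network flow data finds a second incident but cannot say what it is; adding endpoint monitoring attributes it. That last case is the same pattern the survey's "Don't know" figures describe, where a detection fires but the type of attack cannot be determined from the data on hand.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str          # monitoring capability that produced the record
    user: str
    action: str
    nbytes: int = 0      # bytes moved, for transfer events
    hour: int = 12       # hour of day, 0-23
    ok: bool = True      # for auth events: did the login succeed?


# Constructed sample telemetry; not data from the survey or the article.
EVENTS = [
    Event("auth", "alice", "login", ok=False),
    Event("auth", "alice", "login", ok=False),
    Event("auth", "alice", "login", ok=False),
    Event("auth", "alice", "login", ok=True),
    Event("netflow", "bob", "upload", nbytes=2_500_000_000, hour=2),
    Event("endpoint", "bob", "unapproved_sync_client", hour=2),
    Event("netflow", "carol", "upload", nbytes=40_000, hour=14),
    Event("endpoint", "dave", "laptop_reported_lost", hour=9),
]

# Detection thresholds chosen for the example, not recommended values.
BULK_BYTES = 1_000_000_000
BUSINESS_HOURS = range(7, 20)
FAILURE_THRESHOLD = 3


def triage(events, enabled_sources):
    """Return a Counter of incident type -> count, using only the enabled sources."""
    by_source = defaultdict(list)
    for e in events:
        if e.source in enabled_sources:
            by_source[e.source].append(e)
    incidents = Counter()

    # Detector 1 (auth logs): a run of failed logins followed by a success.
    streak = Counter()
    for e in by_source["auth"]:
        if e.action != "login":
            continue
        if not e.ok:
            streak[e.user] += 1
        else:
            if streak[e.user] >= FAILURE_THRESHOLD:
                incidents["credential guessing"] += 1
            streak[e.user] = 0

    # Detector 2 (netflow): bulk outbound transfer outside business hours.
    # Naming a cause needs a corroborating endpoint record for the same user;
    # without endpoint telemetry the incident is counted but its type is unknown.
    endpoint_users = {e.user for e in by_source["endpoint"]}
    for e in by_source["netflow"]:
        if e.action == "upload" and e.nbytes >= BULK_BYTES and e.hour not in BUSINESS_HOURS:
            if e.user in endpoint_users:
                incidents["insider data exfiltration"] += 1
            else:
                incidents["unknown type (bulk off-hours transfer)"] += 1

    # Detector 3 (endpoint): a device reported lost.
    for e in by_source["endpoint"]:
        if e.action == "laptop_reported_lost":
            incidents["lost device"] += 1
    return incidents


def unknown_share(incidents):
    """Fraction of detected incidents whose type could not be determined."""
    total = sum(incidents.values())
    if total == 0:
        return 0.0
    unknown = sum(n for t, n in incidents.items() if t.startswith("unknown"))
    return unknown / total


if __name__ == "__main__":
    for sources in ({"auth"}, {"auth", "netflow"}, {"auth", "netflow", "endpoint"}):
        found = triage(EVENTS, sources)
        print(sorted(sources), dict(found), f"unknown={unknown_share(found):.0%}")
```

Run as a script it prints one line per configuration; the middle one reports two incidents with half of them of unknown type, and only the full configuration attributes every detection. The point for a program owner is that each new source tends to raise the incident count before it lowers the share of "Don't know" answers, which is the pattern the survey numbers show.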
But here's an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year.
The rate of "Don't know" for the type of incident and the primary method used to attack also spiked.
What You Don't Know... Could Fill Volumes
I Dunno
Increasingly, those involved in information security reply "Don't know" when asked about the number and nature of security incidents.
                        2006    2007    2007 CSO/CISO
Number of incidents     29%     40%     29%
Type of attack          26%     45%     32%
Primary method used     26%     33%     20%
It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse.
The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."