Analysis: 2007 Global State of Information Survey
Five years ago, when CIO, CSO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
By Scott Berinato
Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering.
If most of the investment has been put into technology, most of the return will come from there too. The tools will do their job. They will tell you what's happening and block the most ham-fisted attacks. But technology is largely reactive. It provides alarms and ex post facto reports of anomalies. Intrusion detection, for example, is not terribly effective at threat intelligence—understanding the nature of vulnerabilities before they affect you. All IDS boxes know is that some preset rule has been broken. Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.
Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Antiforensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.
Why You Have to Change Your Strategy
What can be done about all this? Be strategic. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy.
Information and security executives should, for example, be putting their dollars into industry information sharing. "Collaboration is key," says Woerner. They should invest in security research and technical staff that can capture and dissect malware, and they should troll the Internet underground for the latest trends and leads. Dozens of security companies do just this and provide subscriptions to research services.
"We have to start addressing the human element of information security, not just the technological one," says Woerner. It's only then that companies will stop being punching bags. Only then will they be able to hit back.
IT Strikes Back
Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.