
Analysis: 2007 Global State of Information Security Survey

Five years ago, when CIO, CSO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.

By Scott Berinato

Page 5

The IT department wants to control security again.

In the first year of collaboration on this survey (see www.cio.com/article/29841), CIO, CSO and PwC noted that the more confident a company was in its security, the less likely it was that the company's security group reported to IT. Those companies also spent more on security.

The reason CIO and CSO have always advocated separating IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project, which might slow the project down and add to its cost, he has a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."

And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.

In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:

1. IT (CIO, CTO)

2. Neutral (board, CEO, CFO, COO, legal)

3. Security (audit, CPO, CSO, risk, security committee)

Because respondents could select more than one of these answers, we report "shares": the percentage of respondents with some reporting relationship to at least one function in a given category. The three shares therefore do not sum to 100 percent. Here are the results.

Reporting to IT

Percentage of respondents with some reporting relationship to each category of function

Category    2006    2007    2007 (>$1B revenue)
IT          41%     53%     60%
Neutral     76%     79%     68%
Security    44%     46%     48%

A 12-point rise (from 41 percent to 53 percent) in the share of security executives reporting to IT is hugely significant. And when you slice that by large companies, it is a 19-point rise (60 percent against the prior year's 41 percent). Notice, too, that bigger companies show fewer information security executives reporting to neutral functions: 68 percent, against 79 percent across all respondents.

M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."

Indeed, the trend is even more pronounced when you follow the money.
