Analysis: 2007 Global State of Information Survey
Five years ago, when CIO, CSO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
By Scott Berinato
[Chart: "Security Dollars Come from IT". Funding for information security comes from (respondents could check more than one). Chart data not reproduced in this text.]
Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (illegal entry) and digital ones (illegal network access).
And for four years, convergence of physical and IT security steadily increased. Until this year.
Physical and Information Security Converge, Then Diverge

Information and physical security are separate
Year   Overall   Revenue $1B or more
2003   71%       NA
2004   50%       NA
2005   47%       NA
2006   25%       36%
2007   46%       55%

Information and physical security report to the same executive leader
Year   Overall   Revenue $1B or more
2003   11%       NA
2004   26%       22%
2005   31%       24%
2006   40%       33%
2007   34%       27%

Respondents who do not integrate physical and information security personnel: 69%
Of those, percent with no plans to integrate personnel: 80%
Who's in Charge?
Signs of I.T.'s control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—sometimes two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.
What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."
In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.
That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?
One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.