Are you an IT security leader - really?

An astonishing number of survey respondents believe they are IT security leaders. But what does it really take to be a leader, and how does your organization stack up?

By George V. Hulme

October 03, 2011 | CSO

A surprisingly high—unreasonably high, in fact—number of organizations think their security program is part of the vanguard of risk management.

That was one surprising finding of this year's annual Global Information Security Survey, conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers. More than 9,600 business and technology executives from around the world took the survey, and 43 percent of those surveyed believe their organizations are IT security leaders. The other categories respondents could choose from were strategist, tactician and follower.

Obviously those enterprises, by definition, can't all be at the forefront of security. "Most of these 'leaders,' in my opinion, have a false sense of their level of security," says Mark Lobel, a principal in the advisory services division of PwC.


Ahead of the Bell Curve

In an attempt to identify the organizations that might actually be information security leaders, PwC filtered the results according to conditions it felt would qualify a company to deserve the label.

  • First, the CISO had to report directly to a senior executive.
  • Second, the organization had to have an IT security strategy in place and the ability to execute that strategy.
  • Third, it had to have reviewed its security policy in the past year.
  • And finally, if the company had suffered a data breach, it had to know the breach's cause.

Under those criteria, less than 5 percent of respondents' organizations actually made the cut.

About half of respondents reported suffering one or more breaches, and a third said they weren't breached in the past year.

About 8 percent couldn't tell whether they had been breached or not. The good news from those figures is that a growing number of companies believe they understand the security events happening on their networks, and know what applications or systems were infiltrated.

However, that confidence doesn't align with the increased sophistication of malware in recent years. "In our engagements and my conversations with peers, we are dealing with more organizations that are grappling with international infiltration," says Shawn Moyer, practice manager of research consulting at Accuvant Labs. (For more on this topic, see, for example, "Customized, Stealthy Malware Growing Pervasive.") "Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere," Moyer says.

"I think there are a lot of executives out there with a false sense of security," says one security manager at a Midwest manufacturing firm.
