When it comes to information security, the reflection you see in your morning mirror is probably not that of a sharp, confident, professional IT executive. Rather, that man in the mirror is more likely to look like a gangly, awkward, not-yet-to-be-fully-trusted teenager.
That's what "The Global State of Information Security 2006" survey tells us. In its fourth edition, this largest-of-its-kind survey reveals that global information executives, still relatively new to security's disciplines, are learning and improving but are still prone to risky behaviors—behaviors that could have devastating consequences.
The study by CSO, CIO and PricewaterhouseCoopers (PwC), with 7,791 respondents in 50 countries, indicates that an increasing number of executives (CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security) across all industries and in private- and public-sector organizations continue to make incremental improvements in deploying information security policies and technologies, although the rate of improvement is slower than in previous years. They're becoming more financially independent, with some security budgets increasing at double-digit rates. And they say they're more confident in their level of security, perhaps because their networks have not had a serious virus or worm in the past 12 months.
But teenagers, as any parent knows, live in the moment and have an ability to ignore what they know they should do and do what they know they shouldn't. The survey shows us that most executives with security responsibilities have made little or no progress in implementing strategic security measures that could have prevented many of the security mishaps reported this year. Only 37 percent of respondents said they have an overall security strategy. And they're planning to focus more on tactical fixes than on strategic initiatives, ensuring that in the coming year they will be more reactive than proactive.
What's more, companies continue to do business with insecure organizations. One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. Many survey respondents in India admitted to not adhering to the most routine security practices. The problem is obvious, but right now it's apparently easier to ignore than to address.
Harder to ignore is the constant news of large organizations losing laptops packed with unencrypted personal data on millions of customers. Every year we report that such incidents should motivate companies to tighten security, but every year the survey indicates that's not happening. Similarly, even after Hurricane Katrina, which hit the Gulf Coast seven months before we launched our survey, a majority of companies still do not have a business continuity/disaster recovery plan in place, and plans to complete one this year have become less important to security officials than in 2005.
Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations—such as California's security breach law, the Health Insurance Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union Data Privacy Directive—have been around for years. Is this an example of adolescent rebellion, or are security executives finding it hard to obtain the necessary resources to comply?
The answer, says Mark Lobel, a PwC advisory partner specializing in security, is neither, actually. The information security discipline still suffers from the fundamental problem of making a business value case for security. Security is still viewed and calculated as a cost, not as something that could add strategic value and therefore translate into revenue or even savings.
But if one digs into the results, there are reasons for optimism. There's evidence that organizations that comply with security laws are more likely to be integrating and aligning security with their enterprise's business strategy and processes, which in turn reduces the number of successful attacks and the financial losses that result from them. In short, security can create value if it's part of an organization's business plan and if the executive in charge is part of the executive team making those strategic spending and policy decisions.
The six sections that follow illustrate that global information security management practices are varied and, with a few notable exceptions, have yet to mature. New this year, we have posted online (at www.csoonline.com/podcasts) a panel discussion with security practitioners and experts discussing the survey findings and offering solutions that may help information executives improve the security of their organizations. The data, we hope, will bolster the argument for a more strategic approach to security. And strategy—thinking ahead, connecting actions to their consequences—is, of course, a sign of maturity.
I. Growing Up, Slowly
The 2006 survey shows that a few more companies than last year are thinking about security strategically, at least in some areas. A larger percentage of companies are aligning security objectives with business objectives (20 percent of respondents said they align all security spending with their business objectives, up from 15 percent in 2004), and a larger percentage are classifying data sets by the sensitivity of the information each application holds and then protecting each set with a matching level of security (25 percent in 2006, up from 21 percent in 2004).
One of the biggest changes from last year is that more companies are integrating physical and information security. The percentage of organizations that reported having some form of integration between physical and information security has grown rapidly, to 75 percent in 2006 from 29 percent in 2003. A similar spike occurred in the percentage of respondents saying their physical and information security chiefs report to the same executive leader, to 40 percent from 11 percent in 2003.
Why is that important? To answer that, one need look no further than the daily newspaper stories about lost and stolen laptops containing private customer information. Just ask the U.S. Department of Veterans Affairs and AIG, both of which were involved this spring in high-profile cases of stolen laptops. With physical and information security combined, fewer laptops may be lost. And if they are lost or stolen, the same function that tracks the hardware can insist that the data on it be encrypted, so that a thief who has the machine still cannot read what is stored on it. "In today's environment of IP-based control devices, cameras and other security sensors, the physical aspect is becoming more and more of an IT issue," says Jason Spaltro, executive director of information security for Sony Pictures Entertainment.
With increasing aggregation and integration of security functions come larger security budgets. Almost half of the survey respondents said their budgets would increase this year, with more than one out of five saying the rate of increase would be in the double digits. That's a faster increase than the overall IT budget. More security execs are being granted financial autonomy too, a sign that security heads are being given more responsibility, a key ingredient in raising security's strategic profile in the organization.
However, nearly two-thirds of companies worldwide (almost 64 percent) still have not created C-level security positions such as chief security officer or chief information security officer.
Managing security strategically, and at the executive level, may make sense in theory, but in the boardroom it remains a hard sell. "We need proof that strategic security planning works to convince the business side of the organization to make a seat for it at the executive table," you may say.
The good news is that the survey contains that proof: Organizations that reported that their security policies and spending are aligned with their business processes experienced fewer financial losses and less network downtime than those that did not.
Sounds like the making of a value statement.
II. The Wild, Wild East
India lags far behind the rest of the world in instituting even the most basic information security practices and tools. With the subcontinent claiming status as the outsourcing partner of choice for the biggest IT powerhouses in the world, these findings should be a source of considerable concern: 49 percent of all offshore outsourcing implementations are located in India, with up to 90 percent of worldwide outsourcing revenue going to India, according to Duke University and Ciber/Archstone Consulting.
The widespread absence of even the most routine security tools (patch management, content filters and access control software) and policies (secure disposal of hardware, business continuity plans, setting security baselines for outside business partners) has left many Indian companies vulnerable to serious attack and the inevitable financial losses that follow. Extortion, fraud and intellectual property theft occurred last year at one in every five or six Indian companies, rates that are double and even quadruple those of the rest of the world. Nearly one in three Indian organizations suffered some financial loss because of a cyberattack last year, compared with one out of five worldwide and one out of eight in the United States. "You cannot take information security for granted in India," PwC's Lobel warns.
The survey does not identify companies by name, so its results do not indicate whether the popular Indian outsourcing companies are among the below-average security practitioners. Even so, Lobel suggests taking a cautious tack before jumping into an outsourcing relationship. The first step companies should take when considering outsourcing work to India is to verify that an India-based unit's security processes and policies are of the same caliber as its U.S. unit's.
Second, Lobel suggests conducting a risk assessment of the Indian unit's security practices. Even if an Indian organization says that it follows a familiar, specific security practice, don't presume the organization defines the practice the same way that you do. "Conducting background checks may mean something entirely different in India than it does here," Lobel points out. Find out exactly what the practice involves.
Indian security officials have their work cut out for them, but they do say they plan to harden information security. Indian organizations lead their foreign counterparts (sometimes by a significant amount) in plans to deploy new security measures and policies. And they're not just tactical. A substantially larger percentage of Indian companies (nearly double the rate worldwide) reported plans to hire a C-level security executive this year. Whether the Indian organizations are able to follow through and begin to reduce the security gap is something that should show up in the 2007 survey. Stay tuned.
III. The Strategy Gap
When an individual thinks he doesn't have enough information on which to base decisions, or as many resources as he believes he needs and, for the most part, he's not part of the planning process, what does he do? Typically, he falls back on what he knows best. For information security executives, that means focusing on technology—on tactics, not strategies.
Perhaps not coincidentally, this year executives are shifting from more strategic security practices toward more traditional technology practices (compared with last year's results). In 2005, for every one technology item on the security executive's to-do list, respondents mentioned four process fixes. This year, that ratio is nearly 1-to-1. In all, of the top dozen items on the 2006 security to-do list, seven can be described as a technological fix. Among the top five are some of the more routine and easy security measures, including data backup, network firewalls, application firewalls and instituting user passwords. That helps explain why the percentage of companies reporting they have an overall strategic plan in place was unchanged at 37 percent.
At the very least, some of the shifts are perplexing. Dropping from the top spot in 2005 to fourth place this year is the development of a business continuity and disaster recovery plan. That's a surprising result given Hurricane Katrina's reminder of the importance of such plans.
But news coverage about disasters and security breaches may not be a driver for security investments. Our prediction that last year's 10th item on the information security to-do list, spending on intellectual property (IP) protection, would move up because of the sharp increase in high-profile identity thefts and the growing amount of digitized content (such as iTunes) did not come true. IP protection didn't even make the 2006 top 10 list. Even some of the simpler and less costly strategic security practices dropped. Conducting employee awareness training fell from second to a tie for 10th on the priority list.
The kicker here is that designing an overall information security strategy, fourth on the list last year, didn't make the 2006 list.