What's happening? Why has strategic planning for security become an afterthought? One answer may be that in an information vacuum (information security executives report that they are unsure of their budgets, where attacks have come from and where they will find people with the skills they need), short-term solutions seem more prudent than long-range ones. Sony's Spaltro offers a more fundamental reason: Information security managers have what he calls "dings" coming into the job. They speak geek. Their bosses don't. "I tend to open meetings with executives by reminding them that security is a business decision and everything we do from cameras to encryption to information classification is a decision that the business makes to protect its assets, and I don't own that decision," Spaltro says. "I'm there to be the bridge between the technology and the risk that they face and help them to make decisions, but in the end it is really for them to tell me what to go execute."
For information security to be most effective, aligning the technological processes with the organization's strategic plan is critical. Companies that make security part of their strategic plan, Lobel says, have fewer breaches, lower financial losses and the least network downtime.
IV. Compliance—Time to Get Tough
As was the case last year, a surprising portion of survey respondents admitted that they're not in compliance with the information security laws and regulations that govern their industries.
That includes high-profile laws that have been on the books for years. More than one-quarter of U.S. security execs who said their organizations need to be compliant with HIPAA, the eight-year-old law that requires health-care organizations to protect patient information, admitted that they are not.
Noncompliance runs broad and deep in all industries, and ignorance of applicable law is a big factor. Nearly one in five U.S. survey respondents said they should be but are not in compliance with California's 2002 security breach law, which requires companies to notify individuals if an unauthorized person obtains access to their private information (such as credit card numbers). But only 22 percent of all U.S. respondents said the law applies to them. However, given that the law applies to any organization that has even one California resident as a customer, student or client—more than one in 10 Americans—a good portion of the 78 percent of enterprises that think the law does not apply to them are likely wrong.
Similarly, it would have been hard over the past four years to miss the requirements of such laws as Sarbanes-Oxley (www.csoonline.com/article/218577) and Gramm-Leach-Bliley. Still, more than one-third of all U.S. respondents said they are not in compliance with Sarbanes-Oxley even though they should be, and more than one out of seven said they were not compliant with Gramm-Leach-Bliley. That's a slight improvement from last year, but considering the stiff criminal penalties for not complying, many executives seem to be leaving themselves open to lawsuits and possible prison terms and exposing their enterprise to fines.
And this is not simply an American phenomenon. Half of Australian organizations surveyed admitted to not complying with their country's privacy legislation. Almost a third of U.K. respondents said they do not comply with their country's eight-year-old Data Protection Act, and nearly one-third of stereotypically law-abiding Canadian organizations said they do not comply with their nation's privacy act.
At the root of this may be a lack of enforcement. To date, the cost of noncompliance is not as high as the expense of complying—the price of labor, hardware and software. In the absence of penalties, security executives have not been able to mount a business case for compliance. Add to that the fact that despite high-profile security breaches and lost laptops over the past year, the actual damages and ID thefts that can be directly tied to the incidents are small, says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies in Washington, D.C. "People may have a sense that they are not as vulnerable as they used to be," he says, and so not complying with laws is perceived as less risky.
If security is to improve, security laws need more teeth. And that applies to an organization's own rules as well. Survey respondents reported that more than two-thirds of users are compliant with their organization's security policies, a statistic that has remained unchanged over the past three "Global State of Information Security" surveys. One of the most critical factors for reducing network downtime is compliance with an organization's security rules, Lobel points out, but that requirement isn't even in Control Objectives for Information and Related Technology (COBIT), the bible for IT governance.
Lobel suggests organizations assign penalties for not complying with their own security policies. But make sure, he adds, that the penalty matches the infraction. "You may not want to terminate someone who puts passwords on yellow sticky notes," Lobel says, "but there have to be some consequences."
V. The Best and Brightest
Last year we highlighted the financial services sector as possessing the best information security practices, and this year that industry once again leads all others in integrating information security with strategic operations.
Companies in the financial services sector (banks, insurance companies, investment firms) are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprisingly, financial services companies also have deployed more information security technology, such as intrusion detection and encryption tools and identity management solutions.
It's obvious, therefore, that financial services organizations are far more likely, almost twice as likely in fact, to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.
The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists. Protecting the money is the industry's most critical concern. The past few years have seen a sharp increase in cybercrime (phishing, identity theft, extortion and spyware, to name a few). Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization.
Financial services firms are more likely than enterprises in other industries to use ROI to measure the effectiveness of security investments (29 percent versus an average of 25 percent), and they also are more likely to use potential impact on revenue to justify investments (36 percent versus an average of 27 percent). These arguments work. More financial services companies saw a double-digit increase in their 2006 security budgets than those in any other sector.
Regulation plays a part too. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices.
Following this line of reasoning about regulatory compliance, one would think that government, health care and education, all highly regulated and entrusted with securing private information, would match the financial sector in instituting strategic security practices. One would, however, think wrongly. According to the survey, government, health care and education, despite their responsibility for protecting the personal information of hundreds of millions of citizens, patients and students, are less likely than finance to follow the best tactical and strategic security practices. The government and health-care sectors, for the most part, lead other sectors in following and instituting information security policies and moving to become more strategic. But the two sectors are well behind financial services. Only 42 percent of government entities report having an overall security strategy, compared with 56 percent in the financial sector.
The education sector is even farther behind in developing, following, and deploying information security practices and tools. Educational organizations find themselves in this position even after highly publicized network break-ins, including those at San Diego State University and most recently at Ohio University, which exposed students' and their families' data, including home addresses, Social Security and credit card numbers, and tax information.
In fact, the education sector suffers more negative security events (viruses and worms, denial-of-service attacks, identity thefts, unauthorized entries and trafficking in illicit data), more network downtime and more downtime that lasts for many days than what the average respondent worldwide experiences.
And the security future doesn't look bright for the educational sector either. A smaller portion of educational security respondents than most other sectors said they plan to hire a C-level security leader, conduct background checks of new hires, start checking if networks are compliant with security policies, conduct or institute employee security awareness programs or install encryption tools, just to name a few. Educational organizations are sticking to more mundane and tactical security fixes: installing firewalls, backing up data and deploying network security tools. It's relatively easy to predict that the education sector's security outcomes will not improve significantly in 2007.
VI. Dancing in the Dark
You know your information security strategy is working when the number of successful breaches is low, the amount in financial losses is negligible and network downtime is kept to a minimum. Unfortunately, a large percentage of security leaders worldwide have no idea if their security plans are working because they don't know any of these numbers.
From 2003 to 2005, the percentage of survey respondents saying they had fewer than 10 negative information security incidents in the past year remained steady. But this year, we included the option to answer that you do not know how many negative security incidents occurred. This year, nearly one-third of respondents admitted that they do not know how many breaches or unauthorized access events occurred within their organizations.
To a certain extent, that's understandable. Attacks can be hard to identify, and networks can be extensive. What's less comprehensible is that a significant portion of respondents said they have not installed some of the most rudimentary network safeguards. Only one-third of respondents have put in place patch management tools or monitor user activity. Less than half use intrusion detection software or monitor log files (the two best methods organizations can employ to learn of negative security events) and even fewer use intrusion prevention tools. Surprisingly, more than 20 percent of respondents don't even have the most basic security in place, a network firewall.
Installing a firewall is easy. If a significant number of respondents haven't even done that much, it shouldn't be surprising that many more are struggling with the hard stuff. It's hard to quantify attacks and what's lost because of them. First, just understanding what constitutes an incident can be confusing. "Is having spyware on your computer an incident?" Sony's Spaltro asks. "Some may not think so, but we treat it as such." Second, the skill set to track, record, correlate, organize, write and communicate up the executive chain is lacking in most organizations. For the fourth consecutive year, there was an increase in the percentage of respondents throwing their hands up and saying they have no idea how much money their companies lost due to attacks. It's now up to 50 percent.
"How do you calculate the loss of intellectual property or the damage to a corporate reputation?" Lobel asks. "Very smart people have a hard time agreeing on the value."
But until the security department can put a credible dollar figure on what the company is losing because of poor security, the boardroom isn't going to listen to security executives asking for more money to spend on technology or on skilled security workers (cited as the top resources needed to improve security). The CEO wants to know how security affects shareholder value. But answering that would require a strategic overview and, as we have already seen, security professionals, by and large, don't have one. At least, not this year.
Allan Holmes is Washington bureau chief for CIO, a CSO sister publication. He can be reached at aholmes@cio.com. Send feedback to csoletters@cxo.com.