Analysis: 2007 Global State of Information Survey

Five years ago, when CIO, CSO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.


A 12 percent rise in the number of security executives reporting to IT is hugely significant. And when you slice that by large companies, it's a 19 percent rise. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions.

M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."

Indeed, the trend is even more pronounced when you follow the money trail.

[Chart: Security Dollars Come from IT. Funding for information security comes from (respondents could check more than one). Chart data not reproduced in this text.]

Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (illegal entry) and digital ones (illegal network access).

And for four years, convergence of physical and IT security steadily increased. Until this year.

Physical and Information Security Converge, Then Diverge

Information and physical security are separate

Year   Overall   Revenue $1B or more
2003   71%       NA
2004   50%       NA
2005   47%       NA
2006   25%       36%
2007   46%       55%

Information and physical security report to the same executive leader

Year   Overall   Revenue $1B or more
2003   11%       NA
2004   26%       22%
2005   31%       24%
2006   40%       33%
2007   34%       27%

Respondents who do not integrate physical and information security personnel: 69%

Of those, percent with no plans to integrate personnel: 80%

Who's in Charge?

Signs of IT's control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—sometimes two or three times more likely—to cite general IT guidelines like ITIL than security-specific ones like SAS 70 and the various ISO security standards.

What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."

In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.

That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?

One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

"What I hear from CIOs," says Johnson, "is at the end of the day they're responsible for failures anyway. They're on the line whether security is separate or not." Why wouldn't the CIO want to control something he's ultimately responsible for?

On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit." Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure.

That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the technology. Why should IT be charged for another department's expenses?

Whatever the reason, the trend is disturbing to some security professionals, especially at a time when they play an ever more central role in corporate crises, and in society in general.

The state of Internet security is eroding quickly. Trust in online transactions is evaporating and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security.

But right when the best and brightest security minds are needed most, they're being valued less.

Copyright © 2007 IDG Communications, Inc.
