The Global State of Information Security 2008

Our annual survey finds respondents throwing technology at the problem. Which is a beginning, but only a beginning.

1 2 Page 2
Page 2 of 2

The complexity of such a project explains the low numbers, Lobel says. "Doing this project is a lot of effort, and unless there's a regulatory need for it, many don't do it."

Stanley expects the project to take three or four years. "Anything that keeps planes in the air and money coming through is Tier 1," Stanley explains. That would include information about crew scheduling, and cargo and fuel needs, as well as credit card processing information. Tier 2 or 3 is still important to protect, but not critical to keeping planes aloft, for example, providing employees access to their 401(k) accounts.

Security technology and procedures will correspond to the risk and tier level in which a given piece of data falls, as defined by the data owner. Tier 1 might mandate twice-a-day backups and two-factor user authentication, he says. "I can expend my resources more appropriately to our data's value and therefore save the company money," he says. "Stop spending $10 to protect $5 worth of data." Music to an airline CEO's ears, no doubt.

Which Brings Us Back to Money

With security budgets averaging $1.7 million, an optimistic 44 percent of those surveyed said their information security spending would increase this year, while 4 percent expected a decrease. Where will the money go? We see glimmers of hope. Top priorities in the coming year include hiring information security consultants and hiring a chief information security officer. Respondents also plan to develop security procedures for handheld devices and create an identity management strategy. They expect to invest in technologies, including biometrics, to tighten access to sensitive data, as well as in data-leakage prevention and security event correlation tools to start analyzing what works and what doesn't on which kinds of security problems.

These steps, Lobel says, will get companies closer to a comprehensive security strategy. Already, he notes, 40 percent of organizations use security as a marketing point, usually soliciting business on the grounds that they protect customer data better than their rivals. "But it's only a competitive advantage if it works, if it's good security."

Related:

Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies