Five truths that have emerged from five years of the "Global State of Information Security" survey

After five years of conducting the “Global State of Information Security” survey, we have noted some critical trends in information security. We’ve also uncovered nontrends—numbers that remain so constant and predictable that we can now call them conventional wisdom. Here, then, are five pieces of wisdom based on numbers in the survey that never seem to change.

Spending lags. You’re always about 10 percent happier with security policy’s alignment with the business than you are with security spending’s alignment. Over the years, roughly 85 percent of you have said that your security policies are completely or somewhat aligned with the business, while just 75 percent said that about spending. After all, who doesn’t want more money?

Partners too. You’re more confident in your own security than that of your partners, suppliers and vendors. Once again, around 80 percent to 85 percent of you were either very or somewhat confident in your security, but when you were asked about partners and vendors, the number dropped to between 70 percent and 75 percent. Remember, you’re someone’s partner and he’s not too thrilled about you either.

Few are cocky. About one in 12 of you think very highly of yourselves. Since 2003, the number of respondents who claimed 100 percent of their users were in compliance with their security policies has hovered around 8 percent.

Size doesn’t matter. Company size does not affect spending. When the information security budget is measured as a percentage of the IT budget, it remains constant no matter how many employees a company has or what its revenue is. Company size matters less to security spending than industry does. Technology companies spend the most; nonprofits and educational enterprises spend the least.

Banks lead.
Financial services companies are attacked more but suffer less. Over the years, respondents in the money business have reported more security incidents without an appreciable increase in losses or downtime as a result. They do this despite not having significantly larger security budgets than others. The financial sector models best practices.