PwC Global Information Security Study
This latest report from PwC, conducted with CIO and CSO Magazines, has some interesting content. One thing I like is that the respondents are truly global: the 9,600 responses come from 138 countries, 29% from North America, 26% from Europe, 21% from South America, 20% from Asia, and 3% from the Middle East and South Africa.
- 70% of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices… They have an effective strategy in place. They consider their organizations proactive in executing it. And their insight into the frequency, type and source of security breaches has leapt dramatically over the past 12 months.
- Some evidence points to a “crisis in leadership” and dangerous deficits in strategy. Capabilities across security domains are degrading. And security-related third-party risks are on the rise.
- The two most important business issues or factors driving their information security spending were economic conditions and the need to ensure business continuity and disaster recovery.
- About half of the respondents are deferring security projects and reducing spending on IT security.
- Approximately 80% or more of respondents can provide specific information about security event frequency, type, and source. Prevention, detection and web-related technologies, three sets of capabilities that apply across regions, industries and organizational sizes, are attracting more attention this year than any other single core security-related area.
- About half believe that the security spending drought will ease at some point in the next 12 months.
- The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event. In the few short months since the survey was launched on February 10, 2011, for example, leading organizations worldwide have been targeted by Advanced Persistent Threat attacks. The targets have included national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system. Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well. This year, significant percentages of respondents across industries agreed that APT drives their organization’s security spending. These included 43% of consumer products and retail respondents, 45% of financial services respondents, 49% of entertainment and media respondents and 64% of respondents from the industrial manufacturing sector. Only 16% of respondents say their organization’s security policies address APT. In addition, more than half of all respondents report that their organization does not have core capabilities directly or indirectly relevant to countering this strategic threat, such as penetration testing, identity management technology or a centralized security information management process.
- What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors—and shine the spotlight hottest at the “top of the house.”
- Mobile devices and social media represent a significant new line of risk— and defense. New rules are in effect this year for many organizations, though not yet the majority.
- More than four out of ten respondents report that their organization uses cloud computing—69% for software-as-a-service, 47% for infrastructure-as-a-service and 33% for platform-as-a-service.
- Has the cloud improved security? More than half (54%) say it has, 23% believe that security has “weakened” and 18% see no change. What about the greatest risks to cloud computing strategies? The largest one is perceived to be the uncertain ability to enforce provider security policies. Others include inadequate training and IT auditing, questionable privileged access control at the provider site, the proximity of data to someone else’s and the uncertain ability to recover data, if necessary.
- The study includes a definition of a leader in information security. A leader has:
- An overall information security strategy in place;
- Its CISO or equivalent security leader reporting to the “top of the house”—i.e., either the CEO, the CFO, the COO or legal counsel;
- Both measured and reviewed the effectiveness of its information security policies and procedures within the past year; and,
- An understanding of exactly what type of security events have occurred over the past 12 months.
- Leaders are reporting half as many incidents, on average (1,274 per year vs. 2,562 for all survey respondents). Yet they’re encountering significantly higher levels of exploitation—of data (45% vs. 26%), of mobile devices (36% vs. 23%), of applications (30% vs. 20%), of systems (40% vs. 29%) and of networks (40% vs. 28%). They’re also much more likely to suspect that the attacks are initiated by employees (38% vs. 32%), former employees (41% vs. 26%) and hackers (50% vs. 35%).
Key takeaways for me include the observation that many have confidence in their IT security, yet the threat presented by APT, social media, and mobile has not been satisfactorily addressed. At the same time as technology is presenting new risks, spending on security continues to be reduced. The pressure to improve efficiency must be immense.
What do you think? Are these observations consistent with yours?