World Survey

by msecadm4921

Organisations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies.

That is according to the fifth annual Global State of Information Security Survey 2007, a worldwide study by audit firm PricewaterhouseCoopers. The study includes responses of 7,200 IT, security and business executives in more than 119 countries across all industries.

Results according to PwC show India has made major gains since 2006 with information security practices and safeguards while China lags behind the rest of the world in almost all privacy safeguards. Other findings show that IT is taking budgetary control in 2007, with the majority of information security budgets now coming directly from the IT department.

Data breaches are driving privacy concerns, but encryption of data at rest remains a low priority despite it being the source of many data leakage issues.

According to the survey, the majority of organisations now have a CSO or CISO in place (60 per cent in 2007 versus 43 per cent in 2006), as well as an overall information security strategy (57 per cent in 2007 versus 37 per cent in 2006), and results show the majority are also heavily invested in technology safeguards such as network firewalls (88 per cent), data backup (82 per cent), user passwords (80 per cent) and anti-spyware (80 per cent). However, the investment of time in practical measures remains low.

For example, some 63 per cent of respondents state they do not audit or monitor user compliance with security policies, and less than half (48 per cent) measured and reviewed the effectiveness of security policies and procedures in the last year.

What they say

“Clearly, there is greater awareness of the threats, as well as the tools and safeguards available to offset threats and protect against attack. But sound infrastructure is only half of the solution,” says Mark Lobel, a principal in the Advisory practice of PricewaterhouseCoopers. “Security leaders and practitioners need to create and enforce internal policies in order to help ensure appropriate use and protection of corporate information systems.”

The study also suggests most companies do not document enforcement procedures in their information security policies. Less than one-third (31 per cent) include enforcement mechanisms while only 28 per cent include collection of security metrics.

“Uncertainty about the business value of security investments will continue to be high as long as companies fail to monitor user compliance or measure the impact of information security safeguards,” says Lobel.

IT in lead

Improving internal protocol and aligning security spending to business objectives will likely fall to IT leadership in the coming years, it is claimed. Survey results show the majority (65 per cent) of information security budgets now come directly from the IT department, a jump from 48 per cent in 2006. Other department budgets for information security are down this year, including compliance/regulatory (9 per cent in 2007 versus 18 per cent in 2006), finance (15 per cent in 2007 versus 19 per cent in 2006), and other business lines (4 per cent in 2007 versus 18 per cent in 2006).

Security reporting to IT bounced back for the first time in four years, with survey results showing more split reporting lines and security reporting to multiple departments.

“Specifically, this is a check-all-that-apply question that shows security is now reporting to more than one master,” explains Lobel. “We see more security practitioners reporting to the CIO (38 per cent in 2007 versus 33 per cent in 2006) and CTO (15 per cent in 2007 versus 6 per cent in 2006). We also see more security executives having multiple reporting lines including risk and the CFO — 6 per cent to 9 per cent and 7 per cent to 11 per cent respectively.”

Gaps in alignment of security spending to business objectives

Currently there are gaps in the alignment of security spending to business objectives. According to the survey, only 30 per cent of respondents report their organisation’s information security policies are completely aligned to business objectives, and even fewer (22 per cent) believe security spending is completely aligned. This is up only slightly from 2006, when 28 per cent of respondents reported their security policies were completely aligned with business objectives. And although 42 per cent of respondents report regulatory compliance has significantly increased security spending, 58 per cent report they do not link security (either through organisational structure or policy) to privacy and/or regulatory compliance.

“Gaps in alignment of security policies and spending to business objectives will shrink when compliance practices become more tightly aligned with broader risk management objectives,” says Lobel.

The study also suggests a lack of agreement between CEOs, CIOs and CSOs on security priorities and spending. For CEOs and CIOs, business continuity and disaster recovery are the top priorities for information security spending. However, for CISOs, the number one priority is regulatory compliance. Ironically, given the common business objective of lowering risk, most respondents (78 per cent) report their organisations do not continuously classify data and information assets by risk level. Seventy-three per cent do not include classifying the business value of data in their security policy.

Privacy profile

Other survey results show privacy continues to be high profile but not necessarily high priority for security executives. Most companies report gains in privacy safeguards; however, there are a few key areas in which companies still tend to be weak. Only one-third (33 per cent) of respondents keep an accurate inventory of user data or of the locations and jurisdictions where data is stored. Similarly, only one-quarter (24 per cent) keep an inventory of all third parties using customer data.

Encryption of data at rest also remains a low priority even though it is the source of many data leakage issues. Half or fewer of respondents report encrypting data residing on databases and laptops (50 per cent and 42 per cent respectively).

India improves

India made major gains since 2006 with information security practices and safeguards such as hiring CSOs and CISOs (87 per cent in 2007 versus 58 per cent in 2006), implementing an overall security strategy (62 per cent in 2007 versus 34 per cent in 2006) and using passwords (69 per cent in 2007 versus 54 per cent in 2006). However, both India and China report higher rates of extortion, fraud, IP theft and financial losses than the US.

China leads other countries in requiring third parties to comply with privacy policies but lags behind in almost all other privacy safeguards.

In China, only 14 per cent employ a chief privacy officer (compared to 23 per cent in the US and 22 per cent worldwide), 18 per cent have mechanisms in place to report security incidents to customers or business partners (compared to 32 per cent in the US and 29 per cent worldwide), 39 per cent require employees to complete training on privacy policies and practices (compared to 50 per cent in the US and 37 per cent worldwide), and 31 per cent secure web transactions (compared to 51 per cent in the US and 46 per cent worldwide).

“Whether you are outsourcing your IT or manufacturing, you have to step back and make sure the companies you are working with are protecting your information,” says Lobel.

Employees most likely source of information security event

In other survey highlights, for the first time, employees took over the number one spot as the most likely source of an information security event. The majority (69 per cent) of respondents cite current and former staff as the likeliest source of attacks, surpassing hackers at 41 per cent. This is up significantly from 2005, when only 33 per cent of respondents cited staff as the most likely source versus 63 per cent for hackers. Email and abuse of valid user accounts and permissions are reported as the primary methods for such attacks, yet only about half (52 per cent) of respondents employ routine people-related information security safeguards. Simple safeguards such as personnel background checks (52 per cent), monitoring employee use of Internet and information assets (48 per cent) and dedicating human resources to employee awareness programmes for internal policies and procedures (47 per cent) remain uncommon.

The majority of respondents (63 per cent) still do not have an identity management strategy in place.

Need for improvement

The study also shows continued corporate struggle with extending security to third parties. One in five respondents (21 per cent) don’t know if their users are in compliance with information security policies. Furthermore, 70 per cent are only somewhat or not at all confident in their partners’ and suppliers’ information security, and 55 per cent are only somewhat or not at all confident in their outsourced vendors’ security.

© 2024 Professional Security Magazine. All rights reserved.