Visibility of information security exposure is increasing

Visibility of information security exposure is increasing; however, alignment of IT security to business objectives stays limited

International study by PwC, CIO and CSO Magazines shows signs that the role of security is maturing but critical deficiencies remain

European organizations are not yet fully compliant with the increasing local and global regulations, according to “The Global State of Information Security 2006”, a worldwide study by CIO magazine, CSO magazine and PwC. The survey, the largest of its kind, represents the responses of almost 7,800 senior executives at companies in more than 50 countries across all industries. The importance of security is becoming more visible to company boards, but the alignment of security strategy to business objectives is still limited. These findings are confirmed by the evolution of IT security budgets: IT security investment is growing in technology rather than in the alignment and enforcement of security policies. Moreover, the benefits of IT security investment are not yet fully measured.

“Belgium is overall in line with EU average, although some additional work should be done in SOX compliance (for those where it applies) and in building objective benefits measurements of security spending,” says Daniel Evrard, IT Management Partner responsible for ICT Process Improvement within PwC Belgium.

Effects of regulations and compliance
Both European organizations and their international colleagues continue to struggle with applicable information security laws and regulations that govern their industries – particularly those in the area of privacy. Of those EU respondents stating that they were noncompliant with applicable regulations, 45 percent are not compliant with the European Union (EU) Data Privacy Directive (38 percent for Belgium) and 17 percent report that they are still not in compliance with Sarbanes-Oxley (29 percent for Belgium). Thirty-six percent of all EU respondents (29 percent for Belgium) are noncompliant with other state/local privacy regulations.

The struggle to meet compliance requirements extends beyond Europe, with a high percentage of non-European firms reporting similar challenges. Eighteen percent of the US-based respondents are non-compliant with California Security Breach Notification Law CA 1386; half of the Australia-based respondents report not being in compliance with Australian Privacy Legislation.

“There is a marked lack of enforcement of these laws and regulations, and the cost of non-compliance is currently not as high as the expense of complying. To improve compliance with these regulations, security laws need to have more meaningful repercussions,” says Sebastian D'Amore, Eurofirm IT Security Partner, PwC. “Additionally, companies need to enforce compliance with their own security policies. This is one of the most critical factors for reducing network downtime, and yet respondents report that only a little more than two-thirds of all users are compliant – a statistic that has remained unchanged over the past three years.”

Some signs of information security maturity
Survey findings show several signs that the role of security is maturing. This year’s survey reveals that 38 percent of respondents worldwide (EU: 44 percent; BE: 47 percent) have been in their jobs for five years or more, indicating that security positions are becoming established within most organizations. Furthermore, security executives appear to be moving up the reporting chain, with security heads most frequently reporting to the CIO (33 percent worldwide; EU: 30 percent; BE: 38 percent), the CEO (31 percent worldwide; EU: 26 percent; BE: 33 percent) and the company board (24 percent worldwide; EU: 32 percent; BE: 27 percent).

Despite positive steps, survey responses also reveal critical deficiencies. Only 37 percent of Belgian respondents report having an overall security strategy in place – exactly the same percentage that reported this last year. In addition, while senior security executives are moving up the organizational ladder, the number of organizations hiring CSOs and CISOs has stagnated. Sixty-six percent of respondents (EU: 61 percent; BE: 48 percent) have yet to hire a CSO or CISO (compared to 60 percent in 2005).

Alignment of security to business objectives
Findings show limited improvement in organizations’ alignment of security to business objectives. Only 28 percent of respondents (EU: 27 percent; BE: 26 percent) report that their security policies are completely aligned with business objectives (slightly up from 26 percent in 2005). Moreover, in Europe, 40 percent of the respondents (BE: 38 percent) admit that more than half their users are not in compliance with their information security policies. This is not the case in the US, where only 19 percent of the respondents observe that half of the users are not compliant.

IT security budgets
Almost half of the survey respondents (46 percent; EU: 39 percent; BE: 37 percent) indicate that their IT security budgets will increase this year, with more than one out of five saying the rate of increase will be in the double digits – a faster increase than the overall IT budget.

Survey results also show that proving ROI remains a challenge. Today the effectiveness of security is measured mainly by “professional judgment” (worldwide: 46 percent; EU: 37 percent; BE: 38 percent) and by a “risk reduction score” (worldwide: 32 percent; EU: 31 percent; BE: 30 percent) rather than by “ROI” (worldwide: 25 percent; EU: 20 percent; BE: 15 percent).

Top three priorities in IT security
The third annual survey also shows a noticeable shift in priorities. In 2006, IT executives in Europe and in Belgium listed the top three priorities on their to-do list as technological fixes including data backup, network firewalls and user passwords. This is a departure from 2005 when the number one priority was disaster recovery and business continuity, followed by employee awareness and training programs, and with data backup third on the list.

“For information security to be most effective, organizations must align their security policies and spending with their business process. Organizations that do this experience fewer financial losses and less network downtime than those that do not,” says Sebastian D'Amore.

Confidence lacking in third-party security measures
The level of confidence in security measures has risen slightly from last year, with 33 percent (EU: 35 percent; BE: 47 percent) reporting that they are very confident in their own organization's security (up from 28 percent in 2005). Likewise, the perceived level of confidence of the CEO is up slightly: 39 percent (EU: 37 percent; BE: 43 percent) report that their CEO is very confident, compared with 35 percent last year.

However, many organizations rely on third parties for various business reasons – including outsourcing arrangements of financial, HR and IT functions – which in turn impacts the effectiveness of their own organization’s security measures. Of those who use third parties, only 22 percent (EU: 27 percent; BE: 35 percent) report that they are “very confident” in their partner/supplier’s security.

India still needs to close its security gap
This year's survey uncovers some major deficiencies in security measures for organizations responding to the survey from India. As India continues to make enormous gains in the world economy, its security infrastructure is clearly lagging behind. As a result, extortion, fraud and intellectual property theft occurred last year at one in every five or six India-based companies — rates that are double and even quadruple those of the rest of the world.

Despite the lag in security practices, the survey findings show some positive signs that India is proactively working to remediate the gaps. India-based companies are outspending other nations on information security, with 70 percent of India-based respondents indicating that they have increased security spending since 2005 (vs. worldwide: 46 percent).

Industry-specific highlights
The following section presents highlights for specific industries. These highlights are based on the worldwide results of the security survey.

Financial services/Banking
  • Financial services firms are more inclined to have a business continuity/disaster recovery plan (75 percent compared to 50 percent across industries), and conduct personal background checks (67 percent versus 51 percent).
  • One of the biggest security challenges for financial services firms is protecting data across the entire information lifecycle. The survey found that, while 68 percent of financial services firms encrypt data in transmission, only 43 percent encrypt stored data and 42 percent keep an accurate inventory of user data.
  • More than half (53 percent) of financial services organizations do not yet address data protection, disclosure and destruction in their security policies.

Healthcare
  • More than a third (36 percent) of healthcare respondents report that their organization now has a privacy officer – well above the cross-industry average of 16 percent.
  • Healthcare organizations are more likely this year than last to have reviewed their privacy policies at least once in the past 12 months (61 percent versus 59 percent in 2005) and posted these policies on their external website (46 percent compared to 43 percent last year).
  • The biggest factor driving security spending in the healthcare industry is business continuity. The survey finds 70 percent of IT executives in the healthcare industry report business continuity as the biggest factor driving spending, versus 57 percent of the total population.
  • When asked about strategic initiatives for next year, IT executives in the healthcare industry report more focus on centralized information security management – 32 percent in 2006, up from 17 percent in 2005; business continuity/disaster planning – 59 percent in 2006 versus 38 percent in 2005; and employee security awareness training – 49 percent in 2006 compared to 19 percent in 2005.

Government/Public sector
  • Public sector organizations in countries around the world are spending more than they ever have on security – 15.2 percent of their IT budgets, which is a clear increase over 2005 and 2004 levels (12.6 percent and 8.7 percent, respectively).
  • Compliance with privacy regulations continues to be the driving force behind many public sector security initiatives. However, only about half of all public sector entities protect privacy through practices such as securing web transactions (56 percent) and posting privacy policies on their internal (53 percent) and external (43 percent) websites.
  • More than three quarters (76 percent) of public organizations have still not established security baselines for external suppliers and vendors, and 62 percent do not yet require third parties to comply with their privacy policies.

Pharmaceuticals
  • Executive confidence in the effectiveness of security practices is higher than it has ever been (91 percent), and half of industry respondents expect to increase security spending in the next twelve months.
  • Pharmaceutical companies are more likely this year than last to encrypt data in transmission (59 percent vs. 54 percent) and post privacy policies on their external web site (42 percent vs. 37 percent). They are also more likely to secure web transactions (56 percent vs. 53 percent) and employ a chief privacy officer (19 percent vs. 16 percent).
  • Only 46 percent of pharmaceutical companies have an overall security strategy, and 73 percent do not integrate information security safeguards with privacy and compliance plans.

Technology
  • This year, technology companies are more likely to have an overall security strategy (39 percent vs. 32 percent), and they are significantly more likely to have measured and reviewed the effectiveness of their information security policies and procedures in the prior 12 months (58 percent vs. 43 percent).
  • Most technology respondents (70 percent) admit that their security policies do not address classifying the value of data, and 47 percent report that their organization does not have policies governing data protection, disclosure, and destruction.
  • Only 52 percent of technology respondents report that their organization encrypts data in transmission, and only 41 percent say they encrypt data in storage.

Notes to editor:
  1. About CIO and CSO Magazines
    CIO and CSO magazines are produced by CXO Media Inc., producer of award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business. Launched in 1987, CIO magazine addresses issues vital to the success of chief information officers (CIOs) worldwide. The CIO portfolio includes a companion website (www.CIO.com), CIO Executive Programs, a series of face-to-face conferences providing educational and networking opportunities for pre-qualified corporate and government leaders, and the CIO Executive Council, a professional organization of CIOs created to achieve lasting change in critical industry, academic, media and governmental groups. The US edition of the magazine and website are recipients of more than 160 awards to date, including two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors.

    Launched in 2002, CSO magazine, its companion website (www.CSOonline.com) and the CSO Perspectives™ conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets — from people to information and financial value to physical infrastructure. The US edition of the magazine and website are the recipients of 80 awards to date, including the American Society of Business Publication Editors’ Magazine of the Year award as well as eleven Jesse H. Neal National Business Journalism Awards. CXO Media is a subsidiary of International Data Group (IDG).
  2. About PwC
    PwC (www.pwc.com) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 130,000 people in 148 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.

    “PwC” refers to the network of member firms of PwC International Limited, each of which is a separate and independent legal entity.
  3. Survey results will be covered in-depth in the September 15 issue of CIO magazine and the September issue of CSO magazine. The coverage will also be available online at www.cio.com and www.csoonline.com.
  4. “The Global State of Information Security 2006”, a worldwide study by CIO magazine, CSO magazine and PwC, was conducted online from April 5 through May 22, 2006. Readers of CIO magazine, CSO magazine and clients of PwC from around the globe were invited via email to take the survey. The results shown in this report are based on the responses of more than 7,791 CEOs, CFOs, CIOs, CSOs, vice-presidents and directors of IT and Information Security from more than 50 countries. The margin of error for this study is ±1 percent.
  5. Please reference the study as “The State of Information Security 2006, a worldwide study by CIO, CSO and PwC.” The source line must include CIO, CSO and PwC.