The latest report from PwC, conducted with CIO and CSO Magazines, points to some interesting trends in international information security. The global study drew its respondents from 138 countries, indicating the common threats, improvements and concerns facing industries worldwide.

Interesting Facts and Observations

Highlights from the PwC report:

  • 70 percent of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices. They have an effective strategy in place. They consider their organizations proactive in executing it. And their insights into the frequency, type and source of security breaches have leapt dramatically over the past 12 months.
  • Some evidence points to a 'crisis in leadership' and dangerous deficits in strategy. Capabilities across security domains are degrading. And security-related third-party risks are on the rise.
  • The two most important business issues or factors driving their information security spending were economic conditions and the need to ensure business continuity and disaster recovery.
  • About half of the respondents are deferring security projects and reducing spending on IT security.
  • Approximately 80 percent or more of respondents can provide specific information about security event frequency, type and source. Three sets of capabilities, prevention, detection and web-related technologies, are attracting more sunshine this year than any other single core security-related area, across regions, industries and organizational sizes.
  • About half believe that the security spending drought will ease at some point in the next 12 months.
  • The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event. In the few short months since the survey was launched on February 10, 2011, leading organizations worldwide have been targeted by Advanced Persistent Threat (APT) attacks. These entities include national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system. Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well. This year, significant percentages of respondents across industries agreed that APT drives their organization’s security spending. These included 43 percent of consumer products and retail respondents, 45 percent of financial services respondents, 49 percent of entertainment and media respondents and 64 percent of respondents from the industrial manufacturing sector. Only 16 percent of respondents say their organization’s security policies address APT. In addition, more than half of all respondents report that their organization does not have core capabilities directly or indirectly relevant to countering this strategic threat—such as penetration testing, identity management technology or a centralized security information management process.
  • What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors - and shine the spotlight hottest at the 'top of the house.'
  • Mobile devices and social media represent a significant new line of risk - and defense. New rules are in effect this year for many organizations, though not yet the majority.
  • More than four out of ten respondents report that their organization uses cloud computing: 69 percent for software-as-a-service, 47 percent for infrastructure-as-a-service and 33 percent for platform-as-a-service.
  • Has the cloud improved security? More than half (54 percent) say it has, 23 percent believe that security has 'weakened' and 18 percent see no change. What about the greatest risks to cloud computing strategies? The largest one is perceived to be the uncertain ability to enforce provider security policies. Others include inadequate training and IT auditing, questionable privileged access control at the provider site, the proximity of data to someone else’s and the uncertain ability to recover data, if necessary.
  • The study includes a definition of a leader in information security. A leader has:

    • An overall information security strategy in place
    • Their CISO or equivalent security leader reporting to the 'top of the house', i.e. either the CEO, the CFO, the COO or legal counsel
    • Both measured and reviewed the effectiveness of its information security policies and procedures within the past year
    • An understanding of exactly what type of security events have occurred over the past 12 months
  • Leaders are reporting half as many incidents on average (1,274 per year vs. 2,562 for all survey respondents). Yet they’re encountering significantly higher levels of exploitation of data (45 percent vs. 26 percent), of mobile devices (36 percent vs. 23 percent), of applications (30 percent vs. 20 percent), of systems (40 percent vs. 29 percent) and of networks (40 percent vs. 28 percent). They’re also much more likely to suspect that the attacks are initiated by employees (38 percent vs. 32 percent), former employees (41 percent vs. 26 percent) and hackers (50 percent vs. 35 percent).

Confidence Increases While Threat Remains the Same

Key takeaways for me include the observation that many have confidence in their IT security, yet the threat presented by APT, social media and mobile has not been satisfactorily addressed. At the same time as technology is presenting new risks, spending on security continues to be reduced. The pressure to improve efficiency must be immense.

Learning Opportunities

What do you think? Are these observations consistent with yours?
