Every day it’s something else.

Millions of personally identifiable records stolen.

Intellectual property left on a laptop that’s gone missing.

Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies.

Phishing scams by the thousands: puddle phishing, Wi-phishing, pharming.

Then there’s spam and spyware, zombie networks, DDoS (distributed denial-of-service) attacks and session hijacking. Online auction fraud. Online extortion. We haven’t even mentioned good old viruses and worms, but those still work too.

To borrow from forestry parlance, information security is an escaped wildfire. And according to “The Global State of Information Security 2005,” a worldwide study by CIO and PricewaterhouseCoopers (PWC), you are the firefighters, desperately trying to outflank the fireline and prevent flare-ups and firestorms. It’s a thankless, impossible business.

In this environment, just holding your ground is a victory, and that’s what you’re doing. This is the third annual edition of the survey—once again the largest of its kind with more than 8,200 IT and security executives responding from 63 countries on six continents. Each year the data has shown incremental improvement in the tactical battle to react to and fight off security incidents.

At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place. There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.

Just 37 percent of respondents reported that they had an information security strategy—and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing.

“When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PricewaterhouseCoopers. “Right now, there’s hardly a fire code.” Lobel compares the global state of information security to Chicago right before the great fire. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too.

Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. So we’ll delve into one industry sector—financial services—as a best practices group that, while still struggling to put out fires, has devoted more time, resources and strategic thinking to its information security posture than the average respondent. We’ll also highlight some other encouraging numbers that suggest that more companies than ever are laying the groundwork for a more strategic information security department.