The Fifth Annual Global State of Information Security
Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
Awareness may be at an all-time high, but awareness doesn't equal improvement, and awareness doesn't bring happiness. The sad fact is that the strides made to date have not crossed the threshold from seeing to fixing.
- Aerospace and Defense
- Energy (oil and gas)
- Entertainment and Media
- Financial Services
- Healthcare/provider
- Healthcare/payer
- Pharmaceuticals
- Public Sector
- Retail and Consumer
- Telecommunications
- Utilities
"That next level of maturity has not been reached," says Mark Lobel, a principal with PWC's advisory services. "We have the technology but still don't have our hands around what's important and what we should be monitoring and protecting. Where's that console that says, 'Hey, credit card numbers are crossing the firewall and this is a PCI issue that has a real business impact?'"
Read on for more on what awareness has led to and other insights from the "Global State of Information Security 2007" survey.
"I See," Said the Blind Man
Five years ago, 36 percent of respondents to the "Global State of Information Security" survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent.
Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.
The Infrastructure Is in Place
Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among those companies that don't yet have these measures in place, the priority for adding them is remarkably low, indicating that most people who think they need these things now have them.
| | 2006 | 2007 | Priority for 2008 |
|---|---|---|---|
| People: You have a... | | | |
| CSO | 21% | 28% | 13% |
| CISO | 22% | 32% | 17% |
| CPO | 16% | 22% | 14% |
| Processes: You have... | | | |
| An overall security strategy | 37% | 57% | 13% |
| A baseline for customers/partners | 25% | 42% | 10% |
| Centralized SIM | 34% | 44% | 11% |
| Technology: You deploy... | | | |
| Firewalls | 77% | 93% | 15% |
| Encryption | 43% | 72% | 25% |
| IDS/A-V/other detection* | 57% | 90% | 28% |
| Data backup | 78% | 82% | 14% |
| User security/ID management* | 73% | 89% | 33% |
| IPS/filters* | 44% | 83% | 22% |
| Internet security* | 31% | 70% | 14% |
* Before 2007, these categories were not consolidated. The percentage listed is the highest percentage given for one of the subcategories now consolidated into the new category.
We've Seen the Enemy; It's You
This year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.