The Fifth Annual Global State of Information Security
Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
"We have to start addressing the human element of information security, not just the technological one," says Woerner. It's only then that companies will stop being punching bags. Only then will they be able to hit back.
IT Strikes Back
Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.
The IT department wants to control security again.
In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.
The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project—which might slow down the project and add to its cost—he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."
And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.
In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:
- IT (CIO, CTO)
- Neutral (board, CEO, CFO, COO, legal)
- Security (CSO, risk, security committee, CPO, audit)
To allow respondents to select more than one of these answers, we created "shares"—the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.
Reporting to IT
Security has some reporting relationship to the following:
| | 2006 | 2007 | 2007 (>$1B Revenue) |
|---|---|---|---|
| IT | 41% | 53% | 60% |
| Neutral | 76% | 79% | 68% |
| Security | 44% | 46% | 48% |
A 12 percent rise in the number of security executives reporting to IT is hugely significant. And when you slice that by large companies, it's a 19 percent rise. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions.
M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."