The Fifth Annual Global State of Information Security
Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
Region of Risk
One of the areas of the world where the focus on information security has intensified is Latin America, specifically Brazil and Mexico. Researchers and law enforcement believe that cultural differences in acceptance of less-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for the Internet criminal underground. Here are some select findings.
| Region | Infosec budget as % of IT budget | Do not conduct risk assessment | Budget will rise more than 10% in '07 | > 1 day downtime |
|---|---|---|---|---|
| Overall | 15% | 23% | 20% | 8% |
| U.S. and Canada | 12% | 19% | 16% | 7% |
| South America | 19% | 36% | 30% | 15% |
| Brazil | 16% | 43% | 29% | 21% |
| Mexico | 21% | 33% | 28% | 13% |
| China | 19% | 32% | 26% | 13% |
| India | 21% | 17% | 33% | 9% |
Physical and Information Security Converge, Then Diverge
Information and physical security are separate
| Year | Overall | Revenue $1B or more |
|---|---|---|
| 2003 | 71% | NA |
| 2004 | 50% | NA |
| 2005 | 47% | NA |
| 2006 | 25% | 36% |
| 2007 | 46% | 55% |
Information and physical security report to the same executive leader
| Year | Overall | Revenue $1B or more |
|---|---|---|
| 2003 | 11% | NA |
| 2004 | 26% | 22% |
| 2005 | 31% | 24% |
| 2006 | 40% | 33% |
| 2007 | 34% | 27% |
| Respondents that do not integrate physical and information security personnel: | 69% |
|---|---|
| Of those, percent with no plans to integrate personnel: | 80% |
Who's in Charge?
Signs of IT's control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—in some cases two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.
What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."
In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.
That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?
One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.
Survey Methodology
The "Global State of Information Security 2007" survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 6 through May 4, 2007. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS, and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28%), Asia (23%), South America (12%), and the Middle East and South Africa (2%). The margin of error for this study is +/- 1%.