Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn't improving.
For the fifth straight year, CIO, CSO and PricewaterhouseCoopers (PWC) present select results and analysis from the "Global State of Information Security" survey, the world's largest, most comprehensive annual information security survey.
And the first question to ask is, Are you feeling anxious?
Are you feeling the disquiet that comes from knowing there's no reason why your company can't be the next TJX? The angst of knowing that these modern plagues—these spam e-mails, these bots, these rootkits—will keep coming at you no matter how much time and money you spend trying to stop them? The chill that comes from knowing how much you don't know?
Yeah, you're feeling it.
You're feeling it because you're seeing it. According to the 2007 survey, a comprehensive canvassing of 7,200 respondents on six continents, you see the information security problem more clearly than ever before. You're seeing it because you've created tools and systems in order to see it. For example:
You've added processes. Three years ago, only 37 percent of companies reported having an overall security strategy. This year, 57 percent did. Also, nearly four out of five companies conducted enterprise risk assessments, at least periodically.
You've deployed technology. Nine out of 10 respondents said they use firewalls, monitor users and rely on intrusion detection infrastructure, and that number approached 98 percent when responses were limited to larger companies (more than $1 billion in revenue). Encryption is at an all-time high, with 72 percent reporting some use of it (compared to 48 percent last year).
You've hired people. The number of CISOs and CSOs employed continues to rise. And the mean number of information security workers per company has topped 100, most likely due to more outsourcing and the use of contract employees.
You've crafted an infrastructure for understanding. You're seeing it, and that's why you're feeling it. You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.
Awareness may be at an all-time high, but awareness doesn't equal improvement, and awareness doesn't bring happiness. The sad fact is that the strides made to date have not crossed the threshold from seeing to fixing.
"That next level of maturity has not been reached," says Mark Lobel, a principal with PWC's advisory services. "We have the technology but still don't have our hands around what's important and what we should be monitoring and protecting. Where's that console that says, 'Hey, credit card numbers are crossing the firewall and this is a PCI issue that has a real business impact?'"
Read on for more on what awareness has led to and other insights from the "Global State of Information Security 2007" survey.
"I See," Said the Blind Man
Five years ago, 36 percent of respondents to the "Global State of Information Security" survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent.
Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.
The Infrastructure Is in Place
Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among companies that don't yet have these measures in place, the priority for adding them is remarkably low, indicating that most people who think they need these things already have them.
|                                   | 2006 | 2007 | Priority for 2008 |
|-----------------------------------|------|------|-------------------|
| People: You have a...             |      |      |                   |
| Processes: You have...            |      |      |                   |
| An overall security strategy      | 37%  | 57%  | 13%               |
| A baseline for customers/partners | 25%  | 42%  | 10%               |
| Technology: You deploy...         |      |      |                   |
| User security/ID management*      | 73%  | 89%  | 33%               |

* Before 2007, these categories were not consolidated. The percentage listed is the highest percentage given for one of the subcategories now consolidated into the new category.
We've Seen the Enemy; It's You
This year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.
Likely Sources of Incidents
Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years.
Who attacked us?

| | 2006 | 2007 | 2007 Security Executives Only |
|---|------|------|-------------------------------|
Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person.
This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents—a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine.
"What's happening is we're doing a better job with logging and understanding situations," says Ron Woerner, former information security manager at ConAgra Foods, now security engineering consultant at TD Ameritrade. "For a while, I think, ignorance was bliss. Now, with all the technology in place, we're learning that we all have the same problems."
Here's how building a security infrastructure can lead to more employees named as culprits in security incidents: A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey), and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistle-blowers. With all of this and more in place, a company has increased its odds of detecting security incidents.
But here's an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year.
The rate of "Don't know" for the type of incident and the primary method used to attack also spiked.
What You Don't Know...Could Fill Volumes
Increasingly, those involved in information security reply "Don't know" when asked about the number and nature of security incidents.
| "Don't know" response     | 2006 | 2007 | 2007 Security Executives Only |
|---------------------------|------|------|-------------------------------|
| Number of incidents       | 29%  | 40%  | 29%                           |
| Type of attack            | 26%  | 45%  | 32%                           |
| Primary method used       | 26%  | 33%  | 20%                           |
It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse.
The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."
Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering.
If most of the investment has been put into technology, most of the return will come from there too. The tools will do their job. They will tell you what's happening and block the most ham-fisted attacks. But technology is largely reactive. It provides alarms and ex post facto reports of anomalies. Intrusion detection, for example, is not terribly effective at threat intelligence—understanding the nature of vulnerabilities before they affect you. All IDS boxes know is that some preset rule has been broken. Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.
Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Antiforensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.
Why You Have to Change Your Strategy
What can be done about all this? Be strategic. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy.
Information and security executives should, for example, be putting their dollars into industry information sharing. "Collaboration is key," says Woerner. They should invest in security research and technical staff that can capture and dissect malware, and they should troll the Internet underground for the latest trends and leads. Dozens of security companies do just this and provide subscriptions to research services.
"We have to start addressing the human element of information security, not just the technological one," says Woerner. It's only then that companies will stop being punching bags. Only then will they be able to hit back.
IT Strikes Back
Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.
The IT department wants to control security again.
In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.
The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project—which might slow down the project and add to its cost—he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."
And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.
In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:
- IT (CIO, CTO)
- Neutral (board, CEO, CFO, COO, legal)
- Security (CSO, risk, security committee, CPO, audit)
To allow respondents to select more than one of these answers, we created "shares"—the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.
Reporting to IT
Security has some reporting relationship to the following:
| | 2006 | 2007 | 2007 (>$1B Revenue) |
|---|------|------|---------------------|
A 12 percent rise in the number of security executives reporting to IT is hugely significant. And when you slice that by large companies, it's a 19 percent rise. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions.
M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."
Indeed, the trend is even more pronounced when you follow the money trail.
Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (illegal entry) and digital ones (illegal network access).
And for four years, convergence of physical and IT security steadily increased. Until this year.
More data points to ponder from the "Global State of Information Security" Survey.
"Uh, Boss? Can We Talk?"
Are security and IT communicating enough with the CEO? By comparing their answers, one finds some startling disconnects.
What the Boss Thinks; What You Know
CEOs seem to think their enterprises are a lot more secure (and their employees more reliable) than CIOs and security leaders do. Conversely, CIOs and security leaders are a lot more optimistic about their budgets than are their CEOs.
|                                                                  | CEO | CIO | CISO/CSO/Infosec dir. |
|------------------------------------------------------------------|-----|-----|-----------------------|
| We've had fewer than 10 security incidents                       | 74% | 65% | 53%                   |
| We've had an unknown number of incidents                         | 18% | 25% | 28%                   |
| An employee or former employee was the source of the incident    | 44% | 71% | 83%                   |
| We do not conduct enterprise risk assessments                    | 31% | 21% | 13%                   |
| Security spending will increase in '07                           | 41% | 53% | 57%                   |
| Spending will stay the same                                      | 41% | 32% | 28%                   |
We Need to Be But Are Not in Compliance With
Again, CEOs are far more confident than their CIOs and security execs that their enterprises are compliant. Either the CEOs are clueless, or the people who should know aren't telling.
|                            | CEO | CIO | CISO/CSO/Infosec dir. |
|----------------------------|-----|-----|-----------------------|
| State privacy breach laws  | 10% | 12% | 21%                   |
Who Wants to Know?
Privacy Best Practices
|                | Employ CPO | Separate privacy & security | Separate security gov. & ops. | Classify data by risk |
|----------------|------------|-----------------------------|-------------------------------|-----------------------|
| > $1B revenue  | 30%        | 66%                         | 58%                           | 79%                   |
More on Privacy
While 60 percent of survey respondents posted privacy policies internally, only 24 percent posted policies on their external websites. Only 28 percent audited their privacy standards through a third party. Sounds like a cover-your-butt ploy; after all, if you don't have a policy posted, you can't be sued for violating or not living up to it. And if you haven't had your privacy audited, you don't have to fix all the problems an audit would find.
Respondents who do not keep an accurate inventory of user data:
Respondents who do not keep an accurate inventory of where data is stored:
Region of Risk
One of the areas of the world where the focus on information security has intensified is Latin America, specifically Brazil and Mexico. Researchers and law enforcement believe that cultural differences in acceptance of less-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for the Internet criminal underground. Here are some select findings.
|                 | Infosec budget as % of IT budget | Do not conduct risk assessment | Budget will rise more than 10% in '07 | > 1 day downtime |
|-----------------|----------------------------------|--------------------------------|---------------------------------------|------------------|
| U.S. and Canada | 12%                              | 19%                            | 16%                                   | 7%               |
Physical and Information Security Converge, Then Diverge
Information and physical security are separate
| Overall | Revenue $1B or more |
|---------|---------------------|
Information and physical security report to the same executive leader
| Overall | Revenue $1B or more |
|---------|---------------------|
Respondents that do not integrate physical and information security personnel:
Of those, percent with no plans to integrate personnel:
Who's in Charge?
Signs of IT's control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—in some cases two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.
What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."
In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.
That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?
One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.
The "Global State of Information Security 2007" survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 6 through May 4, 2007. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS, and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28%), Asia (23%), South America (12%), and the Middle East and South Africa (2%). The margin of error for this study is +/- 1%.
"What I hear from CIOs," says Johnson, "is at the end of the day they're responsible for failures anyway. They're on the line whether security is separate or not." Why wouldn't the CIO want to control something he's ultimately responsible for?
On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit." Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure. That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the technology. Why should IT be charged for another department's expenses?
Whatever the reason, the trend is disturbing to some security professionals, especially at a time when they play an ever more central role in corporate crises, and in society in general.
The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security.
But right when the best and brightest security minds are needed most, they're being valued less.
Scott Berinato is executive editor of CSO.