I. Growing Up, Slowly

The 2006 survey shows that a few more companies than last year are thinking about security strategically, at least in some areas. A larger percentage of companies are aligning security objectives with business objectives (20 percent of respondents said they align all security spending with their business objectives, up from 15 percent in 2004) and are prioritizing data sets based on the sensitivity of the information contained in each application. They’re then protecting those sets with the appropriate amount of security (25 percent in 2006, up from 21 percent in 2004).

One of the biggest changes from last year is that more companies are integrating physical and information security. The percentage of organizations that reported having some form of integration between physical and information security has grown rapidly, to 75 percent in 2006 from 29 percent in 2003. A similar spike occurred in the percentage of respondents saying their physical and information security chiefs report to the same executive leader, to 40 percent from 11 percent in 2003.

Why is that important? To answer that, one need look no further than the daily newspaper stories about lost and stolen laptops containing private customer information. Just ask the U.S. Department of Veterans Affairs and AIG, both of which were involved this spring in high-profile cases of stolen laptops. With physical and information security combined, fewer laptops may be lost. And if they are lost or stolen, that combination should make gaining access to the data stored in them nearly impossible. "In today’s environment of IP-based control devices, cameras and other security sensors, the physical aspect is becoming more and more of an IT issue," says Jason Spaltro, executive director of information security for Sony Pictures Entertainment.

With increasing aggregation and integration of security functions comes larger security budgets. Almost half of the survey respondents said their budgets would increase this year, with more than one out of five saying the rate of increase would be in the double digits. That’s a faster increase than the overall IT budget. More security execs are being granted more financial autonomy too. That signals that security heads are being granted more responsibility, a key ingredient to raising security’s strategic profile in the organization.

However, the vast majority of companies worldwide—almost 64 percent—still have not created C-level security positions such as chief security officer or chief information security officer.

Managing security strategically, and at the executive level, may make sense in theory but is increasingly looking like a moot point in the boardroom. "We need proof strategic security planning works to convince the business side of the organization to make a seat for it at the executive table," you may say.

The good news is that the survey contains that proof: Organizations that reported that their security polices and spending are aligned with their business processes experienced fewer financial losses and less network downtime than those that did not.

Sounds like the making of a value statement.