The Global State of Information Security 2006
V. The Best and Brightest
Last year we highlighted the financial services sector as possessing the best information security practices, and this year that industry once again leads all others in integrating information security with strategic operations.
Companies in the financial services sector—banks, insurance companies, investment firms—are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprisingly, financial services companies have also deployed more information security technology, such as intrusion detection and encryption tools, and identity management solutions.
It’s obvious, therefore, that financial services organizations are far more likely—almost twice as likely, in fact—to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.
The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists. Protecting the money is the industry’s most critical concern. The past few years have seen a sharp increase in cybercrime (phishing, identity theft, extortion and spyware, to name a few). Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization.
Financial services companies are more likely than enterprises in other industries to use ROI to measure the effectiveness of security investments (29 percent versus an average of 25 percent), and they also are more likely to use potential impact on revenue to justify investments (36 percent versus an average of 27 percent). These arguments work. More financial services companies saw a double-digit increase in their 2006 security budgets than those in any other sector.
Regulation plays a part too. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices.
Following this line of reasoning about regulatory compliance, one would think that government, health care and education—all highly regulated and entrusted with securing private information—would match the financial sector in instituting strategic security practices. One would, however, think wrongly. According to the survey, government, health care and education, despite their responsibility for protecting the personal information of hundreds of millions of citizens, patients and students, are less likely than finance to follow the best tactical and strategic security practices. The government and health care sectors, for the most part, lead other sectors in following and instituting information security policies and moving to become more strategic. But the two sectors are well behind financial services. Only 42 percent of government entities report having an overall security strategy, compared with 56 percent in the financial sector.
The education sector is even farther behind in developing, following, and deploying information security practices and tools. Educational organizations find themselves in this position even after highly publicized network break-ins, including those at San Diego State University and most recently at Ohio University, which exposed students’ and their families’ data, including home addresses, Social Security and credit card numbers, and tax information.
In fact, the education sector suffers more negative security events (viruses and worms, denial-of-service attacks, identity thefts, unauthorized entries and trafficking in illicit data), more network downtime and more downtime that lasts for many days than what the average respondent worldwide experiences.
And the security future doesn’t look bright for the educational sector either. A smaller share of education-sector respondents than in most other sectors said they plan to hire a C-level security leader, conduct background checks of new hires, start checking whether networks are compliant with security policies, conduct or institute employee security awareness programs or install encryption tools—just to name a few. Educational organizations are sticking to more mundane and tactical security fixes: installing firewalls, backing up data and deploying network security tools. It’s relatively easy to predict that the education sector’s security outcomes will not improve significantly in 2007.