Are CIOs Too Cocky About Security?

The ninth annual Global Information Security Survey conducted by CSO magazine and PricewaterhouseCoopers indicates the vast majority of tech and business execs are overconfident about their security policies.

By George V. Hulme
Wed, September 28, 2011

CIO — There’s been no shortage of high-profile and damaging data breaches in the past year. And the targets are widely varied—they include security firms RSA Security and HBGary Federal, defense contractors Lockheed Martin and Northrop Grumman, entertainment giant Sony, major retailers, healthcare companies and marketing firms.

Despite these attacks, the ninth annual Global Information Security Survey conducted by CIO’s sister publication CSO magazine and PricewaterhouseCoopers indicates that of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.

“Clearly, something unusual is happening, with so many organizations viewing themselves as security leaders,” says Mark Lobel, a principal in the advisory services division of PwC. In reality, “nowhere near 43 percent [are] leaders.”

Pete Lindstrom, research director at Spire Security, has another take. “Either 43 percent are fooling themselves, or they are reaching a good level of success in setting their strategy and hitting it.”

To better understand the actual security-management capabilities of the respondents who said they were leaders, PwC filtered the results according to factors it thinks are markers of real leadership. To meet the criteria, a company had to have a security strategy in place, IT security had to report to senior business leadership, the company had to have reviewed its IT security policy in the past year, and if the business had suffered a breach, it had to understand the cause. “When we finished that analysis, the amount of frontrunners fell from 43 percent to 13 percent,” Lobel says.

Where does this unwarranted confidence come from? “Perhaps they didn’t have bad things happen, or they’re not aware that bad things have happened,” says Lobel. “That can definitely create a false sense of security.”

That complacency could partially explain why so many organizations have decided to defer security spending. This year, 51 percent of respondents said they were postponing security-related capital expenditures, up from 46 percent last year. Operating expenditures didn’t get by unscathed either, with 48 percent of respondents saying they’ve deferred projects. That’s up from 43 percent.

That’s not to say respondents aren’t spending on security. They are, and they’re focusing on defending against Web attack vectors and deploying technologies that aim to prevent attacks. Investment in application firewalls grew from 72 percent to 80 percent in the past year, and investment in malicious-code-detection tools rose from 72 percent to 83 percent.

“It’s good to see the investment in technologies,” says Lobel. “However, the data shows they’re not making investments in the processes necessary to make sure security policies are in place so [technology] works in sync to defend the enterprise.”

Robert Fecteau, business technology officer at BAE Systems Intelligence and Security, calls the security budget cuts shortsighted. Security breaches can leak product designs, ruin reputations and make a company less competitive, he points out. “If your systems are penetrated, everything that you thought you saved in budget cutbacks will be lost.”