The Fifth Annual Global State of Information Security

Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.

Page 2 of 2

The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project—which might slow down the project and add to its cost—he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."

And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.

In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:

  1. IT (CIO, CTO)
  2. Neutral (board, CEO, CFO, COO, legal)
  3. Security (CSO, risk, security committee, CPO, audit)

To allow respondents to select more than one of these answers, we created "shares"—the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.

Reporting to IT

Security has some reporting relationship to the following:

                2006    2007    2007 (>$1B revenue)
IT              41%     53%     60%
Neutral         76%     79%     68%
Security        44%     46%     48%

A 12 percentage-point rise in the share of security executives reporting to IT is hugely significant. Among companies with more than $1 billion in revenue, the 2007 figure is 60 percent, 19 points above the 2006 overall figure. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions.


M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."

Indeed, the trend is even more pronounced when you follow the money trail.

[Chart not reproduced: GISS07_sec_dollars.gif]

Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because attacks increasingly mix physical and digital elements. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (unauthorized entry) and digital ones (unauthorized network access).

And for four years, convergence of physical and IT security steadily increased. Until this year.

And Furthermore...

More data points to ponder from the "Global State of Information Security" Survey.

"Uh, Boss? Can We Talk?"

Are security and IT communicating enough with the CEO? By comparing their answers, one finds some startling disconnects.

What the Boss Thinks; What You Know

CEOs seem to think their enterprises are a lot more secure (and their employees more reliable) than CIOs and security leaders do. Conversely, CIOs and security leaders are a lot more optimistic about their budgets than are their CEOs.

                                                               CEO    CIO    CISO/CSO/Infosec dir.
We've had fewer than 10 security incidents                     74%    65%    53%
We've had an unknown number of incidents                       18%    25%    28%
An employee or former employee was the source of the incident  44%    71%    83%
We do not conduct enterprise risk assessments                  31%    21%    13%
Security spending will increase in '07                         41%    53%    57%
Spending will stay the same                                    41%    32%    28%

We Need to Be But Are Not in Compliance With

Again, CEOs are far more confident than their CIOs and security execs that their enterprises are compliant. Either the CEOs are clueless, or the people who should know aren't telling.

                              CEO    CIO    CISO/CSO/Infosec dir.
HIPAA                         9%     14%    27%
Sarbanes-Oxley                9%     20%    32%
State privacy breach laws     10%    12%    21%

Privacy—Better, But...

Perhaps because of the sheer number of incidents involving privacy breaches, companies have improved their privacy practices. They are increasingly separating privacy from security and also separating security governance (which would take part in setting privacy policy) from tactical security. That means, for example, the people deploying monitoring tools aren't the ones setting the usage policy for those tools. But more work needs to be done. Some of the key steps to ensuring data privacy, such as encrypting databases and classifying data by risk level, haven't become standard practice. By the measures below, technology is the industry least likely to separate privacy from security, and consumer banking leads on most of them.

Who Wants to Know?

Privacy Best Practices

                      Employ CPO   Separate privacy   Separate security   Classify data
                                   & security         gov. & ops.         by risk
Overall               22%          54%                66%                 70%
> $1B revenue         30%          66%                58%                 79%
Financial services    33%          64%                60%                 80%
Consumer financial    41%          69%                55%                 90%
Retail                14%          51%                66%                 58%
Health insurance      53%          73%                49%                 81%
Healthcare provider   49%          72%                65%                 64%
Technology            22%          49%                72%                 77%

More on Privacy

While 60 percent of survey respondents posted privacy policies internally, only 24 percent posted policies on their external websites. Only 28 percent audited their privacy standards through a third party. Sounds like a cover-your-butt ploy; after all, if you don't have a policy posted, you can't be sued for violating or not living up to it. And if you haven't had your privacy audited, you don't have to fix all the problems an audit would find.

Respondents who do not keep an accurate inventory of user data: 69%

Respondents who do not keep an accurate inventory of where data is stored: 67%

Region of Risk

One of the areas of the world where the focus on information security has intensified is Latin America, specifically Brazil and Mexico. Researchers and law enforcement believe that cultural differences in acceptance of less-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for the Internet criminal underground. Here are some select findings.

                   Infosec budget       Do not conduct     Budget will rise        > 1 day
                   as % of IT budget    risk assessment    more than 10% in '07    downtime
Overall            15%                  23%                20%                     8%
U.S. and Canada    12%                  19%                16%                     7%
South America      19%                  36%                30%                     15%
Brazil             16%                  43%                29%                     21%
Mexico             21%                  33%                28%                     13%
China              19%                  32%                26%                     13%
India              21%                  17%                33%                     9%

Physical and Information Security Converge, Then Diverge

Information and physical security are separate

        Overall    Revenue $1B or more
2003    71%        NA
2004    50%        NA
2005    47%        NA
2006    25%        36%
2007    46%        55%

Information and physical security report to the same executive leader

        Overall    Revenue $1B or more
2003    11%        NA
2004    26%        22%
2005    31%        24%
2006    40%        33%
2007    34%        27%

Respondents that do not integrate physical and information security personnel: 69%

Of those, percent with no plans to integrate personnel: 80%

Who's in Charge?

Signs of IT's control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—in some cases two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.

What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."

In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.

That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?

One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

Survey Methodology

The "Global State of Information Security 2007" survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 6 through May 4, 2007. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS, and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28%), Asia (23%), South America (12%), and the Middle East and South Africa (2%). The margin of error for this study is +/- 1%.

"What I hear from CIOs," says Johnson, "is at the end of the day they're responsible for failures anyway. They're on the line whether security is separate or not." Why wouldn't the CIO want to control something he's ultimately responsible for?

On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit." Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure. That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the technology. Why should IT be charged for another department's expenses?

Whatever the reason, the trend is disturbing to some security professionals, especially at a time when they play an ever more central role in corporate crises, and in society in general.

The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security.

But right when the best and brightest security minds are needed most, they're being valued less.

Scott Berinato is executive editor of CSO.


Copyright © 2007 IDG Communications, Inc.
