The State of Information Security 2003

The best place to start with "The State of Information Security 2003," a comprehensive, exhaustive survey of global security practices conducted by CIO in partnership with PricewaterhouseCoopers, is with what it doesn’t include.

It doesn’t include any revelation that will make you slap your forehead and exclaim, "Oh, that’s what I should do!"

Nowhere in its pages will you find The Answer, because The Answer is a fiction, even if the problem—how to know if you’re making your enterprise as safe as possible as efficiently as possible—is not.

What this survey does include in its depth (7,500-plus respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories), is a profile of the imperfect and evolving world of information security. (You can view the entire survey at and significant slices of it beginning on Page 86.)

According to the survey, you’re just beginning to appreciate information security as an ongoing discipline. You understand that establishing good security practices will be hard and will involve a complex integration of technology, education, risk analysis and regulation.

You know you need to do more, but the survey indicates that you’re not yet doing it.

In one sense, you can hardly be blamed for temporizing. As the survey shows, right now information security is a confused and paradoxical business. For example:

  • You’ve increased spending significantly, and yet that investment has had no measurable impact on security breaches.
  • You’re constantly warned about digital Pearl Harbors, yet the vast majority of reported incidents are relatively small.
  • You’re told aligning security and business strategies should be a top priority, and yet those who’ve fared best avoiding breaches, downtime and security-related damages are the least likely to be aligned.

All this may be out of your enterprise’s control. However, in other areas, information executives seem to be contributing to the confusion. For example:

  • Respondents who suffered the most damages from security incidents were twice as likely as the average respondent to plan on decreasing security spending in the coming year.
  • Those same respondents were nearly half as likely to list staff training as a priority.

In short, the survey shows that as much as the information security discipline has grown since its baptism—on Sept. 18, 2001 (one week after the terrorist attacks and the day the Nimda worm hit)—it hasn’t much improved.

However, what’s crystal clear is that confidence in security correlates to better security. In other words, enterprises that believe they’re doing better are doing better.

What follows are five selected views of "The State of Information Security 2003." Each view provides insight into some aspect of this complex new discipline, including an innovative method for benchmarking security spending.

You may not find The Answer here, but you will find data and lots of it. And there’s no question that that’s what you need to start improving your information security.

The Confidence Correlation

Those who are very confident in their security have a stronger security infrastructure in place, and they spend more on security as a percentage of their IT budget.

What the Numbers Mean

Structure and dedicated resources breed confidence. And confidence, experts say, breeds better security. In a sea of data that fails to reveal relationships between security and best practices, the confidence factor is a welcome sight.

The respondents who describe themselves as very confident in their organizations’ security (24 percent) can be called security leaders. That group has created far more structure around security within the organization than the group that describes itself as less confident. They’ve hired more security executives and given those executives more control over policy, spending and personnel.

Another key point: The more confident a company is in its security, the less likely that security goes through the IT department. Many in the security world believe that IT’s control of information security has been a limiting factor in improving information security.

For example, if the CIO is responsible for both the CRM implementation (which he’s been told to get done for $2 million in one year) and information security (which will add both time and money to the project), which charge will get his attention and which will get short shrift?

Bill Spernow, former director of IT for the Georgia Student Finance Commission, says the first thing he did when he got his job was fight for, and win, independence from the IT department. "If I see an organization where the CISO reports to some IT component, I see a position that’s not working, guaranteed," says Spernow. "The conflict of interest is just too much to overcome. Having the CISO report to IT, it’s a deathblow."

To Do:

1. Create structure around information security by hiring a CSO or creating an executive security committee.

2. Remove information security from the purview of the IT department.

The Per Capita Benchmark

Dividing security budget by number of employees reveals some surprising—and erratic—spending habits. But even here the confidence correlation is clear.

What the Numbers Mean

The per capita security spend—the information security budget divided by the number of employees—provides a benchmark with which a company can compare itself within its own industry and across industries, regardless of company size. It can also show how spending per employee varies geographically. This is a simple but powerful metric.

Impulsively, you might use the spectrum to see if your spending is normal. But while there is an overall average spending level ($964), there’s nothing normalized about a range that goes from as little as $100 per employee to well into the thousands.

Many factors could account for this. In some industries, the consequences of vulnerability are exponentially greater, even if personnel requirements are not. Energy utilities, for example, are exquisitely sensitive to what could happen if their security were to be breached, and the data from 72 energy respondents yielded an average security spend per capita of a little more than $7,000. On the other hand, automobile manufacturers may have less at risk. Their per capita spend came in at $220.

Despite the lack of a norm, the confidence correlation shows up here too, and starkly. The very confident companies spent nearly two and a half times more per capita than those companies that lacked confidence and one and a half times as much as the overall average. (Interestingly, the 6 percent of respondents who said they were unsure how confident they were spent just $585 per capita, even less than the least confident.)

To Do:

1. Try the per capita security expenditure calculation.

2. Compare your per capita expenditure to the average in your industry, and to the very confident and not very confident groups.

Brushfires, Not Conflagrations

Major security breaches are the exception, not the rule. Most security incidents lasted less than a day, cost less than $10,000, and most companies had 10 or fewer of these events in the past year.

What the Numbers Mean

"Terrorists Shut Down Power Grid." "Hackers Cripple Allied Inc." Both plausible headlines—or lines from security consultants trying to sell their services. But the survey data shows that information executives are not being confronted by events of that magnitude. They’re dealing instead with lots of brushfires.

The question then becomes: Are the big bang incidents rare because you’ve protected your enterprise well? Are the little hacks common because you haven’t done a good job protecting against them? Or are the big ones rare because they’re hard to pull off and you’re simply lucky to have avoided them, but not lucky enough to have avoided the easier-to-execute smaller incidents?

Howard Schmidt, vice president and CISO of eBay (and former special adviser to the White House for cyberspace security), thinks the prevalence of little bangs everywhere does not suggest that business has done a good job steeling itself against major attacks. Instead, he sees a severe lack of discipline everywhere.

"If anything, the more you take care of the little stuff, the less likely someone will be able to pull off a big attack," says Schmidt. "I see it all the time. Companies are always pushing, ‘Let’s just open this one little port.’ Then next thing you know, they want another port and another. And that leads to all these vulnerabilities that turn into little brushfires. No one draws the line and says no. Instead of creating a culture of security, we’re often creating a culture of getting around security."

The encouraging message buried in Schmidt’s commentary is that in order to mitigate the problem, little if any additional technology, spending or other resources are really required. All that’s required is some discipline—someone to draw the line and say no.

The other matter to deal with here is the high percentage of respondents (40 percent) who indicated that they were unsure of their losses. This probably can be attributed to the fact that security is still a young discipline. If it wasn’t money that was lost, respondents simply don’t know how to calculate the cost of losing intellectual property, or some part of a company’s reputation, or even downtime.

So they don’t try. This is a function of information security’s immaturity, a trait that will reappear in the next cut of data. If companies can’t calculate the cost of a breach, it’s highly unlikely that they’re even trying to create a formula for figuring security ROI.

To Do:

1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as "the sky is falling" threats.

2. Assign a disciplinarian, and vigilantly enforce security rules.

Still Reactive After All These Fears

Despite experts preaching about risk management and treating security proactively, security is still largely justified by fear and government regulation.

What the Numbers Mean

No matter how much evangelizing experts do about making security a contributor to the bottom line and measuring its ROI, it’s still easier to rely on scare tactics to justify security investments.

The numbers indicate how counterproductive that is. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors means that they aren’t thinking about security as an external networking problem. Their thinking still focuses on "How will a hacker attack me?" and not "How will any given hack attack reach me?" Also, companies aren’t demanding that their partners and vendors meet given security levels, which would make interaction safer.

Covenant Health is a perfect example. Covenant Health wasn’t attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.

To spin an old caveat: When you connect your network with a partner, you’re also connecting to your partner’s partners. Yet only 22 percent of respondents demand that partners practice safe business.

Covenant Health Senior Vice President and CIO Frank Clark learned the hard way. He now demands partners meet certain security requirements that he defines before they’re allowed to link to his network. "We now make them specify exactly what they want access to and what ports they need," he says. "What we’re finding is they themselves have a hard time knowing what they need access to." Clark hopes the corrective action causes a domino effect—that by requiring his partners to meet higher security standards, his partners will require their partners to do the same, and so forth.

To Do:

1. Pursue metrics and business justifications for security. Try to wean yourself away from using fear to justify security investments.

2. Set security requirements for anyone connecting to your network, and insist that partners and vendors meet those requirements.

No Correlations and Odd Correlations

It is difficult to find a relationship between good security and spending. And sometimes there’s even an inverse relationship.


The difference in spending between those companies that have

  • 0-50+ incidents
  • 0-10 days of downtime and
  • $0-$500,000 damages in the last 12 months

never varies more than 1.06 percent.

Companies that suffered more than a half million in security-related damages were more than twice as likely to say they were cutting their security spending as those who suffered no damages. Those who had more than 50 incidents and those who had more than 10 days of incident-related downtime were also more likely to decrease spending than those who reported no incidents and no downtime.

What the Numbers Mean

Since company size (and therefore budgets) varies so widely across the survey’s more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security.
