The Global State of Information Security 2005

Every day it’s something else.

Millions of personally identifiable records stolen.

Intellectual property left on a laptop that’s gone missing.

Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies.

Phishing scams by the thousands: puddle phishing, Wi-phishing, pharming.

Then there’s spam and spyware, zombie networks, DDoS (distributed denial-of-service) attacks and session hijacking. Online auction fraud. Online extortion. We haven’t even mentioned good old viruses and worms, but those still work too.

To borrow from forestry parlance, information security is an escaped wildfire. And according to “The Global State of Information Security 2005,” a worldwide study by CIO and PricewaterhouseCoopers (PWC), you are the firefighters, desperately trying to outflank the fireline and prevent flare-ups and firestorms. It’s a thankless, impossible business.

In this environment, just holding your ground is a victory, and that’s what you’re doing. This is the third annual edition of the survey—once again the largest of its kind with more than 8,200 IT and security executives responding from 63 countries on six continents. Each year the data has shown incremental improvement in the tactical battle to react to and fight off security incidents.

At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place. There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.

Just 37 percent of respondents reported that they had an information security strategy—and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing.

“When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PricewaterhouseCoopers. “Right now, there’s hardly a fire code.” Lobel compares the global state of information security to Chicago right before the great fire. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too.

Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. So we’ll delve into one industry sector—financial services—as a best practices group that, while still struggling to put out fires, has devoted more time, resources and strategic thinking to its information security posture than the average respondent. We’ll also highlight some other encouraging numbers that suggest that more companies than ever are laying the groundwork for a more strategic information security department.

In all, we’ll look at eight distinct cuts of the data from “The Global State of Information Security 2005,” and post several more online (www.cio.com/091505). Use the data to benchmark yourself and to glean ways you can start to beat back the flames. Maybe even create a fire code so that if a cow does knock over a lantern, the whole city won’t burn.

Sowing the Seeds of Strategic Security

As information security gains more status in the organization, security improves.

It’s clear from the data that respondents spend most of their time in reactive mode: responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironically, the most common proactive step respondents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.

Having said that, a few numbers did pop out that suggest that the foundation is being laid for a time when information security may become more strategic. This year more companies employed security executives and focused on integration between physical and information security than in the two previous years.

“Security has gotten more visibility since I started watching this sector 11 years ago, no doubt,” Lobel says. “Most encouraging is the combination of physical and information controls. All business eventually will have an e-business component, and as business evolves, security has to evolve with it and include physical and information security in equal proportions. Some of the data is starting to show that evolution, but we’re clearly not there yet.”

Security’s rising profile is most encouraging when you cross-reference the governance numbers with effectiveness. Those companies where the function resides near the top have a far better security posture than the average respondent. Security is more strategic at companies that have elevated the role. For example, only 37 percent of respondents said they have an overall security strategy. At companies with CSOs, that number leaps to 62 percent. Likewise, 80 percent of companies with CSOs also employed a CISO or equivalent, compared with about 20 percent overall.

Companies with an executive security function also reported that their spending and policies are more aligned with the business and that a higher percentage of their employees comply with internal information security policies. Companies with a security chief also measured and reviewed information security policies more than those without a security executive, and they were far more likely to prioritize information assets by risk level.

Resources are dialed up at companies with a security executive too. They averaged more full-time security staff and higher security budgets. They were almost twice as likely to have a security budget separate from the IT budget and, while they were equally likely to get additional monies for security from the IT department, companies with executive infosec leaders reported getting more money more often from other lines of business, such as legal, risk, and compliance and regulatory groups. Companies that haven’t elevated the role still outnumber those that have. But if companies that have elevated information security tend to act more strategically (and more companies are doing that), then it follows that information security is getting more strategic. It’s early in the trend, but it’s a positive.

Surveillance World

The bigger the company, the more it watches its employees.

There’s a sudden and dramatic rise in companies monitoring their employees. The upsurge, part of a trend toward more surveillance both in public and in private, can be attributed to several factors.

First, CISOs want to rein in instant messaging and other applications. Those apps not only sap employee productivity but they’re easy vehicles for intellectual property theft and other information leaks. Second, security execs need to put down rampant spam and malware—feral creatures that often get into networks through unauthorized usage by employees and knock systems offline, slow down overall network performance, spread viruses and open up the network to further attacks. Third, they want to shield the company from liability when employees use peer-to-peer networks to download copyrighted material, such as movies and music. And finally, there’s the evergreen insider threat. Thirty-three percent of all infosecurity attacks originated from employees, with another 28 percent coming from ex-employees and partners. In short, the only way security chiefs believe they can control the technologies that their employees use is to watch what they do with them. That’s why 88 percent of respondents either have monitoring in place or plan to by year’s end. It follows, too, that bigger companies have more to monitor and more resources to do it, and hence will monitor more.

Ironically, PWC’s Lobel points out, it could be the unintended consequence of another, positive trend that’s helping nurture the monitoring culture. “With more and more security organizations reporting outside of IT, they really don’t integrate day in and day out with the folks rolling out the systems,” he says. That trend is real: as we saw above, more companies have information security reporting to the CEO or other departments, and more are integrating it with the physical security function. Currently, the only way to combat that disconnect between who’s deploying the applications and who’s securing them is to monitor. “In fact,” says Lobel, “the less security reports to IT, the more you’ll need this watchdog function.”

DHS Gets Low Marks

Information security executives have a negative perception of the Department of Homeland Security. The color-coded alert system has proved useless.

Cybersecurity has become something of a standing joke inside DHS, a buried priority that was even rumored to be moving to the Office of Management and Budget, of all places. The federal cybersecurity effort has also endured a string of senior officials who departed after short tenures, including Richard Clarke, Howard Schmidt and Amit Yoran. It seems DHS’s attitude toward information security is reflected in our respondents’ perception of how the agency has handled it. More respondents rated DHS’s handling of information security as “poor” than those who rated it “excellent” and “good” combined. DHS is also under pressure from Congress and other critics to either radically change or altogether scrap the color-coded alert system, and the numbers suggest that that’s the right move in terms of infosec, since it hardly registered, even with critical infrastructure companies, when the feds declared Orange Alerts.

Compliance? What’s That?

The majority of information security executives range from ambivalent (at best) to downright dismissive (at worst) about the intentions, effect and pertinence of security regulations.

One PWC analyst called these numbers scary, but which is scariest? Is it the comparatively low number of respondents who are in compliance? Or the shockingly high number of respondents who admit to not complying even though they know that they have to? Or could it be the startlingly low number who believe that the regulations apply to them? (The list of regulatory mandates in the survey was much longer, but other, lesser regulations showed a similar pattern.)

The third one may be the most telling. Just 11 percent of respondents said they needed to be in compliance with California’s SB 1386 law, which mandates that companies notify consumers when their personal data is breached. In fact, any company that does business in California and holds the personal data of even one California resident must comply with the law, and surely more than 11 percent of U.S. respondents’ companies do business in our most populous state. Similarly, more than half said they didn’t need to comply with Sarbanes-Oxley, and four out of 10 respondents in the health-care industry said that the Health Insurance Portability and Accountability Act (HIPAA) didn’t apply to them, which seems impossible on the face of it.

But what do the numbers mean? Here are two theories, both of which probably play some role: One, the regs are confusing and difficult to comply with. This would explain the low numbers of respondents who believe they needed to comply with HIPAA or Gramm-Leach-Bliley regulations. They simply don’t understand how the rules apply to them. Another theory is that the regulations have, in respondents’ minds anyway, few if any teeth. Companies don’t fear any serious repercussions for not complying with the regulations, either because the mandates are too vague to really be enforced, or the regulatory agencies aren’t devoting resources to enforcement.

Supporting the “lack of teeth” theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group.

Lobel offers a third factor: “There’s just a lot of regs for these guys to deal with.” Indeed, security mandates so far have targeted specific threats, industries or niches without a single overarching standard for companies to aim for. In this survey, we listed 43 regulations, all of which some respondents said they needed to comply with, and some respondents even added ones we didn’t put on the list. Inevitably, companies will prioritize their limited resources to comply with those they consider most pressing and let others go.

But the point remains: The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indicates that they haven’t had the intended effect, at least on information security.

Safe Deposits

The financial services industry takes care of security business better than the rest of us. Learn from their best practices.
