Every day it’s something else. Millions of personally identifiable records stolen. Intellectual property left on a laptop that’s gone missing. Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies. Phishing scams by the thousands: puddle phishing, Wi-phishing, pharming. Then there’s spam and spyware, zombie networks, DDoS (distributed denial-of-service) attacks and session hijacking. Online auction fraud. Online extortion. We haven’t even mentioned good old viruses and worms, but those still work too. To borrow from forestry parlance, information security is an escaped wildfire. And according to “The Global State of Information Security 2005,” a worldwide study by CIO and PricewaterhouseCoopers (PWC), you are the firefighters, desperately trying to outflank the fireline and prevent flare-ups and firestorms. It’s a thankless, impossible business.

In this environment, just holding your ground is a victory, and that’s what you’re doing. This is the third annual edition of the survey—once again the largest of its kind, with more than 8,200 IT and security executives responding from 63 countries on six continents. Each year the data has shown incremental improvement in the tactical battle to react to and fight off security incidents.

At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place. There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data. Just 37 percent of respondents reported that they had an information security strategy—and only 24 percent of the rest say that creating one is in the plans for next year.
With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing. “When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PricewaterhouseCoopers. “Right now, there’s hardly a fire code.” Lobel compares the global state of information security to Chicago right before the great fire. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too.

Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. So we’ll delve into one industry sector—financial services—as a best practices group that, while still struggling to put out fires, has devoted more time, resources and strategic thinking to its information security posture than the average respondent. We’ll also highlight some other encouraging numbers that suggest that more companies than ever are laying the groundwork for a more strategic information security department.

In all, we’ll look at eight distinct cuts of the data from “The Global State of Information Security 2005,” and post several more online (www.cio.com/091505). Use the data to benchmark yourself and to glean ways you can start to beat back the flames.
Maybe even create a fire code so that if a cow does knock over a lantern, the whole city won’t burn.

Sowing the Seeds of Strategic Security

As information security gains more status in the organization, security improves.

It’s clear from the data that respondents spend most of their time in reactive mode: responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironically, the most common proactive step respondents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.

Having said that, a few numbers did pop out that suggest that the foundation is being laid for a time when information security may become more strategic. This year more companies employed security executives and focused on integration between physical and information security than in the two previous years.

“Security has gotten more visibility since I started watching this sector 11 years ago, no doubt,” Lobel says. “Most encouraging is the combination of physical and information controls. All business eventually will have an e-business component, and as business evolves, security has to evolve with it and include physical and information security in equal proportions. Some of the data is starting to show that evolution, but we’re clearly not there yet.”

Security’s rising profile is most encouraging when you cross-reference the governance numbers with effectiveness. Those companies where the function resides near the top have a far better security posture than the average respondent. Security’s more strategic at those companies that have elevated the role. For example, only 37 percent of respondents said they have an overall security strategy. At companies with CSOs, that number leaps to 62 percent.
Likewise, 80 percent of companies with CSOs also employed a CISO or equivalent, compared with about 20 percent overall.

Companies with an executive security function also reported that their spending and policies are more aligned with the business and that a higher percentage of their employees comply with internal information security policies. Companies with a security chief also measured and reviewed information security policies more than those without a security executive, and they were far more likely to prioritize information assets by risk level.

Resources are dialed up at companies with a security executive too. They averaged more full-time employees at their companies and higher budgets. They were almost twice as likely to have a security budget separate from the IT budget and, while they were equally likely to get additional monies for security from the IT department, companies with executive infosec leaders reported getting more money more often from other lines of business, such as legal, risk, and compliance and regulatory groups.

Companies that haven’t elevated the role outnumber those that have. But if companies that have elevated information security tend to act more strategically (and more companies are doing that), then it follows that information security is getting more strategic. It’s early on in the trend, but it’s a positive.

Surveillance World

The bigger the company, the more it watches its employees.

There’s a sudden and dramatic rise in companies monitoring their employees. The upsurge, part of a trend toward more surveillance both in public and in private, can be attributed to several factors. First, CISOs want to rein in instant messaging and other applications. Those apps not only sap employee productivity but they’re easy vehicles for intellectual property theft and other information leaks.
Second, security execs need to put down rampant spam and malware—feral creatures that often get into networks through unauthorized usage by employees and knock systems offline, slow down overall network performance, spread viruses and open up the network to further attacks. Third, they want to shield the company from liability when employees use peer-to-peer networks to download copyrighted material, such as movies and music. And finally, there’s the evergreen insider threat. Thirty-three percent of all infosecurity attacks originated from employees, with another 28 percent coming from ex-employees and partners. In short, the only way security chiefs believe they can control the technologies that their employees use is to watch what they do with them. That’s why 88 percent of respondents either have monitoring in place or plan to by year’s end. It follows, too, that bigger companies have more to monitor and more resources to do it, and hence will monitor more.

Ironically, PWC’s Lobel points out, it could be the unintended consequence of another, positive trend that’s helping nurture the monitoring culture. “With more and more security organizations reporting outside of IT, they really don’t integrate day in and day out with the folks rolling out the systems,” he says. That is the trend. As we saw on Page 64, more companies have information security reporting to the CEO or other departments, and more are integrating it with the physical security function. Currently, the only way to combat that disconnect between who’s deploying the applications and who’s securing them is to monitor. “In fact,” says Lobel, “the less security reports to IT, the more you’ll need this watchdog function.”

DHS Gets Low Marks

Information security executives have a negative perception of the Department of Homeland Security.
The color-coded alert system has proved useless.

Cybersecurity has become something of a standing joke inside DHS, a buried priority that was even rumored to be moving to the Office of Management and Budget, of all places. It’s also endured the departure of several appointees who left after only a few months, including Richard Clarke, Howard Schmidt and Amit Yoran. It seems DHS’s attitude toward information security is reflected in our respondents’ perception of how the agency has handled it. More respondents rated DHS’s handling of information security as “poor” than those who rated it “excellent” and “good” combined. DHS is also under pressure from Congress and other critics to either radically change or altogether scrap the color-coded alert system, and the numbers suggest that that’s the right move in terms of infosec, since it hardly registered, even with critical infrastructure companies, when the feds declared Orange Alerts.

Compliance? What’s That?

The majority of information security executives range from ambivalent (at best) to downright dismissive (at worst) about the intentions, effect and pertinence of security regulations.

One PWC analyst called these numbers scary, but which is scariest? Is it the comparatively low number of respondents who are in compliance? Or the shockingly high number of respondents who cop to not complying even though they know that they have to? Or could it be the startlingly low number who believe that the regulations apply to them? (The list of regulatory mandates in the survey was much longer, but other, lesser regulations showed a similar pattern.)

The third one may be the most telling. Just 11 percent of respondents said they needed to be in compliance with California’s SB 1386 law, which mandates that companies report breaches of personal data to consumers.
In fact, any company that has even one customer in California must comply with the law, and surely more than 11 percent of U.S. respondents’ companies do business in our most populous state. Similarly, more than half said they didn’t need to comply with Sarbanes-Oxley, and four out of 10 respondents in the health-care industry said that the Health Insurance Portability and Accountability Act (HIPAA) didn’t apply to them, which seems impossible on the face of it.

But what do the numbers mean? Here are two theories, both of which probably play some role: One, the regs are confusing and difficult to comply with. This would explain the low numbers of respondents who believe they needed to comply with HIPAA or Gramm-Leach-Bliley regulations. They simply don’t understand how the rules apply to them. Another theory is that the regulations have, in respondents’ minds anyway, few if any teeth. Companies don’t fear any serious repercussions for not complying with the regulations, either because the mandates are too vague to really be enforced, or the regulatory agencies aren’t devoting resources to enforcement.

Supporting the “lack of teeth” theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group.

Lobel offers a third factor: “There’s just a lot of regs for these guys to deal with.” Indeed, security mandates so far have targeted specific threats, industries or niches without a single overarching standard for companies to aim for. In this survey, we listed 43 regulations, all of which some respondents said they needed to comply with, and some respondents even added ones we didn’t put on the list. Inevitably, companies will prioritize their limited resources to comply with those they consider most pressing and let others go.
But the point remains: The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indicates that it hasn’t had the intended effect, at least on information security.

Safe Deposits

The financial services industry takes care of security business better than the rest of us. Learn from their best practices.

For the past two years we’ve highlighted a best practices group, culled from those respondents who professed that they were “very confident” in their information security. This year, our best practices group is not sorted by confidence, but rather pulled directly from one industry—financial services.

The financial services sector has long been presumed to practice superior information security, largely because of the preciousness of its assets (money) and the fact that its business is carried out almost entirely on IT systems. The stakes are higher, the risks are higher, so the information security protection must be higher too.

To an extent, the data supports the idea that companies in the money business tend to be more strategic and more secure than the rest of us, and, it turns out, even more confident. Another factor that helps financial companies excel is that they tend to be bigger, and bigger companies usually have more resources. (Then again, bigger companies often have a harder time with governance, and financial services companies, by this data, show strong organization.) But we also chose the financial services sector as a best practices group for several other reasons. The stakes are fiercely high in a business shooting huge sums of money around IT networks. Also, financial services companies already use risk models, returns on investment and other strategic tools in other parts of the business and have begun to apply those same tools to information security. Finally, the financial community knows regulations and has for a long time.
When it comes to information security, the financial services industry is in a position where everyone else is headed.

The differences between that place and the place most people are today are pronounced. Start with money. Financial services companies have bigger security budgets, but not necessarily bigger vis-à-vis the overall IT budget. To whatever extent these companies are more secure than the average company, that superiority can be attributed to more efficient spending, and spending on strategic planning, not technology. One simple example of this is investment in network firewalls. It was the fifth most cited strategic priority for next year with all respondents, but it doesn’t even make the top 10 with financial services companies. Same for data backup, which is number three overall but not on financial services companies’ radar. These companies have these important technologies in place but also seem to have shifted priorities, perhaps understanding that more technology doesn’t mean more security. (The one type of technology financial services companies do seem to be investing in is identity management—not surprising as a reaction to the ID theft epidemic.)

On the other hand, the banks were far more likely to have listed compliance testing as a priority for next year compared with the overall respondent base. You should anticipate this happening to your company, and start preparing sooner rather than later, as regs—including the big ones such as Sarbanes-Oxley, but also local ones such as California’s 1386 law and whatever new regs come out of the current identity theft pandemic—start to take hold and you have no choice but to do compliance testing.

And just because the financial companies seem to be more strategic doesn’t mean they shy away from using threats to justify investments.
While financial companies are slightly more likely to use ROI and contribution to business objectives as justifications for security investments, they are still far more likely to rely on legal and regulatory requirements, liability and revenue impact to justify their investments. Interestingly, half of all financial services respondents said “common industry practice” was one justification for security investments—suggesting either some level of information sharing amongst companies in the industry, or at least a copycat culture where many security executives try to keep up with the good security Joneses.

One area in which the financial services sector doesn’t seem to outperform the rest of the respondents is integration with physical security practices. Watching the year-over-year numbers next year in this area will be important given the number of high-profile data thefts that used physical security weaknesses—or at least the disconnect between the information security practices and physical security practices—to gain access to personal records.

So Many Breaches, So Few Insights

When it comes to malicious activity on their network, information security executives have more information than ever, but that doesn’t mean they know what to do with it.

The numbers on incidents, downtime and damages have remained steady, but some other numbers in this year’s breach data are unsettling. First, the sharply rising number of respondents who report damages as “unknown,” up to 47 percent this year from 40 percent two years ago, suggests that respondents have neither the time nor the means to truly calculate losses from a breach, or if they considered the attacks minor, they didn’t bother. The increased sophistication of attacks during the past year could also contribute to the rising “unknown” group.

The more complex attacks hit more complex targets. Take the hypothetical identity theft of 1,000 customer records.
Many experts are concerned about “deferred loss identity theft,” wherein thieves sit on stolen identities for months or years until victims believe the danger has passed. It’s hard to put figures on potential outcomes like that.

Other “unknown” responses get one’s attention too: “Unknown” showed up in survey responses as the second most prevalent attack type, the fourth most common attack method and the third highest attack source. Plus, data or material damages trail only firewall and IDS logs as the means of discovering attacks. In other words, information security professionals most often react. They learn of attacks after the damage is done. And often once the events happened, they couldn’t figure out what it was, where it came from or who did it.

CIOs, CISOs and CSOs have gotten quite good at collecting and logging events on their networks—organizing their haystacks—but haven’t been able to reliably turn all that data into intelligence—efficiently finding the needles before they are pricked by them. A long-term strategic goal of all information security departments should be to reorganize so that they work as an intelligence unit rather than just a data collection unit.

Follow the Money...Please!

Information security is getting more money, but exactly how much and from where isn’t always clear. It’s more evidence of a lack of strategic direction.

In previous years when we asked what your information security budget was, we didn’t include “don’t know” as an option. This year, we did, and Bang! A full one-fifth (22 percent) of the information executives responding said they didn’t know how much money their companies budget for infosecurity. More signs of a lack of proactive, strategic focus.
Not good.

Good news: The information security function can shake some money out of other departments’ pockets to supplement its own appropriations.

The larger companies are most guilty of not tracking their spending well. About 40 percent of the 1,700 companies with $5 billion in revenue or more said they didn’t know their information security budget. Bigger companies, with more divisions and probably a more distributed world view, might have a harder time pinning down all the monies devoted to information security. In fact, the bigger companies reported much higher usage of money from other departments for security than smaller companies did. Many bigger companies also have integrated information and physical security, making their information security budget a less distinct entity.

We didn’t report the spending trends here—whether budgets were increasing, decreasing or staying the same—because for the third straight year those numbers stayed relatively constant. Except for one telling tidbit. We added “don’t know” to the question of whether or not budgets will increase, stay the same or decrease, and 16 percent said they weren’t sure which way their budgets were headed.

E-mail Senior Editor Scott Berinato at firstname.lastname@example.org.