The State of Information Security 2004: Best Practices

Executive Summary Our second annual Global State of Information Security study, conducted in partnership with CIO magazine, CSO magazine and PricewaterhouseCoopers, identified IT security best practices with clear benefits. The study identified a Best Practice group—organizations that indicated a high degree of confidence in their security measures—and compared their responses to the remaining survey base. Some of the key practices included: Best practice groups have adopted a long-term view of security investments versus a shorter-term, one fiscal year-at-a-time planning cycle, evident in more security staff and more consistent investment year to year. Best practice companies were more apt to integrate corporate and IT security and more frequently had the senior security executive report to a CSO or security committee rather than to the CIO. Additionally, this group engaged both business units and IT in security issues and decisions. This change in organizational structure and reporting has contributed to greater alignment and increased commitment from management, with the best practice organizations experiencing greater alignment of security objectives and business objectives as well as security spending and business objectives. Best practice organizations have clearly adopted long-term, risk-based security strategies more so than their counterparts. The greatest barriers to good security—limited budget, limited staff—were common to the best practice group as well as the overall survey respondents. However, time to focus on security was much less of a factor for the best practice group.