When it comes to information security, the reflection you see in your morning mirror is probably not that of a sharp, confident, professional IT executive. Rather, that man in the mirror is more likely to look like a gangly, awkward, not-yet-to-be-fully-trusted teenager.

That's what "The Global State of Information Security 2006" survey tells us. In its fourth edition, this largest-of-its-kind survey reveals that global information executives, still relatively new to security's disciplines, are learning and improving but are still prone to risky behaviors—behaviors that could have devastating consequences.

The study by CIO, CSO and PricewaterhouseCoopers (PwC), with 7,791 respondents in 50 countries, indicates that an increasing number of executives (CEOs, CFOs, CIOs, CSOs, and VPs and directors of IT and information security) across all industries and in private- and public-sector organizations continue to make incremental improvements in deploying information security policies and technologies, although the rate of improvement is slower than in previous years. They're becoming more financially independent, with some security budgets increasing at double-digit rates. And they say they're more confident in their level of security, perhaps because their networks have not had a serious virus or worm in the past 12 months.

But teenagers, as any parent knows, live in the moment and have an ability to ignore what they know they should do and do what they know they shouldn't. The survey shows us that most executives with security responsibilities have made little or no progress in implementing strategic security measures that could have prevented many of the security mishaps reported this year. Only 37 percent of respondents said they have an overall security strategy.
And they're planning to focus more on tactical fixes than on strategic initiatives, ensuring that in the coming year they will be more reactive than proactive.

One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. The problem is less with the outsourcing companies themselves than with the dangerous waters they swim in. Many respondents from India admit to not adhering to the most routine security practices. The problem is obvious, but right now it's apparently easier to ignore than to address.

Harder to ignore is the constant news of large organizations losing laptops packed with unencrypted personal data on millions of customers. Every year we report that such incidents should motivate companies to tighten security, but every year the survey indicates that's not happening. Similarly, even after Hurricane Katrina, which hit the Gulf Coast seven months before we launched our survey, a majority of companies still did not have a business continuity/disaster recovery plan in place, and plans to complete one this year have become less important to security officials than in 2005.

Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations—such as California's security breach law, the Health Insurance Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union Data Privacy Directive—have been around for years. Is this an example of adolescent rebellion, or are security executives finding it hard to obtain the necessary resources to comply?

The answer, says Mark Lobel, a PwC advisory partner specializing in security, is neither, actually.
The information security discipline still suffers from the fundamental problem of making a business value case for security. Security is still viewed and calculated as a cost, not as something that could add strategic value and therefore translate into revenue or even savings. But if one digs into the results, there are reasons for optimism. There's evidence that organizations that comply with security laws are more likely to be integrating and aligning security with their enterprise's business strategy and processes, which in turn reduces the number of successful attacks and the financial losses that result from them. In short, security can create value if it's part of an organization's business plan and if the executive in charge is part of the executive team making those strategic spending and policy decisions.

The six sections that follow illustrate that global information security management practices are varied and, with a few notable exceptions, have yet to mature.

I. Growing Up, Slowly

The 2006 survey shows that a few more companies than last year are thinking about security strategically, at least in some areas. A larger percentage of companies are aligning security objectives with business objectives (20 percent of respondents said they align all security spending with their business objectives, up from 15 percent in 2004) and are prioritizing data sets based on the sensitivity of the information contained in each application. They're then protecting those sets with the appropriate amount of security (25 percent in 2006, up from 21 percent in 2004). One of the biggest changes from last year is that more companies are integrating physical and information security. The percentage of organizations that reported having some form of integration between physical and information security has grown rapidly, to 75 percent in 2006 from 29 percent in 2003.
A similar spike occurred in the percentage of respondents saying their physical and information security chiefs report to the same executive leader, to 40 percent from 11 percent in 2003.

Why is that important? To answer that, one need look no further than the daily newspaper stories about lost and stolen laptops containing private customer information. Just ask the U.S. Department of Veterans Affairs and AIG, both of which were involved this spring in high-profile cases of stolen laptops. With physical and information security combined, fewer laptops may be lost. And if they are lost or stolen, that combination should make gaining access to the data stored in them nearly impossible. "In today's environment of IP-based control devices, cameras and other security sensors, the physical aspect is becoming more and more of an IT issue," says Jason Spaltro, executive director of information security for Sony Pictures Entertainment.

With increasing aggregation and integration of security functions comes larger security budgets. Almost half of the survey respondents said their budgets would increase this year, with more than one out of five saying the rate of increase would be in the double digits. That's a faster increase than the overall IT budget. More security execs are being granted more financial autonomy too. That signals that security heads are being granted more responsibility, a key ingredient to raising security's strategic profile in the organization.

However, the vast majority of companies worldwide—almost 64 percent—still have not created C-level security positions such as chief security officer or chief information security officer.

Managing security strategically, and at the executive level, may make sense in theory but is increasingly looking like a moot point in the boardroom.
"We need proof strategic security planning works to convince the business side of the organization to make a seat for it at the executive table," you may say.

The good news is that the survey contains that proof: Organizations that reported that their security policies and spending are aligned with their business processes experienced fewer financial losses and less network downtime than those that did not. Sounds like the making of a value statement.

II. The Wild, Wild East

India lags far behind the rest of the world in instituting even the most basic information security practices and tools. With the subcontinent claiming status as the outsourcing partner of choice for the biggest IT powerhouses in the world (49 percent of all offshore outsourcing implementations are located in India, with up to 90 percent of worldwide outsourcing revenue going to India, according to Duke University and Ciber/Archstone Consulting), these findings should be a source of considerable concern.

The widespread absence of even the most routine security tools (patch management, content filters and access control software) and policies (secure disposal of hardware, business continuity plans, setting security baselines for outside business partners) has left many Indian companies vulnerable to serious attack and the inevitable financial losses that follow. Extortion, fraud and intellectual property theft occurred last year at one in every five or six Indian companies—rates that are double and even quadruple those of the rest of the world. Nearly one in three Indian organizations suffered some financial loss because of a cyberattack last year, compared with one out of five worldwide and one out of eight in the United States. "You cannot take information security for granted in India," PwC's Lobel warns.
While the survey does not identify companies by name, and most likely does not represent the security practices and levels of the popular Indian outsourcing companies, Lobel suggests taking a cautious tack before jumping into an outsourcing relationship. The first step companies should take when considering outsourcing work to India is to verify that an Indian-based unit's security processes and policies are of the same caliber as its U.S. unit.

Second, Lobel suggests conducting a risk assessment of the Indian unit's security practices. Even if an Indian organization says that it follows a familiar, specific security practice, don't presume the organization defines the practice the same way that you do. "Conducting background checks may mean something entirely different in India than it does here," Lobel points out. Find out exactly what the practice involves.

Indian security officials have their work cut out for them, but they do say they plan to work to harden information security. Indian organizations lead their foreign counterparts (sometimes by a significant amount) in deploying new security measures and policies. And they're not just tactical. A substantially larger percentage of Indian companies (nearly double the rate worldwide) reported plans to hire a C-level security executive this year. Whether the Indian organizations are able to follow through and begin to reduce the security gap is something that should show up in the 2007 survey. Stay tuned.

III. The Strategy Gap

When an individual thinks he doesn't have enough information on which to base decisions, or as many resources as he believes he needs and, for the most part, he's not part of the planning process, what does he do? Typically, he falls back on what he knows best. For information security executives, that means focusing on technology—on tactics, not strategies.
Perhaps not coincidentally, this year executives are shifting from more strategic security practices toward more traditional technology practices (compared with last year's results). In 2005, for every one technology item on the security executive's to-do list, respondents mentioned four process fixes. This year, that ratio is nearly 1-to-1. In all, of the top dozen items on the 2006 security to-do list, seven can be described as a technological fix. Among the top five are some of the more routine and easy security measures, including data backup, network firewalls, application firewalls and instituting user passwords. That explains why the percentage of companies reporting they have an overall strategic plan in place was unchanged at 37 percent.

At the very least, some of the shifts are perplexing. Dropping from the top spot in 2005 to fourth place this year is the development of a business continuity and disaster recovery plan. That's a surprising result given Hurricane Katrina's reminder of the importance of such plans.

But news coverage about disasters and security breaches may not be a driver for security investments. Our prediction that last year's 10th item on the information security to-do list—spending on IP protection—would move up because of the sharp increase in high-profile identity thefts and the increase in the amount of digitized content (such as iTunes) did not come to pass. IP protection didn't even make the 2006 top 10 list. Even some of the simpler and less costly strategic security practices dropped. Conducting employee awareness training dropped from second to a tie for 10th on the priority list. The kicker here is that designing an overall information security strategy—fourth on the list last year—didn't make the 2006 list. What's happening? Why has strategic planning for security become an afterthought?
One answer may be that in an information vacuum (information security executives report that they are unsure of their budgets, where attacks have come from and where they will find people with the skills they need), short-term solutions seem more prudent than long-range ones. Sony's Spaltro offers a more fundamental reason: Information security managers have what he calls "dings" coming into the job. They speak geek. Their bosses don't. "I tend to open meetings with executives by reminding them that security is a business decision and everything we do from cameras to encryption to information classification is a decision that the business makes to protect its assets, and I don't own that decision," Spaltro says. "I'm there to be the bridge between the technology and the risk that they face and help them to make decisions, but in the end it is really for them to tell me what to go execute."

For information security to be most effective, aligning the technological processes with the organization's strategic plan is critical. Companies that make security part of their strategic plan, Lobel says, have fewer breaches, lower financial losses and the fewest network downtimes.

IV. Compliance—Time to Get Tough

As was the case last year, a surprising portion of survey respondents admitted that they're not in compliance with the information security laws and regulations that govern their industries.

That includes high-profile laws that have been on the books for years. More than one-quarter of U.S. security execs who said their organizations need to be compliant with HIPAA, the eight-year-old law that requires health-care organizations to protect patient information, admitted that they are not.

Rules? What Rules?

U.S. organizations still ignoring security and privacy laws...

Percentage of U.S. organizations admitting they need to be in compliance with a specific law, but are not

Regulation                                         2005   2006
California database breach notification act         15     15
Sarbanes-Oxley                                      38     28
HIPAA (healthcare respondents only)                 38     40
GLBA (financial services respondents only)          17     14
Other state/local privacy regulations               10     32

...but international colleagues are negligent as well.

Percentage of non-U.S. organizations admitting they need to be in compliance with a specific law, but are not

Regulation                                                   2005   2006
Australian Privacy Legislation (Australia respondents)        48     50
CNIL (France respondents)                                     35     42
Data Protection Act of 1998 (U.K. respondents)                24     31
European Union Data Privacy Directive (Europe respondents)    45     45
Canadian Privacy Act (Canada respondents)                     38     30

Noncompliance runs broad and deep in all industries, and ignorance of applicable law is a big factor. Nearly one in five U.S. survey respondents said they should be but are not in compliance with California's 2002 security breach law, which requires companies to notify individuals if an unauthorized person obtains access to their private information (such as credit card numbers). But only 22 percent of all U.S. respondents said the law applies to them. However, given that the law applies to any organization that has even one California resident as a customer, student or client—more than one in 10 Americans—a good portion of the 78 percent of enterprises that think the law does not apply to them are likely wrong. Similarly, it would have been hard over the past four years to miss the requirements of such laws as Sarbanes-Oxley and Gramm-Leach-Bliley. Still, more than one-third of all U.S. respondents said they are not in compliance with Sarbanes-Oxley even though they should be, and more than one out of seven said they were not compliant with Gramm-Leach-Bliley.
That's a slight improvement from last year, but considering the stiff criminal penalties for not complying, many executives seem to be leaving themselves open to lawsuits and possible prison terms and exposing their enterprise to fines. And this is not simply an American phenomenon. Half of Australian organizations surveyed admitted to not complying with their country's privacy legislation. Almost a third of U.K. respondents said they do not comply with their country's eight-year-old Data Protection Act, and nearly one-third of stereotypically law-abiding Canadian organizations do not comply with their nation's privacy act.

At the root of this may be a lack of enforcement. To date, the cost of noncompliance is not as high as the expense of complying—the price of labor, hardware and software. In the absence of penalties, security executives have not been able to mount a business case for compliance. Add to that the fact that despite high-profile security breaches and lost laptops over the past year, the actual damages and ID thefts that can be directly tied to the incidents are small, says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies in Washington, D.C. "People may have a sense that they are not as vulnerable as they used to be," he says, and so not complying with laws is perceived as less risky.

If security is to improve, security laws need more teeth. And that applies to an organization's own rules as well. Survey respondents reported that more than two-thirds of users are compliant with their organization's security policies, a statistic that has remained unchanged over the past three "Global State of Information Security" surveys.
One of the most critical factors for reducing network downtime is compliance with an organization's security rules, Lobel points out, but that requirement isn't even in Control Objectives for Information and Related Technology (COBIT), the bible for IT governance.

Lobel suggests organizations assign penalties for not complying with their own security policies. But make sure, he adds, that the penalty matches the infraction. "You may not want to terminate someone who puts passwords on yellow sticky notes," Lobel says, "but there have to be some consequences."

V. The Best and Brightest

Last year we highlighted the financial services sector as possessing the best information security practices, and this year that industry once again leads all others in integrating information security with strategic operations.

Companies in the financial services sector—banks, insurance companies, investment firms—are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprisingly, financial services companies also have deployed more information security technology gadgets, such as intrusion detection and encryption tools, and identity management solutions.

It's obvious, therefore, that financial services organizations are far more likely—almost twice as likely, in fact—to have an overall strategic security plan in place.
Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.

The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists. Protecting the money is the industry's most critical concern. The past few years have seen a sharp increase in cybercrime (phishing, identity theft, extortion and spyware, to name a few). Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization.

Financial services companies are more likely than enterprises in other industries to use ROI to measure the effectiveness of security investments (29 percent versus an average of 25 percent), and they also are more likely to use potential impact on revenue to justify investments (36 percent versus an average of 27 percent). These arguments work. More financial services companies saw a double-digit increase in their 2006 security budgets than those in any other sector. Regulation plays a part too. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices. Following this line of reasoning about regulatory compliance, one would think that government, health care and education—all highly regulated and entrusted with securing private information—would match the financial sector in instituting strategic security practices. One would, however, think wrongly.
According to the survey, government, health care and education, despite their responsibility for protecting the personal information of hundreds of millions of citizens, patients and students, are less likely than finance to follow the best tactical and strategic security practices. The government and health-care sectors, for the most part, lead other sectors in following and instituting information security policies and moving to become more strategic. But the two sectors are well behind financial services. Only 42 percent of government entities report having an overall security strategy, compared with 56 percent in the financial sector.

The education sector is even farther behind in developing, following, and deploying information security practices and tools. Educational organizations find themselves in this position even after highly publicized network break-ins, including those at San Diego State University and most recently at Ohio University, which exposed students' and their families' data, including home addresses, Social Security and credit card numbers, and tax information.

In fact, the education sector suffers more negative security events (viruses and worms, denial-of-service attacks, identity thefts, unauthorized entries and trafficking in illicit data), more network downtime and more downtime that lasts for many days than what the average respondent worldwide experiences. And the security future doesn't look bright for the educational sector either. A smaller portion of educational security respondents than most other sectors said they plan to hire a C-level security leader, conduct background checks of new hires, start checking if networks are compliant with security policies, conduct or institute employee security awareness programs or install encryption tools—just to name a few.
Educational organizations are sticking to more mundane and tactical security fixes: installing firewalls, backing up data and deploying network security tools. It's relatively easy to predict that the education sector's security outcomes will not improve significantly in 2007.

VI. Dancing in the Dark

You know your information security strategy is working when the number of successful breaches is low, the amount in financial losses is negligible and network downtime is kept to a minimum. Unfortunately, a large percentage of security leaders worldwide have no idea if their security plans are working because they don't know any of these numbers.

From 2003 to 2005, the percentage of survey respondents saying they had fewer than 10 negative information security incidents in the past year remained steady. But this year, we included the option to answer that you do not know how many negative security incidents occurred. This year, nearly one-third of respondents admitted that they do not know how many breaches or unauthorized access events occurred within their organizations.

To a certain extent, that's understandable. Attacks can be hard to identify, and networks can be extensive. What's less comprehensible is that a significant portion of respondents said they have not installed some of the most rudimentary network safeguards. Only one-third of respondents have put in place patch management tools or monitor user activity. Fewer than half use intrusion detection software or monitor log files (the two best methods organizations can employ to detect breaches), and even fewer use intrusion prevention tools. Surprisingly, more than 20 percent of respondents don't even have a network firewall.

Installing a firewall is easy. If a significant number of respondents haven't even done that much, it shouldn't be surprising that many more are struggling with the hard stuff. It's hard to quantify attacks and what's lost because of them.
First, just understanding what constitutes an incident can be confusing. "Is having spyware on your computer an incident?" Sony's Spaltro asks. "Some may not think so, but we treat it as such." Second, the ability to track, record, correlate and communicate up the executive chain is lacking in most organizations. For the fourth consecutive year, there was an increase in the percentage of respondents throwing their hands up and saying they have no idea how much money their companies lost due to attacks. It's now up to 50 percent.

"How do you calculate the loss of intellectual property or the damage to a corporate reputation?" Lobel asks. "Very smart people have a hard time agreeing on the value."

But until the security department can put a credible dollar figure on what the company is losing because of poor security, the boardroom isn't going to listen to security executives asking for more money to spend on technology or on skilled security workers (cited as the top resources needed to improve security). The CEO wants to know how security affects shareholder value. But answering that would require a strategic overview and, as we have already seen, security professionals, by and large, don't have one. At least, not this year.