Not to be alarmist, but WAKE UP, PEOPLE! Our information security is, in many ways, failing.
Our Full Survey Results PDF
From CSOonline.com: Ways to Maximize Your Security Budget
Ask the 11 alleged hackers charged in August with breaking into TJX and other retailers by way of insecure Wi-Fi. Forty
million credit and debit card numbers were stolen. Ask the Medicaid claims processor at the outsourcer EDS. In February she
pleaded guilty to stealing Social Security numbers and dates of birth, and selling them for use on fake tax returns. Ask the
courier hired by the University of Utah Hospital to take backup tapes to offsite storage. One day in June, he used his own
car instead of his company’s secured van. The tapes, containing billing data for 2.2 million patients, were stolen from his
Or you could, as we did, ask 7,097 business and technology executives worldwide about their security troubles. In this, our
sixth year of conducting the “Global State of Information Security” survey with PricewaterhouseCoopers, we got an earful
about the challenges, worries and wins in security technology, process and personnel.
Quantifying returns on information security projects can be a struggle, often because it’s hard to put a dollar value on a
crisis averted. This year, a bad economy forces decision makers to squint even harder at proposals. Even so, survey results
show companies are buying and applying technology tools, including software for intrusion detection, encryption and identity
management, at record levels. That’s pretty good news.
However—and this is serious, folks—too many organizations still lack coherent, enforced and forward-thinking
security processes, our survey shows. While 59 percent of respondents said they have an “overall information security
strategy,” that’s up just two points from last year and it’s not enough, says Mark Lobel, advisory services principal at
PricewaterhouseCoopers. Two elements, Lobel says, correlate with lower numbers of security incidents: having a C-level
security executive and developing the aforementioned security strategy. But disappointing numbers piled up this year. (For
additional stats see “The Global State of Information Security.“)
For instance, 56 percent of respondents employ a security executive at the C level, down 4 percent from last year. You comb
network logs for fishy activity, but just 43 percent of you audit or monitor user compliance with your security policies (if
you have them). This is up 6 percent from 2007, but still “not where we need to be,” Lobel says.
As a result, security is still largely reactive, not proactive. More-sophisticated organizations will funnel data from
network logs and other monitoring tools into business-intelligence systems to predict and stop security breaches. So along
with encryption fanatics and identity management experts, an infosec team needs statisticians and risk analysts to stay ahead
of trouble and keep the company name off police blotters.
Still, while our survey illuminates continuing problems, in discovering the problems, we also see a path to safer data for
companies that, yes, apply technology but also develop processes and make them part of everyone’s everyday work. So it’s not
all grim. What we have to do now is examine our failings, then act.
The Big Picture: Technology Reigns
Money really is power, isn’t it? When asked to indicate any sources of funding for information security, 57 percent of survey
respondents named the IT group and 60 percent cited functional areas such as marketing, human resources and legal as major
providers. Just 24 percent indicated a dedicated security department budget.
With the IT group a strong force, technology becomes the answer to many security questions. To someone with a hammer,
everything looks like a nail, according to the old saw. Divert potential phishing attacks with spam filters. Stymie laptop
thieves by encrypting corporate data.
If there’s a security tool out there, our survey pool uses it.
Companies have realized they must do a better job disposing of outdated computer hardware, for example, wiping disks of data
and applications. Sixty-five percent of respondents now have tools to do that, up from 58 percent last year. More
organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other
media. Use of intrusion-detection software also is up: 63 percent this year compared with 59 percent last year. And
installing firewalls to protect individual applications, not just servers and networks, increased to 67 percent from last
year’s 62 percent.
That’s good stuff.
Despite these technology-oriented gains, though, disturbing trends continue in the areas of security processes and
personnel—some negate any protection an IT budget can buy. For example, encrypting sensitive data
makes good sense, but such technology can’t stop an employee from flouting policies concerning how that data should be
If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your
nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to
secure information, says Dennis Devlin, chief information security officer at Brandeis University. Devlin reports to
Brandeis’s vice president and provost for libraries and information technology.
Criminal activity becomes the focus of a lot of what we do in information security. Lock down the Wi-Fi to keep out the bad
guy. (Got that, TJX?) But well-meaning people who make bad decisions inflict untold numbers of security incidents upon us,
Devlin says. He’s seen it at Brandeis, since joining last year, and at Thomson Corp., now called Thomson Reuters, where he
was chief security officer for seven years.
For example, employees sometimes fall for e-mail scams and open attachments that unleash malicious software such as
key-stroke loggers that record passwords and rootkits that take control of operating systems. Devlin says the job of security
managers is to teach self-defense. Rather than warn employees to watch out for the latest e-mail scam bearing a specific
subject line, for example, the idea is to teach people broader lessons about the risks of clicking on unfamiliar URLs,
opening attachments or handing over Social Security numbers to anyone online, he says.
“It’s not possible with technology to protect every individual from every possible security risk,” he says. “Our job is to
teach people to think the way we think.”
Like Brandeis, more organizations seem to be trying that. This year, 54 percent of survey respondents said they provide
employees with security awareness training, up from 42 percent last year.
But there’s plenty of work to do. Just 41 percent of those surveyed require employees to undergo training on the corporate
organizations—slightly higher than last year—don’t take the simple step of posting their privacy policies on
their internal websites.
Furthermore, what’s taught at many organizations provides only a veneer of security, namely, compliance with government or
Regulations such as the Health Insurance Portability and Accountability Act for medical data, Sarbanes-Oxley for financial
data and the Payment Card Industry standard for credit card data continue to move executives to action. The threats of fines
and jail time tend to do that. For example, 44 percent of respondents say they test their organization for compliance with
whatever laws and industry regulations apply, up from 40 percent last year; 43 percent say they monitor user compliance with
security policy, a healthy increase from last year’s 37 percent. Assessing internal risks to compliance is something 55
percent are doing, up from 49 percent.
But let’s not pass around attaboys too quickly. Note that even with such positive steps, those numbers are far from 100
percent. Many organizations aren’t doing much beyond checking off the items spelled out in regulations—and basic
safeguards are being ignored, says Karen Worstell, a managing principal at the consulting firm W Risk Group, former chief
information security officer at Microsoft, and former CISO and VP of IT risk management at AT&T.
Adhering to regulations and standards doesn’t amount to thorough security policy, Worstell says, for many reasons. For one,
organizations can sometimes pass compliance audits simply by writing up policies, without demonstrating how they adhere to
them. Other times, the standard or regulation may have holes.
PCI, for example, mandates that a firewall be installed to protect cardholder data. But Worstell says the standard doesn’t
address whether a company has processes to ensure that once a piece of technology is installed, it’s regularly upgraded or
monitored to see how effective it is. “If security stops at PCI, that’s not enough,” she says. Hannaford Supermarkets
experienced the theft of customer credit and debit card data from December 2007 to last March, a period when the grocery
chain was certified compliant with PCI, “the highest security standards required by the credit card industry,” the company says.
Neither is it enough if security monitoring stops within your own four walls. But that’s exactly what’s happening. A dirty
secret uncovered in this year’s poll reveals that companies don’t know, and apparently don’t care to know, what happens to
their data once they hand it to another company. Get ready to be disturbed.
Outsourced Out of Sight, Security Out of Mind
Here’s one of the most worrisome of our findings this year: A skimpy 22 percent of respondents keep an inventory of all the
outside companies that use their data.
If that isn’t enough to make you wince, we’ve got more. Just 37 percent of our survey respondents require third parties
handling the personal data of customers or employees to comply with their privacy policies. Even fewer—28
percent—perform due diligence of those third parties to understand how or whether they safeguard information. Yet 75
percent of respondents profess at least some level of confidence in the effectiveness of their partners’ security. Isn’t that
Yet due diligence on any outsiders that handle your data is more important than ever as companies parcel out corporate work
of all sorts to third parties, says Tom Bowers, managing director of Security Constructs, an industry analysis firm
specializing in trade-secret protection technologies. In that respect, pharmaceutical companies can teach other industry
verticals a great deal, he says.
Bowers was senior manager of global information security operations at Wyeth Pharmaceuticals for seven years before starting
Security Constructs. Bowers’s security group subjected potential Wyeth business partners to detailed scrutiny of their
security practices. He had to. “We were responsible for protecting intellectual property no matter where it sat. Here or with
an outsourced clinical trials company in Dublin. Wherever.”
Ken Harris, CIO at Shaklee, says every company should make sure its outsourcers have the same security as its own—or
better. “You vet the security and disaster recovery of your outsource providers in the same way you would vet your own
operation,” he says, adding, “It does take time and resources.”
Companies skip this security check, though, because it’s expensive and time-consuming, says PwC’s Lobel. Checking out a
partner’s security and privacy practices would take at least one full-time employee at least two days for the smallest
company, he estimates. “A large company may have literally thousands of partners,” he says.
Not Just Systems
Where data is and where it’s going constantly worries information security managers. Thirty-eight percent of the managers we
surveyed said they experienced one to 49 security events in the past year, and another 35 percent say they don’t know whether
they have been hit. Those figures are close to last year’s results.
Among those in our survey who experienced incidents, 39 percent found out about them via server or firewall logs and 37
percent used intrusion detection or prevention systems. But a significant number—36 percent—say a colleague clued
them in. These figures reflect an unchanging trend showing that the human element is just as important as any technological
one when it comes to good security. More evidence of the need for diligent and repeated employee training.
Investing employees with responsibility for keeping data correct and protected is the best way for a company to guard against
security threats, says Tim Stanley, CISO at Continental Airlines.
Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has “top secret,”
“secret” and “confidential” ratings, but Continental’s designations will be more granular and dynamic, using tiers and
subsets of tiers. Thinking this way vaults Continental ahead of most companies. Just 24 percent report that classifying the
business value of data is part of their security policies. While 68 percent classify their data according to risk level, at
least periodically, 30 percent don’t ever do it.
The complexity of such a project explains the low numbers, Lobel says. “Doing this project is a lot of effort, and unless
there’s a regulatory need for it, many don’t do it.”
Stanley expects the project to take three or four years. “Anything that keeps planes in the air and money coming through is
Tier 1,” Stanley explains. That would include information about crew scheduling, and cargo and fuel needs, as well as credit
card processing information. Tier 2 or 3 is still important to protect, but not critical to keeping planes aloft, for
example, providing employees access to their 401(k) accounts.
Security technology and procedures will correspond to the risk and tier level in which a given piece of data falls, as
defined by the data owner. Tier 1 might mandate twice-a-day backups and two-factor user authentication, he says. “I can
expend my resources more appropriately to our data’s value and therefore save the company money,” he says. “Stop spending $10
to protect $5 worth of data.” Music to an airline CEO’s ears, no doubt.
Which Brings Us
Back to Money
With security budgets averaging $1.7 million, an optimistic 44 percent of those surveyed said their information security
spending would increase this year, while 4 percent expected a decrease. Where will the money go? We see glimmers of hope.
Top priorities in the coming year include hiring information security consultants and hiring a chief information security
officer. Respondents also plan to develop security procedures for handheld devices and create an identity management
strategy. They expect to invest in technologies, including biometrics, to tighten access to sensitive data, as well as in
data-leakage prevention and security event correlation tools to start analyzing what works and what doesn’t on which kinds of
These steps, Lobel says, will get companies closer to a comprehensive security strategy. Already, he notes, 40 percent of
organizations use security as a marketing point, usually soliciting business on the grounds that they protect customer data
better than their rivals. “But it’s only a competitive advantage if it works, if it’s good security.”