The threats and challenges you face haven’t changed much in the past year, but you’re finding a better recipe for protecting your corporate data and networks, according to our eighth annual Global Information Security Survey.

“There’s a real sense of tension in this year’s numbers; a sense that with the change in the economy there’s been a resetting of expectations,” said Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers, which conducted the study on behalf of CIO and CSO magazine, a sister publication.

Of the 12,847 business and technology executives surveyed worldwide, 67 percent place a priority on security procedures that help your organization minimize risk. But you realize you must make do with more targeted spending on technology and bring in outside security expertise to manage what your IT staff can’t. Here’s why:

You want to embrace cloud computing because it makes your IT operations leaner and less expensive. But your understanding of cloud security hasn’t advanced much in the last year. You have to be cautious.

Your customers want to spend their money online and use fancier apps to do it—and on mobile devices, too. So you have to guard against vulnerabilities attackers can exploit to steal your customers’ private data and other core assets. What’s more, government and industry regulations often require such protections. Meanwhile, increasingly complex business relationships are forcing you to give outsiders greater access to your internal systems. You need protection from an attack against a business partner that might spill over to your network.

The financial meltdown two years ago may have stalled some of your security initiatives, but 56 percent of you said increasing risks have elevated the role and importance of security at your company. There’s no turning back from what you’ve started.

Caution in the Cloud

Sixty-two percent of you have little to no confidence in your ability to secure any assets that you put in the cloud. Even among the 49 percent of respondents who have ventured into cloud computing, more than a third (39 percent) have major qualms about security.

Asked what they think is the greatest risk to their cloud computing strategy, respondents said they were uncertain about their ability to enforce security policies at a provider site, and were concerned about inadequate training and IT auditing.

James Pu, CIO for the Los Angeles County Employees Retirement Association (Lacera), is among the skeptics. He says he loves the flexibility and agility cloud computing could provide, but he’s wary of the inherent availability and security risks.

“As good as it is today, you don’t have the same reliability as you have with a local-area network,” says Pu, who does double duty as Lacera’s information security officer. “I also worry about the third parties involved.” Cloud vendors, he notes, use third parties to host data centers and hardware. And those hosts may hire people without doing necessary background screening. “When data goes into the cloud,” Pu says, “all it takes is a software bug to accidentally reveal my data.”

Larry Bonfante, CIO of the United States Tennis Association (USTA), on the other hand, is among those IT leaders who are cautiously moving to the cloud. From a security standpoint, his greatest concern is protecting consumer data—a tall order given that, for example, approximately 80 percent of tickets for U.S. Open matches are purchased online. He isn’t ready to let those transactions happen in the cloud yet because he is not convinced that all the technological pieces are in place to do it securely. But he feels differently about his back-end financial and reporting systems.

He’s moved all internal back-end systems to the Amazon Web Services platform, believing that Amazon’s security resources will supplement those of his own organization. Bonfante says the benefits include lower costs and fewer servers for his IT staff to baby-sit, which has allowed him to deploy new solutions more quickly. He says the cloud has also reduced the USTA’s carbon footprint: less on-site hardware means less energy is used to power the IT shop.

Before cloud computing can become universally accepted as a secure option, a few things have to happen, says Ken Pfeil, CSO for a large mutual fund company in the Boston area and formerly CSO for financial companies Capital IQ and Miradiant. (Pfeil spoke for himself and asked that his current company not be named.)

First, he says, security experts must come up with more specific guidelines for which kinds of data are acceptable to store in the cloud, be it customer information or intellectual property. He also wants clarification from regulatory agencies such as the Securities and Exchange Commission as to how financial reporting controls should work in the cloud.

He’s not satisfied that those questions have been answered, especially when it comes to the kinds of financial data that can go to the cloud. Therefore, his company is avoiding it for now.

Keeping Tabs on Business Partners

You still have a choice as to whether to trust cloud vendors to manage your data. Your relationship with business partners is more complicated.

Survey respondents are somewhat more concerned than they were last year that their own security is threatened because the security of business partners and suppliers has been shaken by the recession. More than three-fourths (77 percent) of respondents agreed that their partners and suppliers had been weakened by the recession, up from 67 percent a year ago.

“Companies are increasingly dependent on third parties whether they like it or not, and those partners need access to your IT infrastructure and your data,” Lobel says. “That’s tough when times are good and scary when times are bad.” Facing their own business problems, third parties need to cut costs just like you do, and they may slash security controls in the process, he says.

Josh Jewett, senior vice president and CIO for Family Dollar, says the company has taken steps to ensure business partners don’t compromise its security. “We hold third parties accountable not only contractually, but also operationally,” he says. “They must demonstrate they meet the same security standards we have internally.”

Family Dollar’s partners are also subject to periodic scrutiny by the company or an independent auditor. If their practices jeopardize the company’s data or business continuity, it has the contractual right to terminate the relationship.

Similarly, Lacera’s Pu, who is also a certified IT auditor, borrows a tactic President Ronald Reagan used to enforce nuclear arms treaties with the former Soviet Union: trust but verify. “Third parties are often required to put their security procedures on paper, but there is never the follow-up to verify. We check up on them,” Pu says. “We ask vendors a lot of questions and we limit what they can access. When they come in, we make sure they are escorted.” What’s more, business partners aren’t allowed to connect computers to Lacera’s networks without using approved security measures, and they must abide by clear rules governing how data can be used.

If any data or applications are not relevant to a business need, partners don’t get access to them. The data or application must be directly tied into whatever initiative—such as an event—the two sides are working on together, Pu says.

Bonfante feels much the same way about giving business partners access to his systems. Financial applications are locked down. Partners also can’t access parts of the network where customer data is housed. Under those conditions, he feels pretty safe about sharing other parts of the network.

“There’s always some concern, but we work with our partners to ensure things like encryption and password protection” are used, he says, adding that data flowing between USTA and its partners is encrypted. That way, it’s indecipherable and therefore useless to a rogue outsider who tries to access it.

Pfeil says that to ensure secure business partnerships, companies need to get security personnel involved before business leaders choose who will provide third-party services. Security experts will eye potential partners’ security controls more carefully than, say, the events and marketing people who identify and pursue these partners. Security practitioners are also more likely to insist that partners give each other a detailed tour of their security operations.

Like Jewett, Pfeil is a stickler for cut-and-dried contract terms. “Security must be in the language. How will authentication be handled? How will data be handled in motion and at rest? Which side is responsible for which controls? You must answer all these questions,” he says.

In Outsourcers We Trust

Companies may put business partners’ security under scrutiny, but many IT and business leaders acknowledge they can’t always keep that information secure internally—at least not without help from outside experts.

More than half (52 percent) of survey respondents said that outsourcers, also known as managed security service providers (MSSPs), are important or very important to accomplishing their security objectives. Another 19 percent said outsourcers play some role. Meanwhile, more than 30 percent cited outsourcing of some or all security functions, such as e-mail filtering and management of application firewalls, as a top priority in the next 12 months, up from 18 percent a year ago.

While these numbers don’t represent a tidal wave of change since last year, Lobel says they do signal a shifting of the winds.

The greater interest in outsourcing “is an outcome of the cut in IT services,” he says. For example, companies are no longer as willing to pay someone in-house to monitor security operations overnight when a vendor can do it for less. “The cost of doing a bad job in-house is cheaper than what vendors will charge you, but the cost of doing security really well in-house is more expensive than what vendors will charge,” Lobel says.

Companies realize it’s better to put security in the hands of those who are immersed in it, says Warren Axelrod, a former CSO and author of the book Outsourcing Information Security. “If you need surgery, you would rather go to a surgeon who does five of these procedures a day instead of one a month.”

More than 30 percent of survey respondents are making outsourcing an important priority so they can establish security safeguards that aren’t currently in place, including functions such as e-mail filtering and penetration testing. Meanwhile, 60 percent said they already outsource the secure disposal of technology hardware and 59 percent said they’ve delegated administration of password resets. In the areas of strategy and standards, 32 percent said they have outsiders helping them establish security baselines for external partners, suppliers and other IT vendors. Twenty-four percent outsource their centralized security information-management procedures.

Family Dollar’s Jewett says his company has hired a variety of service providers to execute and audit portions of its security program. He declined to go into detail about which items he outsources and why, but he says the company bases such decisions on the following criteria: its own assessment of internal skills and resources, the relative cost of outsourcing versus keeping the work in house, the need for segregation of duties, and risk assessments.

Without a dedicated IT security team at USTA (the function is among the responsibilities of its director of technology and operations), Bonfante relies on MSSPs to handle such tasks as Web monitoring and filtering, e-mail scanning and storage surveillance. He expects to outsource additional security functions in the coming year, though he’s not ready to outline specifics.

Pfeil says successful information-security outsourcing depends on CIOs understanding the vendor’s expertise. Failing to scrutinize a vendor’s specialties is an obvious, yet common, mistake. “Companies have to carefully review the specialty areas and also take the time to investigate the track record of a company they’re thinking of going with,” he says. Not every MSSP handles every type of security need. Just because a provider has a big name doesn’t mean it’s the best fit for your company, he cautions.

Once you do hire an outsourcer, it’s important to establish service-level agreements (SLAs) that define, for example, the number of incidents per month the MSSP needs to be able to spot and a game plan for dealing with those incidents. One provision Pfeil requires in any SLA is a timetable dictating when the MSSP must notify the company of suspicious activity.

“We need to be notified within 10 minutes of this type of event, four hours for that kind of event,” Pfeil says. You also need meaningful penalties associated with failure to meet the deadlines, he adds. “If we see you not meeting agreements, I don’t pay my bill.”

The Way Forward

Our survey shows that despite the recent economic conditions, companies aren’t making drastic cutbacks in security. In fact, most of you neither cut nor deferred security expenditures. Looking ahead, 52 percent expect security spending to increase at least 10 percent in the next year; 9 percent plan to increase their spending by more than 30 percent.

Lobel notes that projected spending increases are never a given. Companies may approve a budget but wait until the last minute to free up the money because of continued economic uncertainty. But he expects to see a continuing increase in demand for better security as companies feel the pressure of regulatory compliance just as they offer more services online.

“There is pent-up demand for investments in things like application and mobile security,” Lobel says. “When they green-light the actual spending, you’ll see things really take off.”

When that happens, global IT security will take another step forward.

How We Got the Numbers

By Research Manager Carolyn Johnson

The Global Information Security Survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from February 19 to April 30, 2010. CIO and CSO print and online readers and clients of PricewaterhouseCoopers from around the globe were invited to take the survey. Results are based on responses from 12,847 security and IT professionals from more than 100 countries. The largest share of respondents—37 percent—were from Asia, followed by Europe (30 percent), North America (17 percent), South America (14 percent) and the Middle East and South Africa (2 percent).

Follow Senior Editor Bill Brenner on Twitter: @BillBrenner70.