A new security survey shows organizations are strong on infrastructurer but are weak on monitoring and enforcement. Whilst India improves information security safeguards, China leaves room for improvement.

Organizations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies according to the 5th annual Global State of Information Security Survey 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers.

The study, which is the largest of its kind, represents responses of 7,200 IT, security and business executives in more than 119 countries across all industries. Results show India has made major gains since 2006 with information security practices and safeguards while China lags behind the rest of the world in almost all privacy safeguards.

Other findings show that IT is taking budgetary control in 2007, with the majority of information security budgets now coming directly from the IT department. Additionally, data breaches are driving privacy concerns, but encryption of data at rest remains a low priority despite it being the source of many data leakage issues.

According to the survey, the majority of organizations now have a CSO or CISO in place (60 percent in 2007 vs. 43 percent in 2006), as well as an overall information strategy (57 percent in 2007 vs. 37 percent in 2006), and results show the majority are also heavily invested in technology safeguards such as network firewalls (88 percent), data backup (82 percent), user passwords (80 percent), and spyware (80 percent).

However, the investment of time in practical measures remains low. For example, sixty-three percent of respondents state they do not audit or monitor user compliance with security policies, and less than half (48 percent) measured and reviewed the effectiveness of security policies and procedures in the last year.

"Clearly, there is greater awareness of the threats, as well as the tools and safeguards available to offset threats and protect against attack. But sound infrastructure is only half of the solution," says Mark Lobel, a principal in the Advisory practice of PricewaterhouseCoopers. "Security leaders and practitioners need to create and enforce internal policies in order to help ensure appropriate use and protection of corporate information systems."

The study also reveals most companies do not document enforcement procedures in their information security policies. Less than one-third (31 percent) include enforcement mechanisms while only 28 percent include collection of security metrics.

"Uncertainty about the business value of security investments will continue to be high as long as companies fail to monitor user compliance or measure the impact of information security safeguards," says Lobel.

It takes the lead
Improving internal protocol and alignment of security spending to business objectives will likely fall to IT leadership in the coming years. Survey results show the majority (65 percent) of information security budgets now come directly from the IT department, a jump from only 48 percent in 2006.

Other department budgets for information security are down this year, including compliance/regulatory (9 percent in 2007 vs. 18 percent in 2006), finance (15 percent in 2007 vs. 19 percent in 2006), and other business lines (4 percent in 2007 vs. 18 percent in 2006). Additionally, security reporting and IT bounced back for the first time in four years with survey results showing more split reporting lines and security reporting to multiple departments.

"Specifically, this is a check-all-that-apply question that shows security is now reporting to more than one master," explains Lobel. "We see more security practitioners reporting to the CIO (38 percent in 2007 vs. 33 percent in 2006) and CTO (15 percent in 2007 vs. 6 percent in 2006). We also see more security executives having multiple reporting lines including risk and the CFO — 6 percent to 9 percent and 7 percent to 11 percent respectively."

"There are several theories as to why this shift is happening," says Scott Berinato, Senior Editor of CSO magazine. "One of the predominant theories is that companies tried spinning off information security to other functional areas, but it didn't work."

Gaps in alignment of security spending to business objectives
Currently there are gaps in the alignment of security spending to business objectives. According to the survey, only 30 percent of respondents report their organization's information security policies are completely aligned to business objectives, and even less (22 percent) believe security spending is completely aligned.

This is up only slightly from 2006 when 28 percent of respondents reported their security policies were completely aligned with business objectives. And although 42 percent of respondents report regulatory compliance has significantly increased security spending, 58 percent report they do not link security—either through organizational structure or policy—to privacy and/or regulatory compliance.

"Gaps in alignment of security policies and spending to business objectives will shrink when compliance practices become more tightly aligned with broader risk management objectives," says Lobel.

Interestingly, the study also reveals a lack of agreement between CEOs, CIOs and CSOs on security priorities and spending. For CEOs and CIOs, business continuity and disaster recovery are the top priorities for information security spending. However, for CISOs, the number one priority is regulatory compliance.

Ironically, given the common business objective of lowering risk, most respondents (78 percent) report their organizations do not continuously classify data and information assets by risk level. Seventy-three percent do not include classifying the business value of data in their security policy.

Privacy high profile but not necessarily high priority
Other survey results show privacy continues to be high profile but not necessarily high priority for security executives. Most companies report gains in privacy safeguards however there are a few key areas in which companies still tend to be weak. Only one-third (33 percent) of respondents keep an accurate inventory of user data or the locations and jurisdictions where data is stored.

Similarly, only one-quarter (24 percent) keep inventory of all third parties using customer data. Encryption of data at rest also remains a low priority even though it is the source of many data leakage issues. Less than half of respondents report encrypting data residing on databases and laptops (50 percent and 42 percent respectively).

India improves information security safeguards, China leaves room for improvement
India made major gains since 2006 with information security practices and safeguards such as hiring CSOs and CISOs (87 percent in 2007 vs. 58 percent in 2006), implementing an overall security strategy (62 percent in 2007 vs. 34 percent in 2006) and using passwords (69 percent in 2007 vs. 54 percent in 2006). However, both India and China report higher rates of extortion, fraud, IP theft and financial losses than in the U.S.

China leads other countries in requiring third parties to comply with privacy policies but lags behind in almost all other privacy safeguards. Only 14 percent employ a chief privacy officer (compared to 23 percent in the U.S., 22 percent worldwide), 18 percent have mechanisms in place to report security incidents to customers or business partners (compared to 32 percent in the U.S.; 29 percent worldwide), 39 percent require employees to complete training on privacy policies and practices (compared to 50 percent in the U.S., 37 percent worldwide), and 31 percent secure web transactions (compared to 51 percent in the U.S.; 46 percent worldwide).

"Whether you are outsourcing your IT or manufacturing, you have to step back and make sure the companies you are working with are protecting your information," says Lobel.

Employees most likely source of information security event
In other survey highlights, for the first time, employees took over the number one spot as the most likely source of an information security event. The majority (69 percent) of respondents cite employees and former employees as the likeliest source of attacks, surpassing hackers at 41percent. This is up significantly from 2005 when only 33 percent of respondents cited employees as the most likely source versus 63 percent for hackers.

Email and abused valid user accounts and permissions are reported as the primary methods for such attacks yet only about half (52 percent) of respondents employ routine people-related information security safeguards. Simple safeguards such as personnel background checks (52 percent), monitoring employee use of Internet/information assets (48 percent) and dedicating human resources to employee awareness programs for internal policies and procedures (47 percent) remain uncommon. In addition, the majority of respondents (63 percent) still do not have an identity management strategy in place.

"With a lack of safeguards and basic policies around appropriate Internet and email use, organizations become much more vulnerable to ‘accidental' internal threats. Certainly, not all of these threats are malicious or even intentional," comments Berinato.

Need for improvement in third party security
The study also shows continued corporate struggle with extending security to third parties. One in five respondents (21 percent) don't know if their users are in compliance with information security policies. Furthermore, 70 percent are only somewhat or not at all confident in their partners and suppliers' information security and 55 percent are only somewhat or not at all confident in their outsourced vendor's security.

"An organization's security is only as strong as its users and partners. Without third party security parameters, an organization's partners can inadvertently become its biggest threat," says Berinato.

Industry specific highlights

Entertainment & Media (E&M)
More E&M companies this year have a security strategy in place (44 percent in 2007 vs. 30 percent in 2006), but the industry still lags behind the cross-industry average of 57 percent.

E&M companies are more likely this year to report security attacks exploited a known application or operating system vulnerabilities (53 percent in 2007 vs. 41 percent in 2006). This rate is significantly higher than the cross-industry average of 35 percent.

E&M companies lag behind companies in other sectors in applying user passwords (68 percent vs. 80 percent), using application firewalls (57 percent vs. 62 percent), and ensuring that their security policies address segregation-of-duty conflicts at the application (46 percent vs. 53 percent level).

Only 29 percent have security policies for Security in System Development (SDLC).

Consumer Products and Retail
Although consumer products and retail companies are more likely this year than last to encrypt data in transmission (60 percent in 2007 vs. 45 percent in 2006), many have yet to encrypt areas where data leakage may occur including sensitive data residing in databases (49 percent), laptops (58 percent), and on backup tapes (62 percent).

More consumer products and retail organizations have an overall security strategy this year (52 percent in 2007 vs. 34 percent in 2006).

More CISOs at consumer products and retail companies are reporting to the top of the organization – the Board of Directors, CEO, CFO or VP (69 percent in 2007 vs. 51 percent in 2006).

Consumer products and retail companies are less likely than other sectors to hire a chief privacy officer (14 percent vs. 22 percent) and much more likely to report their organization does not yet classify data and information assets according to risk level (42 percent vs. 30 percent).

Healthcare: Payers
Payers are far more likely than financial services organizations to employ a chief privacy officer (53 percent vs. 33 percent), encrypt data in transmission (87 percent vs. 75 percent), and have a business continuity or disaster recovery plan in place (83 percent vs. 71 percent).

Payers are significantly more likely to outsource some or all of their security (32 percent vs. cross-industry average of 20 percent).

Only 8 percent of payer respondents report incidents that compromised customer records compared to 26 percent of financial services respondents.

Less than half (40 percent) of payers do not define security baselines for external partners or vendors, and more than half (55 percent) do not keep an accurate inventory of third parties using customer data.

Government
More than half (53 percent) of all public sector respondents report their agency's physical and information security organizations are separate with no linkage or integration across policies or procedures.

Only 33 percent of public sector respondents report physical security and information security are integrated and report to the same leader.

Public sector organizations are more likely this year to have a chief privacy officer in place (26 percent in 2007 vs. 19 percent in 2006).

More public sector respondents report they encrypt data in transmission (60 percent) than data at rest in databases (44 percent), laptops (39 percent), file shares (35 percent) and backup tapes (37 percent).

Barely three out of 10 public sector organizations have an accurate inventory either of user data kept (31 percent) or of locations or jurisdictions where this data is stored (33 percent).

61 percent of public sector organizations do not require their employees to complete training on the organization's privacy policies and practices.

Methodology
The Global State of Information Security 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers, was conducted online from March 6, 2007 through May 4, 2007. Readers of CIO and CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey.

The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28 percent), Asia (23 percent), South America (12 percent) and the Middle East and South Africa (2 percent). The margin of error for this study is +/- 1.0 percent.

PricewaterhouseCoopers (www.pwc.com) is the world's largest professional services organization. Drawing on the knowledge and skills of more than 125,000 people in 142 countries, we build relationships by providing services based on quality and integrity.

PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.