Chief Security Officers Reveal Business Continuity, Resiliency & Disaster Recovery the Top Security Business Concern in 2006; In Stark Contrast, CSO Magazine Survey Finds CSOs Investing In Compliance, Not Recovery

FRAMINGHAM, MA – March 14, 2006 – The CSO Magazine Security Sensor(TM), a bi-annual survey of 420 chief security officers (CSOs) and senior security executives conducted by IDG's CSO magazine, reveals business resiliency and disaster recovery as the top ranking priority for security chiefs in 2006–up from the third most important priority in 2004. Conversely, educating employees about security policies slipped from the top priority in 2003 to the third most important priority in 2006. Yet while business preservation and disaster recovery top the list of business priorities, the money isn't on the table: the top factor driving security investment in 2006 is regulation and compliance (43%), with only 5% of respondents ranking risk of financial loss as a top priority and a mere three percent 3% investing due to security concerns about the threat of terrorism and war.

"It's very likely that the fallout from Hurricane Katrina and the latest upheaval in U.S. Port security matters have driven home the importance of contingency planning for the nation's CSOs," says Derek Slater, editor of CSO magazine. "However, CSOs' short-term fiscal priorities reflect an immediate need to comply with government and industry mandates such as Sarbanes-Oxley. While CSOs recognize the strong need to plan for business continuity, they don't seem able to secure the money to take necessary steps at this time, and that's a big risk."

CSOs on Information Security Confidence

Only 7% of senior security executives are extremely confident that their organizations' information security activities are effective with 43% very confident and another 42% reporting they are somewhat confident. A small minority of respondents (7%) are not very confident in their organizations' security effectiveness with one percent stating they are not at all confident.

CSOs on Corporate Security

Leading the list of corporate security (e.g., physical security, facilities security, and investigations) initiatives in 2006 is the education of senior management regarding physical security (35%) with 34% reporting the education of all employees about physical security practices a top priority. Twenty-five percent (25%) consider participation in exercises that simulate security crisis responses a top priority while 22% name the evaluation and deployment of access control a priority (down from 33% in 2005).

CSOs on Risk

When it comes to spending time and resources on risks and risk-related activities, 27% of respondents will spend the most time on information security (e.g., cyber crime, data security) with 16% focusing on business continuity management and 14% on business ethics compliance. Only 4% plan to spend the majority of time and resources managing threats of terrorism.

CSOs on Responsibility

Additional findings reveal that once an IT security system is in place, the majority of respondents (66%) say the information technology (IT) department is responsible for managing the solution with only 23% reporting management is the responsibility of the security department.

CSOs on Vendor Cycles

Almost one-third of respondents (31%) report the average purchase cycle is three months to less than six months when considering major enterprise security purchases with a known vendor. Twenty-seven percent (27%) report the process takes less than three months with 16% reporting the process will exceed nine months. When the same purchase decisions are made with an unfamiliar vendor, 22% report an average purchase cycle of three months to less than six months and only 7% report a purchase cycle of less than three months.

CSOs on 2006 Goals

The majority of respondents (54%) plan to investigate data protection in 2006, with 43% researching business continuity planning and another 32% looking into privacy maters. Very few CSOs plan to investigate the growing health crisis surrounding avian flu (15%) and even fewer plan to research employee violence mitigation (10%).


CSO magazine conducted this online survey between January 25 and February 10, 2006 among chief security officers and other security executives who subscribe to CSO magazine. An email invitation containing a link to the survey was sent to 15,000 CSO subscribers, receiving 420 completed surveys. Respondents have average company revenues of $8.6 billion, control average security budgets of $16.7 million and an average number of 20,497 employees. CSO subscribers are pre-qualified security executives with security purchasing authority at their organizations. The sample was chosen using an nth select across the CSO magazine subscriber circulation. Results have a +/- 4.8% margin of error.

For complete results, please contact Karen Fogerty at 508.935.4091 or

About CSO Magazine

Launched in 2002, CSO magazine, its companion website ( and the CSO Perspectives(TM) conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets–from people to information and financial value to physical infrastructure. The magazine is read by 27,000 security leaders from the private and public sectors. The U.S. edition of the magazine and website are the recipients of 50 awards to date, including the American Society of Business Publication Editor's Magazine of the Year award as well as five Jesse H. Neal National Business Journalism Awards and Grand Neal runner-up honors two years in a row. Licensed editions of CSO magazine are published in Australia, France and Sweden. The CSO Perspectives(TM) conference, the first face-to-face conference designed for CSOs and featuring speakers from the national stage and the CSO community, offers educational and networking opportunities for pre-qualified corporate and government security executives. CSO magazine, and the CSO Perspectives conference are produced by International Data Group's award-winning business unit: CXO Media Inc.

About CXO Media, Inc.

CXO Media Inc. produces award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business, including CIO, CSO magazines and websites, and the CIO Executive Council. CXO Media is a subsidiary of International Data Group (IDG), the world's leading technology media, research and event company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World, and PC World. The company features the largest network of technology-specific websites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo(R), Macworld Conference & Expo(R), DEMO(R), and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at