Chief Security Officers Speak Out About Biggest Security Risks

FRAMINGHAM, MA – AUGUST 29, 2002 – A new poll of 1,000+ chief security officers (CSOs) and security executives conducted by IDG's CSO magazine reveals top concerns of today's security experts, as well as insight into the emerging CSO job function. The poll, released in tandem with the launch of CSO magazine, reveals 59% of CSOs believe electronic attacks (such as viruses) pose the biggest concern to their company over physical attacks (8%) or electronic attacks with physical consequences (3%). Nearly half (49%) anticipate a major cyber attack by a terrorist organization (i.e., Al Qaeda) will happen within the next 3 months to one year, with only 7% saying it will never happen.


"While a lot of attention is focused now on external threats–whether criminal or terroristic–the survey shows CSOs to be widely aware that the greatest risks of damage and economic loss may reside within their own walls," says Lew McCreary, Editor in Chief of CSO magazine.

The new CSO Magazine Security Sensor™, explores several aspects of security including cyber crime concerns, monitoring capabilities and technology vendor accountability. In examining cybercrime, 53% of respondents believe their current employees pose a greater threat to their company's technology infrastructure than former employees or external persons. More than half (55%) say they report cyber crimes while only 32% quantify the financial cost of them. And only 22% have insurance* covering losses caused by cyber crimes. The nation's security executives also are universally holding vendors accountable for the reliability of their security offerings. An overwhelming 95% think technology vendors need to tighten up the security configuration of their products.

Other key CSO Magazine Security Sensor™ findings:


CSO poll respondents bring diverse credentials to their position: 88% have previous work experience in information technology (IT); 28% in security consulting, 27% in military and 26% in engineering. Only 7% have previously worked in law enforcement, with 2% of total respondents having experience with the FBI and 1% with the US Secret Service

The average annual budget for staff and/or purchasing security products and systems services is $8.4 million

Almost one-half (42%) say their security budget includes both physical and information security while about one in ten (11%) are responsible for both (IT) and physical security with security being their primary, singular focus

"It's not surprising that a high percentage of CSOs have budget authority over the purchase of IT products used in physical security, even though many may lack full administrative responsibility," comments McCreary. "As the overall information-technology experts, they can ensure that any such systems are properly evaluated and will fit within the rest of the enterprise IT and security infrastructure. This is especially important since many physical and logical security systems have to inter-operate."


Respondents are split on whether the US Government and US businesses are better prepared to respond to cyber attacks today than they were on September 11, 2001. Fifty-two percent (52%) say the US Government is better prepared, 51% believe US business is better prepared and a comparable 51% say their own company is better prepared

Only 9% of respondents have already adopted biometrics (i.e., retina-scans, fingerprint scans, etc.) with 48% planning to adopt biometrics in the future. Approximately one-third (32%) do not have biometrics on their radar at all.

Complete Findings:

1. When do you anticipate a major cyber attack by a terrorist organization (i.e., al Qaeda) will happen?

7% Within the next 3 months

12% Within 3 – 6 months

30% Within 6 months – 1 year

11% More than 1 year

7% Never

32% Unsure

1% No answer

2. Which of the following do you believe are better prepared to respond to and recover from a cyber attack today than on September 11, 2001. (Check all that apply.)

52% U.S. Government

51% U.S. Business

51% Your Company

3. What do you believe is the #1 cyber security concern for the nation?*

29% National security: disruption of essential public services

26% Economic: disruption of essential financial services

9% National security: destruction of essential public services

8% Privacy: identity theft

7% Privacy: protecting confidential information

6% National security: espionage resulting in disclosure of sensitive data

6% Economic: financial fraud

4% Economic: corporate espionage resulting in theft of proprietary data

1% Privacy: unauthorized use of credit cards

2% Other

2% Unsure

1% No answer

4. Who poses the greater threat to your company's technology infrastructure?*

53% Current employees

28% External persons not employed by your organization

10% Former employees

9% Unsure

1% No answer