INFORMATION SECURITY EXECUTIVES STRUGGLE TO HOLD LINE AGAINST SECURITY THREATS
NEW YORK, NY – SEPTEMBER 13, 2005 – Over 8,200 information security executives in 63 countries struggle to hold the line against security threats and incidents, according to the State of Information Security 2005, the world’s largest information security study by IDG’s CIO magazine and PricewaterhouseCoopers. The average number of security-related events reported is up from 704 in 2004 to 862 in this year’s study, an increase of 22.4%. The number of organizations reporting financial losses from these events is 22%, a significant increase from last year’s 7 percent. Hackers remain the most likely source of events, accounting for 63% of attacks, compared to 66% in 2004, followed by employees (33% versus 28%) and former employees (20% versus 21%). The most common type of attack for the second consecutive year is malicious code (e.g. computer virus), representing 59% of attacks and up from 53% the year before.
As a result of continuing threats, security spending is on the rise from 11% of company revenue in 2004 to 13% of company revenue this year. When asked where the money for security spending comes from, respondents point to several internal groups. Information technology (IT) is responsible for security budgets, according to 58% of respondents, followed by finance at 19%. Some 40% of this year’s respondents report their companies employ a chief information security officer (CISO) or chief security officer (CSO), up from 31% in 2004. On a strategic level, only 37% of respondents report a security plan is in place at their firm and only 24% report they expect to develop one in the coming year. The number of organizations with a security plan rises to 62% when the organization employs a CISO or a CSO.
Almost four in 10 U.S. respondents (38%) report that they are currently not in compliance with Sarbanes-Oxley requirements, although they are required to be so. Likewise, almost one in four (23%) of those who must comply with HIPAA (Health Insurance Portability & Accountability Act) are not doing so. And 15 and 11 percent of U.S. respondents, respectively, are not in compliance with California State Bills 1386 and 1950 regarding data security and privacy, although they are required to be so.
“Incremental improvements continue in all areas of security, including spending,” says Scott Berinato, senior editor, CIO and CSO magazines. “However, improvements are far outpaced by the sophistication and volume of threats info security professionals face. They simply cannot keep up the defense and management of a highly vulnerable IT infrastructure and highly clever adversaries.”
“Companies often make the mistake of trying to tackle security problems by just adding another security technology. It is easier to put out fire with the help of a firefighter, a set of steps for the firefighter to follow and the right tools such as a truck full of water, hoses, an axe, and so on,” says Mark Lobel, Advisory partner, PricewaterhouseCoopers. “If you are missing any tools, the fire will continue to grow. A successful security solution lies in the ability to implement the right balance of people, process and technology to control the security fires that burn each day.”
The study also reveals mixed signals from organizations regarding privacy issues. The good news is that 17% of respondents employ a chief privacy officer and a higher percentage of respondents report keeping an inventory of all third-party use of their data (26% compared to 16% in 2004). The bad news is that respondents slipped in a couple of areas, including posting their organization’s policy on its website (47% vs. 52% in 2004) and providing employees with privacy training (58%, down from 75% in 2004).
Additional Survey Findings
• 59% of organizations continue to monitor what their employees are viewing online.
• 85% of American companies report nine or fewer negative incidents in the past year. U.S. companies rank behind New Zealand (95%), India (91%), Canada (89%), France and Germany (87%) and Italy (86%) in this area.
• 55% of organizations report security incidents to external agencies, up from 51% in 2004.
• Data backup is the leading information security technology practice used (84%), followed by network firewalls (82%) and user passwords (80%).
Survey results will be covered in-depth in the September 15th issue of CIO magazine and the October issue of CSO magazine in a series of articles co-authored by Berinato and Research Editor Lorraine Cosgrove. The coverage will also be available online at www.cio.com and www.csoonline.com. Information about the survey will also be available at www.pwc.com/security.
Methodology & Respondent Profile
The Global State of Information Security 2005, a worldwide study by CIO magazine and PricewaterhouseCoopers, was conducted online from March 14 through April 23, 2005. Readers of CIO and CSO magazines and clients of PricewaterhouseCoopers from around the globe participated in the survey via email. The results are based on the responses from more than 8,200 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 63 countries. The margin of error for this survey is 1%.
The study represents a broad range of industries, including computer-related manufacturing and software (11%), consulting and professional services (11%), financial services/banking (9%), government (9%), education (7%), health care (5%), telecommunications (5%) and transportation (5%).
Thirty-two percent (32%) of the executives surveyed report total annual sales of less than $100 million, while 17% report sales between $100 million and $999.9 million. Twenty-one percent (21%) of survey respondents say their organizations’ annual sales exceed $1 billion, while 17% are non-profit organizations and therefore did not report annual sales; 12% did not answer the question.
In terms of title, 54% of respondents hold IT titles including CIO, chief technology officer (CTO), vice president, director and manager while 10% are information security professionals. Twelve percent (12%) of those surveyed hold CEO, CFO or non-IT director titles while 24% list “other” as their title.
About CIO Magazine
Launched in 1987, CIO magazine addresses issues vital to the success of chief information officers (CIOs) worldwide. The CIO portfolio includes a companion website (www.CIO.com), CIO Executive Programs and the CIO Executive Council™. CIO properties provide technology and business leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. The U.S. edition of the magazine and website are recipients of 140 awards to date, including two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors. CIO magazine is published in more than a dozen countries, including Australia, Canada, China, France and Germany. CIO Executive Programs, a series of face-to-face conferences including CIO Perspectives® and the CIO 100 Awards & Symposium™, provide educational and networking opportunities for pre-qualified corporate and government leaders. The CIO Executive Council is a professional organization of CIOs created to achieve lasting change in critical industry, academic, media and governmental groups. CIO magazine, CIO.com, CIO Executive Programs, and the CIO Executive Council are produced by International Data Group’s award-winning business unit: CXO Media Inc.
PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 144 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.
"PricewaterhouseCoopers" refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.