Global State of Information Security Survey 2008 findings

Asian companies have made dramatic gains in upgrading their information security efforts, according to the 6th annual Global State of Information Security Survey 2008. The study – the largest of its kind – was conducted by PricewaterhouseCoopers LLP (PwC) in conjunction with CIO and CSO magazines. The study polled 7,000 information technology executives from 119 countries across all industries on the challenges of protecting corporate information assets.
Boosted primarily by the widespread progress made by companies in India, Asian companies are now on par with, and in many cases surpass, North American companies in establishing leading practices in security, the study found. Companies in South America are making great strides in many critical areas of security and are catching up quickly. Efforts to improve information security in Europe, meanwhile, appear to have stalled.
“Companies in India have reported strong, consistent, double-digit gains across virtually every security domain and have taken a strategic approach to security,” says Mark Lobel, a principal in the Advisory practice of PricewaterhouseCoopers. “Security efforts of Indian organizations have surpassed those of companies in the United States and we expect this trend to continue given that so many Indian survey respondents expect security spending to increase over the next 12 months.”
This year, survey respondents across industries and sectors, countries and regions, business models and company sizes, report strong, double-digit advances in implementing new security technologies. Overall, 74 percent of respondents reported that information security spending will either increase or stay the same over the next 12 months.
However, although organizations continue to invest heavily in security tools such as software for intrusion detection, encryption and identity management, they are still struggling with their security processes. There appears to be an overall misalignment with executive management’s view of security, causing many organizations to fail to capture the full value of their spending, the study shows.
“Information has become the new currency of business – its portability and accessibility are crucial components of a collaborative, interconnected business landscape,” adds Lobel. “Organizations need to be prepared to address data security issues, have the proper tools in place, and understand how to use them effectively.”
According to the study, more organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other media. Fifty-nine percent of respondents said they have implemented an “overall information security strategy” which includes: the increased use of intrusion detection software (62 percent compared to 52 percent in 2007); the installation of firewalls to protect individual applications (67 percent compared to 62 percent in 2007); and the disposal of outdated computer hardware (67 percent compared to 58 percent in 2007). The majority of security spending comes from the IT group (57 percent) followed by the security department and other functional areas such as marketing, human resources and legal.
“We know security is on the minds of decision makers around the globe,” says Abbie Lundberg, Editor of CIO magazine. “One question we were interested in this year was where the investment emphasis is being placed. The answer is in technology; now companies need to back that up with an increased focus on ensuring compliance with existing policies and programs.”
When asked to identify the most critical business issues or factors driving information security spending, 57 percent of respondents still point first to “business continuity/disaster recovery.” This year, the study asked about the impact of “change” and 40 percent of respondents cited “change” almost as often as they did “compliance with regulations or internal policies” (44 percent and 46 percent respectively) as critical factors driving security spending.
In spite of the rapidly evolving maturity of security capabilities, a surprisingly large percentage of respondents “don’t know what they don’t know.” Many respondents cannot answer basic questions about the risks to their company’s key information. Thirty-five percent of respondents aren’t sure how many security incidents their organizations have had in the past 12 months. This number is higher in North America (40 percent) and Europe (36 percent) than it is in South America (28 percent) and Asia (25 percent). As a result, security remains largely a reactive function of the organization.
“Companies must decide on the right strategy, engage the right people, target the right data, and employ the right technology effectively. Those that are ready for the surprises will be the ones to succeed,” says Lobel.
