Evolving cyber threats continue to drive security strategy

43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans, placing them in the category of information security “front-runners.”

Twenty-seven percent of respondents in the PwC study identified themselves as “strategists” while the remaining identified themselves as “tacticians” and “firefighters” (15 and 14 percent respectively).

The 9th annual survey of more than 9,600 security executives from 138 countries found that 72 percent of respondents report confidence in the effectiveness of their organization’s information security activities – however confidence has declined markedly since 2006.

The findings of the survey have helped carve a new definition of an information security leader. Even though 43 percent see themselves as “front-runners,” according to the survey only 13 percent made the “leader” cut.

Those identified as leaders have an overall information security strategy in place, a CIO or executive equivalent who reports to the “top of the house,” measured and reviewed security policy effectiveness, and an understanding of the security breaches facing the organization in the past year.

“Companies now have greater insights than ever before into the landscape of cyber crime and other security events – and they’re translating this information into investments specifically focused on three areas: prevention, detection and operational web-related technologies,” said Mark Lobel, a principal in PwC’s Advisory practice. “Just a few years ago, almost half of this survey’s respondents couldn’t answer the most basic questions about the nature of security-related breaches; now approximately 80 percent or more of respondents can provide specific information about the frequency, type and source of security breaches their organizations faced this year.”

Since 2007, there has a been a dramatic leap in organizations’ awareness and insight into the types and frequency of attacks, particularly in the industries of aerospace & defense, financial services, technology, telecom and the public sector.

“After three years of cutting information security budgets and deferring security-related initiatives, respondents are bullish about security spending. What is evident, however, is that many of the vulnerabilities that began emerging last year — two years after the global economic downturn — are still present and require attention,” said Mr. Lobel.

This year, a significant percentage of respondents across industries agreed that one of the most dangerous cyber threats is an Advanced Persistent Threat (APT) attack. A number of survey respondents found that the threat of an APT is driving their organization’s security spending. These included 64 percent of respondents from the industrial manufacturing sector, 60 percent of technology respondents, 49 percent of entertainment and media respondents and utilities respondents, 45 percent of financial services respondents and 43 percent of consumer products and retail respondents.

Only 16 percent of respondents say their organizations are prepared and have security policies that are able to confront an APT.

According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten respondents report that their organization uses cloud computing: 69 percent for software-as-a-service, 47 percent for infrastructure-as-a-service and 33 percent for platform-as-a-service.

Fifty-four percent of organizations say that cloud technologies have improved security; while 23 percent say it has increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies.

Mobile devices and social media represent a significant new line of risk – and a demand for prevention. Organizations are beginning to amplify their efforts to prevent mobile and social media based attacks. Forty-three percent of respondents have a security strategy for employee use of personal devices, 37 percent have a security strategy for mobile devices and 32 percent have a security strategy for social media.

Increased awareness of attacks may correlate with organizations mobilizing in certain areas of IT spending. Investments in application firewalls increased from 72 percent last year to 80 percent this year and malicious code detection tools have increased 11 percentage points—from 72 percent last year to 83 percent this year.

Managing security-related risks associated with partners, vendors and suppliers has always been an issue – according to this year’s survey it is getting worse. Seventeen percent of respondents identify customers as the source of security breaches, up slightly from last year (12 percent) and 15 percent have identified partners or suppliers as the source.