Call for increased enforcement of information security procedures

A new survey draws attention to the need for a greater focus on the enforcement of security policies and procedures in Ireland and globally. This is against a background in which less than a third of Irish and global organisations feel that their company’s security policies are aligned with the company’s business objectives.

As expected, Irish and global investment in information security infrastructure (firewalls, authentication, data back-up) is strong across all organisations. However, no matter how strong an organisation’s security infrastructure is, it can be rendered ineffective when security policies and procedures are not adhered to consistently. It is in this area that many organisations’ information security arrangements are lagging. In fact, just a quarter of Irish organisations (26%) report having effective enforcement mechanisms in place and just over a third (37%) capture and report on metrics which measure the impact of their information security activities.

The survey further revealed that less than a quarter of security spending for Irish (24%) and global (22%) organisations was completely aligned with the company’s business objectives while only a third were completely confident that their organisation’s information security activities were effective.

The survey, the 5th annual Global State of Information Security Survey 2007, is a worldwide study by CIO Magazine, CSO Magazine and PricewaterhouseCoopers and is the largest of its kind. It represents the views of 7,200 IT, security and business executives across all industries in more than 119 countries, including Ireland.

Speaking at the launch of the survey at the 2007 Info Ireland conference, Ciaran Kelly, Advisory Partner, PwC said: “Irish and global findings are broadly similar. There has been a growing awareness and understanding of information security threats over the last few years. There has also been a greater recognition of the need to invest in the infrastructure and other safeguards necessary to mitigate the risks posed by these threats and to protect corporate information systems and the confidential and commercial data that these systems contain. However, to be effective, this investment in information security infrastructure needs to be backed up with a solid and continuous focus on ensuring that an organisation’s security policies and procedures are applied right across the business”.

Speaking at the Info Ireland conference, Billy Hawkes, Ireland’s Data Protection Commissioner noted: “Data security remains a critical issue for organisations entrusted with personal information. Failure to provide adequate security is not only against the law, it’s also a breach of trust with customers. Data security will therefore be an important focus of my Office’s audit programme over the coming years”.

Global industry specific highlights

Entertainment & Media (E&M)

  • More E&M companies this year have a security strategy in place (44 percent in 2007 vs. 30 percent in 2006), but the industry still lags behind the cross-industry average of 57 percent.
  • E&M companies are more likely this year to report that security attacks exploited a known application or operating system vulnerability (53 percent in 2007 vs. 41 percent in 2006). This rate is significantly higher than the cross-industry average of 35 percent.
  • E&M companies lag behind companies in other sectors in applying user passwords (68 percent vs. 80 percent), using application firewalls (57 percent vs. 62 percent), and ensuring that their security policies address segregation-of-duty conflicts at the application level (46 percent vs. 53 percent).
  • Only 29 percent have security policies covering security in the system development life cycle (SDLC).

Consumer products and retail

  • Although consumer products and retail companies are more likely this year than last to encrypt data in transmission (60 percent in 2007 vs. 45 percent in 2006), many have yet to encrypt areas where data leakage may occur including sensitive data residing in databases (49 percent), laptops (58 percent), and on backup tapes (62 percent).
  • More consumer products and retail organisations have an overall security strategy this year (52 percent in 2007 vs. 34 percent in 2006).
  • More CISOs at consumer products and retail companies are reporting to the top of the organisation – the Board of Directors, CEO, CFO or VP (69 percent in 2007 vs. 51 percent in 2006).
  • Consumer products and retail companies are less likely than other sectors to hire a chief privacy officer (14 percent vs. 22 percent) and much more likely to report their organization does not yet classify data and information assets according to risk level (42 percent vs. 30 percent).

Healthcare: Payers

  • Payers are far more likely than financial services organisations to employ a chief privacy officer (53 percent vs. 33 percent), encrypt data in transmission (87 percent vs. 75 percent), and have a business continuity or disaster recovery plan in place (83 percent vs. 71 percent).
  • Payers are significantly more likely to outsource some or all of their security (32 percent vs. cross-industry average of 20 percent).
  • Only 8 percent of payer respondents report incidents that compromised customer records compared to 26 percent of financial services respondents.
  • Four out of 10 payers (40 percent) do not define security baselines for external partners or vendors, and more than half (55 percent) do not keep an accurate inventory of third parties using customer data.

Government

  • More than half (53 percent) of all public sector respondents report their agency’s physical and information security organisations are separate with no linkage or integration across policies or procedures.
  • Only 33 percent of public sector respondents report physical security and information security are integrated and report to the same leader.
  • Public sector organisations are more likely this year to have a chief privacy officer in place (26 percent in 2007 vs. 19 percent in 2006).
  • More public sector respondents report they encrypt data in transmission (60 percent) than data at rest in databases (44 percent), laptops (39 percent), file shares (35 percent) and backup tapes (37 percent).
  • Barely three out of 10 public sector organisations have an accurate inventory either of user data kept (31 percent) or of locations or jurisdictions where this data is stored (33 percent).
  • 61 percent of public sector organisations do not require their employees to complete training on the organisation’s privacy policies and practices.

Methodology

The Global State of Information Security 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers, was conducted online from March 6, 2007 through May 4, 2007. Readers of CIO and CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28 percent), Asia (23 percent), South America (12 percent) and the Middle East and South Africa (2 percent). The margin of error for this study is +/- 1.0 percent.

Please reference the study as “The State of Information Security 2007, a worldwide study by CIO, CSO and PricewaterhouseCoopers.” The source line must include CIO, CSO and PricewaterhouseCoopers. Survey results will be covered in depth in the September 15th issue of CIO magazine and the October issue of CSO magazine. The coverage will also be available online at www.cio.com and www.csoonline.com. Information about the survey will also be available at www.pwc.com/security.

About PricewaterhouseCoopers

PricewaterhouseCoopers (www.pwc.com/ie) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 140,000 people in 149 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.

“PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

About CIO and CSO Magazines

CIO and CSO magazines are published by CXO Media Inc., producer of award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business. Launched in 1987, CIO magazine addresses issues vital to the success of chief information officers (CIOs) worldwide. The CIO portfolio includes a companion website, www.CIO.com; CIO Executive Programs, a series of face-to-face conferences providing educational and networking opportunities for pre-qualified corporate and government leaders; and the CIO Executive Council, a professional organization of CIOs created to achieve lasting change in critical industry, academic, media and governmental groups. The U.S. edition of the magazine and website are recipients of more than 160 awards to date, including two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors.

Launched in 2002, CSO magazine, its companion website (www.CSOonline.com) and the CSO Perspectives™ conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets—from people to information and financial value to physical infrastructure. The U.S. edition of the magazine and website are the recipients of 80 awards to date, including the American Society of Business Publication Editors’ Magazine of the Year award as well as eleven Jesse H. Neal National Business Journalism Awards. CXO Media is a subsidiary of International Data Group (IDG).

Contacts

Ciaran Kelly
Partner
Dublin
Tel: +353 1 792 6408

© 2007-2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.