How Secure is Your Data?
Helen Mallovy Hicks
In this episode, David Craig, an Advisory Services Partner, and Salim Hasham, an IT Advisory vice-president, talk about the importance of information security in today's corporate environment. Your data and personal information may be at risk.
Voiceover: Welcome to Strategy Talks, the business podcast series from PricewaterhouseCoopers Canada. Hosted by Dean Mullett, a corporate finance partner specializing in Capital Markets and M&A, and Helen Mallovy Hicks, a partner in the Dispute Analysis and Valuations group, this interview series, featuring new topics and guests every episode, is designed to give you valuable insight into some of today’s hottest issues affecting your business.
Helen: The recent economic downturn has raised the bar on information security, which is now charged with new challenges. PwC has released a report, the 2010 Global State of Information Security Survey, which provides insight into these issues. Today we are joined by David Craig and Salim Hasham, partner and vice president respectively in PwC’s technology consulting practice. Welcome.
David: Good morning.
Dean: Before we jump into the survey, why don’t we just take a step back to basics and talk about what information security really is.
David: Let’s break that into the two words: information and security. So information is really an asset of the firm. It can be in a variety of different states. It can be on paper, it can be electronically stored on a personal computer, it can be on a tape in a vault, and that information is critical to the way that the company operates, how it financially performs. It’s information on clients and customers and its employees, and so information is really that asset of the firm that needs to be protected, and Salim is going to talk about the security aspect.
Salim: Traditionally, security of information has been seen as important principally because of the importance of information. Businesses run on information; these are assets that are critical to the overall functioning. Where industry in the past really looked at the need for regulations and control, what we see in our survey and current trends is that this is really moving beyond that to safeguarding what is important to the corporation. So intellectual property, branding and financial integrity – it’s all of those processes and procedures that allow access to the right information by the right people in a manner that’s both auditable but also sufficient.
Dean: And do you find that the subject matter is one that’s front of mind with people? You think of security when we come into our office building; that’s a physical security presence. We’re talking about information security, which is virtual, so is it something that is front of mind with people, or do you find that it’s something that they really need to stop, pause and think about?
David: I think that certainly in this economic downturn, people thought, “Do we need to be spending as much time or energy on information security?” I think the survey really shocked everyone in terms of some of the responses. Globally, across the board in all of the developed countries as well as the emerging nations, the spending on information security actually stayed stable, or increased over this period. So in terms of is it still top of mind? It seems to be very much top of mind, and something that people have been willing to put more time and effort into, rather than less.
Salim: An interesting trend that we’ve seen over the last couple of years, which may help provide insight into that question, is the appointment of either a Chief Information Security Officer (CISO) or somebody at the director or above level who’s been charged with not only regulations and compliance – the traditional measures of security – but more importantly, becoming a business partner. Why is that important? Look at the changing model of today’s organization with the advent of things like virtualization and cloud computing, the reliance on outsourcing or extended supply chain models, the extent to which business partners and business suppliers are important.
All of these things do nothing but extend the risk boundaries. So where companies traditionally were concerned about their own information, they’re now concerned with shared information. What this has done, as a matter of fact, is to bring the relevance of the importance of security beyond its traditional compliance and regulations towards, I would say, more of a board-level activity. Even though a firm typically reports either to a chief, to a financial officer and/or an IT officer, the implications are discussed regularly at board meetings either through internal audit or as part of operations risk.
Helen: And tell us about the Global Information Security Survey. What are some of the highlights and what’s the background of this survey?
David: PricewaterhouseCoopers, in conjunction with CIO magazine and CSO magazine, has undertaken this study to find the broadest perspective in the information security space. So we had 7200 participants around the globe, from CEOs to CIOs to CISOs, as Salim has indicated, as well as managers and security staff of IT departments. It’s the largest survey of its kind and growing in momentum year over year. The highlight, the hypothesis going into the survey this year, was that we did really believe that people would be spending less as revenues declined in organizations. As people were being downsized, that the companies would be spending less, but, quite honestly, the response from the community has been surprising, in terms of no, information security has actually risen in terms of its profile within the firms.
Some of the investments that have been made for some of the compliance-related activities, whether that be privacy or some of the health-care regulations in the past, those have continued – people are focusing on that level of protecting their brand or their reputation, despite pressure to cut cost throughout the organization.
Dean: So we’ve been seeing budgets actually increase in information security as opposed to anything else, as everyone is trying to look under every rock trying to find a nickel?
David: Exactly – 63 percent of the respondents said that they were going to spend the same or spend more on information security. And of those who indicated they were going to spend less, they were really only deferring projects by a few months, were more likely to get them into fiscal 2010 rather than fiscal 2009, so the understanding of needing to protect those information assets is front and center with the leadership in the respondent companies.
Helen: Has security over information improved? Or are there issues, or greater leaks, given that information is far more electronic these days? A lot less paper must create a lot of new security issues and concerns.
Salim: That’s an interesting question and that is one that is in principle difficult to measure. One of the key outcomes of the survey – not this year, but as a trend over the last three years – is that spending has increased. Regulatory compliance as a driver of security spending, but also as a driver of activity, has increased, so there is a large amount of momentum; a lot of effort expended. Two particular measures are of interest to us in the survey. One is the measure of people who don’t know where their information is. Two years ago, I think it was around 43 percent, which is staggering.
Helen: 43 percent of people don’t know where their information is?
Dean: It’s in the netherworlds somewhere, they have no idea.
David: It’s on someone’s PC.
Salim: And that’s telling in itself, that IT organizations are spending, whether it’s 2 percent of total revenue, on systems; businesses focus entirely on information. That’s what the currency of our economy is. However, alarmingly, a fair majority of them have no idea where that information resides, where it moves, who controls it, and who owns it. But we’ve found over the last two years, as a trend, that’s actually getting better.
Dean: Leaps and bounds, or just kind of marginally?
Salim: Incremental, I think I’ll say.
Dean: You should be a politician.
Salim: Not a bad idea. (laughs) So from 43 percent, I think, from recollection, it’s at about 39 percent this year, as a global average. So it’s an improving trend, and that’s something that we’ve noticed, so it is getting better. On the counterpoint, where organizations have incidents, there are still relatively large numbers. And again, a similar number, 43 percent two years ago, and about 36 percent this year.
They don’t know how many incidents they have. They can’t tell their senior management or the audit committee whether their information has been hacked, leaked, or compromised in any way. Of those that can, what we’ve identified for the first time this year, actually, is that data is the number one target. That’s a change. Last year and the year before, we were seeing trends towards applications or networks. These are technical people attacking technical infrastructure. This year is, what we think, the first of a number of years of a growing trend where data is the target itself.
David: So just to build on what Salim is saying, that data could be your credit card information. It could be a series of personally identifiable pieces of information that, when put together with other data elements, create a profile about you. So when you think of the telephone industry, their networks used to be attacked just so they could steal minutes of use, they could make free long distance calls, or get access to a cable channel without having to pay for it.
But now what organized crime and the hacking community is going after is your Blackberry, or your PDA that’s attached to your belt. It knows more about you than you probably believe… it knows where you are, it knows where you’ve been, it has a calendar, it may know where you’re going. It knows who’s called you, it knows who you’ve called. If you have an internet browser on your device it knows where you may have shopped, it knows when you may be expecting delivery. And the data that’s on that device is so valuable now to organized crime, that’s the data they’re going after. They’re not going after the device to steal the device, or they’re not going after the network to steal minutes of use. It is really that data, the data about you or about your company, that’s really growing in value.
Helen: So back to your question, or your answer earlier, Salim, that 43 percent, declining to 39 percent, don’t know where their data is – it’s more like they know where the data is, but they don’t know where else it could be?
Salim: If you look at the root cause of that, it’s not a technical issue. It’s a purely governance and organizational issue. It’s something that’s being addressed in security as well as more widely within the realms of enterprise risk management, or corporate governance.
Traditionally, security was run by technical folks in a large room who were tasked really with administering servers. That moved somewhat in the ‘80s and early ‘90s into more of an audit and compliance role. So it was a back-office function of ticking boxes and making sure controls were implemented. Where that’s left the organization is essentially with three components. You have IT as an operational unit who are tasked with making business happen, putting the plumbing in. You have the business itself, that’s more concerned with bottom-line revenues, with its customer relationships and its market share, and security that’s stuck in between the two. And what we’re finding now is that that’s changing. I would say that this year is part of the moniker of trial by fire.
This year the businesses have connected the dots. Security has moved from an adjunct, or side function, to actually being the glue between business and technology. For a number of reasons, and I’ll use two examples. Principally, number one, because data has now become the forefront. It is the key concern of most organizations, so security is that cement that bridges technology being able to deliver functionality, and the businesses need to understand and protect its data. Secondly, looking at the advent of new models of business, whether it’s, again, cloud computing virtualization, or whether it’s social media and social networking, which are becoming more prevalent than anybody would have imagined, these things are underpinned by security. Cloud computing, in essence, is throwing your data out into the environment, not knowing where it is at any one point in time, not knowing who has access to it. It is the number one concern. Security is actually the number one concern for organizations looking at cloud computing today.
Dean: So where does this issue about information security reside, in the CEO’s office? Because I find in most organizations, unless the CEO is behind an issue or an initiative, it doesn’t get the traction that you would want to get. So even from 43 to 39 – incremental I think is the word you used? – that seems like a pretty small movement. So are CEOs getting it, and is there a generational issue perhaps, because technology has really advanced at warp speed, and are people keeping up with it? A lot of CEOs I talk to, their eyes glaze over when you mention technology.
David: Dean, you’ve hit the nail right on the head, in terms of when the CEO has a perspective on what damage can be done to their organization by this information leaking, or permeating to users who are unauthorized for it, and they send that message to their team, and they’re concerned about it, then the rest of the organization gets it. So that is part of the survey, is that the CEO awareness of information security is increasing year over year globally. And so, that is helping getting that message of why the budget should be protected, why it’s important to the lifeblood of the organization, and it’s certainly critical on most of the audit committees, for those publicly traded companies.
Helen: What did you find in the survey? Are the numbers of breaches, or incidents, increasing?
Salim: I think there are two interesting aspects. Yes they are increasing, but what we’ve found actually is that the increase is probably due in part to two things. One is an actual increase in the threat environment because of the economic downturn, whether that’s because of corporate espionage, or because of competitive intelligence, that is something that’s definitely going on. But actually equally important is the reduction in the number of “I don’t know”s. So the reduction from the 43 percent to the circa 39 percent represents the fact that companies are actually actively now tracking whether threats and actual incidents occur, and who the perpetrators of those are.
David: In this year’s instance, we have separated out some of the Canadian data. One of the key differences that we see in Canada: Canadian respondents actually reported that they don’t know more than our global counterparts. So they don’t know if they’ve been breached, and they don’t know the extent of that breach. So that’s a little wakeup call for the Canadian security teams, to be able to say we need to really focus on being able to say are we aware that our data is being compromised, and what steps need to be taken to reduce the opportunity for that data to be compromised?
Salim: I think in addition to that, even those organizations that do know that they have been impacted, that they had a breach, a full 39 percent don’t know what the source of that breach is. So we do have the traditional actors. In this year’s survey I think 33 percent identified current employees as the source of the breach, 19 percent identified former employees, and 26 percent identified hackers, as a general group. But 39 percent of that total group still has no idea where their breach occurred, and what the source of that breach is. And the underlying message here is very simple: investments in technology are great, and investments in people are all great, but it’s really taking both of those tools, and understanding that data, and using that data to formulate your strategy.
David: Dean, you started off the conversation by saying we see evidence of physical security everywhere, whether that’s cameras or gates, but the survey would say that employees, or former employees, are some of the greatest sources of that information breach, or that data breach, or those security incidents. And in this downturn, where people are focusing on costs, and labour costs, and potentially needing to cut staff, those are likely candidates for taking information in an unauthorized manner out of organizations, at tremendous risk to them. Walking out with client lists, walking out with employee data - those are things that you really need to make sure are addressed as part of your information security awareness campaign.
Dean: So if we spin forward a year from now, unemployment in Canada is high single digits, greater than 10 percent in the US, Helen’s question about how the incidents increase, I would suggest perhaps maybe one of the findings will be that at that point a year from now, incidents have increased even more.
Salim: I think it’s important to bear in mind that the results of the survey only cover the first half of this fiscal. So a lot of this, to us, indicates that organizations are starting to recognize the potential risks. It’ll be interesting to see how those have panned out in the second half of fiscal. The other thing to bear in mind is that we’ve detected over the last couple of years a change in impacts themselves. Where a few years ago we tended to see a lot of hackers – and hackers principally were either those who were innocent hackers, if you like, just testing systems – moving very much towards a trend now of espionage, whether it’s governmental, whether it’s economic, whether it’s market grab or market disruption.
If you look at the results of this year’s losses, principally the two key factors, or two key impacts, were financial losses. Forty-two percent, that’s straight grab for crime. But equally important: almost that 30 percent was brand reputation. So we’re finding that organizations may look to damage the competitors’ brand, which is a very, very quick way of grabbing market share. So there’s a key change in who the perpetrators of incidents are, and what their motivations are.
Dean: So the crooks are getting more sophisticated – so the companies need to be in lock step with that, otherwise they’re exposed.
Salim: Yeah, so to your point, move forwards a year, unemployment will increase, yes there is a threat, but these are threats we’ve faced before. I think the key element here is looking at the incidents and the perpetrators of the incidents as a trend shows us the level of sophistication that organizations need to understand.
Helen: Maybe you can tell us as we wrap up, what are we doing for our clients to help them with improving their information security?
David: There are a number of different steps that we’re taking. Clearly sharing the results of the survey is a fundamental step, and raising awareness. We also have a variety of tools that we bring to our clients. There are a series of analytical and diagnostic tools that our technology professionals can work with clients on, in terms of looking at some of the fundamental risks and clients’ performance against them.
Salim: Just to add to that, PwC, like its competitors, does offer full-scale advisory services. But I think more importantly, if you look at the focus of the results, what we have concluded and what we tell our clients the key priorities should be are the things we focus on in how we help our clients in the immediate mid-term. In principle we have a five-step plan that we advise our clients to think very seriously about, in terms of taking the results as a key input into developing their own strategy for moving through these tough times. Very simply:
Step one of that is to protect your data, know where that data is and understand how to treat it. It’s a fairly complex issue that’s both technical and organizational and we’re very good at helping organizations navigate that. Number two is addressing your big risks.
Organizations face a large and complex number of risks, how do you prioritize those? And being both an accounting and consulting firm we understand both sides of that fence. Organizations, particularly security ones are now faced with multi year investments, so it’s a huge trend towards investing in technologies to manage risks in a more effective way. How do you take those multi year investment portfolios and prioritize them based on the fact that the pressure is on this year? You’ve got a limited budget, even though expectations are that it may increase or stay the same. It’s about providing the return on investment and increase the measure of value.
Take all of those and develop a strategy, how do you really look at your portfolios? How do you align that to the business in a way that makes sense tactically but also strategically? How do you reduce costs? There is a pressure, we’re in an economic downturn, how do you take those multi year, multi million dollar investments and show that they will either reduce risks or provide value for money. That is something that we have great experience in.
Lastly, how do you help organizations prepare for a new wave of regulations? For example, in Canada, we’re very much expecting a wave of regulations as a result of the financial crisis, and a good example of that is an expectation of regulations for data breaches. We expect that companies will now be compelled to report breaches of data, which is new, and that’s something that’s going to have a fair impact all the way to the board, we imagine.
Dean: Thank you David, thank you Salim. I think today has been an eye opener for Helen and me about the risks that are out there, and perhaps how companies should be looking at tackling these risks so they’re not exposed and they don’t become a victim of a breach in their information security. To read more on information security or to download the 2010 Global State of Information Security Survey, please visit our webpage at pwc.com/ca/infosecurity.
Voiceover: This concludes this episode of Strategy Talks. Thank you for listening. We hope you’ll join us again, soon for another episode. To download or subscribe to this podcast series, or to find more information on this topic, please visit pwc.com/ca/strategytalks.
The information in this podcast is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or other professional advice or services. The audience should discuss with professional advisors how the information may apply to their specific situation. Copyright 2009, PricewaterhouseCoopers LLP, all rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, an Ontario Limited Liability Partnership, or, as the context requires, the PricewaterhouseCoopers Global Network or other member firms of the network, each of which is a separate, independent legal entity. For full copyright details, please visit our website at pwc.com/ca.