TORONTO, September 27, 2006 — Canadian companies are more concerned than their global competitors with protecting their reputations when they spend on information security. This is one of the findings in the latest 2006 Global State of Information Security (GSIS) survey, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers (PwC). Fifty-three per cent of Canadian companies surveyed said their reputation was driving their information security spending — much higher than the global average of 41%.
“A company’s long-term client relationships and profitability can depend on its reputation. Poor information security that loses data such as customer profiles can seriously affect a company’s brand,” says Robert Riemer, PwC security and privacy leader in the GTA. “The cost of handling the public relations issues associated with losing customer identities can be devastating — comprehensive information security can prevent this.”
The GSIS survey is the largest of its kind and includes the responses of almost 7,800 senior executives at companies in more than 50 countries across all industries. 250 Canadian organizations of various sizes participated, representing a wide range of sectors.
The study found that 67% of Canadian organizations actively engage both business and IT decision-makers in addressing information security issues, compared to 52% worldwide. This is a very positive finding, and suggests that Canadian companies are increasingly aware that information security is a key business issue today.
However, organizations are still relying too much on funding from their IT budgets to pay for their security. Riemer notes that, “In some areas, Canadian companies have recognized that all business units should contribute to the information security budget. Unfortunately, many organizations continue to rely on IT dollars to fund security and a better balance is needed. All departments are affected by breaches to information security — it’s much more than just an IT issue, it’s a business issue.”
87% of companies in Canada said their information security budgets are part of their IT budget. This compares to 79% globally. When it came to overall spending, 48% of companies said their information security budgets will increase in 2006 and 42% said they will stay the same. Respondents told us that the top two barriers to better security were limited budgets and a limited number of staff dedicated to security.
The 2006 GSIS survey also looked at information security and outsourcing, and found that confidence in the security of outsourcing vendors is not high. Forty-three per cent of respondents were not at all or only somewhat confident in their outsourcers’ security and just 20% were very confident. Riemer believes that when organizations measure the costs and benefits of outsourcing they need to include security as a key part of their decision.
“The key to outsourcing information is making an informed decision before sending it out,” says Riemer. “Organizations need to understand the sensitivity of their information, so they can define appropriate standards and guidelines for outsourcers to follow upfront.”
A surprise finding was that 61% of Canadian respondents surveyed have limited or no security training for the end-users of their technology — their employees. “Over the long term, organizations need to create a culture of security in the workplace, where employees recognize the threats to their organization’s information security and how they can combat them,” says Riemer. “This can take time but is one of the most solid defences a business can build.”
When it came to staffing, 64% of Canadian organizations were found to be dedicating two or fewer full-time employees or equivalents to information security. This is above the global average of 55%. Twenty-one per cent of the companies surveyed employ a Chief Information Security Officer (CISO). Riemer adds, “This is a similar trend with other countries but still a low number and in need of improvement. Defining a CISO role can help businesses better understand the threats and risks facing their information assets; improve their security posture in a sustainable manner; and address the complex and growing number of regulations affecting information and privacy.”
The 2006 survey also asked companies if their security policies were aligned with their spending. Under a third of Canadian respondents said that their physical and IT security functions report to the same executive leader. This compares to 40% globally.
“Information security teams need to align with physical security personnel to protect a business. The two areas can no longer work in isolation,” says Riemer. “If a resource such as a laptop is stolen or lost, you’re not only losing the computer, you’re losing the information on it, which can be far more valuable. One way to align physical and information security teams better is to cross-train employees from different departments. Having both teams work in collaboration is the key.”
Working in collaboration on information and physical security can also help organizations better plan for business continuity and disaster recovery. On this front, Canadian respondents were in the lead. Seventy-four per cent of Canadian companies say continuity and recovery are driving their information security spending, compared to 57% globally.
For more information on the 2006 Global State of Information Security (GSIS), please visit www.pwc.com/ca/security.
About PricewaterhouseCoopers
PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 130,000 people in 148 countries work collaboratively using Connected Thinking to develop fresh perspectives and practical advice. In Canada, PricewaterhouseCoopers LLP (www.pwc.com/ca) and its related entities have more than 4,300 partners and staff in offices across the country.
(Unless otherwise indicated, “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, Canada, an Ontario limited liability partnership. PricewaterhouseCoopers LLP, Canada, is a member firm of PricewaterhouseCoopers International Limited.)