The Global State of Information Security Survey 2013 personalized benchmark report
Tim Cook, CEO
About the survey
Changing the game
Information security has always been a high-stakes game. For many businesses, however, it has become a pursuit that is almost impossible to win.
That’s because the rules have changed, and opponents—old and new—are armed with expert technology skills. Risks to data security continue to intensify, and show no signs of abating. “You can’t succeed in today’s elevated threat environment if you don’t know the players and you don’t know the rules,” says Gary Loveland, PwC’s security principal for products and services industries.
Yet The Global State of Information Security® Survey 2013 shows that 71% of respondents across industries are confident in the effectiveness of their information security practices. A culture of security, they believe, permeates their organizations. In fact, 68% of respondents are confident they have instilled effective security behaviors into their organizational culture. They believe their strategies are sound and many—42% of respondents—consider themselves to be security leaders in their field.
The odds, however, are not in their favor. Despite high levels of confidence, we have seen a clear decrease in deployment of basic information security and privacy tools. What’s more, reported security incidents are rising and new technologies such as cloud computing, mobility, and social networking are being adopted faster than they can be safeguarded.
The uncertain economy of the past four years has made information security an increasingly challenging game whose outcome can have potentially serious consequences for your organization. In today’s rapidly evolving threat landscape, businesses have fallen behind in information security processes and technologies. The result? Defenses have been weakened and security practices dulled by a protracted period of tight budgets and truncated projects. At the same time, their adversaries are becoming ever more sophisticated, breaching the defenses of business ecosystems and leaving reputational, financial, and competitive damage in their wake.
Those keeping score agree: The bad guys appear to be in the lead.
But respondents to The Global State of Information Security® Survey 2013 seem to be playing from an entirely different game plan. Among more than 9,300 executives across 128 countries and virtually every industry, confidence in information security practices remains high.
At the same time, however, many report degradations in core security policies and technologies. Case in point: Only 51% of respondents say they have policies defining backup and recovery/business continuity, down from 63% in 2009. They also report declines in use of important security technologies. Among the categories taking a hit are malicious code detection tools for spyware and adware, down to 71% from 83% last year, and intrusion detection tools, which were once used by nearly two-thirds of respondents but are now employed by just over half.
Taken together, the combination of inflated confidence and diminished security programs has created an environment in which organizations have become vulnerable to increasingly sophisticated risks. Given today’s elevated threat environment, businesses can no longer afford to play a game of chance. They must prepare to play a new game, one that requires advanced levels of skill and strategy to win.
The Global State of Information Security® Survey 2013 is a worldwide study by PwC, CIO magazine, and CSO magazine. It was conducted online from February 1, 2012, to April 15, 2012. Readers of CIO and CSO magazines and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in the report are based on the responses of more than 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 128 countries. Forty percent of respondents were from North America, 26% from Europe, 18% from Asia, 14% from South America, and 2% from the Middle East and South Africa. The margin of error is less than 1%. All figures and graphics in this report were sourced from survey results.
Trends in your region:
Years of investment pay off as Asia leads the world in security practices and performance.
Among all regions, Asia has the fewest respondents who expect a decrease in security budgets this year. In fact, roughly 60% of Asian respondents expect to see an increase over the next 12 months. That’s down from 74% in 2011, but still among the highest of any region.
But Asia’s success in creating a culture of security goes beyond spending. The region, in fact, boasts the highest number of self-proclaimed front-runners among our survey respondents. Confidence in information security runs high in Asia, and at least some of this confidence is justified by the extent to which strategy, technology, and processes are in place.
For example, senior security executives report directly to the CEO more often in Asia than elsewhere—an important measure of security’s place in organizational culture. And it’s clear that this culture of security runs deep: Asian organizations are the second most likely to bake security into major projects from the start, and are more likely than their peers in other regions to base security spending on factors like business continuity and disaster recovery, rather than other external drivers.
Asian respondents also put their organizations at or near the top of global averages for security and privacy technology deployment, as well as for process. As for keeping up with new challenges, Asia rates highly for mobile security initiatives and cloud security strategy.
Security budgets are almost flat in North America, but certain strategies show gains.
At first glance, the budget outlook for North America is uninspiring. Only about one-third of respondents expect to see a bump in their security budgets, continuing a modest uptrend but far behind Asia and South America. Almost the same percentage—a larger percentage than in any other region—expects budgets to remain flat, and uncertainty hangs over the discussion of dollars, with almost one-quarter of respondents saying they do not know where spending is headed.
But look a little closer and one trend emerges: predictable outcomes. Responses from North American organizations indicate that they are the best in the world at staying on plan when it comes to IT projects. Based on their survey responses, they are the least likely to defer capital or operational projects, and the deferrals that do happen tend to be shorter than those in other regions. And North American firms are the least likely to cut budgets for capital and operational projects.
This strength in process and planning extends to other areas. Respondents say that their contingency plans for downtime, for example, are quite effective. Indeed, average downtimes over the past 12 months as a result of security incidents (unavailable services/applications/network) are lower in North America than in other regions.
Other areas in which North American respondents indicate superior performance when measured against peers include the vital areas of mobility, social media, and the cloud. While progress in these areas still lags the adoption rates of the technologies, North America ties with Asia for the lead in cloud security strategy and is tops in mobile and social networking security—the latter by a considerable margin. Another distinction: Responses from North American firms indicate that they are far and away the least likely to outsource security functions.
South America plays catch-up on security investments and emerges as a leader in some important categories.
An upbeat mood is evident in South America, where spending has picked up after a fallow spell and confidence is on the rebound. More than 60% of respondents expect to see their security budgets increase in the next 12 months, including the highest proportion in any region expecting very large budget increases of 30% or more. Conversely, deferrals and cuts to project budgets are more frequent than in most other regions.
The surge of investment comes as tough economic times were beginning to deplete the region’s security arsenal. Now South American respondents are at or near the top of global rankings for confidence in security culture and the effectiveness of security activities. In terms of privacy and security technologies, South America tends to outscore Europe and in some cases has surpassed North America.
Looking to the future, South American respondents indicate the region is doing pretty well in initiatives for mobile security, at least as compared with regions other than Asia. Respondents are also bullish about the cloud’s impact on security. South America trails only Asia in the frequency of security policy reviews. Outsourcing of various security functions, however, is more common among South American respondents than among respondents from any other region.
As spending stalls in Europe and safeguards weaken, some security practices are improving.
European respondents claim modest confidence in the effectiveness of their information security policies and activities. The region has a lower percentage of self-proclaimed front-runners than any part of the globe except the Middle East and South Africa. And as Winston Churchill might have put it, these executives have much to be modest about.
Spending remains in the doldrums. Expectations for budget growth are higher than in North America, but Europe also leads every region except the Middle East and South Africa in respondents anticipating lower budgets (14%). Both security spending and security policies are less well-aligned with business goals than in other established regions.
Europe does lead the world in the percentage of firms that employ chief privacy officers or the equivalent, and also rates highly in terms of employing CISOs and chief security officers (CSOs). However, these executives report to the top of the house less often than in the three other leading regions. Europe scores poorly in terms of privacy technology and policy, and ranks ahead of only the Middle East and South Africa in the share of senior security executives who report directly to the CEO.
Here we compare your self-assessment vs the average assessments of organizations in the industry, that have annual revenue of and are located in .
Based on your responses and compared to the survey respondents,
How to read a bullet graph:
These graphs show how you ranked each benchmark on a relative scale. The thin red line shows your ranking, and the thick orange line represents the average ranking of your comparison group.
Benchmarks in which you exceed the average are colored green.
The survey found that the economic environment ranks first among multiple factors shaping security budgets, with information security concerns lying far down the list. Your responses indicate that your organization when determining information security spending. The factors you indicated are marked with orange bars.
The survey shows a relaxation of the policies that set security standards across the enterprise. Your responses indicate that your organization’s security policies are those of other survey respondents. The elements you indicated are marked with orange bars.
This year’s survey reveals a decrease in deployment of important security safeguards over the past 12 months. Your responses indicate that your organization’s process information security safeguards are those of other survey respondents. The elements you indicated are marked with orange bars.
The survey shows that, overall, data privacy safeguards have not declined in the past year – but there is certainly room for improvement. Your responses indicate that your organization’s data privacy safeguards are those of other survey respondents. The elements you indicated are marked with orange bars.
Overall, survey respondents reveal a decline in the use of some basic information security technologies. Your responses indicate that your organization’s information security safeguards are other survey respondents. The elements you indicated are marked with orange bars.
Mobile security is one of the most pressing issues facing organizations today. Your responses indicate that your organization has initiatives to address mobile security risks. The initiatives you indicated are marked with orange bars.
The source of security incidents is most often employees and former employees, according to the survey. Based on your responses, are the most likely source(s) of most security incidents. The sources of incidents you indicated are marked with orange bars.
More than half (55%) of survey respondents say they have a contingency plan in place to deal with security incidents. Based on your responses, your organization is Your response is marked with orange bars.
Almost half (48%) of survey respondents say they have a mechanism to report security incidents to employees, and 40% say they have the same for customers. Based on your responses, your organization is other respondents in reporting security incidents to customers and employees. The reporting capabilities you indicated are marked with orange bars.
How PwC can help
Most organizations lack the in-house expertise to create, implement, and manage a comprehensive information security program that addresses all these areas. That’s where we can help.
PwC has expertise in the full spectrum of information security. Our team of specialists can help you with security management, threat and vulnerability assessment, information security architecture, regulatory and policy compliance, identity and access management, privacy and data protection, and security awareness and education. After implementation of these solutions, we can help monitor and measure deployments to drive future performance.
Our security practice has helped leading companies build a holistic, business-focused approach to security that is instilled into the very fabric of the organization. We believe that information security should be both a means to protect data and an opportunity to create value to the business. Let us show you how.
PwC Security Leaders are on hand to discuss your organization's risk profile.
Or visit www.pwc.com/giss2013