Through Global Best Practices® and the Global state of information security (GISS) benchmarking tool, results from the global survey will be available to help organisations assess current performance and capabilities against peer companies. By submitting the on-line questionnaire, you will receive a customised benchmark report comparing your company’s information security posture to the responses of over 7,000 survey respondents from the 2010 Global state of information security survey. The report will also help companies understand the latest trends their peers are facing as well as the safeguards that are in place to proactively address emerging threats around information security.

To begin the assessment, go to www.globalbestpractices.com/gsiss2010.

Steps you can take to improve security in the coming year

Shifting from a reactive to a proactive posture—and increasing traction among parties by enhancing creativity, sharing and collaboration with users—isn't possible with an ad hoc approach to building better security and privacy capabilities. Focus instead on a more strategic approach—one that coordinates key steps such as the following:

• Get the right people together: Becoming more proactive requires more than forward visibility; it also requires leadership. If you haven't established a CISO or CSO position, consider doing so. Then work to actively engage both business and IT decision-makers in addressing security.
• Embed security awareness more deeply across the enterprise: Perhaps the most powerful driver of positive security outcomes is awareness. Although many survey respondents believe that a good portion of their users are in compliance with the organisation's information security policies, not all companies are checking. In fact, most would benefit by having people dedicated to employee security awareness programmes and requiring employees to complete training on privacy practices. Once your security policies have been clearly defined, make awareness of security and privacy issues a major—and well-championed—corporate objective. And follow up continuously.
• Plan for better security, earlier in development: As corporate investments in technology improve security protecting applications, data and networks, risks remain—especially where no one is looking. This is a great opportunity to become smarter about security earlier in the development process. By doing so, you'll mitigate more risks earlier in the process, which makes it easier than having to redesign or reconfigure mature, fully-implemented systems later.
• Strengthen incident response planning: To lessen the impact of security breaches you should: (1) ensure that you have an integrated approach to security breaches, staffed by a skilled, interdisciplinary team; (2) have a consistent response procedure for incidents; (3) review security policies and align them with your incident response procedures; and, (4) be sure to include your service providers, train your personnel, and test the programme.

While information security is important to almost every industry and business model, it can play a very different role in each—especially in the context of how differently various industries prioritise the key influencers of security spending: the economic downturn, business continuity/disaster recovery, compliance with regulations and internal policies, protecting corporate brands and reputations, and "business change" itself.

Aerospace & defense (97kb)

Automotive (93kb)

Energy & mining (94kb)

Entertainment & media (86kb)

Financial services (86kb)

Healthcare: Provider (88kb)

Industrial products (93kb)

Pharmaceuticals (82kb)

Public sector (81kb)

Retail & consumer (95kb)

Technology (101kb)

Telecommunications (92kb)

Utilities (87kb)

How have information security and privacy practices advanced around the world over the past 12 months? What a difference a year—and an economic crisis—can make. This year, the Global information security survey's regional highlights reveal surprising shifts in momentum—and in leadership.

Asia 

North American and Asian security practices are no longer on a par with one another, as survey responses last year indicated. On the one hand, gains in Asia—across every major security domain, from strategy and assessment to technology—have advanced very significantly over the past 12 months. On the other hand, gains in North America have advanced even further. That may change this year. Here's why:

• Spending: Asian respondents are far more likely than their North American colleagues to estimate that spending on security over the next year will either increase or stay the same (73% vs. 59%).
• Deferrals and cancellations: Decision-makers in Asia are much more likely to view deferrals and cancellations of some security-related initiatives as short-term impacts over a 6-month period than their North American counterparts who believe the project and funding impacts will last for a longer period of time.
• Understanding threats: Asian organisations have a deeper understanding about where the threats to their assets are coming from than do North American ones. They’re much more likely, for example, to know the number of security incidents occurring in the past 12 months as well as the likely source and type of the attack.
• Incidents: With a deeper understanding of their threat environment, Asian organisations have uncovered valuable information: i.e., that the attacks are more numerous than expected. And that the incidents have actually been much more successful in exploiting data and networks—rather than devices, applications and users—than Asian companies estimated last year.
• China takes the global lead: As China muscles its way through the economic downturn, its security capabilities have stepped nimbly ahead of India’s—in a dramatic shift from last year’s trend—and, in the same one-year sweep, ahead of those in the US and most of the world.

Europe 

If one takes this year's European responses to the survey at face value, it would appear that Europe is the region enduring the weakest impacts of the economic downturn on the information security function. Europeans—in comparison with their colleagues around the world—report the lowest impacts across a range of variables, from regulation and employee layoffs to supply chain. They also have comparatively lower expectations that information security spending will either increase or stay the same over the next 12 months (50% vs. 81% in South America and 73% in Asia). If true, that may be good news for European organisations. But it also raises the possibility that, while other regions—those more urgently spurred into action by the downturn—continue to translate their concerns about risks to information assets into even more robust security capabilities next year, Europe will continue to fall behind.

• Leadership and organisation: The few gains evident among Europe organisations this year are in an important domain - security leadership and people-related capabilities. European respondents report a 15-point gain in employing Chief Information Security Officers and a 13-point gain in employing Chief Security Officers.
• Other security domains: European respondents report lackluster gains compared to last year and maturity levels that often trail other regions. For example, Europeans are least likely to have an identity management strategy (40% vs. 55% in North America, 53% in Asia, and 42% in South America) and to conduct threat and vulnerability assessments (39% vs. 55% in North America, 50% in Asia, and 46% in South America).
• Compliance as a driver: Even though European respondents report that regulatory compliance is the single most important business issue driving information security spending, Europe trails behind other regions in actually testing for compliance on a regular basis (39% vs. 57% in North America, 52% in Asia, and 53% in South America).

North America 

After vying with Asia last year for regional dominance in global security practices, North America has stepped ahead in many, though not all, important security domains. Yet as the downturn plays out, North America appears to have eased off on security-related investment in comparison with other regions. This mild slowing in investment, however, may carry implications for future years, particularly since Asia's momentum in security shows no signs of slowing.

• A strong portfolio of capabilities: In the midst of the downturn, North American organisations are falling back on a relatively mature set of security and privacy-related capabilities established over years of investment. North America leads other regions, for example, in areas that range from having an overall information security strategy (73% vs. 66% in Asia, 56% in South America, and 59% in Europe) to conducting employee awareness security programs (63% vs. 55% in Asia, 46% in South America, and 40% in Europe).
• Investment deferral: North American organisations are more likely, however, to spread security-related project deferrals across a year or longer - unlike Asian and South American organisations which have scheduled more of these delays within a shorter 6-month period.
• Enterprise risk management: One emerging area of weakness for North America—at least on a regional comparison basis—is in managing risks at the enterprise level. While North America (30%) trails both South America (43%) and Asia (37%) in adopting enterprise risk management, it's only a few percentage points ahead of Europe (28%).

South America 

For years, South American security capabilities lagged behind those of other global regions. Last year, while Asia and North America vied for leadership, South America nudged up just behind Europe—and moved into the passing lane. This year, South America has stepped cleanly and clearly ahead.

• Double-digit gains: For a second year in a row, South America has posted key double-digit gains in many key areas – such as compliance testing (from 40% in 2008 to 53% in 2009), account deprovisioning (from 27% to 43%) and establishing security baselines for partners and customers (from 41% to 56%).
• Incidents: South American respondents, like their Asian colleagues and unlike their European ones, simply know more about the number, type and source of attacks.
• Risk management: Some of the advances represent important benchmarks for any mature security program. For example, South American organisations are more likely than their counterparts in any other region of the world to conduct an enterprise risk assessment at least twice a year (43%) as well as prioritize their information assets according to their risk level—on a continuous basis (43%).
• Spending drivers: South American respondents point to “client requirements” as the leading factor used to justify security spending, an answer that contrasts with that of European respondents whose leading response was “legal or regulatory requirement”. What's the significance? By linking information security more closely with revenue, South American organisations may have an easier time justifying investment in the security function—one reason, among others, that may be playing a major role in the momentum behind South America's spending.

To register for the New York event, please visit: GISS Roadshow New York.

To register for all other roundtable events, please visit: GISS Roadshow.