The 2012 Global State of Information Security Survey® reveals that 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans, placing them in the category of information security “front-runners.” Twenty-seven percent of respondents identified themselves as “strategists,” while the remainder identified themselves as “tacticians” and “firefighters” (15 and 14 percent respectively). The study, the largest of its kind, is conducted by PwC US in conjunction with CIO and CSO magazines.
The 9th annual survey of more than 9,600 security executives from 138 countries found that 72 percent of respondents report confidence in the effectiveness of their organization’s information security activities; however, confidence has declined markedly since 2006. The findings of the survey have helped carve out a new definition of an information security leader. Even though 43 percent see themselves as “front-runners,” according to the survey only 13 percent made the “leader” cut. Those identified as leaders have an overall information security strategy in place, a CIO or executive equivalent who reports to the “top of the house,” measured and reviewed security policy effectiveness, and an understanding of the security breaches the organization faced in the past year.
According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten respondents report that their organisation uses cloud computing: 69 percent for software-as-a-service, 47 percent for infrastructure-as-a-service and 33 percent for platform-as-a-service. Fifty-four percent of organisations say that cloud technologies have improved security, while 23 percent say they have increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies.
Matthew Parker, Manager at PwC Channel Islands, said: “This demonstrates the need to perform effective reviews of cloud service providers. Companies need to ensure they are comfortable with the level of control in place at anyone they are hosting data with; this should form a part of the due diligence processes performed when assessing the risks to the corporate information.”
Mobile devices and social media represent a significant new line of risk – and a demand for prevention. Organisations are beginning to amplify their efforts to prevent mobile and social media based attacks; however, more than half of all respondents report that their organisation does not yet have a security strategy for employee use of personal devices, including mobile devices, or for the use of social media.
Managing security-related risks associated with partners, vendors and suppliers has always been an issue – according to this year’s survey it is getting worse. Seventeen percent of respondents identify customers as the source of security breaches, up slightly from last year (12 percent), and 15 percent have identified partners or suppliers as the source.
“Whilst internal staff still remain the biggest threat to information security, organisations should not overlook their exposure through trusted third parties such as service providers,” commented Mr. Parker.