Giss 2011 Survey Report

8/2/2019 Giss 2011 Survey Report

1/58

Respectedbutstill restrainedIn the atermath o the worst global economic jolt in 30 years,inormation security conronts a new economic order.

Findings rom the 2011 Global State o Inormation Security Survey

Advisory Services

Security


2/58

Methodology

The 2011 Global State o Inormation Security Survey is aworldwide security survey by PricewaterhouseCoopers, CIOMagazine and CSO Magazine. It was conducted online romFebruary 19, 2010 to March 4, 2010. Readers o CIO andCSO Magazines and clients o PricewaterhouseCoopers romaround the globe were invited via email to take the survey. Theresults discussed in this report are based on the responses omore than 12,840 CEOs, CFOs, CIOs, CSOs, vice presidentsand directors o IT and inormation security rom 135 countrieThirty-seven percent o respondents were rom Asia, 30% romEurope, 17% rom North America, 14% rom South America,and 2% rom the Middle East and South Arica. The margin oerror is less than 1%.


3/58

Table o contents

The heart o the matter

As global economic conditions continueto uctuate, inormation security hoversin the balancecaught between a new

hard-won respect among executivesand a painstakingly cautious undingenvironment.

An in-depth discussion

Signs o securitys strategic gains andadvances stand side by side with newlyemerging cracks in its oundation.

I. Spending: A subtle but enormously meaningul shit

ll. Economic context: The leading impacts and strategies

lll. Funding and budgets: A balance between caution and optimism

IV. Capabilities and breaches: Trends too large to ignore

V. New areas o ocus: Where the emerging opportunities lie

VI. Global trends: A changing o the guard

What this means to your business

Learn rom the downturn. And makecrucial changes. But also be among the

frst to ace orward.


4/58


As global economicconditions continue touctuate, inormation

security hovers in thebalance caught betweena new hard-won respectamong executives anda painstakingly cautious

unding environment.


5/58

Over the past year, it has been hard to predict when, where and with what

strength global economic conditions might improve.

So it isnt surprising to discover this year, thataccording to the results o

the 2011 Global State o Inormation Security Surveyexecutives across

industries and markets worldwide have been reluctant to release unding to

support the inormation security unction.

This fnancial restraint is in spite o clear evidence that as inormation security

emerges rom the smoke o a brutal yearand, in eect a trial by fre, as las

years survey revealedit is sporting a new hard-won respect, not just rom

many but rom most o this years respondents. This includes more than 12,80

CEOs, CFOs, CIOs, CISOs, CSOs and other executives responsible or their

organizations IT and security investments in more than 135 countries.

As the spending restraint continues, however, some block and tackle secur

capabilities that took a ull decade to develop are degrading and, day by day,

opening up organizations to new windows o risk.

This year, the tension is acute. Between ongoing maturation in the security

unction and regression. Between caution in this economy and optimism.

Between preserving cash and protecting the business.

Caught in the balance is the inormation security unctionthirsty or unds

and poised to continue systematically driving into the heart o the business.

What is the evidence o these trends? What are the implications or spending

during the next six to 12 months? Where are the greatest security-related

vulnerabilities emerging? And which are the most crucial opportunities and

priorities your organization should ocus on now and over the next year to

increase the contribution that security makes to your business?



6/58


Signs o securitysstrategic gains andadvances stand side by

side with newly emergingcracks in its oundation.


7/58


I. Spending: A subtle but enormously

meaningul shit

Finding #1

Three strategic trends in spendingeach o them several years in

the makingare now hard to miss.

Finding #2

This years spending drivers arent new. But heres the surprise:

Almost every one o these actors are trending at, or near,our-year lows.

Finding #3

Client requirement has now emergedeither as the new avor

o the year or perhaps as a strategic driver o spending that will

endure over time.


8/58

Look at these numbers over a multi-year period. This yearor the

frst time in the course o the surveythree long-term strategic

trends in inormation spending have appeared in the spotlight.

1. Security is on the CFOs protect list

We frst saw evidence o this last year. This years data provides

additional confrmation o the trend. As the unction maturesandcontributes in more obvious and direct ways to business objectives

it is encountering much more stable unding curves. As the surve

revealed last year, security unding is protected during the down

cycle. Andas we will point out in the pages that ollowthis und

ing is increased as market vigor returns.

2. Yet security is still vulnerable to the avor o the year

Because security sits at the heart o the business, its spending

driversthe actors emphasized most prominently and most oten

by executives seeking unding or security-related initiativestend

to be very closely aligned with the hot priorities o the business,whatever they might be at the time. In short, securitys spending

drivers are susceptible to what we might call the avor o the year

Take the US market, or example. In 2007, six years ater the event

o 9/11, 68% o US respondents identifed business continuity and

disaster recovery as the single largest driver o security spending,

compared with 43% today. In the same yearfve years ater the

passage o the Sarbanes-Oxley Act and two years ater the Health

Insurance Portability and Accountabilitys (HIPAA) Security Rule too

eectUS respondents identifed regulatory compliance as the

second-greatest spending driver, compared with 47% today.

3. The water drop eect

Big splash then diusion. Ater peaking as drivers, each o these

actors, rom business continuity to regulatory compliance, shits

rom an external game-changer to an internal given. They re-

main important to the organizationoten crucially sobut precise

because o their value, they become integrated into the business.

How? Through, or example, newly automated systems or eature-

enhanced sotware. Updated job descriptions. Policies and busine

practices. And more comprehensively designed internal controls.

Finding #1. Three strategic trends in spending

each o them several years in the making

are now hard to miss.


9/58


Finding #2. This years spending drivers

arent new. But heres the surprise: Almost

every one o these actors are trending at,

or near, our-year lows.

Which actors are driving inormation security spending this year?

At frst glance, the answer isnt much o a shock: economic condi-

tions (reported by 49% o respondents), business continuity and

disaster recovery (40%), company reputation (35%), internal policy

compliance (34%) and regulatory compliance (33%). (Figure 1)

These are the primary actors you would expectnot just one year

ater the greatest economic downturn in the last 30 years but also

ater a decade o expanding globalization; continual introduction o

new technologies that enable a ree ow o inormation worldwide;

the introduction o the Advanced Persistent Threat; and a wave o

regulation across markets, industries and regions.

What is surprising, however, is that almost every one o these ac-

tors is trending at or near our-year lows. Take business continuity/

disaster recovery, or example. Sixty-eight percent o respondents

pointed to this actor just our years ago. That was 28 points ago

reduction o 41% compared with this year. The other drivers showcomparable declines. (Figure 2)

First, lets clariy a key issue: Does this mean these actors areless

important? Absolutely not. In many respects, theyve never been

more vital. Theyre just not as vigorous spending drivers as theyve

been in the past.


10/58

Figure 1: Percentage o respondents who identiy the ollowing business issues or actors as the

most important drivers o inormation security spending in their organization. (1)

(1) Not all actors shown. Does not add up to 100%. Respondents were allowed to indicate multiple actors.

Source: The 2011 Global State o Inormation Security Survey

Regulatory

compliance

Internal policy

compliance

Company

reputation

Business

continuity/

disaster recovery

Economic

conditions

49%

40%

35% 34% 33%


11/58


Figure 2: Percentage o respondents who identiy the ollowing business issues or actors as the

most important drivers o inormation security spending in their organization. (2)


* This calculation measures the dierence between response levels over a three-year period rom 2007 to 2010.


2007 2008 2009 2010Three-year

% change*Economic conditions n/a n/a 39% 49% n/

Business continuity/disaster recovery 68% 57% 41% 40% -41%

Company reputation 44% 39% 32% 35% -20%

Internal policy compliance 51% 46% 38% 34% -33%

Regulatory compliance 54% 44% 37% 33% -39%


12/58

What is the new avor o the year? Client requirementalthough

the meaning o this term likely varies a bit across respondents.

This year, when respondents were asked how inormation security

spending was justifed in their organization, nearly every one o the

top seven actors they identifedrom common industry practice t

potential liability or revenue impactsreected declines in comparson with 2007. The reductions ranged rom 10% to 26%.

Client requirement was not only the sole actor in the top seven to

increase over this period, it also moved up in ranking rom the bot-

tom o the list (#6 position) to near parity (#2 position) with the lead

ing actor: justifcation or inormation security. (Figure 3)

Does client requirement reer to an internal client or an external one

A contractual mandate or a minimal threshold on a request or pro-

posal? While the survey is ambiguous on this point, its abundantly

clear that client requirement in general is driving spending morethan it ever has in the past.

Is client requirement just the new avor, or will it prove to be a

more enduring driver? Could client requirement become the global

acknowledged leading driver o security spending in the next three

to our years?

Perhaps. At this point it appears to be one more sign that, ater

15 years, the inormation security unction continues to take on a

ar more customer-acing, business-supporting, strategic value-building role.

Finding #3. Client requirement has now

emergedeither as the new avor o the year

or perhaps as a strategic driver o spending

that will endure over time.


13/58


Figure 3: Percentage o respondents who identiy the ollowing actors when asked to reveal

how inormation security is justifed in their organization. (3)




2007 2008 2009 2010Three-year

% change*Legal/regulatory environment 58% 47% 43% 43% -26%

Client requirement 34% 31% 34% 41% +21%

Proessional judgment 45% 46% 40% 40% -11%

Potential liability/exposure 49% 40% 37% 38% -22%

Common industry practice 42% 37% 34% 38% -10%

Risk reduction score 36% 31% 31% 30% -17%

Potential revenue impact 30% 27% 26% 27% -10%


14/58


15/58


II. Economic context: The leading impacts

and strategies

Finding #4

While the impacts o the downturn linger, the largest increase in ris

is associated with weaker partners and suppliers.

Finding #5

The strategies companies are taking this year are largely the same

as those taken last year. Some o these strategies, however, may bopening up companies to new areas o risk.


16/58

While a robust return to economic strength has been elusive, most

economists agree that market conditions today are ar better than

they were in late 2008. So its natural to expect that executive per-

ceptions o the impacts the downturn has had on the security unc

tion would be dierent than they were last year.

Theyre not. At least most o them arent. In act, theyre surprisingconsistent with last years. Most agree, or example, that the regu-

latory environment has become more complex and burdensome.

And that the increased risk environment continues to elevate the

importance o the security unction. And that ongoing cost-reductio

eorts make adequate security more difcult to achieve. (Figure 4)

So whats the greatest change reported in the global economys im

pact to the unction this year? Respondents are considerably more

likely than last year to report that business partners and suppliers

have been weakened by economic conditions.

Thats understandable, especially given actors such as the re-

cent surge in globalization and cross-border participation in supply

chains and emerging market development as well as the act that

one would naturally expect the real impacts to partners and suppli-

ers to take at least one year to emerge.

But theres a much less obvious implication here, one that is enor-

mously revealing about the strategic evolution in the maturity o the

security unction.

This data isnt just coming rom senior business and IT decision-

makers. Clearly, this inormation is also coming romeither direct

or indirectlycore business managers at the center o companies

and their operations. This includes the business unit heads, the op

erational decision-makers, the supply chain experts who work mos

closely with the organizations business partners and suppliers.

Finding #4. While the impacts o the downturn

linger, the largest increase in risk is associated

with weaker partners and suppliers.


17/58


Figure 4: Percentage o respondents reporting the ollowing impacts o current economic

conditions on their organizations inormation security unction. (4)



In other words, this year, were starting to see quantitative evidence

o anecdotal trends we have been tracking or several years: That

the spotlights on securitys value are turned on and shining brightly

not just at the C-suite level but also at the very heart o organizatio

al operations, in areas such as production, supply chain, procure-

ment, business development and strategic partnering.

56%

56%

55%

52%

50%

52%

43%

43%

52%

43%

50%

42%

2010

2009

2010

2009

2010

2009

2010

2009

2010

2009

2010

2009

Regulatory environment has become more complex and burdensome

Increased risk environment has elevated the role and importance of the security function

Cost reduction efforts make adequate security more difficult to achieve

Threats to the security of our information assets have increased

Our business partners have been weakened by the economic conditions

Our suppliers have been weakened by the economic conditions


18/58

Consider the strategies organizations are engaging to continue

meeting security objectives in the ace o this years uncertain eco-

nomic conditions. (Figure 5)

For the second year in a row, increasing the ocus on data protec-

tion is the single most common strategy worldwide. Also consisten

with last years results are other prioritiessuch as prioritizing security investments based on risk; strengthening the companys gover-

nance, risk and compliance program; and accelerating the adoptio

o security-related automation technologies to increase efciencies

and cut costs.

Yet a second set o trends includes other strategies. Such as in-

creasing reliance on managed security services. Reducing the

number o ull-time security personnel. And shiting security-related

responsibilities to non-security personnel.

The business rationale behind these tactics, o course, is based onthe need or greater efciencies and a more reliable supply o more

diversifed security-related skills. Like IT, security needs to lower th

cost o ongoing operations and devote more o the budget to new

value-creation activities. But at the same timeand this is critical

these tactical strategies, in some cases, may be opening up organ

zations to new areas o risk.

For example, i companies are increasing their reliance on managed

security services providers, are they also (1) enhancing governance

and oversight mechanism, (2) conducting periodic audits o the providers operations, and (3) ensuring the alignment o the providers

processes with the companys security policies, regulatory man-

dates and strategic risk management priorities?

Finding #5. The strategies companies are

taking this year are largely the same as those

taken last year. Some o these strategies,

however, may be opening companies to new

areas o risk.


19/58


Figure 5: Percentage o respondents reporting that, in order to meet their security objectives in

the context o the harsh economic realities, the ollowing strategies are important. (5)

(5) Respondents who answered Important, Very Important or Top Priority. Not all responses included. Does not add up to 100%.

Respondents were allowed to indicate multiple actors.


Increasing the focus on data protection 71%

69%

67%

66%

66%

65%

59%

48%

43%

Prioritizing security investments based on risk

Strengthening the companys governance, risk and compliance program

Refocusing on core of existing strategy

Accelerating the adoption of security-related automation technologies to increase efficiencies and cut costs

Pursuing more complete configuration of DLP tools

Increasing reliance on managed security services

Allocating security-related tasks to non-security IT employees

Reducing the number of full-time security personnel


20/58


21/58


III. Funding and budgets: A balance between

caution and optimism

Finding #6

Financial caution remains high as executives in the industry keep

a tight lid on the budgetary coersat least or now.

Finding #7

Yet this caution appears to be easing or projects more than six

months out and or reductions o 10% or more.

Finding #8

Asked about their expectations about security spending in the

coming year, respondents are more optimistic than at any time

since beore 2005.


22/58

Funding is still tight. Theres no question about it. Although some

industries and markets appear to be strengthening, companies are

reacting with extreme caution.

Asked whether their organization had reduced budgets or security

initiatives over the last year, nearly hal o all 12,847 respondents

agreed that they hador capital (47%) and operating expenditures(46%). And, in act, these numbers matched last years responses t

the same question(47% and 46% respectively). (Figure 6)

Quite surprisingly (at least given the signs o an impending market

return to healthy levels o growth), more respondents than last year

reported that their organization had deerred security-related und-

ing or capital expenditures (rom 43% in 2009 to 46% this year) an

operating expenditures (rom 40% to 42%).

A subtle tightening o the purse strings? Yes, apparently. A sign

o even greater unding restraint to come? Perhaps. But not likely.Evidence suggests this hyper-ocus on costs, in some cases, migh

be akin to one segment o the global consumer markets aversion

to spending money in the months immediately preceding their pur-

chase o a new car. Saving now in anticipation o spending later.

Finding #6. Financial caution remains high as

executives in the industry keep a tight lid on th

budgetary coersat least or now.


23/58



Figure 6: Percentage o survey respondents who report that their organization is reducing

budgets or security initiatives or deerring them.

Has your company reduced budgets or any security initiatives? 2009 2010

Yes, or capital expenditures 47% 47%

Yes, or operating expenditures 46% 46%

Has your company deerred security initiatives? 2009 2010




24/58

In the seconds ater the wheel o a ast-moving 200-ton ocean-

transport vessel directs the ship in a markedly dierent direction

and beore the evidence o this turn is apparent to the ships com-

passthe water level on one side o the wave-cutting bow register

an unmistakable change.

Thats happening hereso to speak. We took a closer look at howrespondents answered our question about spending restraint or

capital and operating expenditures. And what we discovered is qui

ascinating.

Spending caution appears to be easing or projects more than six

months out and or reductions o 10% or more. And its building

up at the bow or projects under six months or budget reductions

under 10%.

Why is demand bunching up or near-term projects? Its hard to

tell. Some o our clients are concerned about the short-term reliabiity and calendar timing o the return to economic strength. Others

are interested in unding a higher portion o security-related invest-

ments in operating and capital expenditures rom actual revenue

streams as they maniest themselves on a cash basis, rather than

accrual. And many management teams, o course, have their head

down trying to balance securitys demand or those unds against

frst distribution calls or value-creating unding rom across the

enterprise.

How do we view this trend in the data? As a noteworthy shit inthe ocus o unding restraintaway rom long-term initiatives and

increasingly concentrated on initiatives planned or the short-term.

We take that as an unimpeachable sign o cautious optimismone

sign, actually, o two.

Finding #7. Yet this caution appears to be

easing or projects more than six months out

and or reductions o 10% or more.


25/58


Figure 7: Percentage o survey respondents who report that their organization is reducing

budgets or security initiatives or deerring them.


Has your company reduced budgets or any security initiatives?2009 2010

One-year

change


- by under 10% 19% 22% + 3 pts

- by more than 10% 28% 25% - 3 pts


- by under 10% 19% 22% + 3 pts

- by more than 10% 27% 24% - 3 pts

Has your company deerred security initiatives?2009 2010

One-year

change

Yes, or capital expenditures 43% 46%- by less than 6 months 21% 27% + 6 pt

- by more than 6 months 22% 19% - 3 pt


- by less than 6 months 22% 26% + 4 pt

- by more than 6 months 18% 16% - 2 pt


26/58

The second sign o optimism is a bit more exuberant. This year, ex

pectations that spending will increase leaped by more points than

any time since the earliest years o this survey. This optimismheld

by 52% o respondents, a higher number than any response level

since beore 2005is signifcant. (Figure 8)

Absent another worldwide shock to the global economy, we maysee a release o this pent-up demand at the bow and an increase

in security-related spending on capital and operating expenditures

as early as later this year.

Finding #8. Asked about their expectations

about security spending in the coming year,

respondents are more optimistic than at any

time beore 2005.


27/58


Figure 8: Percentage o survey respondents who report that security spending will increase over

the next 12 months. (6)



201020092008200720062005

42%

46%44% 44%

38%

52%


28/58


29/58


IV. Capabilities and breaches: Trends too

large to ignore

Finding #9

Ater posting solid advances in the last several years, some frms a

allowing these capabilities to degrade.

Finding #10

As organizations continue to gain new visibility into security

incidents, they are learning more about the real costs o breaches.

Finding #11

This year, there is a signifcant shit in the ongoing evolution o

the CISOs reporting channel away rom the CIO in avor o the

companys senior business decision-makers.


30/58

This year, adoption levels or many inormation security-related pro

cesses appear to have stalledan unplanned consequence, per-

haps, o the austerity in the unding environment. Respondents are

just as likely as they were last year, or example, to have an overall

security strategy in place (65% in 2009, 65% this year), use vulnera

bility scanning tools (53% in 2009, 53% this year), and have wireles

(cellular and Wi-Fi) security standards and procedures (45% in 20045% this year). (Figure 9)

In many cases, however, these adoption rates are actually in declin

Fewer respondents compared with last year, or example, conduct

personnel background checks (60% in 2009, 56% this year),

dedicate people to monitoring employee use o the Internet and

inormation assets (57% in 2009, 53% this year), and conduct an

employee security awareness program (53% in 2009, 49% this

year). (Figure 10)

Just a one-year impact? Maybe so. But where it occurs, this regression oten returns these capabilities to 2008 levels or below.

Finding #9. Ater posting solid advances in

the last several years, some frms are allowing

these capabilities to degrade.


31/58




2006 2010200920082007

37%

57%59%

65% 65%

Have an overall information security strategy

2006 20102009200820072006

21%

28%

36%

44%42%

Integrate privacy and compliance plans

20102009200820072006

11%

29%

35%

43% 43%

Have implemented security eventcorrelation software

2006 20102009200820072006

38%

58%

67%

59% 60%

Ensure the secure disposal of

technology hardware

2006 20102009200820072006

30%

50%

54% 53% 53%

Use vulnerability scanning tools

2006 20102009200820072006

29% 29%

40%

45% 45%

Have wireless (cellular and Wi-Fi) securitystandards and procedures

Figure 9: Percentage o survey respondents who report that their organization has the ollowing

security- and privacy-related capabilities in place. These sample responses highlight the act tha

many capability advances have stalled. (7)


32/58



2006 20102009200820072006

51% 52% 51%

60%56%

Conduct personnel background checks

2006 20102009200820072006

25%

42% 43%

50%

46%

Have established security baselines for external

partners, customers, suppliers and vendors

2006 20102009200820072006

39%42%

54% 53%

49%

Conduct an employee security

awareness program

2006 20102009200820072006

40%

48%50%

57%

53%

Have people dedicated to monitoring employee

use of the Internet and information assets

2006 20102009200820072006

34%

44%

51%53%

48%

Use a centralized security information

management process

2006 20102009200820072006

49%47%

54%

58%

54%

Actively monitor and analyze information

security intelligence


security- and privacy-related capabilities in place. These sample responses reect the emerging

degradation in some capabilities. (8)


33/58


For years, the percentages o respondents who reported not know

ing about key security event-related acts have been painully high.

Just a ew years ago in 2007, or example, 40% didnt know how

many security events had occurred in the past 12 months. Today,

23% dont. In 2007, almost hal (45%) didnt know what type o se-

curity events had occurred. Today 33% dont. (Figure 11)

As organizations continue to turn on the lights, however, what the

are fnding is sobering. In short, the impact o security events on th

business has risen to signifcant levelsparticularly with respect to

fnancial losses (now reported by 20% o all respondents), thet o

intellectual property (15%) and compromises to brands or reputa-

tions (14%). (Figure 12)

As these numbers continue to rise, we oresee even greater pressu

on the CFO to release undingnot just to maintain security capa-

bilities at their current level but also to advance securitys ability to

protect and enable the business.

Finding #10. As organizations continue to gain

new visibility into security incidents, they are

learning more about the real costs o breaches


34/58



2010200920082007

Dont know how many security

events have occurred in the

past 12 months

2010200920082007

Dont know what type of

security events occurredi.e.,

whether exploitation occurred

to applications, data, mobile

devices (such as smart phones

and USBs), systems, networks,

or through social engineering

23%

32%

35%

40%

33%

39%

44%45%

2010200920082007

Dont know what the likely

source of the event was

i.e., current employees,

former employees, hackers,

customers, partners

and suppliers

34%

39%42%

44%

Not available

Figure 11: Percentage o survey respondents who report the ollowing inormation with respect

to negative security-related events impacting their organization. (9)


35/58


Figure 12: Percentage o all survey respondents who report the ollowing business impacts to

their organization. (10)

2010200920082007

Financial losses

2010200920082007

Theft of intellectual property

20%

14%

8%

6%

15%

10%

6%5%

2010200920082007

Brand or reputation

compromised

14%

10%

6%5%




36/58

The gap has widened. Three years ago, companies still viewed the

inormation security unction principally as a technology cost cente

One unimpeachable sign o this was the act that the single most

common reporting channel or the Chie Inormation Security Ofce

(or equivalent inormation security executive) was to the Chie Inor

mation Ofcer.

How quickly the times have changed. Since 2007, the number o

respondents reporting this viewpoint has declined very signifcantly

rom 38% to 23% this year.

So where is the CISO reporting today? To the business side o the

house, typically to the Board, the CEO, the CFO, the Chie Operat

ing Ofcer and the Chie Privacy Ofcer. (Figure 13)

Whats the strategic signifcance o this reporting shit? Across in-

dustries, we continue to see evidence o executive recognition that

securitys strategic value is more closely aligned with the businessthan with IT.

Finding #11. This year, there is a signifcant shi

in the ongoing evolution o the CISOs reporting

channel away rom the CIO in avor o the

companys senior business decision-makers.


37/58


Figure 13: Percentage o survey respondents who report that their organizations Chie

Inormation Security Ofcer or equivalent inormation-security leader reports to the ollowing

senior executives. (11)




2007 2008 2009 2010

Three-year

% change*

Chie Inormation Ofcer (CIO) 38% 34% 32% 23% -39%

Board o Directors 21% 24% 28% 32% +52%

Chie Executive Ofcer (CEO) 32% 34% 35% 36% +13%

Chie Financial Ofcer (CFO) 11% 11% 13% 15% +36%

Chie Operating Ofcer (COO) 9% 10% 12% 15% +67%

Chie Privacy Ofcer (CPO) 8% 8% 14% 17% +113%


38/58


39/58


V. New areas o ocus: Where the emerging

opportunities lie

Finding #12

Not surprisingly, social networking represents one o the astest

emerging new areas o risk.

Finding #13

One o the leading priorities or many companies is mitigating the

consequences o a breachthrough better incident response.

Finding #14

A newly popular tool in the CISOs arsenal? Insurance.


40/58

As i protecting data across applications, networks and mobile

devices wasnt complex enough, social networking by employees i

presenting organizations worldwide with a new and growing rontie

o risk.

The risks, rom an inormation security perspective, include the loss

or leaking o inormation; statements or inormation that could damage the companys reputation; activity such as downloading pirated

material with legal and liability implications; identity thet that direc

and indirectly compromises the companys network and inorma-

tion; and data aggregation in building up a picture o an individual t

mount security attacks through social engineering.

Few companies are adequately prepared to counter this threat.

Most companies (60%) have yet to implement security technologie

supporting Web 2.0 exchanges such as social networks, blogs or

wikis. And even more (77%) have not established security policies

that address the use o social networks or Web 2.0 technologiesacritical strategy that costs virtually nothing. (Figure 14)

Finding #12. Not surprisingly, social networking

represents one o the astest emerging new

areas o risk.


41/58



inormation security capabilities in place. (12)



40%

40%

23%

23%

2010

2009

2010

2009

Have implemented security

technologies supportingWeb 2.0 exchanges such as

social networks, blogs or wikis

Have security policies

that address the use of

social networks or

Web 2.0 technologies


42/58

At frst glance, the nearly six out o every 10 (58%) respondents wh

report their organization has a contingency plan in place or securit

incidents is a healthy number. (Figure 15)

But when you actor this number by the percentage who report tha

their plan is eective (63%), the results are disheartening.

In eect, most organizations (63%) have no plan or the plan they

have doesnt work.

Finding #13. One o the leading priorities

or many companies is mitigating the

consequences o a breachthrough better

incident response.


43/58


Figure 15: Percentage o survey respondents reporting on whether or not their organization has

a contingency plan to respond to incidents.


Yes

58%

No

23%

Dont know

19%


44/58

Strategies in countering inormation security risks continue to

emerge. For the frst time this year, we asked respondents whether

their organization has an insurance policy that protects it rom thet

or misuse o assets such as electronic data or customer records.

Almost hal46%said yes. And more than a ew have made a

claim (17%) and collected on it (13%). We expect to see these numbers rise signifcantly over the next several years. (Figure 16)

Finding #14. A newly popular tool in the CISOs

arsenal? Insurance.


45/58


Figure 16: Percentage o all survey respondents reporting on the ollowing insurance-related

issues. (13)



46%

17%

13%

Yes, we have collected

on a claim

Yes, we have made a claimYes, our organization has

an insurance policy that

protects it from theft or

misuse of assets such

as electronic data or

customer records


46/58


47/58


VI. Regional trends: A changing o the guard

Finding #15

With confdence, persistence and momentum, Asia lines up on the

runway to become the new global leader in inormation security.

Finding #16

With more caution and restraintand without the same promise o

growth that Asia expectsNorth America idles its engines.

Finding #17

South America presses the gas pedal and the brakes at the same

time, while Europe displays a marked lack o direction and urgency


48/58

Ater chasing North America or several years, Asia now reports

higher maturity levels across more capabilities than any other

world region.

Pick your metric. Asian respondents point to client requirement a

among the leading justifcations or security spending in ar greater

numbers than do those in any other world region. They are morelikely to acknowledge that the increased risk environment inherent

current economic conditions has increased the role and importance

o the security unction. Theyre singularly more ocused on data

protections than those in other regions. And they are more progres

sive at addressing emerging practicessuch as employing dedicat

ed security personnel to support internal business departments an

implementing security technologies supporting Web 2.0 exchanges

At the same time, while Asian companies are pursuing comparable

strategies to meet their security objectives in the context o harshe

economic conditions, theyre doing so with signifcantly more vigorand energy. For example, the enthusiasm with which Asian respon-

dents consider strengthening governance, risk and compliance ca-

pabilities to be a top priority, very important or important (75%

stands in marked contrast to the responses rom South America

(70%), North America (66%) and Europe (56%).

Just a blip in the multiyear trend lines? No. Quite the contrary. Asia

has been doggedly plowing signifcant resources into inormation

security programs or several years.

And Asia has momentum. Asian respondents are much more opti-

mistic that security spending will increase in the months ahead tha

their regional counterparts worldwide. Soon Asia will lead the world

in inormation security. Next year? The year ater? Asia is just pick-

ing the runway. (Figures 17 and 18)

Finding #15. With confdence, persistence and

momentum, Asia lines up on the runway to

become the new global leader in inormation

security.


49/58


In acute contrast to Asias advances in inormation securityand it

more vigorous ocus on strategic issues such as alignment o secu

rity with the business and the crucial need to protect dataNorth

America has chosen to gear down on its investments in inorma-

tion security over the past year and look ater its fnancial resource

The writing is on the wall. Most o North Americas maturity levels inormation security capabilities have remained at or declined ove

the past 12 months.

Although ew in number, there were some bright spots worth noting

These include North American advances in embracing enterprise s

curity management sotware and gains in improving the impact tha

virtualization has had on the inormation security unction.

Remember, though, that the gas in the North American car isnt

the same. Where Asian executives point proactively to client re-

quirement as the leading justifcation or security spending, NorthAmerican managers look reactively frst to legal and regulatory

mandates.

Thats quite revealingand perhaps a bit prophetic. In a ew years,

we may collectively look back on the frst decade o this century an

agree that in its adolescence, inormation security responded to a

stickregulationas evidenced by North American leadership in

the unction through 2009. But as inormation security matured into

a ully integrated business unction with a guaranteed seat at the

management table, the carrot proved the primary driverclientrequirements and the revenue-enhancing role that security can play

when its truly aligned with the business. And we may well point to

Asias dominance in the unction, frst maniested in 2009 and 2010

as the frst step in a new evolutionary phase or the unction. (Fig-

ures 17 and 18)

Finding #16. With more caution and restraint

and without the same promise o growth that

Asia expectsNorth America idles its engines


50/58

Unlike Asia, which appears to have almost shrugged o many o

the global economys short-term impacts on inormation security,

South Americas ocus on the unction over the past year has been

more volatileand conicted. On the one hand, South America

stands right behind the Middle East and Arica as the regions most

likely to deer security-related initiatives or reduce budgets or capi

tal and operating expendituresa sign that the ags o fnancialcaution are ying high in these areas o the world. On the other,

South Americans nearly rival Asians in their optimism that inorma-

tion security spending will increase over the next 12 months.

At the same time, in a year when every other global region is post-

ing double-digit gains in concern that business partners and suppl

ers have been weakened by economic conditions, South Americas

anxiety on this point has actually declined. Thats a worrisome sign

given, or example, that only 28% o South Americans say their

organization conducts due diligence o third parties handling the

personal data o customers and employees.

In Europe, the ocus on inormation is ar more muted. Europe now

trails other regions in maturity across most security capabilities.

Although it is pursuing comparable strategies in addressing the

impacts o the economic conditionssuch as prioritizing security

investments based on riskit is doing so at a much lower level o

commitment than its regional counterparts elsewhere in the world.

Like North America, Europe continues to suer poor visibility into

security events and, as a result, may be unaware o the true impact

o events on the business. And while 68% o European respondentsay their organization places a high level o importance on protect-

ing sensitive customer inormation, the responses rom other globa

regions (Asia, 80%; North America, 80%; South America, 76%)

reect more conviction, direction and urgency. (Figures 17 and 18)

Finding #17. South America presses the gas

pedal and the brakes at the same time, while

Europe displays a marked lack o direction

and urgency.


51/58


Figure 17: Dierences in regional inormation security practices. (14)



AsiaNorth

America

South

AmericaEurope

A leading driver o security spending: Economic conditionsOfcer 53% 55% 51% 41%

A leading driver o security spending: Business continuity 50% 42% 35% 29%

A leading driver o security spending: Company reputation C 41% 33% 37% 28%

One o the leading justifcations or security: Legal/regulatory requirement 45% 55% 35% 35%

One o the leading justifcations or security: Potential liability/exposure 45% 50% 32% 25%

One o the leading justifcations or security: Client requirement 52% 37% 39% 29%

Security spending will increase or stay the same 86% 71% 81% 68%

View protecting sensitive customer inormation important/extremely important 80% 80% 76% 68%

Use enterprise security management sotware 49% 42% 41% 34%

Have accurate inventory o where sensitive data stored 42% 40% 33% 24%

Have an overall inormation security strategy 68% 73% 58% 60%

Have established security baselines or partners and customers 46% 55% 47% 39%

Have dedicated security personnel supporting internal business departments 56% 45% 51% 38%

Have handheld/portable device security standards 52% 47% 41% 36%

Encrypt removable media 59% 44% 53% 43%

Use tools to discover unauthorized devices 56% 56% 52% 45%

Use data leakage prevention (DLP) tools 50% 46% 41% 40%

Have security technologies supporting Web 2.0 exchanges 48% 36% 43% 32%

Number o security incidents in the past 12 months: Unknown 14% 37% 19% 29%

Type o security incidents: Unknown 22% 43% 35% 40%

Likely source o incidents: Unknown 26% 44% 31% 41%

Business impacts o security incidents: Financial losses 49% 39% 45% 32%

Business impacts o security incidents: Intellectual property thet 35% 35% 29% 29%

Business impacts o security incidents: Brand/reputation compromised 35% 32% 22% 28%

Conduct enterprise risk assessment at least twice a year 41% 28% 42% 33%

Continuously prioritize inormation assets according to their risk level 24% 16% 20% 16%

Have a centralized security inormation management process 52% 57% 44% 40%


52/58

Figure 18: Dierences among regional perceptions o the impacts o the economic downturn on

the inormation security unction. (15)

(15) Respondents who answered either agree or strongly agree.


AsiaNorth

America

South

AmericaEurope

Increased risk environment has elevated the role and importance o the

inormation security unction

65% 53% 56% 45%

The regulatory environment has become more complex and burdensome 62% 58% 52% 50%

Cost reduction eorts make adequate security more difcult to achieve 53% 53% 55% 43%

Our business partners have been weakened by the downturn 57% 54% 48% 48%

Our suppliers have been weakened by the downturn 55% 52% 46% 46%

Risks to the companys data have increased due to employee layos 46% 39% 43% 38%

Threats to the security o our inormation assets have increased 48% 50% 41% 33%


53/58


54/58

What this means or your business

Learn rom the downturn.And make crucial changes.

But also be among the frstto ace orward.


55/58

Its an uncertain year, and security hangs in the balance. On the on

hand, the ags o caution are prominent:

Tight fscal discipline and spending constraints

A ocus on preserving cash, although some key security process

es are beginning to degrade

Fewer incidents, but increasingly higher negative impacts to

the business

Emerging new areas o risk and the greater possibility, relative to

last year, that the security unction may not be prepared to pro-

tect the business

On the other hand, the signs o optimismand growing unctional

maturityare impossible to miss:

Emergence rom the 2009 economic trial by fre with more re-

spect rom the business

Deeper appreciation o securitys value, not only rom the C-suite

but also rom the operational core o the enterprise

Emergence o client requirement as a growing driver o

spending

New visibility into why events occur, where they come rom and

what harm they causeand the highest level o optimism about

spending in the last fve years

What does this mean or your business? Learn rom the downturn.

And make crucial changes. But also be the frst among your com-

petitors to ace orward and strategically position your inormationsecurity unction to support your perormance in the years ahead.

What this means or your business


56/58

Figure 19: Its an uncertain yearand security hangs in the balance.

OptimismCaution

A ocus on preserving cash, although

some key security processes are

beginning to degrade

Tight fscal discipline and spending

constraints

Fewer incidents, but increasinglyhigher negative impacts to the

business

Emerging new areas o risk, and the

greater possibility, relative to last year,

that the security unction may not be

prepared to protect the business

Deeper appreciation o securitys

value, not only rom the C-suite,

but also rom the operational core o

the enterprise

Emergence rom the 2009 economic

trial by frewith more respect rom

the business

Emergence o client requirementas a growing driver o spending

New visibility into why events occur,

where they come rom and what harm

they causeand the highest level o

optimism about spending in the last

fve years

2011


57/58


58/58

This publication is printed on Mohawk Options PC.It is a Forest Stewardship Council (FSC) certifed

stock using 100% post-consumer waste (PCW) fberand manuactured with renewable, non-polluting

wind-generated electricity.

Recycled paper

For more inormation,

please contact:

Gary Loveland

Principal, National Security Leader

949.437.5380

[email protected]

Mark Lobel

Principal

646.471.5731

[email protected]

or visit:

www.pwc.com/giss2011

pwc.com/giss2011

Giss 2011 Survey Report

Documents

Transcript of Giss 2011 Survey Report