Despite Optimism, Companies Must Improve Security Strategies as Incidents Continue to Rise, According to PwC, CIO and CSO’s The Global State of Information Security® Survey 2013
Lacking a realistic game plan, nearly half of respondents view their company as a security ‘front-runner’, while number of incidents rise; Over half say top-level leadership is greatest obstacle to improving effectiveness
NEW YORK and FRAMINGHAM, Mass., — Sept. 20, 2012 — The rise in global security incidents, diminished budgets and degrading security programs have left organizations to deal with security risks that are neither well-understood nor consistently addressed. Executives around the world feel confident that they’re winning the high-stakes game of information security despite the growing number of obstacles, according to The Global State of Information Security® Survey 2013 released today by PwC US in conjunction with CIO and CSO magazines.
“Security models of the past decade are no longer effective. Today’s rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance,” said Mark Lobel, a principal in PwC’s Advisory practice. “Companies that want to be information security leaders should prepare to play a new game – one that requires advanced skills and strategy to win against emerging threats.”
According to the tenth annual survey, the general mood among global executives is largely optimistic. The majority of respondents said they are very or somewhat confident their organizations have instilled effective information security behaviors into their culture (68 percent), and are very or somewhat confident their information security activities are effective (more than 70 percent). Yet, while nearly half of respondents (42 percent) view their organization as a “front-runner” in information security strategy and execution, the survey finds that only 8 percent actually qualify as true information security leaders. According to PwC, “leaders” are defined as companies that have a chief information security officer (or CISO equivalent) who reports to the organization’s top executives, have an overall information security strategy in place, have measured and reviewed the effectiveness of their security in the last year, and understand exactly what types of security events have occurred.
“Clearly, many executives have unfounded confidence in their security capabilities,” said Bob Bragdon, publisher of CSO. “In order to strengthen security practices, organizations must embrace a new way of thinking in which information security is both a means to protect data as well as an opportunity to create value to the organization. Security strategies and security spending must be well-aligned with business goals.”
Despite an increase in the number of respondents reporting 50 or more incidents (13 percent), fewer than half (45 percent) expect an increase in their budgets in the next 12 months – down from 51 percent and 52 percent in 2011 and 2010, respectively. While multiple factors shape security budgets, the primary determinant is the economic environment, with information security concerns far down the list. Also, senior executives are frequently seen as understanding the problem, with half of respondents – including 86% of the security “leaders” – pointing to top-level leadership as the greatest obstacle to improving information security effectiveness.
The survey shows that a winning security practice is often hindered by decreased deployment of basic information security and privacy tools. Among the categories taking a hit are malicious code detection tools for spyware and adware, down to 71 percent after topping out at 84 percent in 2008, and intrusion detection tools, once in use by nearly two-thirds of respondents and now used by just over half.
In today’s world of “big data,” the survey also finds that most organizations are keeping looser tabs on their data today than in years past. While more than 80 percent say protecting customer and employee data is important, far fewer understand what that data entails and where it is stored. Fewer than 35 percent of respondents said they have an accurate inventory of employee and customer personal data, and only 31 percent reported they had an accurate accounting of locations and jurisdictions of stored data.
The decreased deployment of security and privacy tools is like playing a championship game with amateur sports equipment,” continued PwC’s Lobel. “Intruders are exploiting business ecosystems, leaving reputational, financial and competitive damage in their wake. Today’s information security leaders must acknowledge that playing the game at a higher level is required to achieve effective security. The very survival of the business demands that they understand, prepare for, and quickly respond to security threats.”
Addressing Security Threats in Social, Mobile and the Cloud
As mobile devices, social media, and the cloud become commonplace inside the enterprise and out, technology adoption is moving faster than security. PwC has found that 88 percent of consumers use a personal mobile device for both personal and work purposes, yet only 45 percent of companies have a security strategy to address personal devices in the workplace and 37 percent have malware protection for mobile devices.
Despite an increase in the number of respondents reporting safeguards in place for mobile, social media, cloud computing, and policies covering the use of employee-owned devices, only 44 percent report having a mobile security strategy and less than 40 percent have strategies for the cloud and social media. These numbers lag the adoption rates of the technologies themselves.
Asia Leads in Practices and Performance, while North America Leads in Mobile and Social
The survey finds that years of investment pay off as Asia leads the world in security practices and performance. Among all regions, Asia has the fewest respondents who expect a decrease in security budgets this year. Roughly 60 percent of Asia respondents expect to see an increase over the next 12 months. That’s down from 74 percent in 2011, but still among the highest of any region. As for keeping up with new challenges, Asia rates highly for mobile security initiatives and cloud security strategy.
Despite Asia’s lead in practices and performance, North America ties Asia for the lead in cloud security strategy and leads in mobile and social media security. Responses from North American firms also indicate that they are the least likely to outsource security functions. Further responses indicate North American organizations are the best at staying on plan when it comes to IT projects.
To learn more about the survey, including industry specific highlights and further regional information, please visit: www.pwc.com/giss2013.
The Global State of Information Security® Survey 2013 is a worldwide study by PwC, CIO Magazine, and CSO Magazine. It was conducted online from February 1, 2012 to April 15, 2012. Readers of CIO and CSO magazines and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in this report are based on the responses of more than 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 128 countries. Forty percent (40%) of respondents were from North America, 26% from Europe, 18% from Asia, 14% from South America, and 2% from the Middle East and South Africa. The margin of error is less than 1%.
About CIO and CSO Magazines
CIO and CSO magazines are published by IDG Enterprise, producer of award-winning media properties, executive programs and the CIO Executive Council for IT and security executives who use technology and security to thrive and prosper in this new era of business. The CIO portfolio includes CIO.com, CIO magazine (launched in 1987), CIO Executive Programs and the CIO Executive Council. CIO properties provide business technology leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. The U.S. edition of the magazine and website are recipients of more than 200 awards to date, including the Top B-to-B magazine since 2000 from American Society of Business Publication Editors, two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors.
Launched in 2002 the CSO portfolio includes CSOonline.com, CSO magazine and CSO Executive Programs. The properties provide chief security officers (CSOs) in the public and private sectors with analysis and insight on security trends and a keen understanding of how to develop and implement successful strategies to secure all business assets—from people to information and financial value to physical infrastructure. The U.S. edition of the magazine and website are the recipients of more than 100 awards to date, including the Top B-to-B magazine since 2000 and Magazine of the Year award from the American Society of Business Publication Editors as well as the Grand Neal from the Jesse H. Neal National Business Journalism Awards. IDG Enterprise is a subsidiary of International Data Group (IDG).
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
About PwC’s Advisory Practice
PwC’s Advisory professionals help organizations improve business performance, respond quickly and effectively to crisis, and extract value from transactions. We understand our clients’ industries and unique business challenges, and look across the entire organization — focusing on strategy, structure, people, process and technology — to help clients build their next competitive advantage. See http://www.pwc.com/us/consulting for more information or follow us @PwCAdvisory.
About the PwC Network
PwC firms help organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.