Information Security Function ‘Protected’ During Economic Downturn According to PricewaterhouseCoopers/CIO/CSO Magazine’s Global State of Information Security Survey® 2010; 63% of global survey respondents say spending on security function will increase or stay the same in spite of economic downturn

NEW YORK and FRAMINGHAM, Mass. – October 15, 2009 – According to the 7th annual Global State of Information Security Survey® 2010, released today, six out of ten respondents (63 percent) expect spending to either increase or stay the same – in spite of the worst economic downturn in decades – or perhaps because of it. The study, the largest of its kind, is conducted by PricewaterhouseCoopers LLP (PwC) in conjunction with CIO and CSO magazines. More than 7,200 executives from 130 countries across all industries were asked about their information security expectations. The results demonstrate that global leaders appear to be "protecting" the information function from budget cuts – but at the same time are placing it under intensive pressure to "perform."

"The increased risk environment has visibly elevated the role and importance of the information security function to the entire business organization," says Mark Lobel, an Advisory principal at PricewaterhouseCoopers. "After years of misalignment, business and IT leaders seem to be starting to think like each other. This year, as we move from 2009 to 2010, may turn out to be a high-stakes 'coming of age'."

The Global State of Information Security Survey® 2010 shows that across industries and from the private to the public sector, the downturn has had a major impact on security spending. A few key industry trends from this year's survey include:

— Financial Services

– This year, fewer financial services respondents predict spending will increase (40 percent in 2009; 46 percent in 2008) yet two-thirds (64 percent) expect spending to either increase or stay the same.

– For the first time in the history of this survey, the majority of metrics used to track advances in security-related capabilities – across all major security domains, including strategy, structure, people, process and technology – have, by and large, for the financial services industry, not improved.

– Seventy-five percent of financial services respondents have an overall information security strategy in place, compared to 74 percent in 2008.

– Fifty-nine percent of financial services respondents report they conduct threat and vulnerability assessments (unchanged from 2008).

– Also unchanged from 2008 – 61 percent of financial services respondents require employees to complete training on privacy policies/practices.

"It's hard to avoid the conclusion that the economic 'freight train' has impacted financial services companies more than those in any other industry – and largely stopped the global financial services industry's multi-year investment in security capabilities effectively, if temporarily this year, 'in its tracks'," points out Lobel.

— Health Industries

– A key priority this year will be addressing a global trend in stiffer requirements for breach notification and specific technical controls.

– More than 6 out of 10 provider respondents (61 percent) report that their organization does not have an incident response policy to report and handle breaches with third parties handling data.

– As many countries address the security implications of electronic health record policies, U.S. providers need to address the HITECH Act.

– On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA"). Part of the ARRA, the HITECH Act strengthens and expands the scope of the HIPAA privacy and security rules.

– As complexity and regulation increase within the industry – with heightened penalties and disclosure requirements for breaches and missteps – U.S. providers will need to understand the financial and operational implications for their organization.

— Utilities

– Reported incident type levels have declined across all elements, except one: the exploitation of data is now the leading type of incident.

– Utility companies have advanced their security and privacy