BOSTON -- Regulatory and internal compliance remain the primary drivers of your organization's security spending, but closing quickly on their heels is a concept certainly familiar to voters less than a week from the presidential election: change.
PricewaterhouseCoopers' annual Global State of Information Security Survey puts technological and market-driven change -- brought about by a glut of mergers and acquisitions, advancements and interest in Web 2.0 technologies for business and other such factors -- almost on par with compliance. The Big Four audit firm released the survey results Tuesday.
"If security is going to add value to the business, it has to get involved from the get-go in all of these changes," said Gerard Verweij, technology advisory services partner with PricewaterhouseCoopers (PwC).
Compliance remains the most important ongoing trend emerging from the survey, which was taken by nearly 7,100 people globally, including C-level professionals such as financial officers and chief executives. Of note was the lack of alignment between security and top executives around security spending and internal compliance.
For example, CEOs and chief financial officers (CFOs) believe security policies and spending are completely aligned with business objectives, much more so than chief information security officers (CISOs) and chief information officers (CIOs). CEOs, CFOs and even CIOs, meanwhile, believe business continuity and disaster recovery are the primary business issues driving security spending, while CISOs stand on regulatory compliance.
Ironically, 73% of respondents believe users are compliant with internal policies, but less than half conduct compliance testing or monitor compliance with policy to back up that belief.
Overall, the survey demonstrates that security is becoming more of a strategic than operational function, but it's also becoming incumbent on CISOs to demonstrate their value, especially in a recession.
"You must have a risk strategy and conduct risk assessments to determine where to spend your money," said panelist James Mignone, CISO at RBS Americas, the former Citizens Financial Group. "And it's not just spending on technology, but on people and processes. We've got a long way to go as an industry before CEOs understand what that means and why security staffs need to grow."
Mignone called for the development of metrics to enable management to better understand risks and how security mitigates them.
"We have a bad reputation of being just cool tool guys, but when CEOs and management ask questions, having cool tools is not a good answer," Mignone said. "We need to translate how we're mitigating risk from risk assessments and translate that to metrics so that management can understand what we're doing. You need a team that's IT risk-focused rather than a team that is made up of IT security geeks. We need them, but it's got to be a coordinated team looking at the whole picture, and not just at the technology in the background."
Another noteworthy trend from the survey is the double-digit increase in implementations of technologies such as encryption and Web security products. Driven by regulation and data protection initiatives, encryption for laptops, databases, tapes and removable media is being more widely deployed. Implementation numbers for content filters, site certification spending and even Web services security are also increasing.
While technology spending and projects may be up, investments in people and processes are up slightly or down. The number of organizations performing background checks is down 2% from a year ago, while monitoring the use of assets, tiered authentication and centralized information management went up between 2% and 7%.