Ernst & Young's 2008 Global Information Security Survey begs the eternal question, depending on how you look at the numbers:
Latest security surveys:
spending driven by mergers, Web 2.0 and compliance: PricewaterhouseCoopers' annual Global State
of Information Security Survey found mergers, Web 2.0 and other business initiatives driving
spending nearly as much as compliance.
Community banks to increase security spending, survey finds: Smaller banks place a priority on protecting customer data and plan to spend more on security technology, according to a new survey
Sophos sees increase in malicious email attachments: Spam using malicious attachments and social engineering techniques are targeting computer users in rising numbers, according to security vendor
For example, the survey clearly shows that many companies may be slow to address growing security concerns, such as reliance on third parties -- partners, vendors and contractors. Only 45% of respondents include specific security requirements in all third-party contracts, but an optimist might say this reflects a trend in the right direction. One wonders if the other 55% write language into their more sensitive contracts that involve sharing confidential data or access to key systems.
The 11th annual survey by Ernst & Young (E&Y) polled nearly 1,400 organizations in more than 50 countries with annual revenues ranging from less than $100 million to more than $25 billion, as well as non-profits. Nearly a third of the organizations polled were in the financial services sector and 13% were in manufacturing, the second highest group.
The report comes on the heels of PricewaterhouseCoopers' annual Global State of Information Security Survey.
On a positive note, adoption of international information security standards is clearly trending up. Use of ISO/IEC 27001:2005 was up 15% over 2007 and ISO/IEC 27002:2005 rose 9% over 2007. The E&Y report stated that management standards, such as ISO 9000, have been adopted in certain industries where information security standards are becoming a necessity for doing business.
The survey also found that organizations are overwhelmingly planning to increase or maintain information security spending as a percentage of their total expenditures. The survey was conducted from June 6 to August 1, before the international economic crisis was in full bloom, so the question going forward is: What was the impact on total expenditures? It would be interesting to see the results if the survey was conducted now.
Interestingly, 50% of the respondents said organizational awareness was the most significant challenge to information security initiatives, edging out availability of resources, budget and addressing new threats and vulnerabilities. While the survey didn't specifically address training or awareness programs, only 19% of the respondents said they ran social engineering tests, while Internet and infrastructure testing is also common practice at 85% and 73% respectively.
While E&Y says regulatory compliance has been the leading driver for information security since 2005, it reports that protecting reputation and brand has become a significant driver as well. However, the question asked was not what drives information security initiatives and spending, but rather, what are the perceived consequences of security incidents? What is the "level of significance if information is lost, compromised or unavailable" Eighty-five percent of respondents said damage to reputation and brand was "significant" or "very significant," followed closely by loss of stakeholder confidence, loss of revenue, regulatory action and legal action.
Though the report cites compliance as a driver for raising security awareness and improvements, there's room for healthy skepticism about how much companies would do if they weren't compelled. Every car should have seatbelts, but how many had them before they were mandated?
Other key findings:
- Business continuity is an IT responsibility in 41% of the organizations, compared to 20% in risk management and 11% in information security. It would be interesting to see if this is trending toward or away from IT.
- Most organizations are unwilling to outsource key information security activities. This is somewhat interpretive. While two-thirds to three-quarters of the respondents are keeping things like vulnerability and patch management, incident response, DR/BC, security awareness training and e-discovery and forensics in-house, the majority are either outsourcing or planning to outsource security assessments, audits and pen testing.
- Few companies hedge information security risks with cyber insurance. Generally, around 10% of the organizations have some sort of insurance in one or more of eight information security-related areas, such as the cost of incident response or litigation, and few of the others have plans in the next 12 months. About one-third said they don't know, which leaves some potential for growth in the future.