Now that chief executive officers are responsible for validating financial reports and internal controls, they're paying more attention to information technology and chief information security officers.
A recent PricewaterhouseCoopers and CIO magazine survey of 7,500 senior IT executives revealed that security spending has increased in 62% of companies, up 12% from 2002. The survey included executives from numerous industries in more than 40 countries.
Joe Duffy, a PwC partner and the company's security and privacy practice global leader, said the increase is being driven by regulation and the security demands of an always-on environment.
Legislation like the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and others affect corporate governance and accountability, demanding that executives of publicly held companies have a handle on financial statements and the processes behind them.
"That means IT and security," Duffy said. "How can they possibly certify the reliability of financials where all the data is a bunch of 1s and 0s sitting on a mainframe somewhere without addressing [security] issues?"
The offshoot of this is that CISOs may finally have an avenue to air their concerns to enterprise decision makers, including the board of directors.
"There's such an emphasis on governance now that boards and audit committees have to be more active than a year ago," Duffy said. "They're not inclined to take [security] issues lightly. They're asking harder questions and making more requests. They have to engage. This is a nice trigger for CISOs to get on the agenda."
In addition to governance issues, the survey revealed that 64% of enterprises experienced security breaches in the last 12 months. Malicious code, intrusions and denial-of-service attacks were the most common breaches, resulting in application crashes, network downtime and the loss of sensitive data. Those surveyed said external attacks accounted for 67% of breaches. Unauthorized internal users were blamed for 31% of attacks.
Duffy said the number of internal attacks is high, but the number of external attacks is on the rise. August's unprecedented outbreak of malicious code activity indicates this trend isn't likely to reverse. Duffy blames faulty security processes.
"It's very popular to bash Microsoft, but this is a very hard problem to solve. The truth is that a lot of organizations don't have a full account of their IT assets," Duffy said. "If you have a SQL Server running somewhere, and you don't know where it is or what it's doing, how can you patch it? It's not always Microsoft's fault. In most cases, this is a basic processes issue."
Additionally, 41% of survey respondents said they do not report incidents to the authorities. Those that do report breaches generally contact legal counsel, CERT or government authorities. In addition, 40% admitted that they do not know the financial losses their enterprises have endured.
Also, 47% said security policies are set by the CIO, while 46% said spending levels are set by the CEO. Most (78%) said information security is included in the overall IT budget. Fewer than 30%, meanwhile, said they have integrated IT and physical security.