Global State of Information Security Survey 2013

The Global State of Information Security Survey
Every year PwC, CIO magazine, and CSO magazine publish the results of a survey of thousands of CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from more than 100 countries. It gathers information on current trends, perceptions and the overall state of IT security from a top-management perspective.

Attackers have become better and more aggressive: more attacks, more sophisticated ones, with bigger impacts, and more of them controlled by nation-states. In the era of the cloud, social media, mobile and BYOD, cyber security is certainly being heavily impacted. Exposure has increased, and the report notes it as well: "The bad guys appear to be in the lead". All is not dark, there is some good news, but we must keep improving.

Assessment and culture

The report finds that good self-assessments continue: it is necessary for companies to understand and verify the risk they are taking. Most respondents also believe their organizations have instilled effective information security behaviors into their culture. In almost 50% of new projects, information security is taken into account either at project inception or during the analysis and design phase. This is a good number, but more education is still required. Finally, most respondents (71%) say their information security activities are effective. This number used to be higher; the drop may be the result of better self-assessments, which allow actual risks to be discovered.

In a post about the survey on CIO's website, Colin Slater, partner at PwC, says that "we still got a real lack of planning, it came up last year. It came out again this year". This is sad, because information security is both cheaper and more effective when it is initiated early in the project process and supported by a strong culture and leadership. "You need to have a strategy that defines what are the outcomes you want," says Slater.

Capabilities and training

Between the economic climate, the pressure to do more with less and the pace of technological change, it is difficult to keep security at the top of the agenda.
The cloud, social media and BYOD are all trends that can have a severe impact on security. More controls would be needed, yet security budgets are stagnating or being compressed. The report is clear: the economic environment ranks first among the factors shaping security budgets, with information security concerns lying far down the list.
The use of malicious code detection tools went from 83% to 71% in one year. Use of IDS, rogue device detection, vulnerability scanning and other tools is down by about 10% each. Sound security practices are declining as well: fewer organizations report backups, DR and BCP, reviews of users and access, application security, logging and monitoring, and physical security. The authors draw an interesting parallel:
That's like playing a championship game with amateur sports equipment.
Training and education are also being impacted. This is worrying too, since employees are still a major vector for data loss, whether intentional or not.

A decline in the capacity to prevent security breaches is a concern when we are facing both larger exposure and more professional attackers. We may see an increase in successful attacks in the future.

Recommendations

The report comes with some recommendations for businesses willing to lower their exposure and increase security:
  1. Implement a comprehensive risk-assessment strategy and align security investments with identified risks
  2. Understand their organization’s information, who wants it, and what tactics adversaries might use to get it
  3. Understand that information security requirements—and, indeed, overall strategies for doing business—have reached a turning point
  4. Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value to the business
The first two revolve around the same concept:
What gets measured gets done.
You need to know where your business stands, what the threats, the risks and the current problems are, in order to protect it effectively and efficiently. "What is important to the business? Then you can make decisions on what level of investment you need to protect it. If it is subjective, you are never going to get a clear view of your basic building blocks," says Slater. What gets measured gets done better, I should add.

The third one reflects what I mentioned in the introduction: attackers are becoming more professional, sometimes with an entire nation-state supporting them. The defence of company assets also needs to become even more professional.

Finally, the fourth recommendation mentions the creation of value for the business. I can't see how security could create value. But security can certainly save money. Investing in security is similar to taking out insurance: you protect the company from the impact of daily risks. The difficulty is deciding which level of coverage is right for you. You can estimate the ROI of your security, and you should.
