They’re becoming more financially independent, with some security budgets increasing at double-digit rates. And they say they’re more confident in their level of security, perhaps because their networks have not had a serious virus or worm in the past 12 months. But teenagers, as any parent knows, live in the moment and have an ability to ignore what they know they should do and do what they know they shouldn’t.
The survey shows us that most executives with security responsibilities have made little or no progress in implementing strategic security measures that could have prevented many of the security mishaps reported this year. Only 37 percent of respondents said they have an overall security strategy. And they’re planning to focus more on tactical fixes than on strategic initiatives, ensuring that in the coming year they will be more reactive than proactive.
What’s more, companies continue to do business with insecure organizations.
One of the most unsettling findings in this year’s study is the sad state of security in India, by a wide margin the world’s primary locus for IT outsourcing. Many survey respondents in India admitted to not adhering to the most routine security practices. The problem is obvious, but right now it’s apparently easier to ignore than to address.
Harder to ignore is the constant news of large organizations losing laptops packed with unencrypted personal data on millions of customers.
Similarly, even after Hurricane Katrina, which hit the Gulf Coast seven months before we launched our survey, a majority of companies still do not have a business continuity/disaster recovery plan in place, and plans to complete one this year have become less important to security officials than in 2005.
A large proportion of security execs admitted they’re not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. There’s evidence that organizations that comply with security laws are more likely to be integrating and aligning security with their enterprise’s business strategy and processes, which in turn reduces the number of successful attacks and the financial losses that result from them. In short, security can create value if it’s part of an organization’s business plan and if the executive in charge is part of the executive team making those strategic spending and policy decisions.
A similar spike occurred in the percentage of respondents saying their physical and information security chiefs report to the same executive leader, to 40 percent from 11 percent in 2003.
To answer that, one need look no further than the daily newspaper stories about lost and stolen laptops containing private customer information.
The good news is that the survey contains that proof: Organizations that reported that their security policies and spending are aligned with their business processes experienced fewer financial losses and less network downtime than those that did not.
The widespread absence of even the most routine security tools (patch management, content filters and access control software) and policies (secure disposal of hardware, business continuity plans, setting security baselines for outside business partners) has left many Indian companies vulnerable to serious attack and the inevitable financial losses that follow.
For information security executives, that means focusing on technology—on tactics, not strategies. Perhaps not coincidentally, this year executives are shifting from more strategic security practices toward more traditional technology practices (compared with last year’s results).
In 2005, for every one technology item on the security executive’s to-do list, respondents mentioned four process fixes.
“I tend to open meetings with executives by reminding them that security is a business decision and everything we do from cameras to encryption to information classification is a decision that the business makes to protect its assets, and I don’t own that decision,” Spaltro says.
As was the case last year, a surprising portion of survey respondents admitted that they’re not in compliance with the information security laws and regulations that govern their industries. More than one-quarter of U.S. security execs who said their organizations need to be compliant with HIPAA, the eight-year-old law that requires health-care organizations to protect patient information, admitted that they are not. Nearly one in five U.S. survey respondents said they should be but are not in compliance with California’s 2002 security breach law, which requires companies to notify individuals if an unauthorized person obtains access to their private information (such as credit card numbers). Similarly, it would have been hard over the past four years to miss the requirements of such laws as Sarbanes-Oxley and Gramm-Leach-Bliley. Still, more than one-third of all U.S. respondents said they are not in compliance with Sarbanes-Oxley even though they should be, and more than one out of seven said they were not compliant with Gramm-Leach-Bliley.
That’s a slight improvement from last year, but considering the stiff criminal penalties of not complying, many executives seem to be leaving themselves open to lawsuits and possible prison terms and exposing their enterprise to fines.
And this is not simply an American phenomenon. Half of Australian organizations surveyed admitted to not complying with their country’s privacy legislation. Almost a third of U.K. respondents said they do not comply with their country’s eight-year-old Data Protection Act, and nearly one-third of stereotypically law-abiding Canadian organizations said they do not comply with their nation’s privacy act. At the root of this may be a lack of enforcement. To date, the cost of noncompliance is not as high as the expense of complying—the price of labor, hardware and software. In the absence of penalties, security executives have not been able to mount a business case for compliance.
Add to that the fact that despite high-profile security breaches and lost laptops over the past year, the actual damages and ID thefts that can be directly tied to the incidents are small, says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic & International Studies in Washington, D.C. “People may have a sense that they are not as vulnerable as they used to be,” he says, and so not complying with laws is perceived as less risky.
If security is to improve, security laws need more teeth. And that applies to an organization’s own rules as well. Survey respondents reported that more than two-thirds of users are compliant with their organization’s security policies, a statistic that has remained unchanged over the past three “Global State of Information Security” surveys. One of the most critical factors for reducing network downtime is compliance with an organization’s security rules, Lobel points out, but that requirement isn’t even in control objectives for information and related technology, or Cobit, the bible for IT governance. Lobel suggests organizations assign penalties for not complying with their own security policies. But make sure, he adds, that the penalty matches the infraction. “You may not want to terminate someone who puts passwords on yellow sticky notes,” Lobel says, “but there have to be some consequences.”
The Best and Brightest
Last year we highlighted the financial services sector as possessing the best information security practices, and this year that industry once again leads all others in integrating information security with strategic operations. Companies in the financial services sector—banks, insurance companies, investment firms—are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes.
It’s obvious, therefore, that financial services organizations are far more likely—almost twice as likely, in fact—to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical. The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists.
Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices.
Following this line of reasoning about regulatory compliance, one would think that government, health care and education—all highly regulated and entrusted with securing private information—would match the financial sector in instituting strategic security practices. According to the survey, government, health care and education, despite their responsibility for protecting the personal information of hundreds of millions of citizens, patients and students, are less likely than finance to follow the best tactical and strategic security practices. Educational organizations find themselves in this position even after highly publicized network break-ins, including those at San Diego State University and most recently at Ohio University, which exposed students’ and their families’ data, including home addresses, Social Security and credit card numbers, and tax information.
In fact, the education sector suffers more negative security events (viruses and worms, denial-of-service attacks, identity thefts, unauthorized entries and trafficking in illicit data), more network downtime and more downtime that lasts for many days than what the average respondent worldwide experiences. Educational organizations are sticking to more mundane and tactical security fixes: installing firewalls, backing up data and deploying network security tools.
http://www.csoonline.com/read/090106/fea_exec.html
[Editorial Note: It is actually worth visiting this link since there is a lot of valuable information]