But the battle to protect critical data is far from won. The largest security research project ever done—the “2004 Global Information Security Survey,” with 8,100 respondents from 62 countries on six continents.
In the 2003 survey, they noted that the infosecurity discipline had grown but had not really improved. This year, they found that the security function didn’t really grow but did, in fact, improve—at least incrementally.
Despite flat levels of spending, few new human resources being devoted to infosecurity, and the fact that the number of breaches was slightly up from last year, those breaches caused less downtime and cost less when they did occur. They believe this means that incidents are being better managed.
More companies (although still far from a majority) have created an executive-level security presence, and more have included risk management, audit and other non-IT elements in their security governance.
Last year’s barriers to good security—budgets and time—were still cited this year as the most common obstacles, although fewer companies said those issues prevented them from getting the job done. That’s progress, and that’s the good news.
Information security professionals in large part did not execute this year what they said last year were their top strategic priorities.
Negative factors (such as fear of litigation) remain the primary drivers of security spending. Positive factors (such as contributing to business objectives) were less common.
The attitude among security professionals toward critical infrastructure, regulation and working with the authorities after incidents can best be described as laissez-faire, maybe even lackadaisical.
As fond as the IT industry is of declaring revolutions, the information security part of IT resists such drama.
This year’s data reinforces the view that security remains a discipline, adapting itself over time to a harsh environment of threats and vulnerabilities.
They defined a small group—about one-fifth of respondents—that described itself as “very confident” in the effectiveness of its information security practices. This group has earned the right to be confident. Collectively, while those respondents reported more security incidents, they experienced less downtime and fewer financial losses than the average respondent. This is just one of the reasons they are the Best Practices Group.
In last year’s data, we uncovered what we called “The Confidence Correlation”—in which enterprises that expressed confidence in their security were, in fact, more secure. This year, the trend was even more pronounced.
The Best Practices Group may have suffered more incidents than the average respondent, but those incidents didn’t precipitate more damage or downtime. Indeed, the Best Practices Group suffered less of each despite being targeted more often. That higher number of reported incidents can be attributed to two facts.
First, these tended to be larger companies, and larger companies are targeted more by the bad guys.
Second, the Best Practices Group generally had a more comprehensive security infrastructure, which gave it more visibility into what was happening on its networks.
They know the Best Practices Group had better security, because the survey asked respondents what security and privacy safeguards their companies had in place.
And for every single one of the 84 safeguards listed, the Best Practices Group was more likely—sometimes by a wide margin—than the average respondent to have put it in place.
The organizations with high confidence in their security created a virtuous cycle.
They do a better job securing their infrastructure, which breeds confidence in the enterprise (especially in the executive ranks), and that confidence translates into support that manifests itself in resources. Greater resources means the Best Practices Group can improve security, which breeds more confidence.
It’s good to be confident. It’s better to have good reason to be confident. Here’s a to-do list that we believe will help you work your way into the Best Practices Group. These disciplines can either exist under a single CSO or as separate entities governed by an executive security committee.
1. Invest: U.S. respondents said infosecurity accounts for less than 9 percent of their IT budgets. The Best Practices Group claimed 14 percent.
2. Separate information security from IT and then merge it with physical security.
3. Conduct a penetration test to patch up network and application security. (The Best Practices Group was 60 percent more likely to do this than the average respondent.) Perform a complete security audit to identify threats to employees and intellectual property. (The Best Practices Group did this far more often than the average respondent.) Create a comprehensive risk assessment process to classify and prioritize threats and vulnerabilities. (The Best Practices Group was 50 percent more likely to do this.) Define your overall security architecture and plan from the previous three steps. (Two-thirds of the Best Practices Group did this as opposed to only half of the respondents overall.)
4. Establish a quarterly review process, with metrics (for example, employee compliance rates) to measure your security’s effectiveness. This will help you to use your increased resources more efficiently.
Yet, damages to the enterprise were down.
And the time between the announcement of a vulnerability and the attack that exploited it was shrinking from several months to, in the case of Sasser, 18 days.
That’s why it’s so surprising and heartening to report that while the bad stuff keeps coming, one-third of respondents who were hit by security breaches reported zero downtime, and one-third also reported zero financial damages. Overall, both downtime and damages were lower this year than last.
This year’s data indicates that information security executives are learning to treat their colds and remembering that an ounce of prevention is worth a pound of cure.
Fifty-four percent of our respondents designed or improved their existing disaster recovery and business continuity plans in 2004.
Out of 30 security priorities (the top 17 are listed in “Missing the Mark,” right) named in operations and technology in 2003, execution fell short of ambition in 28 instances.
More disturbing is the fact that the only two priorities from the 2003 survey that were implemented to a greater degree than planned involved firewalls. The most commonly cited barrier was, as always, money. Ikbal sees a series of factors contributing to the priority gap: “These tasks are unpleasant, and people will put them off if they can.
Last year, only 15 percent of respondents said they’d created a CSO or CISO position; that leaped to 31 percent this year.
For those who theorize that regulation and government involvement will improve information security, these numbers should prove unnerving. Regulation has yet to drive companies toward better security or have much impact on their practices. Only half of all U.S. respondents claimed to be in compliance with HIPAA, and 41 percent reported that they comply with Sarbanes-Oxley. Of course, not every respondent needs to comply with HIPAA. But if we look at those industries that do—health care, pharmaceutical, and biotech at 71 percent, 45 percent and 40 percent compliance, respectively—the story doesn’t change that much.
Security professionals are dubious of both current and potential future regulation. “No regulation is preferable to bad regulation,” says the CISO of a major electronics company. On the other hand, if we don’t regulate, we’re heading to a bad event with critical infrastructure, and then you’ll end up with regulation passed in reaction to the bad event. Tt would be the worst of both worlds.”
That bad event is what DHS’s color-coding seeks to avoid. The government’s threat-level reporting is widely believed to be for the public but, in fact, it was meant to alert first responders in the private sector to guide them in their protection of the critical infrastructure. When DHS Secretary Tom Ridge introduced the system in 2002, he said, “We anticipate and hope that businesses and hospitals and schools…will develop their own protective measures for each threat condition.”
Only one in 10 respondents reacts to homeland security alerts, and again, the breakdown by industry serves to reinforce that point. No other industry reached 10 percent answering yes. And eight industries, including agriculture and electronics, had zero respondents who changed their practices according to the threat level.
“What can we do with a nonspecific threat?” “If it were, say, an orange alert for the supply chain, then we could take specific actions. Otherwise, we can’t be moving resources around without knowing why we’re doing it.”
Regulations don’t create security; people create security. At the same time, regulation has a purpose. Even Scott Charney, CSO of Microsoft, believes that well-crafted regulations (he used to write them when he worked for the Justice Department) can have a positive effect on information security.
Right now, the DHS’scolor-coded alert system does not identify the specific threats that the infrastructure faces. “The key is they have to be written well, and that’s not easy to do,” Charney says. “Passing a regulation that says ‘Thou shalt be safe’ isn’t useful.” Right now, the color-coded alert system does not identify the specific threats that the infrastructure faces, nor does it guide the actions of information security professionals.
Until DHS and industry leaders, in a combined effort, can define what’s supposed to happen when the light goes from yellow to orange, the threat-level warning system can only produce agitation, not information.
“The Game’s Afoot” The data from the “2004 Global Information Security Survey” shows movement in the right direction. Happily, you’ve evolved, and information security practices are slowly improving. Unhappily, the threat environment is also evolving.
Just as you’ve started to gain ground in the virus battles, spam, malicious code and confidence tricks are being designed to far more destructive ends (including extortion and theft) than simple network downtime. Phishing was so limited last year that we didn’t even ask about it. This year, 13 percent of respondents said they were affected by it.
Yes, you’re managing the viruses and other security nuisances better. But, the information infrastructure is no longer the target; it’s just the path used to get to far more profitable targets.
Perhaps this is why the “not at all confident” group of respondents ticked up from 10 percent last year to 14 percent this year.
Yes, information security improved in 2004, but this is no time to celebrate. Ever more sophisticated Dr. Moriarities are out there, lurking. For them, and for you, the game’s afoot.
http://www.csoonline.com/read/090104/survey.html