SlideShare ist ein Scribd-Unternehmen logo
1 von 60
Downloaden Sie, um offline zu lesen
Protecting what matters
The 6th Annual Global
Security Survey
Contents


Foreword                                                                 1

Objective of the survey                                                  2

The value of benchmarking                                                3

Who responded                                                            4

Geographic segmentation observations                                     6

Key findings of the survey                                               9

Governance                                                               12

What the CISO is responsible for?                                        14

Risk                                                                     28

Use of security technology                                               34

Quality of operations                                                    38

Privacy                                                                  46

How DTT’s GFSI Practice designed, implemented and evaluated the survey   50

Helpful references and links                                             52

Acknowledgements                                                         54

 Survey development team                                                 54

 Contributors                                                            54

Contacts                                                                 55
Foreword


Welcome to the sixth annual Deloitte Touche Tohmatsu        Organizations encourage their workforces to be
(DTT) Global Financial Services Industry (GFSI) Practice    constantly connected, more productive, and
information security survey. Every year that the DTT GFSI   immediately responsive and the market responds with
Practice – made up of Deloitte member firm Financial        tools to help them to do this. These tools, rolled out at
Services Industry practices – conducts the survey, we       an increasing pace, present a whole new slew of
marvel at the developments that have occurred over the      security issues. The media adds to the urgency by
past year. While many of the categories and initiatives     revealing potential security glitches and the scenarios
that survey respondents talk about stay the same from       that might ensue, e.g., a million mobile phones
year to year, the face of them often changes –              simultaneously dialing a company’s head office as a
sometimes dramatically. There is never a dull moment!       result of a software glitch. As well, there is no shortage
                                                            of sensationalist media coverage for high-profile events,
The top two security initiatives in 2007 were “identity     like the rogue futures trader who contributed to losses
and access management” and “security regulatory             of over US$7 billion dollars announced by a major
compliance.” In 2008, they merely switched spots.           European financial services company.
While the initiatives have not changed, it seems that
each year they need to be addressed with a more             A major focal point, people continue to be an
sophisticated and far-reaching solution.                    organization’s greatest asset as well as its greatest
                                                            worry. That has not changed from 2007. What has
It is no surprise that compliance with regulation and/      changed is the environment. The economic meltdown
or industry guidelines was the top initiative in 2008.      was not at its peak when respondents took this survey.
The compliance initiative encompasses not just the          If there was ever an environment more likely to
“what” (being compliant) but also the “how” (a              facilitate an organization’s people being distracted,
compliance approach that is thorough, cost-effective,       nervous, fearful, or disgruntled, this is it. To state that
and adaptable to increasing regulation). Year 2007 saw      security vigilance is even more important at a time like
the worst credit card data breach ever and it stands as     this is an understatement.
the prime example of what can ensue when an
organization is exposed. The organization in question       Those of us in the security industry know that an
was a retail group subject to the Payment Card              organization’s best defense against internal and external
Industry’s Data Security Standards and had been told        breaches is not technology alone. It is a culture of
by its assessors that weak Wireless Encryption Protocol     security within an organization – a mindset on the part
(WEP), missing software patches and poorly configured       of every individual so that actions in support of
firewalls made them noncompliant. In a Securities and       information security become automatic and intuitive.
Exchange Commission filing, the retail group admitted
to transmitting data to banks "without encryption.”         From the creation of the survey questions to the
                                                            production of this document and everything in
Identity and access management is one of the key            between, this undertaking requires time, effort, detailed
initiatives on the front line of the never-ending battle    attention and, most of all, participation. I want to thank
between good and bad. Its face is changing constantly.      the Chief Information Security Officers, their designates,
It meant something last year and this year it means         and the security management teams from financial
something entirely different. Every year, hackers’          services institutions around the world who participated
techniques get slicker and more innovative. When a          in this survey.
phishing/pharming attempt gets old and stale and
recognized, there is another one – encompassing a
whole new level of technological smarts – waiting in
the wings. The innovation that powers the technology
industry also causes a constant headache for those who
                                                            Adel Melek – Global Leader, Security & Privacy Services
must figure out how to protect information.
                                                            Global Financial Services Industry Practice
                                                            Deloitte Touche Tohmatsu




                                                                                        Protecting what matters The 6th Annual Global Security Survey   1
Objective of the survey


      The goal of the 6th Annual Global Security Survey for
      financial institutions is to help respondents assess and
      understand the state of information security within their
      organization relative to comparable financial institutions
      around the world. Overall, the survey attempts to
      answer the question: How does the information
      security of my organization compare to that of my
      counterparts? By comparing the 2008 data with that
      collected from the previous year’s surveys, DTT GFSI
      Practice can determine differences and similarities,
      identify trends and ponder in-depth questions, such as:
      How is the state of information security changing
      within an organization? And are these changes aligned
      with those of the rest of the industry?

      Where possible, questions that were asked as part of
      the 2004-2007 Global Security Surveys have remained
      constant, thereby allowing for the collection and
      analysis of trend data. In order that questions remain
      relevant and timely with regard to environmental
      conditions, certain areas were re-examined and
      expanded to incorporate the “critical” issues being
      addressed by financial institutions at a global level.
      Deloitte subject matter specialists were enlisted and
      their knowledge leveraged to identify questions with
      these critical issues.




2
The value of benchmarking


Financial services institutions (FSIs), now more than ever,   Survey scope
recognize the importance of performance                       The scope of this survey is global and, as such,
measurements and benchmarks in helping them                   encompasses financial institutions with worldwide
manage complex systems and processes. The Global              presence and head office operations in one of the
Security Survey for financial institutions is intended to     following geographic regions: North America (NA);
enable benchmarking against comparable organizations.         Europe, Middle East, Africa (EMEA); Asia Pacific (APAC);
Benchmarking with a peer group can assist                     Japan; and Latin America and the Caribbean (LACRO).
organizations in identifying those practices that, when       To promote consistency, and to preserve the value of
adopted and implemented, have the potential to                the answers, the majority of financial institutions were
produce superior performance or to result in                  interviewed in their country of headquarters.
recommendations for performance improvements.                 The strategic focus of financial institutions spanned
                                                              a variety of sectors, including banking, securities,
Areas covered by the Survey                                   insurance, and asset management. While industry focus
It is possible that an organization may excel in some         was not deemed a crucial criterion in the participant
areas related to information security, e.g., investment       selection process, attributes such as size, global
and responsiveness, and fall short in other areas, e.g.,      presence, and market share were taken into
value and risk. In order to be able to pinpoint the           consideration. Due to the diverse focus of institutions
specific areas that require attention, DTT’s GFSI Practice    surveyed and the qualitative format of our research, the
chose to group the questions by the following six             results reported herein may not be representative of
aspects of a typical financial services organization’s        each identified region.
operations and culture:

• Governance
  Compliance, Policy, Accountability, Management
  Support, Measurement.                                       The Global Security Survey for financial
• Investment
                                                              institutions is intended to enable
  Budgeting, Staffing, Management.                            benchmarking against comparable
• Risk                                                        organizations.
  Industry Averages, Spending, Intentions, Competition,
  Public Networks, Controls.

• Use of security technologies
  Technology, Encryption, Knowledge Base, Trends.

• Quality of operations
  Business Continuity Management, Benchmarking,
  Administration, Prevention, Detection, Response,
  Privileged Users, Authentication, Controls.

• Privacy
  Compliance, Ethics, Data Collection Policies,
  Communication Techniques, Safeguards, Personal
  Information Protection.




                                                                                        Protecting what matters The 6th Annual Global Security Survey   3
Who responded


              The 6th Annual Global Security Survey respondent data           Top 100 global financial institutions (assets value)
              reflects current trends in security and privacy at a number
              of major global financial institutions. DTT’s GFSI Practice
              agreed to preserve the anonymity of the participants by
              not identifying their organizations. However, DTT’s GFSI
              Practice can state that, overall, the participants represent:                                       21%


              • Top 100 global financial institutions – 21% (based on
                assets value).

              • Top 100 global banks – 21% (based on assets value).                               79%

              • Top 50 global insurance companies – 14% (based on
                market value).

                                                                                 Top 100 global financial institutions      Other
              • Number of distinct countries represented – 32.

                                                                              Top 100 global banks (assets value)




Respondent data reflects current trends
in security and privacy at a number of                                                                            21%


major global financial institutions.
DTT’s GFSI Practice agreed to preserve
the anonymity of the participants by not                                                          79%

identifying their organizations.
                                                                                 Top 100 global banks          Other


                                                                              Top 50 global insurance companies (market value)




                                                                                                               14%




                                                                                                    86%




                                                                                 Top 50 global insurance companies         Other




4
Geographic region                                                  Geographic region (%)
The pool of respondents provides an excellent cross-
                                                                   50
section from around the world, with a breakdown as
follows:
                                                                   40
  Asia Pacific (APAC), excluding Japan                    6%

  Japan                                                   9%       30

  Europe, Middle East and Africa (EMEA)                  48%
                                                                   20
  North America                                          18%

  Latin America and the Caribbean (LACRO)                19%
                                                                   10

Industry breakdown
                                                                    0
The final survey sample reflects all major financial                          APAC              Japan               EMEA         North America         LACRO
sectors:

  Banking                                                62%       Industry breakdown

  Insurance                                              18%

  Investment and securities                               9%                                 8%
                                                                                       3%
  Payments and processors                                 3%

  Other                                                   8%                      9%



Annual revenue
                                                                                                                    62%
The respondent companies represent a broad spectrum                           18%
based on annual revenues*:

  <$1B in annual revenue                                 40%

  $1B-$1.99B in annual revenue                            7%

  $2B-$4.99B in annual revenue                           11%

  $5B-$9.99B in annual revenue                            3%            Banking                           Payments and processors

  $10B-$14.99B in annual revenue                          1%            Insurance                         Other
                                                                        Investment and securities
  >$15B in annual revenue                                13%


                                                                   Annual revenues (all currency stated in U.S. dollars)

                                                                   40

                                                                   35

                                                                   30

                                                                   25

                                                                   20

                                                                   15

                                                                   10

                                                                    5

* Results may not total 100% as DTT’s GFSI Practice is reporting    0
                                                                             <$1B        $1B-$1.99B      $2B-$4.99B     $5B-$9.99B $10B-$14.99B          >$15B
selected information only; responses from those who decline to
answer may not be included in the reported data.


                                                                                                    Protecting what matters The 6th Annual Global Security Survey   5
Geographic segmentation
observations

                                                      APAC
    Regional highlight                                (excl. Japan)   Japan   EMEA   North America   LACRO   Global

    Respondents who feel that security has risen to
    executive management and/or the board as a        77%             79%     70%    63%             78%     72%
    key imperative

    Respondents who feel they have both
    commitment and funding to address regulatory      69%             65%     56%    58%             63%     59%
    requirements

    Respondents who indicated that
    they had a defined and formally documented        62%             50%     64%    62%             68%     61%
    information security strategy

    Respondents who feel that information security
    and business initiatives are appropriately        31%             30%     32%    28%             40%     32%
    aligned

    Respondents who indicate that their
                                                      54%             25%     60%    65%             75%     60%
    information security budget has increased

    Respondents who indicated that their
    expenditures on information security were ‘on
                                                      31%             5%      50%    26%             59%     43%
    plan’ or ‘ahead of requirements’ based on the
    organization’s current needs

    Respondents who have incorporated application
    security and privacy as part of their software    38%             40%     26%    32%             41%     31%
    development lifecycle

    Respondents who feel they presently have the
    required competencies to handle existing and      23%
                                                      23%             25%     41%
                                                                              41%    33%             33%     34%
    foreseeable security requirements

    Respondents whose employees have received
    at least one training and awareness session on    58%             90%     64%    82%             82%     72%
    security and privacy in the last 12 months

    Respondents who have an executive
                                                      23%             85%     58%    82%             24%     57%
    responsible for privacy

    Respondents who have a program for
                                                      38%             84%     43%    76%             18%     48%
    managing privacy compliance

    Respondents who have experienced repeated
                                                      33%             17%     26%    27%             30%     27%
    internal breaches over the last 12 months

    Respondents who have experienced repeated
                                                      58%             17%     49%    51%             50%     47%
    external breaches in the last 12 months




        Highest score

        Lowest score




6
Introduction                                                Japan
In all geographic regions, we have observed that            Japan is unique when it comes to security breaches,
external breaches have fallen sharply over the past         with the lowest incidents of both internal and external
12 months. This is not due to hackers giving up and         breaches (17%) reported across all regions. A number
finding other avenues to pursue but rather to the fact      of factors may contribute to this: the widespread use of
that organizations are getting more security-savvy,         strong authentication, the cultural importance of
being less reactive and more proactive. We have said        honour, the distinct language, and the culturally based
that hackers’ methods are getting more sophisticated –      reluctance to report security breaches. However,
the same is true of the technology designed to thwart       language and strong authentication alone are not
them. The 2008 survey found that functional executives      responsible for the lowest amount of incidents –
and business lines are more involved in the information     organizations in Japan clearly know how to protect
security strategy than they did in 2007; but fewer          themselves. An astounding 90% of employees have
companies are indicating that they have both the            received at least one training and awareness session on
commitment and funding to address regulatory                security and privacy in the last 12 months. Privacy is a
requirements. This shift may be due to the fact that        strong focus in Japan – respondents indicate that 85%
executive management has a greater confidence that          have an executive responsible for privacy and 84% have
security initiatives are in hand and, therefore, do not     a program for managing privacy compliance, numbers
warrant additional resources. There is a noticeable         that make Japan “best in class” in this area across all
global decline in organizations who report that they        regions. Security continues to rise to the executive
have a program in place to manage privacy compliance        management level – 79% in 2008 compared to 71% in
(77% in 2007 has dropped to 48% in 2008).                   2007. But there are areas where Japan is not as strong.
                                                            There has been a rather significant drop in the number
Asia Pacific (APAC) excluding Japan                         of respondents who indicate the presence of a defined
Respondents from APAC indicate that they still have         and formally documented information security strategy
challenges in a number of areas and have experienced        (from 75% in 2007 to 50% in 2008). Further, Japan has
some regression from 2007. Only 7% of respondents in        the lowest number of respondents across all regions
2007 felt that they had the required competencies to        (25%) indicating that their information security budget
handle existing and foreseeable security requirements.      has increased and only 5% of respondents indicating
This percentage has risen to 23% in 2008, but is still      that their expenditures on information security were
the lowest response across all regions. Respondents         ‘on plan’ or ‘ahead of requirements’ based on the
who indicate that their employees have received at least    organization’s current needs. It would seem that, while
one training and awareness session on security and          respondents from Japan feel that their organizations are
privacy in the last 12 months has fallen to 58% in 2008     good at protecting the status quo, they recognize that
from 69% in 2007. This situation may also have              they have a way to go as their organizations’ security
contributed to APAC’s breach track record, which is still   needs increase.
the highest across all regions, although it has fallen
from 2007. APAC respondents indicate that their
organizations appear to place less emphasis on having
an executive responsible for privacy – 85% had one in
2007; that number has fallen to 23% in 2008. And the
obvious follow-on from this finding: while 100% of
respondents felt that their organizations had a program
for managing privacy compliance in 2007, only 38%
feel the same in 2008. A bright spot for APAC is the
fact that they have the highest confidence of
respondents in all regions that they have both the
commitment and funding to address regulatory
requirements.




                                                                                      Protecting what matters The 6th Annual Global Security Survey   7
EMEA                                                         North America
                                  EMEA respondents indicate that they are confident            It appears that a focus on market conditions and the
                                  that their security needs have been addressed – EMEA         ensuing financial turmoil has forced executives in North
                                  is the region that indicates the highest positive response   America to start de-prioritizing security initiatives, which
                                  regarding competencies to handle existing and                may well result in a downward trend in the coming
                                  foreseeable security requirements. However, the              years. Due to the current operating environment and
                                  number of EMEA respondents whose employees have              shift in focus for many respondents, there is a
                                  received at least one training and awareness session on      significant drop in 2008 in the number of respondents
                                  security and privacy in the last 12 months (64%) is the      who feel that security has risen to executive
                                  second lowest score across all regions. This could mean      management and/or the board as a key imperative
                                  that while EMEA organizations place a lot of reliance on     (63% in 2008 versus 84% in 2007**). An organization
                                  their security staff (which accounts for the strong          derives real value from security and privacy initiatives
                                  showing regarding competencies) they are missing an          when they become an integral part of the strategic
                                  opportunity to engage their entire workforce as              plans of the organization. This finding is discouraging –
*   “The Importance of            information security stewards by making them aware of        and is, in fact, the lowest across all regions – because
    Wholesale Financial           industry best practices.                                     when the C-suite is no longer engaged, other areas
    Services to the EU                                                                         suffer, e.g., budget, visibility. Not surprisingly, and in
    Economy 2008”,
    London Economics,             What may be a troubling indicator for EMEA for               keeping with this finding, there is a very low perception
    July 2008, retrieved from     upcoming years is the finding that respondents who           on the part of most respondents that information
    http://www.cityoflondon.      feel they have both commitment and funding to                security and business initiatives are aligned (again, the
    gov. uk on December 10,
    2008                          address regulatory requirements is, at 56%, the lowest       lowest of all regions at 28%). Surprisingly, external
                                  of all regions and a rather significant drop from 77%        breaches are indicated by respondents as the second
** In the 2007 survey,            in 2007.                                                     highest (51%) of all regions, even though they have
   we included individual
   findings for Canada and                                                                     fallen rather significantly from 2007 (78%)***. Where
   the U.S. This year, there is   EMEA respondents also indicate that 64% of their             North American respondents indicate great strides –
   a single aggregate finding     organizations have a formally documented and                 and proving they have taken notice of the fact that
   for both Canada and the
   U.S. defined as North          approved information security strategy. While this           people are an organization’s greatest asset and its
   America.                       number is in line with the global average (61%), EMEA        greatest weakness – is in the area of internal breaches.
                                  has become a crucial hub of the global financial services    Internal breaches have fallen to 27% in 2008 from 44%
*** This finding is consistent
    with a study by the           industry. The EU27 is the world’s leading exporter of        in 2007, the greatest drop across all regions but still
    Identity Theft Resource       wholesale financial services, accounting for over 50% of     well above Japan’s “best in class” 17%.
    Center (ITRC), which          the global total.* One would expect that the number of
    found that in the U.S.
    during 2008, data             organizations with an information security strategy          LACRO
    breaches were up by           would be much higher and that EMEA would be “best            LACRO is the very essence of a late bloomer. LACRO is
    47%. The ITRC study was       in class” of all regions.                                    “best in class” in five areas, topped only by Japan, and
    conducted late in 2008,
    when the full impact of                                                                    lowest in only one area. LACRO respondents indicate
    the financial crisis was      Another finding about EMEA is that it ranks lowest of        that their organizations are still best at having a defined
    being felt. Of the 656        all regions in incorporating application security and        security strategy (68%), but the really good news for
    data breaches the study
    reported, only 78 affected    privacy as part of the software development lifecycle        LACRO is that everything is heading in the right
    financial institutions.       (26% in 2008 and a drop from 33% in 2007). Also,             direction: security budgets are increasing, security
    The ITRC confirms that        when asked to characterize their secure application          spending is on plan or ahead of requirements, and
    the financial industry
    has remained the most         development directives, only 32% of EMEA respondents         business and security initiatives are viewed as being
    proactive in terms of data    indicate that they are “well defined and practical”, on      appropriately aligned. If these trends continue, this will
    protection.                   par with North America (32%), but less than the global       positively affect LACRO’s information security stature.
    “US financial institutions    average (35%).                                               LACRO’s repeated breaches are slightly higher than the
    hit by 78 reported data                                                                    global average, but if LACRO continues to do what it is
    breaches last year”,                                                                       doing, there is every indication that this situation will
    Finextra.com, retrieved
    from                                                                                       resolve itself.
    http://www.finextra.com/
    fullstory.asp?id=19525
    on January 15, 2009.


8
Key findings of the survey


1. Top five security initiatives: two familiar faces           This shift reflects the effect of major media incidents, as
and a newcomer                                                 well as the increasing proliferation of smaller yet
In 2007, “identity and access management” and                  feature-rich mobile media and the potential they
“security regulatory compliance,” were the top two             present for data leakage. Since the focus of end-user
security initiatives; in 2008 they have simply switched        technology seems to be always toward smaller, thinner,
places. Identity and access management are tied in             lighter, with greater capacity and processing power,
second place with a newcomer, “data protection and             the protection of information on the move will be a
information leakage,” which was not even in the top            continuing focus for organizations. In addition, part of
five in 2007.                                                  the increasing visibility of this issue is a result of new
                                                               requirements around breaches – since organizations are
The choice of security regulatory compliance as the top        now required to report breaches, they now need to
priority reflects the fact that many organizations are         have the capability to identify them within a reasonable
struggling with the right way to handle the multiple           timeframe. Data leakage protection is the second most
legal and regulatory requirements as well as those of          cited technology being piloted by respondent
auditors. As budgets get tighter, the focus is on how to       organizations. All these factors mean that incident
address compliance from a cost and risk perspective.           reporting will become more accurate, increasing
In other words, companies are trying to figure out how         visibility and heightening awareness even further.
to close the gaps with the highest risk, leverage
solutions across multiple requirements, and streamline         People continue to be an organization’s greatest asset
reporting. Clearly, the ideal solution is one that is          as well as its greatest risk. The economic turmoil in the
sustainable and can accommodate increased regulation.          U.S. – and its global repercussions – had not yet reached
Although being compliant does not make an                      its peak when questions in this survey were posed to
organization more secure, being more secure is likely to       respondents. Organizations should remain aware of the
make an organization compliant.                                effect that an unsettled financial environment can have
                                                               on its workforce – employees may be disgruntled,
Given the highly profiled rogue-trading and rogue IT           worried, and otherwise distracted. In hard economic
activities of this year, it is no surprise that identity and   times, security vigilance is all-important.
access management continue to be a top priority.
A well regarded European financial services company,           Identity theft, data loss, and information leakage are
headquartered in France, announced at the beginning            now a mainstream concern. Organizations recognize,
of 2008 that the actions of a single futures trader had        and try to offset, the human frailty of their workforces,
led to losses of over US$7 billion dollars. The trader in      who are more mobile, more flexible and more laden
question had exceeded his authority by engaging in             with technological tools than ever before. The focus is
unauthorized trades totaling more than the bank’s              now on education and access control as well as leakage
entire market capitalization of US$52.6 billion.               prevention tools.
Balancing convenient access (both for customers and
employees) with strong security will be an issue that          Security infrastructure improvement moved into the top
organizations must continue to deal with.                      five priorities in 2008. An incident that underscores the
                                                               importance of security infrastructure improvement is the
Although data protection and information leakage is a          recent alleged highjacking of a major U.S. city network
new top five initiative in our 2008 survey, it has already     by one of its network administrators. The administrator
been front and center for months. The worst credit card        allegedly locked out the city from its FiberWAN network
breach in history (which was not public information            and then refused to hand over passwords to the Wide
when respondents participated in 2007 security survey)         Area Network system until his demands were met.
brought data protection and information leakage into
the foreground and put companies on notice. As with            As tempting as it is to save money in hard economic
previous years, the trend with security is less on             times, security infrastructure short-cuts are not the way
infrastructure and perimeter-strengthening and more on         to do it. Attacks are bound to increase when
preventing information from being leaked internally.           organizations let their guard down with “cost saving”
                                                               measures that don’t have adequate controls built in.


                                                                                           Protecting what matters The 6th Annual Global Security Survey   9
2. The evolution of the CISO                                Taking its rightful spot in the top five responsibilities of
                               In 2008, more organizations have a Chief Information        the CISO is security incident response and management.
                               Security Officer (CISO) than ever before (80% versus        “Management” of incidents means not just reporting
                               75% in 2007), and 7% have more than one CISO.               them but also debriefing management in a post
                               The incidence of CISOs reporting to various positions       mortem or root cause analysis to answer key questions
                               within the C-suite is an increasing trend in 2008:          such as, how could this have happened? and how
                               33% report to the CIO (31% in 2007), 11% report to          could it have been avoided?. Effective incident response
                               the CEO (9% in 2007) and 3% to the CSO (same as             and subsequent demonstration of measures to avoid
                               in 2007).                                                   reoccurrence is a sure-fire way to demonstrate
                                                                                           alignment of security objectives with those of the
                               The CISO role is now more focused on security               business.
                               governance, strategy and planning, internal security
                               awareness, and incident response (in 2007 strategy and      3. The evolution of the information
                               planning was first, followed by security governance and     security function
                               security implementation and integration). There is          Every year the information security function continues
                               greater evidence of gradual convergence via risk            to evolve. The increasing use of risk councils, admittedly
                               councils (47% combined versus 23% in 2007 report            a small step toward total convergence, is evidence
                               having gone through some form of convergence,               of this.
                               19% via risk councils). Risk councils bring together
                               various areas of the organization to discuss security and   It is interesting to note that respondents state that the
                               risk issues. These factors all appear to be positive for    biggest barrier to information security is “budget
                               the visibility and stature of the CISO role.                constraints and lack of resources.” This is, no doubt, the
                                                                                           prevailing lament of most functions, not just IT security,
                               The majority of CISOs still report to the CIO (33%) or      particularly in hard economic times. The fact that the
                               to some other technical role: IT Executive (13%), CTO       IT security function’s biggest barrier is now the universal
                               (6%), CSO (3%). As much as CIOs are part of the             complaint of most functions – and not the far more
                               C-suite, this reporting relationship means that security    ominous “lack of management support”, shows that
                               is still projected as mainly an “IT issue.” It may mean     the function is evolving in the right direction.
                               that there is limited potential for greater visibility of
                               information security outside IT, a circumstance that may    Prioritization of initiatives, having a clear business case,
                               support IT’s desire for potential integration with other    articulating the need for, and the impact of, security
                               key functions.                                              will now be reality for security functions, just as it has
                                                                                           been for the rest of IT and the rest of the business for
                               What is interesting is that as the CISO role is becoming    some time.
                               more focused on security governance (87%), strategy
                               and planning (80%), internal security awareness (73%)       Another key driver of the evolution of the security
                               and incident response (62%), the CISO focus moves           function is regulation. As the Enterprise Risk
                               away from traditional areas such as web customers’          Management (ERM) practices of the organization grow
                               administration, external security awareness and disaster    increasingly important – Standard & Poor’s recently
                               recovery planning, and the protection of paper-based        announced that they will review the quality of ERM as
                               information. In 2008, although more and more                a new component in their reviews of credit ratings*,
                               information is being created in electronic format, paper    the information security function must have a security
                               is still the most prevalent medium for information, e.g.,   reporting structure that reflects its importance to the
                               mortgage records in branches, banking information,          compliance of the organization.
* BusinessFinanceMag.com,
  “S&P Rolls Out ERM           etc. However, that finding does not necessarily mean
  Review”, by John             that the CISO is neglecting this area of responsibility –   The percentage of respondents who indicate that their
  Cummings, May 13, 2008.      the emergence of risk councils may well mean that,          CISO reports to a security committee has risen in 2008
  Retrieved from
  http://businessfinancemag.   although security operations may be migrating to other      (9%) compared to 2007 (5%). Nevertheless, this
  com/article/sp-rolls-out-    areas of the organization, the CISO, as part of the risk    percentage is still low and does not fully represent the
  erm-review-0513 on           council, remains informed.                                  governance potential of security committees.
  December 08, 2008.


10
A security committee is typically made up of                   5. Identity and access management
representatives of functions from across the                   “Identity and access management” was the number
organization and allows the security function to               one initiative that respondents mentioned in 2007
increase its visibility across business lines and functions    survey; in 2008, it is number two. We expect that it will
and better align itself with the strategic priorities of the   remain in front for years to come. The reason is
organization.                                                  because the identity and access management onslaught
                                                               to the organization continues from all sides. There is
4. The information security strategy                           increasing regulation. There are increasing industry
Respondents indicate that 61% of organizations have a          guidelines. There are more mobile workers than ever
security strategy and 21% have one in draft form. But          before using more devices than ever before, such as
what is important is not just that a strategy exists in        BlackBerrys, PDAs, laptops, and iPhones. There are more
document form but rather, how the document was                 suppliers, business partners, and other outsiders who
created and how it is being used. For example, what            need secure access to the organizations’ systems.
level of input was sought from executives and business
when the document was being created? Does the                  “Excessive access rights” was stated by respondents as
organization use the document, i.e., embrace its               the top “internal/external audit finding over the past
policies? What was the quality of the input that formed        12 months.” “Unauthorized access to personal
it? Has the strategy translated into benefits, such as         information” was stated as the number one concern
closer alignment with the business and positive                from a privacy perspective. Identity and access
feedback? Is there reporting on the effectiveness of the       management must constantly be enhanced to reflect
strategy?                                                      the state of flux. Future-state identity and access
                                                               management will include enhancements such as an
As they did in 2007, companies in 2008 still appear to         automated process that gives out application access
struggle with the definition of a security strategy and        and then knows immediately when an employee has
what the strategy should include. Essentially, an              left the organization and revokes that access; employee
information security strategy is a plan as to how the          identities that are synchronized across all systems; a
organization can mitigate risks while complying with           system that, instead of simply verifying who has a valid
legal, statutory, contractual, and internally developed        user name and password, also verifies whether the
requirements. Yet only 63% of the respondents who              person needs to be accessing what they are attempting
maintain that their organizations have an information          to access in the network.
security strategy indicate that they have identified their
information security strategy requirements. Only 45%           Identity theft continues unabated in 2008. Those of
have a people strategy, which is low given that many           us who believe that we are on to the tricks of identity
face issues with finding qualified resources. Only 40%         theft scammers and already take the utmost
have included metrics and performance management,              precautions could be unpleasantly surprised by the
which are needed to help ensure that what is being             sophistication of upcoming scams. The good news is
done is meeting the expectations of business. And only         that there is now improved communication among
63% indicate that they have aligned their strategic            businesses, consumers, and law enforcement as to
objectives with the organization. Until these areas are        causes and possible solutions to reduce identity theft
addressed, and information security strategy becomes           crimes. The level of awareness on the part of
thoroughly understood and commonplace, puzzling                consumers grows every day. Organizations are
discrepancies will continue to surface.                        deploying and piloting an increasing array of new
                                                               technology. Security log and event management
                                                               systems are, according to respondents, one of the key
                                                               technologies being piloted over the next 12 months.




                                                                                          Protecting what matters The 6th Annual Global Security Survey   11
Governance




Presence of a defined information governance framework (%)               Governance framework
                                                                        Organizations clearly recognize the link between strong
                  Yes
                                                                        security governance and effective information security –
                                                                        governance for security is one of the top five security
                                                                        initiatives in 2008. In 2007, organizations also appeared
Yes, but in draft form
                                                                        to recognize the importance of an established
        Intend to have                                                  governance framework – 81% of respondents indicated
     within 12 months                                                   that they had one. In 2008, however, that number
                                                                        dropped significantly to 69%. Does this mean that
        Intend to have
     within 24 months                                                   organizations are attributing less importance to the
                                                                        governance framework in 2008? This is unlikely, given
                   No                                                   the position of governance in the top five security
                                                                        initiatives. It is more probably a case of “a little
                         0     20          40           60   80   100   knowledge is a dangerous thing.” As organizations
                                                                        become more security savvy and more informed, they
     2008        2007
                                                                        recognize that an established governance framework is
                                                                        key to guiding the development and maintenance of a
                                                                        comprehensive information security program, and what
                                                                        they considered to be a framework in the past did not
                                                                        meet the definition of an effective governance
                                                                        framework.




12
Reporting                                                   Top direct reporting links (%)
Eighty percent of respondents in 2008 indicate having
a CISO or equivalent position on their corporate roster,                   CIO
and 7% have even more than one. The top four
positions to whom the CISO reports – the CIO, the            Board of Directors

Board of Directors, IT Executive, and the CEO – either
                                                                   IT Executive
show a slight increase from 2007 or remain the same in
2008, indicating that the CISO role shows no signs of                     CEO
moving away from reporting to the C-suite.
By far, the majority of CISOs report to the CIO,            Security Committee

unchanged for the last three years of this survey.
                                                                          CRO
The CISOs still report in aggregate (50%) to
predominantly IT-related positions: CIO, CTO, and IT                      CTO
Executive. The reality remains that the CISO position is
still considered to fulfill a predominantly IT role.                      COO

                                                               General Counsel
In 2008, more CISOs report to a Security Committee,
the fifth most-mentioned reporting line after the CIO,
                                                                          CSO
the Board of Directors, IT Executive, and the CEO.
The greatest number of respondents indicate that the                      CFO
top indirect reporting position for CISOs is the Board of                         0       5        10        15         20       25        30        35
Directors, demonstrating that, just as it was in 2007,
the issue of information security remains a C-suite and        2008         2007
board-level concern.

                                                            Top indirect reporting links (%)


                                                               Board of Directors
                                                             Security Committee
                                                                             CIO
                                                                            CEO
                                                                   Internal Audit
                                                                            CRO
                                                                            CTO
                                                                            CFO
                                                                 General Counsel
                                                                            COO
                                                                                      0   1        2        3       4        5        6         7         8

                                                               2008




                                                                                          Protecting what matters The 6th Annual Global Security Survey       13
What the CISO is
responsible for?

Top functions of CISO (%)                                     Top functions
                                                              Survey respondents indicate that the CISO’s primary
       Security governance                                    responsibilities are security governance, strategy and
                                                              planning, internal security awareness, security incident
            Security strategy
               and planning                                   response and management, as well as security
                                                              assessments (all rating at least 60%, with security
Internal security awareness
                                                              governance as high as 87%). Respondents indicate that
Security incident response
         and management                                       CISOs are least responsible for areas such as web
       Security assessments
                                                              customers’ administration, external security awareness,
                                                              disaster recovery planning, and the protection of paper-
  Vulnerability and threat                                    based information (all ratings less than 40%).
             management
 Security implementation
           and integration                                    These findings do not mean that these latter areas are
                                                              being necessarily neglected. For example, respondents
       Security architecture
                                                              indicate that the CISO is more concerned with internal
        IT risk management                                    security awareness (73%) than with external awareness
         Identity and access                                  (31%). This supports findings later in this survey that
               management                                     the internal workforce is an organization’s biggest
     Security administration                                  worry (36%) versus outsiders (13%). It is natural, then,
                                                              that the CISO would focus on the areas of most
            Security training
                                                              concern. In addition, the emergence of risk councils
         Security consulting                                  may indicate that, while security operations are being
                                                              handled by other areas of the organization, the CISO,
     Security investigations                                  as a member of the risk council, is still involved.
              IT compliance
               management                                     This year, respondents indicate that IT compliance
        Third-party security                                  management (at 48%) is part of the responsibility of the
                                                              CISO. This is an important responsibility, given that
       IT perimeter security
                                                              organizations have identified security regulatory
       Security employees/                                    compliance as their primary security initiative in 2008.
       users administration

        Security operations

        Computer forensics

                     Privacy

        Business continuity
              management
      Security performance
              management
          Disaster recovery
                   planning
      External customers’
      security awareness
     Interaction with law
 enforcement authorities
 Security web customers’
           administration
            Physical security

                                0   20   40   60   80   100   Due to an expanded question set this year, responses that do
                                                              not show comparisons to last year indicate that data was not
     2008          2007                                       collected for that question last year.




14
Information assets                                            Information assets the CISO is responsible for (%)
Respondents indicate that the CISO’s chief
responsibilities are networks, servers, desktops, and                       Networks
laptops. There is nothing surprising about this finding; it
is the lower end of the chart that is more interesting.                        Servers
Only 45% of respondents include paper documents in
the CISO’s mandate. Digital perimeter of the                                 Desktops
organization (69%), data repositories (68%), mobile
storage devices (68%), and mobile communication                               Laptops
devices (61%) also seem to be underrepresented.
In many instances, some of these information assets                      Applications

(e.g., paper documents, data repositories) have not               Digital perimeter of
traditionally been included within the CISO’s mandate.               the organization

However, as more organizations continue to expand                   Data repositories
their information security functions to include IT Risk
                                                                      Mobile storage
Management, and as the respective leaders continue to
                                                                             devices
adopt titles such as Information Security Officers, the
                                                              Mobile communication
question remains – are all information assets being                        devices
appropriately managed?
                                                                    Paper documents

Convergence between logical and                                                          0           20           40            60            80             100
physical security
As they did in 2007 (66%), a large number of
respondents in 2008 (44%) indicate that there are no          Covergence between logical and physical security (%)
plans for their organizations to converge logical and
physical security. However, convergence may typically          Yes – through structural (physical and
be viewed by respondents as an “all or nothing”                    information security) convergence
situation when, in fact, like any shift in thinking, small    Yes – physical and information security
                                                                      remain as seprate functions yet
steps are required to move toward embracing the idea.             report into one common executive
These small steps were implied in the responses in 2008               Yes – through the formation of
and include information sharing through means such as                                     risk councils

risk councils (19%), common executives for separate                       Intend to within 12 months
functions (17%), and structural convergence for better
coordination (11%), all evidence that convergence is                      Intend to within 24 months

gaining some traction. Geographically, respondents in
                                                                                                   No
EMEA, APAC, and Japan indicate the least resistance to
convergence while those in North America and LACRO                                                        0     10         20         30           40         50
indicate the greatest. A greater number of respondents
in 2008 state their intention to converge within
24 months. The reality is that while structural convergence
of logical and physical security represents a radical
change to the traditional structure of an organization,
the survey indicates that there is a shift in thinking
around the idea of convergence.




                                                                                             Protecting what matters The 6th Annual Global Security Survey   15
Number of information security professionals                                       Full-time employees
                                                                                   The majority of respondents indicate that their security
  FTEs* inside security function                                                   organizations have 1 to 50 FTEs (including all
  0                                                                     4%         categories: internal, external, and outsourced/
  1 to 50                                                               85%
                                                                                   consultants). Thirty five percent of respondents indicate
                                                                                   that their organizations do not have outsourced
  51 to 100                                                             6%
                                                                                   information security FTEs at all. In 2008, there is a slight
  101 to 150                                                            2%         increase in the number of respondents who indicate
  FTEs outside security function                                                   that their organizations “added resources” (45% in
  0                                                                     33%        2007 versus 48% in 2008). It is likely that this upward
                                                                                   trend has been interrupted by the current economic
  1 to 50                                                               50%
                                                                                   crisis, which, at the time these questions were posed
  51 to 100                                                             2%
                                                                                   to respondents, had not reached its peak and continues
  101 to 150                                                            1%         to unfold.
  Over 400                                                              4%

  Outsourced/consultants FTEs
                                                                                   Capability of security personnel
                                                                                   In response to the statement, “the organization has all
  0                                                                     35%
                                                                                   the required competencies to respond effectively and
  1 to 50                                                               52%        efficiently to existing and foreseeable security
  51 to 100                                                             2%         requirements” the number of respondents who agree
                                                                                   (34%) is relatively low. Although it is up from 2007
*FTE – full-time employee                                                          (30%), the difference is perhaps too small to conclude
                                                                                   an upward trend. There is a similar gain over 2007
                                                                                   when respondents rate the statement, “the
Capability of security personnel (%)
                                                                                   organization is missing competencies but is adequately
                                                                                   closing the gap” (36% in 2008 compared to 31% in
 Organization has all the
  required competencies
                                                                                   2007). The good news here is that, despite the
   to respond effectively                                                          increasing sophistication of security threats, the
          and efficiently                                                           competencies required to respond effectively (or to
                                                                                   adequately close the gap) are increasing.
  Organization is missing
     competencies but is
      adequately closing
                  the gap



     Organization has large
      gaps in competencies




Staff supplementation or
outsourcing is being used


                              0    5   10      15   20   25   30   35         40

      2008        2007




16
Defined information security strategy                         Presence of a defined information security strategy (%)
Respondents indicate that the presence of a defined
information security strategy has not changed
appreciably from last year (61% in 2008; 63% in 2007).        Yes, formally documented
There is also very little change in those who have one in
draft form (21% in 2008; 23% in 2007) and no change
in those who intend to have one in 12 months (10%
both in 2008 and 2007).                                               Yes, in draft form


Level of involvement in information
security strategy
In just about every area regarding the information                Intend to have within
                                                                             12 months
security strategy – providing input, approving it, and
embracing it – functional executives and business lines
have more involvement than they did in 2007.
The biggest gains over last year come in the area of
                                                                                     No
input to the security strategy (58% for business lines
and 52% for functional executives in 2008 versus
39% combined in 2007) and in the area of buy-in or                                         0       10        20        30    40      50        60        70    80
embracing it (26% and 23% in 2008 versus only
                                                                 2008         2007
10% combined in 2007). Business lines and functional
executives are now more likely to approve information
for the security strategy (33% and 46% in 2008 versus         Level of involvement in information security strategy (%)
27% combined in 2007). Even though the presence of
the information security strategy, either formally
documented or in draft form, remains relatively                   Approve information
                                                                     security strategy
unchanged from 2007, what has changed is the level of
involvement with it on the part of functional executives
and business lines. Why did it happen? One of the
                                                              Embrace security strategy
possible explanations is that functional executives and
business lines are taking an extra step to correct
increased perceived misalignment of business and
                                                                  Lead security strategy
information security initiatives. Increased executive
involvement is a good thing for security function, as it is
likely to increase chances of information security
projects to get funding and ultimately succeed.                           Provide input




                                                                           Not involved


                                                                                           0            10        20         30           40        50         60

                                                                 Business lines       Functional executives




                                                                                               Protecting what matters The 6th Annual Global Security Survey   17
Top security initiatives                                    Major barriers to information security
                              It is no surprise that security regulatory compliance is    Not surprisingly, budget constraints and the increasing
                              the top security initiative. Organizations still grapple    sophistication of threats occupy the first two spots in
                              with how to handle legal, regulatory, and auditor           2008 (56% and 38%, respectively). Further, when the
                              requirements. There is the growing understanding that       majority of questions in this survey were answered,
                              compliance and risk management processes have a             respondents had not yet felt the full force of the current
                              direct effect on stock price. Standard & Poor’s recently    economic woes.
                              announced that they will review the quality of
                              enterprise risk management (ERM) as a new component         Surprisingly, “increasing sophistication of threats” was
                              in their reviews of credit ratings for all listed           seen as less of a barrier in 2008 (38%) than in 2007
                              companies.* This development means a significant            (49%). This result may well indicate that organizations
                              change in business leadership and performance               are being better prepared to deal with them,
                              management.                                                 attributable to the more widespread use of antiviruses
                                                                                          and other security technologies. In addition, emerging
                              In 2008, data protection and information leakage – not      technologies are also seen as less of a barrier in 2008
                              even in the top five in 2007 – tied with the second         (27%) than they were in 2007 (36%). This may be due
                              place priority, identity and access management. This is     to the fact that as respondents become more familiar
                              understandable, given the incidents that have attracted     with the platforms of emerging technology, they feel
                              media attention over the last year, including the largest   that it is less of a barrier each year.
                              hacking and identity theft case ever prosecuted by the
                              U.S. Department of Justice. The targeted retail group       Predictably, lack of management support, a major
                              admitted that some of their files were encrypted and        lament in the early years of this survey, is far down the
                              some were not; the same applied to their data               list of barriers in 2008 (only 15%).
                              transmissions. But it would not have mattered anyway
                              since the decryption tool was allegedly stored in the       Return on information security investments
                              same location as the files, a common mistake according      Respondents indicate that there is essentially, little,
                              to industry analysts.                                       if any, measurement of return on information security
                                                                                          investment. This may well be a factor of the speed at
                              The spate of high-profile vulnerabilities in the form of    which information security needs to move and the
                              high-capacity storage devices, such as USB keys or MP3      agility that is required when threats warrant it.
                              players and the growing popularity of social networking     Measuring return on security investment becomes a
                              sites, such as Facebook and MySpace, continue to make       relatively low priority when the first priority is to quickly
                              data protection ever-more challenging. These mechanisms     thwart hackers at their own game and by whatever
                              introduce opportunities to steal identities and gain        means are necessary. While 23% are working on
                              access to confidential information. Since high-profile      establishing formal metrics (down from 34% in 2007),
                              vulnerabilities will continue to profligate, this aspect    the overwhelming majority (62%) are split between
                              of information security will continue to grow in            “do not measure” and “little, if any, measurement.”
                              importance as an initiative.                                However, the measurement of return on information
                                                                                          security investments is a key factor in engaging C-suite
                                                                                          executives for the necessary support and funding.
                                                                                          Given the economic conditions, it is important to be
                                                                                          able to justify the prioritization of initiatives.


* BusinessFinanceMag.com,
  “S&P Rolls Out ERM
  Review”, by John
  Cummings, May 13, 2008.
  Retrieved from
  http://businessfinance
  mag.com/article/sp-rolls-
  out-erm-review-0513 on
  December 08, 2008.


18
Top five security initiatives of 2008 (%)



    Security regulatory
            compliance



    Access and identity
         management



   Data protection and
   information leakage



 Security infrastructure
          improvement




Governance for security


                           0       10        20       30    40   50   60

   2008          2007



Major barriers in ensuring information security (%)



   Budget constraints and/
      or lack of resources


  Increasing sophistication
                of threats



    Emerging technologies



  Inadequate availability of
      security professionals



Privacy issues and concerns


    Inadequate availability,
       functionality and/or
         interoperability of
           security products

       Lack of information
          security strategy


      Lack of management
                  support


                               0        10     20      30   40   50   60

   2008          2007


                                                                           Protecting what matters The 6th Annual Global Security Survey   19
Reporting on information security status                A more encouraging sign would be that monthly
                                 or security incidents                                   (scheduled) reporting is in the second place for Board of
                                 Respondents indicate that reporting to the Board of     Directors, CEO, and in the first place for senior and
                                 Directors, the Audit Committee, and the CEO is most     executive management. Moreover, monthly reporting to
                                 frequently on an ad hoc basis, i.e., information        senior and executive management (at 30%) is higher
                                 reporting is not scheduled and, therefore, does not     than ad hoc reporting to all other areas.
                                 likely feed into business reporting.


Frequency of reporting on information security status or security incidents


                                                                                                                                Senior and
                                                           Board of                   Audit                                       Executive
                                                           Directors              Committee                    CEO             Management

  Weekly                                                        2%                      0%                     2%                       5%

  Monthly                                                      19%                     13%                    20%                      30%

  Quarterly                                                    19%                     19%                    19%                      17%

  Semi-annually                                                 7%                      7%                     4%                       3%

  Annually                                                     11%                     13%                     6%                       3%

  Ad hoc                                                       19%                     24%                    23%                      24%

  Never                                                        10%                     12%                     9%                       3%

  Only when an incident occurs                                  9%                      8%                    11%                      12%

  Choose not to be informed                                     0%                      0%                     1%                       0%




20
Information security model structure                            Access control compliance with procedures ties with
The biggest increase from 2007 in information security          segregation of duties (30%) as the second most
structure is the rise of the federated model (where a           prevalent audit finding. Access and control compliance
centralized group sets common standards and performs            reflects the security concern of many organizations of
central functions while the business units maintain             having controls in place to ensure users have access
some control over “local” execution). The federated             only to what they need to properly do their jobs.
model is a hybrid of centralized and decentralized,             Auditors look for conflicts in segregation of duties in
employing the best characteristics of both. Twenty two          which one individual has access to responsibilities that
percent of respondents in 2008 versus 13% in 2007               are inherently in conflict with one another. To use a
stated that they followed the federated model. In an            banking example, the same person should not accept
age of increasing regulation and oversight, it is               cash, record deposits, make deposits, and reconcile the
understandable that the decentralized model is losing           account. It is a lack of segregation of duties that allows
ground. Predictably, the centralized model remains the          some individuals to circumvent intended controls.
traditional structure.

Internal/external audit findings                                Information security model structure (%)
The most prevalent internal/external audit findings in
the 2008 survey also reflect organizations’ top security
initiatives, a good sign that there is little confusion as to
                                                                  Centralized
what is a priority. Excessive access rights as the most
prevalent audit finding, followed by access control
compliance with procedures and segregation of duties,
all reflect organizations’ concern about identity and
                                                                   Federated
access management, compliance, and data leakage
protection.

These top three findings in 2008 were also the top
                                                                Decentralized
three findings in 2007. Excessive access rights is cited
by 31% of respondents, compared to 45% in 2007;
access control and compliance with procedures is cited
by 30% of respondents in 2008, compared to 29% in
                                                                       Other
2007; and segregation of duties ties with access control
and compliance in 2008 (30%) compared to 35% in
2007.                                                                           0          10      20         30        40        50        60        70        80

                                                                   2008             2007
Excessive access rights is likely to be an important topic
for some time. Auditors and regulators expect that
individuals will have rights only to the data/information
that are needed to perform their jobs. And when those
rights are no longer needed to perform the job, they
also expect the rights to be revoked. And “revoked”
does not just mean at some point in the future – it
means in a timely fashion. As simple as this sounds in
theory, in practice, it is not. Given changing job
responsibilities, a more mobile workforce, employee
turnover, and corporate reorganizations and mergers,
this is a tall order.




                                                                                                Protecting what matters The 6th Annual Global Security Survey   21
Top internal/external audit findings over the past 12 months (%)



                        Excessive access rights



                           Segregation of duties



Access control compliance with procedures


                    Lack of audit trails/logging



             Lack of documentation of controls



 Excessive developers’ access to production
                          systems and data


                  Lack of review of audit trails


 Lack of clean-up of access rules following
                  a transfer or termination


              Use of production data in testing



                                DRP/BCP testing



             DRP/BCP documentation/currency


     Lack of documented security policies and
        supporting guidelines and procedures

     Servers not hardened consistent with the
                                   standards


         Lack of security awareness programs



        Lack of separate testing environment



             Use of weak password parameters



          Lack of server hardening standards


       Lack of authorization of changes prior
                           to implementation

                                                   0          10   20   30   40   50

      2008          2007




22
Investment in information security                          Percentage of IT budget dedicated to information security (%)
Percentage of IT budget dedicated to
information security
The percentage of IT budget dedicated to information                 1 to 3%
security has not changed appreciably from 2007.
The lowest percentage of IT budget (1% to 3%)
remains the dominant category (29%). The situation is                4 to 6%
unlikely to change in the coming years – security
technologies have moved into the mainstream, and all
participants benefit from the effects of scale, which                7 to 9%
drive down the costs. While changes in regulations
might demand new investments, keeping the
infrastructure and technologies that are already in place
                                                                   10 to 11%
up-to-date is a less expensive task than building
everything from ground up. Increased automation will
also help to ease the burden of security costs to global
financial institutions.                                     Greater than 11%


The year-over-year trending for the security budget                            0          5            10         15           20          25            30
supports these numbers. Eight percent of respondents
have had their security budgets reduced in 2008.
                                                            Year-over-year trending in information security budgets (%)
Twenty nine percent of respondents in 2007 reported a
security budget increase of over 15%; in 2008 their
number dropped to 8%.                                          Less than 0% (i.e.,
                                                                budget has been
                                                                         reduced)



                                                              Increase of 1%-5%




                                                             Increase of 6%-10%




                                                            Increase of 11%-15%



                                                              Increase of greater
                                                                       than 15%

                                                                                     0    5       10        15      20       25       30        35       40




                                                                                         Protecting what matters The 6th Annual Global Security Survey   23
Additional information security funding (%)


                   IT function

             Project sponsors

             Lines of business

                 Risk function

       Compliance/regulatory
                    function
         Information security
     budget is the only source

 Human resources function

               Legal function


             Finance function

          Marketing function

            Do not have an
information security budget
                                 0            10          20          30        40   50




                                     By far, the biggest source of additional
                                     funding over and above the IT budget
                                     comes from the IT function (49%).




24
Expenditures on information security                         Expenditures on information security (%)
Respondents in 2008 indicate a decrease in “On plan”
and an increase in “Falling behind,” a clear trend that
projects are underfunded. This finding supports the                Ahead of
                                                               requirements
reasons cited for “causes of project failure” (lack of
resources) and “major barriers to information security”
(budget constraints).
                                                                     On plan
What is covered under information
security budget
The most striking observation about what is covered
under the information security budget is that key                Catching up
initiatives in 2007 – business continuity management
and disaster recovery – have not only dropped out of
the top five in 2008 but they are well down the list.
They are low on the list of funding priorities as well.        Falling behind
The top areas – consultants, access control products,
and infrastructure protection devices – are all consistent
                                                                                0            10              20             30                40            50
with the top stated security initiatives for 2007.
                                                                2008            2007



Information security budget segmentation (%)


                Security consultants

    Logical access control products
  Infrastructure protection devices/
                           products
   Awareness/communication costs

Desktop and gateway antivirus, etc.

       Hardware and infrastructure

 Personnel and organizational costs

 Compliance and risk management

                   Incident response

          Disaster recovery planning

Security research and development

  Business continuity management

              Studies/research costs

          Audit or certification costs

             Physical access control

                     Insurance costs

                                        0         10            20                     30            40                50                60                 70

   2008



                                                                                            Protecting what matters The 6th Annual Global Security Survey   25
Major causes of failure of information security projects (%)                           Causes of information security project failure
                                                                                       “Lack of resources” is cited as the number one cause of
         Lack of resources                                                             information security project failure. This is consistent
                                                                                       with an earlier observation that budget restraints are
          Shifting priorities                                                          the biggest barrier to information security. Despite the
                                                                                       stated lack of resources – human nature being what it
      Integration problems                                                             is, this will likely be an ongoing lament – there is some
                                                                                       very good news here. “Shifting priorities” has fallen
            Lack of business                                                           rather dramatically from the previous year (48% in 2007
            owners’ support
                                                                                       to 27% in 2008) indicating that organizations are
 Unrealistic expectations                                                              identifying, communicating, and agreeing upon
                                                                                       priorities.
Lack of executive support
                                                                                       As to whether the information security function is
          Lack of ability to                                                           meeting the needs of the organization, the “somewhat
        effectively execute
                                                                                       effective” category and the “very effective” category
     Lack of competencies/                                                             have both lost ground over the year. This is likely a
               capabilities                                                            reflection of the fact that as threats increase in
                                0    10            20          30         40      50   sophistication (more sophisticated in 2008 than ever
                                                                                       before), organizations struggle to keep up with them.
     2008          2007



How information security meets the needs of an organization (%)

80

70

60

50

40

30

20

10

 0
               Very effective         Somewhat effective            Ineffective

     2008          2007




26
Alignment of business and security initiatives                Alignment of business and information security initiatives (%)
Responses to this category, possibly more than any
                                                              60
other, reflect the stature of information security within
the organization, i.e., when business and security            50
initiatives are aligned, IT security will be recognized for
its true value and will have come full circle. It is          40
somewhat discouraging that there is a slight drop from
last year in the assessment that business and security        30
initiatives are “appropriately aligned” (32% in 2008;
38% in 2007) and “not at all aligned” (5% in 2008;            20

6% in 2007). The good news is that the perception that
                                                              10
business and security objectives are “somewhat
aligned” appears to be growing (58% in 2008; 56%
                                                               0
in 2007).                                                             Appropriately aligned             Somewhat aligned                 Not aligned

                                                                   2008       2007




When business and security initiatives are aligned, IT
security will be recognized for its true value and will
have come full circle.




                                                                                              Protecting what matters The 6th Annual Global Security Survey   27
Risk




       Risk tolerance                                              Application security and privacy as part of the
       When asked about their organization’s risk tolerance,       software development lifecycle
       respondents indicate that their tolerance for risk may be   Approximately the same number of respondents as in
       growing. For example, in 2007, 41% of respondents           2007 and the greatest percentage (46%) indicate that
       indicated that they were content “to take the same risk     application security and privacy as part of the software
       as the rest of the industry”; in 2008, that number has      development lifecycle varies from project to project
       fallen to 27% and the statement “…take more risk            indicating, therefore, that it is not standard procedure
       compared to the industry and have a lower cost” has         for all software development. While it might be
       grown by 5%. However, a large percentage (18% in            reasonable for mature financial institutions to conduct
       2008 and 19% in 2007) indicate that they “do not            their own risk-benefit analysis and determine the level
       compare” and 10% have “no empirical data available”:        of due diligence required for each particular software
                                                                   development project, an alarming 14% of respondents
       • To take more risk compared to the industry and have       indicate that incorporating security and privacy as part
         a lower cost – 11% (6% in 2007).                          of the software development life cycle is an
                                                                   afterthought for them:
       • To take the same risk as the rest of the industry –
         27% (41% in 2007).                                        • Incorporated in software development lifecycle – 31%
                                                                     (37% in 2007).
       • To take lesser risk compared to the industry, even at
         a higher cost – 24% (20% in 2007).                        • Varies from project to project – 46% (49% in 2007).

       • We do not compare – 18% (19% in 2007).                    • In most cases it is an afterthought – 14% (14% in
                                                                     2007).
       • No empirical data available – 10% (14% in 2007).




28
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009

Weitere ähnliche Inhalte

Was ist angesagt?

Symantec 2011 Encryption Flash Poll Global Results
Symantec 2011 Encryption Flash Poll Global ResultsSymantec 2011 Encryption Flash Poll Global Results
Symantec 2011 Encryption Flash Poll Global ResultsSymantec
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internetaccenture
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensaakash malhotra
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsPaul Feldman
 
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ... 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...Proofpoint
 
Born to be digital - how leading CIOs are preparing for digital transformation
Born to be digital - how leading CIOs are preparing for digital transformationBorn to be digital - how leading CIOs are preparing for digital transformation
Born to be digital - how leading CIOs are preparing for digital transformationEY
 
Decoding Organizational DNA
Decoding Organizational DNADecoding Organizational DNA
Decoding Organizational DNAaccenture
 
2018 Security Priorities
2018 Security Priorities 2018 Security Priorities
2018 Security Priorities IDG
 
The Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsThe Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsScalar Decisions
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee StudyHiten Sethi
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summarypatmisasi
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performanceAbhishek Sood
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Investorideas.com
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
With 5G adoption, come new cybersecurity risks to mitigate
With 5G adoption, come new cybersecurity risks to mitigateWith 5G adoption, come new cybersecurity risks to mitigate
With 5G adoption, come new cybersecurity risks to mitigateDeloitte United States
 
Evolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarEvolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarLumension
 
Importance of Enterprise Mobility Solution in Healthcare
Importance of Enterprise Mobility Solution in HealthcareImportance of Enterprise Mobility Solution in Healthcare
Importance of Enterprise Mobility Solution in HealthcareChromeInfo Technologies
 
Cybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm DataCybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm DataRocket Matter, LLC
 

Was ist angesagt? (20)

Symantec 2011 Encryption Flash Poll Global Results
Symantec 2011 Encryption Flash Poll Global ResultsSymantec 2011 Encryption Flash Poll Global Results
Symantec 2011 Encryption Flash Poll Global Results
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
 
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ... 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
 
Born to be digital - how leading CIOs are preparing for digital transformation
Born to be digital - how leading CIOs are preparing for digital transformationBorn to be digital - how leading CIOs are preparing for digital transformation
Born to be digital - how leading CIOs are preparing for digital transformation
 
Prof m01
Prof m01Prof m01
Prof m01
 
Decoding Organizational DNA
Decoding Organizational DNADecoding Organizational DNA
Decoding Organizational DNA
 
2018 Security Priorities
2018 Security Priorities 2018 Security Priorities
2018 Security Priorities
 
The Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsThe Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian Organizations
 
2015 IA survey - Protiviti
2015 IA survey - Protiviti2015 IA survey - Protiviti
2015 IA survey - Protiviti
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
With 5G adoption, come new cybersecurity risks to mitigate
With 5G adoption, come new cybersecurity risks to mitigateWith 5G adoption, come new cybersecurity risks to mitigate
With 5G adoption, come new cybersecurity risks to mitigate
 
Evolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarEvolving State of the Endpoint Webinar
Evolving State of the Endpoint Webinar
 
Importance of Enterprise Mobility Solution in Healthcare
Importance of Enterprise Mobility Solution in HealthcareImportance of Enterprise Mobility Solution in Healthcare
Importance of Enterprise Mobility Solution in Healthcare
 
Cybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm DataCybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm Data
 

Andere mochten auch

Tance W[1]
Tance W[1]Tance W[1]
Tance W[1]tance
 
Tanyo 342
Tanyo 342Tanyo 342
Tanyo 342tance
 
Tance Y Sebastian Pulido Romero
Tance Y Sebastian Pulido RomeroTance Y Sebastian Pulido Romero
Tance Y Sebastian Pulido Romerotance
 
C:\Fakepath\Text Of The President[1]
C:\Fakepath\Text Of The President[1]C:\Fakepath\Text Of The President[1]
C:\Fakepath\Text Of The President[1]tance
 
Elecciones 2010
Elecciones 2010Elecciones 2010
Elecciones 2010tance
 
C:\Fakepath\Social Studies Sebas
C:\Fakepath\Social Studies SebasC:\Fakepath\Social Studies Sebas
C:\Fakepath\Social Studies Sebastance
 
Tance y mato
Tance y matoTance y mato
Tance y matotance
 
Social Studies Sebas
Social Studies SebasSocial Studies Sebas
Social Studies Sebastance
 

Andere mochten auch (9)

Tance W[1]
Tance W[1]Tance W[1]
Tance W[1]
 
Tanyo 342
Tanyo 342Tanyo 342
Tanyo 342
 
Tance Y Sebastian Pulido Romero
Tance Y Sebastian Pulido RomeroTance Y Sebastian Pulido Romero
Tance Y Sebastian Pulido Romero
 
C:\Fakepath\Text Of The President[1]
C:\Fakepath\Text Of The President[1]C:\Fakepath\Text Of The President[1]
C:\Fakepath\Text Of The President[1]
 
Elecciones 2010
Elecciones 2010Elecciones 2010
Elecciones 2010
 
C:\Fakepath\Social Studies Sebas
C:\Fakepath\Social Studies SebasC:\Fakepath\Social Studies Sebas
C:\Fakepath\Social Studies Sebas
 
POWER OPTIMISM
POWER OPTIMISMPOWER OPTIMISM
POWER OPTIMISM
 
Tance y mato
Tance y matoTance y mato
Tance y mato
 
Social Studies Sebas
Social Studies SebasSocial Studies Sebas
Social Studies Sebas
 

Ähnlich wie Deloitte Global Security Survey 2009

Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)PwC France
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...Mighty Guides, Inc.
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital FutureCognizant
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 
Information Security Benchmarking 2015
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015Capgemini
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
 
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Mighty Guides, Inc.
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentIBM Security
 
The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Informationjtfoster
 
The evolving role of IT managers and CIOs
The evolving role of IT managers and CIOsThe evolving role of IT managers and CIOs
The evolving role of IT managers and CIOsIBM Rational software
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperrickkaun
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planninggoreankush1
 
Discussion- 11. How does efficient frontier analysis (EFA) dif.docx
Discussion- 11. How does efficient frontier analysis (EFA) dif.docxDiscussion- 11. How does efficient frontier analysis (EFA) dif.docx
Discussion- 11. How does efficient frontier analysis (EFA) dif.docxmadlynplamondon
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...International Federation of Accountants
 
ORX Analytics & Scenario Forum 2019 - summary
ORX Analytics & Scenario Forum 2019 - summaryORX Analytics & Scenario Forum 2019 - summary
ORX Analytics & Scenario Forum 2019 - summaryLuke Carrivick
 

Ähnlich wie Deloitte Global Security Survey 2009 (20)

Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)Etude PwC sécurité de l’information et protection des données (2014)
Etude PwC sécurité de l’information et protection des données (2014)
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 
Information Security Benchmarking 2015
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015
 
Cybersecurity report-vol-8
Cybersecurity report-vol-8Cybersecurity report-vol-8
Cybersecurity report-vol-8
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
 
The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Information
 
The evolving role of IT managers and CIOs
The evolving role of IT managers and CIOsThe evolving role of IT managers and CIOs
The evolving role of IT managers and CIOs
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaper
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planning
 
Discussion- 11. How does efficient frontier analysis (EFA) dif.docx
Discussion- 11. How does efficient frontier analysis (EFA) dif.docxDiscussion- 11. How does efficient frontier analysis (EFA) dif.docx
Discussion- 11. How does efficient frontier analysis (EFA) dif.docx
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
ORX Analytics & Scenario Forum 2019 - summary
ORX Analytics & Scenario Forum 2019 - summaryORX Analytics & Scenario Forum 2019 - summary
ORX Analytics & Scenario Forum 2019 - summary
 

Deloitte Global Security Survey 2009

  • 1. Protecting what matters The 6th Annual Global Security Survey
  • 2. Contents Foreword 1 Objective of the survey 2 The value of benchmarking 3 Who responded 4 Geographic segmentation observations 6 Key findings of the survey 9 Governance 12 What the CISO is responsible for? 14 Risk 28 Use of security technology 34 Quality of operations 38 Privacy 46 How DTT’s GFSI Practice designed, implemented and evaluated the survey 50 Helpful references and links 52 Acknowledgements 54 Survey development team 54 Contributors 54 Contacts 55
  • 3. Foreword Welcome to the sixth annual Deloitte Touche Tohmatsu Organizations encourage their workforces to be (DTT) Global Financial Services Industry (GFSI) Practice constantly connected, more productive, and information security survey. Every year that the DTT GFSI immediately responsive and the market responds with Practice – made up of Deloitte member firm Financial tools to help them to do this. These tools, rolled out at Services Industry practices – conducts the survey, we an increasing pace, present a whole new slew of marvel at the developments that have occurred over the security issues. The media adds to the urgency by past year. While many of the categories and initiatives revealing potential security glitches and the scenarios that survey respondents talk about stay the same from that might ensue, e.g., a million mobile phones year to year, the face of them often changes – simultaneously dialing a company’s head office as a sometimes dramatically. There is never a dull moment! result of a software glitch. As well, there is no shortage of sensationalist media coverage for high-profile events, The top two security initiatives in 2007 were “identity like the rogue futures trader who contributed to losses and access management” and “security regulatory of over US$7 billion dollars announced by a major compliance.” In 2008, they merely switched spots. European financial services company. While the initiatives have not changed, it seems that each year they need to be addressed with a more A major focal point, people continue to be an sophisticated and far-reaching solution. organization’s greatest asset as well as its greatest worry. That has not changed from 2007. What has It is no surprise that compliance with regulation and/ changed is the environment. The economic meltdown or industry guidelines was the top initiative in 2008. was not at its peak when respondents took this survey. The compliance initiative encompasses not just the If there was ever an environment more likely to “what” (being compliant) but also the “how” (a facilitate an organization’s people being distracted, compliance approach that is thorough, cost-effective, nervous, fearful, or disgruntled, this is it. To state that and adaptable to increasing regulation). Year 2007 saw security vigilance is even more important at a time like the worst credit card data breach ever and it stands as this is an understatement. the prime example of what can ensue when an organization is exposed. The organization in question Those of us in the security industry know that an was a retail group subject to the Payment Card organization’s best defense against internal and external Industry’s Data Security Standards and had been told breaches is not technology alone. It is a culture of by its assessors that weak Wireless Encryption Protocol security within an organization – a mindset on the part (WEP), missing software patches and poorly configured of every individual so that actions in support of firewalls made them noncompliant. In a Securities and information security become automatic and intuitive. Exchange Commission filing, the retail group admitted to transmitting data to banks "without encryption.” From the creation of the survey questions to the production of this document and everything in Identity and access management is one of the key between, this undertaking requires time, effort, detailed initiatives on the front line of the never-ending battle attention and, most of all, participation. I want to thank between good and bad. Its face is changing constantly. the Chief Information Security Officers, their designates, It meant something last year and this year it means and the security management teams from financial something entirely different. Every year, hackers’ services institutions around the world who participated techniques get slicker and more innovative. When a in this survey. phishing/pharming attempt gets old and stale and recognized, there is another one – encompassing a whole new level of technological smarts – waiting in the wings. The innovation that powers the technology industry also causes a constant headache for those who Adel Melek – Global Leader, Security & Privacy Services must figure out how to protect information. Global Financial Services Industry Practice Deloitte Touche Tohmatsu Protecting what matters The 6th Annual Global Security Survey 1
  • 4. Objective of the survey The goal of the 6th Annual Global Security Survey for financial institutions is to help respondents assess and understand the state of information security within their organization relative to comparable financial institutions around the world. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my counterparts? By comparing the 2008 data with that collected from the previous year’s surveys, DTT GFSI Practice can determine differences and similarities, identify trends and ponder in-depth questions, such as: How is the state of information security changing within an organization? And are these changes aligned with those of the rest of the industry? Where possible, questions that were asked as part of the 2004-2007 Global Security Surveys have remained constant, thereby allowing for the collection and analysis of trend data. In order that questions remain relevant and timely with regard to environmental conditions, certain areas were re-examined and expanded to incorporate the “critical” issues being addressed by financial institutions at a global level. Deloitte subject matter specialists were enlisted and their knowledge leveraged to identify questions with these critical issues. 2
  • 5. The value of benchmarking Financial services institutions (FSIs), now more than ever, Survey scope recognize the importance of performance The scope of this survey is global and, as such, measurements and benchmarks in helping them encompasses financial institutions with worldwide manage complex systems and processes. The Global presence and head office operations in one of the Security Survey for financial institutions is intended to following geographic regions: North America (NA); enable benchmarking against comparable organizations. Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); Benchmarking with a peer group can assist Japan; and Latin America and the Caribbean (LACRO). organizations in identifying those practices that, when To promote consistency, and to preserve the value of adopted and implemented, have the potential to the answers, the majority of financial institutions were produce superior performance or to result in interviewed in their country of headquarters. recommendations for performance improvements. The strategic focus of financial institutions spanned a variety of sectors, including banking, securities, Areas covered by the Survey insurance, and asset management. While industry focus It is possible that an organization may excel in some was not deemed a crucial criterion in the participant areas related to information security, e.g., investment selection process, attributes such as size, global and responsiveness, and fall short in other areas, e.g., presence, and market share were taken into value and risk. In order to be able to pinpoint the consideration. Due to the diverse focus of institutions specific areas that require attention, DTT’s GFSI Practice surveyed and the qualitative format of our research, the chose to group the questions by the following six results reported herein may not be representative of aspects of a typical financial services organization’s each identified region. operations and culture: • Governance Compliance, Policy, Accountability, Management Support, Measurement. The Global Security Survey for financial • Investment institutions is intended to enable Budgeting, Staffing, Management. benchmarking against comparable • Risk organizations. Industry Averages, Spending, Intentions, Competition, Public Networks, Controls. • Use of security technologies Technology, Encryption, Knowledge Base, Trends. • Quality of operations Business Continuity Management, Benchmarking, Administration, Prevention, Detection, Response, Privileged Users, Authentication, Controls. • Privacy Compliance, Ethics, Data Collection Policies, Communication Techniques, Safeguards, Personal Information Protection. Protecting what matters The 6th Annual Global Security Survey 3
  • 6. Who responded The 6th Annual Global Security Survey respondent data Top 100 global financial institutions (assets value) reflects current trends in security and privacy at a number of major global financial institutions. DTT’s GFSI Practice agreed to preserve the anonymity of the participants by not identifying their organizations. However, DTT’s GFSI Practice can state that, overall, the participants represent: 21% • Top 100 global financial institutions – 21% (based on assets value). • Top 100 global banks – 21% (based on assets value). 79% • Top 50 global insurance companies – 14% (based on market value). Top 100 global financial institutions Other • Number of distinct countries represented – 32. Top 100 global banks (assets value) Respondent data reflects current trends in security and privacy at a number of 21% major global financial institutions. DTT’s GFSI Practice agreed to preserve the anonymity of the participants by not 79% identifying their organizations. Top 100 global banks Other Top 50 global insurance companies (market value) 14% 86% Top 50 global insurance companies Other 4
  • 7. Geographic region Geographic region (%) The pool of respondents provides an excellent cross- 50 section from around the world, with a breakdown as follows: 40 Asia Pacific (APAC), excluding Japan 6% Japan 9% 30 Europe, Middle East and Africa (EMEA) 48% 20 North America 18% Latin America and the Caribbean (LACRO) 19% 10 Industry breakdown 0 The final survey sample reflects all major financial APAC Japan EMEA North America LACRO sectors: Banking 62% Industry breakdown Insurance 18% Investment and securities 9% 8% 3% Payments and processors 3% Other 8% 9% Annual revenue 62% The respondent companies represent a broad spectrum 18% based on annual revenues*: <$1B in annual revenue 40% $1B-$1.99B in annual revenue 7% $2B-$4.99B in annual revenue 11% $5B-$9.99B in annual revenue 3% Banking Payments and processors $10B-$14.99B in annual revenue 1% Insurance Other Investment and securities >$15B in annual revenue 13% Annual revenues (all currency stated in U.S. dollars) 40 35 30 25 20 15 10 5 * Results may not total 100% as DTT’s GFSI Practice is reporting 0 <$1B $1B-$1.99B $2B-$4.99B $5B-$9.99B $10B-$14.99B >$15B selected information only; responses from those who decline to answer may not be included in the reported data. Protecting what matters The 6th Annual Global Security Survey 5
  • 8. Geographic segmentation observations APAC Regional highlight (excl. Japan) Japan EMEA North America LACRO Global Respondents who feel that security has risen to executive management and/or the board as a 77% 79% 70% 63% 78% 72% key imperative Respondents who feel they have both commitment and funding to address regulatory 69% 65% 56% 58% 63% 59% requirements Respondents who indicated that they had a defined and formally documented 62% 50% 64% 62% 68% 61% information security strategy Respondents who feel that information security and business initiatives are appropriately 31% 30% 32% 28% 40% 32% aligned Respondents who indicate that their 54% 25% 60% 65% 75% 60% information security budget has increased Respondents who indicated that their expenditures on information security were ‘on 31% 5% 50% 26% 59% 43% plan’ or ‘ahead of requirements’ based on the organization’s current needs Respondents who have incorporated application security and privacy as part of their software 38% 40% 26% 32% 41% 31% development lifecycle Respondents who feel they presently have the required competencies to handle existing and 23% 23% 25% 41% 41% 33% 33% 34% foreseeable security requirements Respondents whose employees have received at least one training and awareness session on 58% 90% 64% 82% 82% 72% security and privacy in the last 12 months Respondents who have an executive 23% 85% 58% 82% 24% 57% responsible for privacy Respondents who have a program for 38% 84% 43% 76% 18% 48% managing privacy compliance Respondents who have experienced repeated 33% 17% 26% 27% 30% 27% internal breaches over the last 12 months Respondents who have experienced repeated 58% 17% 49% 51% 50% 47% external breaches in the last 12 months Highest score Lowest score 6
  • 9. Introduction Japan In all geographic regions, we have observed that Japan is unique when it comes to security breaches, external breaches have fallen sharply over the past with the lowest incidents of both internal and external 12 months. This is not due to hackers giving up and breaches (17%) reported across all regions. A number finding other avenues to pursue but rather to the fact of factors may contribute to this: the widespread use of that organizations are getting more security-savvy, strong authentication, the cultural importance of being less reactive and more proactive. We have said honour, the distinct language, and the culturally based that hackers’ methods are getting more sophisticated – reluctance to report security breaches. However, the same is true of the technology designed to thwart language and strong authentication alone are not them. The 2008 survey found that functional executives responsible for the lowest amount of incidents – and business lines are more involved in the information organizations in Japan clearly know how to protect security strategy than they did in 2007; but fewer themselves. An astounding 90% of employees have companies are indicating that they have both the received at least one training and awareness session on commitment and funding to address regulatory security and privacy in the last 12 months. Privacy is a requirements. This shift may be due to the fact that strong focus in Japan – respondents indicate that 85% executive management has a greater confidence that have an executive responsible for privacy and 84% have security initiatives are in hand and, therefore, do not a program for managing privacy compliance, numbers warrant additional resources. There is a noticeable that make Japan “best in class” in this area across all global decline in organizations who report that they regions. Security continues to rise to the executive have a program in place to manage privacy compliance management level – 79% in 2008 compared to 71% in (77% in 2007 has dropped to 48% in 2008). 2007. But there are areas where Japan is not as strong. There has been a rather significant drop in the number Asia Pacific (APAC) excluding Japan of respondents who indicate the presence of a defined Respondents from APAC indicate that they still have and formally documented information security strategy challenges in a number of areas and have experienced (from 75% in 2007 to 50% in 2008). Further, Japan has some regression from 2007. Only 7% of respondents in the lowest number of respondents across all regions 2007 felt that they had the required competencies to (25%) indicating that their information security budget handle existing and foreseeable security requirements. has increased and only 5% of respondents indicating This percentage has risen to 23% in 2008, but is still that their expenditures on information security were the lowest response across all regions. Respondents ‘on plan’ or ‘ahead of requirements’ based on the who indicate that their employees have received at least organization’s current needs. It would seem that, while one training and awareness session on security and respondents from Japan feel that their organizations are privacy in the last 12 months has fallen to 58% in 2008 good at protecting the status quo, they recognize that from 69% in 2007. This situation may also have they have a way to go as their organizations’ security contributed to APAC’s breach track record, which is still needs increase. the highest across all regions, although it has fallen from 2007. APAC respondents indicate that their organizations appear to place less emphasis on having an executive responsible for privacy – 85% had one in 2007; that number has fallen to 23% in 2008. And the obvious follow-on from this finding: while 100% of respondents felt that their organizations had a program for managing privacy compliance in 2007, only 38% feel the same in 2008. A bright spot for APAC is the fact that they have the highest confidence of respondents in all regions that they have both the commitment and funding to address regulatory requirements. Protecting what matters The 6th Annual Global Security Survey 7
  • 10. EMEA North America EMEA respondents indicate that they are confident It appears that a focus on market conditions and the that their security needs have been addressed – EMEA ensuing financial turmoil has forced executives in North is the region that indicates the highest positive response America to start de-prioritizing security initiatives, which regarding competencies to handle existing and may well result in a downward trend in the coming foreseeable security requirements. However, the years. Due to the current operating environment and number of EMEA respondents whose employees have shift in focus for many respondents, there is a received at least one training and awareness session on significant drop in 2008 in the number of respondents security and privacy in the last 12 months (64%) is the who feel that security has risen to executive second lowest score across all regions. This could mean management and/or the board as a key imperative that while EMEA organizations place a lot of reliance on (63% in 2008 versus 84% in 2007**). An organization their security staff (which accounts for the strong derives real value from security and privacy initiatives showing regarding competencies) they are missing an when they become an integral part of the strategic opportunity to engage their entire workforce as plans of the organization. This finding is discouraging – * “The Importance of information security stewards by making them aware of and is, in fact, the lowest across all regions – because Wholesale Financial industry best practices. when the C-suite is no longer engaged, other areas Services to the EU suffer, e.g., budget, visibility. Not surprisingly, and in Economy 2008”, London Economics, What may be a troubling indicator for EMEA for keeping with this finding, there is a very low perception July 2008, retrieved from upcoming years is the finding that respondents who on the part of most respondents that information http://www.cityoflondon. feel they have both commitment and funding to security and business initiatives are aligned (again, the gov. uk on December 10, 2008 address regulatory requirements is, at 56%, the lowest lowest of all regions at 28%). Surprisingly, external of all regions and a rather significant drop from 77% breaches are indicated by respondents as the second ** In the 2007 survey, in 2007. highest (51%) of all regions, even though they have we included individual findings for Canada and fallen rather significantly from 2007 (78%)***. Where the U.S. This year, there is EMEA respondents also indicate that 64% of their North American respondents indicate great strides – a single aggregate finding organizations have a formally documented and and proving they have taken notice of the fact that for both Canada and the U.S. defined as North approved information security strategy. While this people are an organization’s greatest asset and its America. number is in line with the global average (61%), EMEA greatest weakness – is in the area of internal breaches. has become a crucial hub of the global financial services Internal breaches have fallen to 27% in 2008 from 44% *** This finding is consistent with a study by the industry. The EU27 is the world’s leading exporter of in 2007, the greatest drop across all regions but still Identity Theft Resource wholesale financial services, accounting for over 50% of well above Japan’s “best in class” 17%. Center (ITRC), which the global total.* One would expect that the number of found that in the U.S. during 2008, data organizations with an information security strategy LACRO breaches were up by would be much higher and that EMEA would be “best LACRO is the very essence of a late bloomer. LACRO is 47%. The ITRC study was in class” of all regions. “best in class” in five areas, topped only by Japan, and conducted late in 2008, when the full impact of lowest in only one area. LACRO respondents indicate the financial crisis was Another finding about EMEA is that it ranks lowest of that their organizations are still best at having a defined being felt. Of the 656 all regions in incorporating application security and security strategy (68%), but the really good news for data breaches the study reported, only 78 affected privacy as part of the software development lifecycle LACRO is that everything is heading in the right financial institutions. (26% in 2008 and a drop from 33% in 2007). Also, direction: security budgets are increasing, security The ITRC confirms that when asked to characterize their secure application spending is on plan or ahead of requirements, and the financial industry has remained the most development directives, only 32% of EMEA respondents business and security initiatives are viewed as being proactive in terms of data indicate that they are “well defined and practical”, on appropriately aligned. If these trends continue, this will protection. par with North America (32%), but less than the global positively affect LACRO’s information security stature. “US financial institutions average (35%). LACRO’s repeated breaches are slightly higher than the hit by 78 reported data global average, but if LACRO continues to do what it is breaches last year”, doing, there is every indication that this situation will Finextra.com, retrieved from resolve itself. http://www.finextra.com/ fullstory.asp?id=19525 on January 15, 2009. 8
  • 11. Key findings of the survey 1. Top five security initiatives: two familiar faces This shift reflects the effect of major media incidents, as and a newcomer well as the increasing proliferation of smaller yet In 2007, “identity and access management” and feature-rich mobile media and the potential they “security regulatory compliance,” were the top two present for data leakage. Since the focus of end-user security initiatives; in 2008 they have simply switched technology seems to be always toward smaller, thinner, places. Identity and access management are tied in lighter, with greater capacity and processing power, second place with a newcomer, “data protection and the protection of information on the move will be a information leakage,” which was not even in the top continuing focus for organizations. In addition, part of five in 2007. the increasing visibility of this issue is a result of new requirements around breaches – since organizations are The choice of security regulatory compliance as the top now required to report breaches, they now need to priority reflects the fact that many organizations are have the capability to identify them within a reasonable struggling with the right way to handle the multiple timeframe. Data leakage protection is the second most legal and regulatory requirements as well as those of cited technology being piloted by respondent auditors. As budgets get tighter, the focus is on how to organizations. All these factors mean that incident address compliance from a cost and risk perspective. reporting will become more accurate, increasing In other words, companies are trying to figure out how visibility and heightening awareness even further. to close the gaps with the highest risk, leverage solutions across multiple requirements, and streamline People continue to be an organization’s greatest asset reporting. Clearly, the ideal solution is one that is as well as its greatest risk. The economic turmoil in the sustainable and can accommodate increased regulation. U.S. – and its global repercussions – had not yet reached Although being compliant does not make an its peak when questions in this survey were posed to organization more secure, being more secure is likely to respondents. Organizations should remain aware of the make an organization compliant. effect that an unsettled financial environment can have on its workforce – employees may be disgruntled, Given the highly profiled rogue-trading and rogue IT worried, and otherwise distracted. In hard economic activities of this year, it is no surprise that identity and times, security vigilance is all-important. access management continue to be a top priority. A well regarded European financial services company, Identity theft, data loss, and information leakage are headquartered in France, announced at the beginning now a mainstream concern. Organizations recognize, of 2008 that the actions of a single futures trader had and try to offset, the human frailty of their workforces, led to losses of over US$7 billion dollars. The trader in who are more mobile, more flexible and more laden question had exceeded his authority by engaging in with technological tools than ever before. The focus is unauthorized trades totaling more than the bank’s now on education and access control as well as leakage entire market capitalization of US$52.6 billion. prevention tools. Balancing convenient access (both for customers and employees) with strong security will be an issue that Security infrastructure improvement moved into the top organizations must continue to deal with. five priorities in 2008. An incident that underscores the importance of security infrastructure improvement is the Although data protection and information leakage is a recent alleged highjacking of a major U.S. city network new top five initiative in our 2008 survey, it has already by one of its network administrators. The administrator been front and center for months. The worst credit card allegedly locked out the city from its FiberWAN network breach in history (which was not public information and then refused to hand over passwords to the Wide when respondents participated in 2007 security survey) Area Network system until his demands were met. brought data protection and information leakage into the foreground and put companies on notice. As with As tempting as it is to save money in hard economic previous years, the trend with security is less on times, security infrastructure short-cuts are not the way infrastructure and perimeter-strengthening and more on to do it. Attacks are bound to increase when preventing information from being leaked internally. organizations let their guard down with “cost saving” measures that don’t have adequate controls built in. Protecting what matters The 6th Annual Global Security Survey 9
  • 12. 2. The evolution of the CISO Taking its rightful spot in the top five responsibilities of In 2008, more organizations have a Chief Information the CISO is security incident response and management. Security Officer (CISO) than ever before (80% versus “Management” of incidents means not just reporting 75% in 2007), and 7% have more than one CISO. them but also debriefing management in a post The incidence of CISOs reporting to various positions mortem or root cause analysis to answer key questions within the C-suite is an increasing trend in 2008: such as, how could this have happened? and how 33% report to the CIO (31% in 2007), 11% report to could it have been avoided?. Effective incident response the CEO (9% in 2007) and 3% to the CSO (same as and subsequent demonstration of measures to avoid in 2007). reoccurrence is a sure-fire way to demonstrate alignment of security objectives with those of the The CISO role is now more focused on security business. governance, strategy and planning, internal security awareness, and incident response (in 2007 strategy and 3. The evolution of the information planning was first, followed by security governance and security function security implementation and integration). There is Every year the information security function continues greater evidence of gradual convergence via risk to evolve. The increasing use of risk councils, admittedly councils (47% combined versus 23% in 2007 report a small step toward total convergence, is evidence having gone through some form of convergence, of this. 19% via risk councils). Risk councils bring together various areas of the organization to discuss security and It is interesting to note that respondents state that the risk issues. These factors all appear to be positive for biggest barrier to information security is “budget the visibility and stature of the CISO role. constraints and lack of resources.” This is, no doubt, the prevailing lament of most functions, not just IT security, The majority of CISOs still report to the CIO (33%) or particularly in hard economic times. The fact that the to some other technical role: IT Executive (13%), CTO IT security function’s biggest barrier is now the universal (6%), CSO (3%). As much as CIOs are part of the complaint of most functions – and not the far more C-suite, this reporting relationship means that security ominous “lack of management support”, shows that is still projected as mainly an “IT issue.” It may mean the function is evolving in the right direction. that there is limited potential for greater visibility of information security outside IT, a circumstance that may Prioritization of initiatives, having a clear business case, support IT’s desire for potential integration with other articulating the need for, and the impact of, security key functions. will now be reality for security functions, just as it has been for the rest of IT and the rest of the business for What is interesting is that as the CISO role is becoming some time. more focused on security governance (87%), strategy and planning (80%), internal security awareness (73%) Another key driver of the evolution of the security and incident response (62%), the CISO focus moves function is regulation. As the Enterprise Risk away from traditional areas such as web customers’ Management (ERM) practices of the organization grow administration, external security awareness and disaster increasingly important – Standard & Poor’s recently recovery planning, and the protection of paper-based announced that they will review the quality of ERM as information. In 2008, although more and more a new component in their reviews of credit ratings*, information is being created in electronic format, paper the information security function must have a security is still the most prevalent medium for information, e.g., reporting structure that reflects its importance to the mortgage records in branches, banking information, compliance of the organization. * BusinessFinanceMag.com, “S&P Rolls Out ERM etc. However, that finding does not necessarily mean Review”, by John that the CISO is neglecting this area of responsibility – The percentage of respondents who indicate that their Cummings, May 13, 2008. the emergence of risk councils may well mean that, CISO reports to a security committee has risen in 2008 Retrieved from http://businessfinancemag. although security operations may be migrating to other (9%) compared to 2007 (5%). Nevertheless, this com/article/sp-rolls-out- areas of the organization, the CISO, as part of the risk percentage is still low and does not fully represent the erm-review-0513 on council, remains informed. governance potential of security committees. December 08, 2008. 10
  • 13. A security committee is typically made up of 5. Identity and access management representatives of functions from across the “Identity and access management” was the number organization and allows the security function to one initiative that respondents mentioned in 2007 increase its visibility across business lines and functions survey; in 2008, it is number two. We expect that it will and better align itself with the strategic priorities of the remain in front for years to come. The reason is organization. because the identity and access management onslaught to the organization continues from all sides. There is 4. The information security strategy increasing regulation. There are increasing industry Respondents indicate that 61% of organizations have a guidelines. There are more mobile workers than ever security strategy and 21% have one in draft form. But before using more devices than ever before, such as what is important is not just that a strategy exists in BlackBerrys, PDAs, laptops, and iPhones. There are more document form but rather, how the document was suppliers, business partners, and other outsiders who created and how it is being used. For example, what need secure access to the organizations’ systems. level of input was sought from executives and business when the document was being created? Does the “Excessive access rights” was stated by respondents as organization use the document, i.e., embrace its the top “internal/external audit finding over the past policies? What was the quality of the input that formed 12 months.” “Unauthorized access to personal it? Has the strategy translated into benefits, such as information” was stated as the number one concern closer alignment with the business and positive from a privacy perspective. Identity and access feedback? Is there reporting on the effectiveness of the management must constantly be enhanced to reflect strategy? the state of flux. Future-state identity and access management will include enhancements such as an As they did in 2007, companies in 2008 still appear to automated process that gives out application access struggle with the definition of a security strategy and and then knows immediately when an employee has what the strategy should include. Essentially, an left the organization and revokes that access; employee information security strategy is a plan as to how the identities that are synchronized across all systems; a organization can mitigate risks while complying with system that, instead of simply verifying who has a valid legal, statutory, contractual, and internally developed user name and password, also verifies whether the requirements. Yet only 63% of the respondents who person needs to be accessing what they are attempting maintain that their organizations have an information to access in the network. security strategy indicate that they have identified their information security strategy requirements. Only 45% Identity theft continues unabated in 2008. Those of have a people strategy, which is low given that many us who believe that we are on to the tricks of identity face issues with finding qualified resources. Only 40% theft scammers and already take the utmost have included metrics and performance management, precautions could be unpleasantly surprised by the which are needed to help ensure that what is being sophistication of upcoming scams. The good news is done is meeting the expectations of business. And only that there is now improved communication among 63% indicate that they have aligned their strategic businesses, consumers, and law enforcement as to objectives with the organization. Until these areas are causes and possible solutions to reduce identity theft addressed, and information security strategy becomes crimes. The level of awareness on the part of thoroughly understood and commonplace, puzzling consumers grows every day. Organizations are discrepancies will continue to surface. deploying and piloting an increasing array of new technology. Security log and event management systems are, according to respondents, one of the key technologies being piloted over the next 12 months. Protecting what matters The 6th Annual Global Security Survey 11
  • 14. Governance Presence of a defined information governance framework (%) Governance framework Organizations clearly recognize the link between strong Yes security governance and effective information security – governance for security is one of the top five security initiatives in 2008. In 2007, organizations also appeared Yes, but in draft form to recognize the importance of an established Intend to have governance framework – 81% of respondents indicated within 12 months that they had one. In 2008, however, that number dropped significantly to 69%. Does this mean that Intend to have within 24 months organizations are attributing less importance to the governance framework in 2008? This is unlikely, given No the position of governance in the top five security initiatives. It is more probably a case of “a little 0 20 40 60 80 100 knowledge is a dangerous thing.” As organizations become more security savvy and more informed, they 2008 2007 recognize that an established governance framework is key to guiding the development and maintenance of a comprehensive information security program, and what they considered to be a framework in the past did not meet the definition of an effective governance framework. 12
  • 15. Reporting Top direct reporting links (%) Eighty percent of respondents in 2008 indicate having a CISO or equivalent position on their corporate roster, CIO and 7% have even more than one. The top four positions to whom the CISO reports – the CIO, the Board of Directors Board of Directors, IT Executive, and the CEO – either IT Executive show a slight increase from 2007 or remain the same in 2008, indicating that the CISO role shows no signs of CEO moving away from reporting to the C-suite. By far, the majority of CISOs report to the CIO, Security Committee unchanged for the last three years of this survey. CRO The CISOs still report in aggregate (50%) to predominantly IT-related positions: CIO, CTO, and IT CTO Executive. The reality remains that the CISO position is still considered to fulfill a predominantly IT role. COO General Counsel In 2008, more CISOs report to a Security Committee, the fifth most-mentioned reporting line after the CIO, CSO the Board of Directors, IT Executive, and the CEO. The greatest number of respondents indicate that the CFO top indirect reporting position for CISOs is the Board of 0 5 10 15 20 25 30 35 Directors, demonstrating that, just as it was in 2007, the issue of information security remains a C-suite and 2008 2007 board-level concern. Top indirect reporting links (%) Board of Directors Security Committee CIO CEO Internal Audit CRO CTO CFO General Counsel COO 0 1 2 3 4 5 6 7 8 2008 Protecting what matters The 6th Annual Global Security Survey 13
  • 16. What the CISO is responsible for? Top functions of CISO (%) Top functions Survey respondents indicate that the CISO’s primary Security governance responsibilities are security governance, strategy and planning, internal security awareness, security incident Security strategy and planning response and management, as well as security assessments (all rating at least 60%, with security Internal security awareness governance as high as 87%). Respondents indicate that Security incident response and management CISOs are least responsible for areas such as web Security assessments customers’ administration, external security awareness, disaster recovery planning, and the protection of paper- Vulnerability and threat based information (all ratings less than 40%). management Security implementation and integration These findings do not mean that these latter areas are being necessarily neglected. For example, respondents Security architecture indicate that the CISO is more concerned with internal IT risk management security awareness (73%) than with external awareness Identity and access (31%). This supports findings later in this survey that management the internal workforce is an organization’s biggest Security administration worry (36%) versus outsiders (13%). It is natural, then, that the CISO would focus on the areas of most Security training concern. In addition, the emergence of risk councils Security consulting may indicate that, while security operations are being handled by other areas of the organization, the CISO, Security investigations as a member of the risk council, is still involved. IT compliance management This year, respondents indicate that IT compliance Third-party security management (at 48%) is part of the responsibility of the CISO. This is an important responsibility, given that IT perimeter security organizations have identified security regulatory Security employees/ compliance as their primary security initiative in 2008. users administration Security operations Computer forensics Privacy Business continuity management Security performance management Disaster recovery planning External customers’ security awareness Interaction with law enforcement authorities Security web customers’ administration Physical security 0 20 40 60 80 100 Due to an expanded question set this year, responses that do not show comparisons to last year indicate that data was not 2008 2007 collected for that question last year. 14
  • 17. Information assets Information assets the CISO is responsible for (%) Respondents indicate that the CISO’s chief responsibilities are networks, servers, desktops, and Networks laptops. There is nothing surprising about this finding; it is the lower end of the chart that is more interesting. Servers Only 45% of respondents include paper documents in the CISO’s mandate. Digital perimeter of the Desktops organization (69%), data repositories (68%), mobile storage devices (68%), and mobile communication Laptops devices (61%) also seem to be underrepresented. In many instances, some of these information assets Applications (e.g., paper documents, data repositories) have not Digital perimeter of traditionally been included within the CISO’s mandate. the organization However, as more organizations continue to expand Data repositories their information security functions to include IT Risk Mobile storage Management, and as the respective leaders continue to devices adopt titles such as Information Security Officers, the Mobile communication question remains – are all information assets being devices appropriately managed? Paper documents Convergence between logical and 0 20 40 60 80 100 physical security As they did in 2007 (66%), a large number of respondents in 2008 (44%) indicate that there are no Covergence between logical and physical security (%) plans for their organizations to converge logical and physical security. However, convergence may typically Yes – through structural (physical and be viewed by respondents as an “all or nothing” information security) convergence situation when, in fact, like any shift in thinking, small Yes – physical and information security remain as seprate functions yet steps are required to move toward embracing the idea. report into one common executive These small steps were implied in the responses in 2008 Yes – through the formation of and include information sharing through means such as risk councils risk councils (19%), common executives for separate Intend to within 12 months functions (17%), and structural convergence for better coordination (11%), all evidence that convergence is Intend to within 24 months gaining some traction. Geographically, respondents in No EMEA, APAC, and Japan indicate the least resistance to convergence while those in North America and LACRO 0 10 20 30 40 50 indicate the greatest. A greater number of respondents in 2008 state their intention to converge within 24 months. The reality is that while structural convergence of logical and physical security represents a radical change to the traditional structure of an organization, the survey indicates that there is a shift in thinking around the idea of convergence. Protecting what matters The 6th Annual Global Security Survey 15
  • 18. Number of information security professionals Full-time employees The majority of respondents indicate that their security FTEs* inside security function organizations have 1 to 50 FTEs (including all 0 4% categories: internal, external, and outsourced/ 1 to 50 85% consultants). Thirty five percent of respondents indicate that their organizations do not have outsourced 51 to 100 6% information security FTEs at all. In 2008, there is a slight 101 to 150 2% increase in the number of respondents who indicate FTEs outside security function that their organizations “added resources” (45% in 0 33% 2007 versus 48% in 2008). It is likely that this upward trend has been interrupted by the current economic 1 to 50 50% crisis, which, at the time these questions were posed 51 to 100 2% to respondents, had not reached its peak and continues 101 to 150 1% to unfold. Over 400 4% Outsourced/consultants FTEs Capability of security personnel In response to the statement, “the organization has all 0 35% the required competencies to respond effectively and 1 to 50 52% efficiently to existing and foreseeable security 51 to 100 2% requirements” the number of respondents who agree (34%) is relatively low. Although it is up from 2007 *FTE – full-time employee (30%), the difference is perhaps too small to conclude an upward trend. There is a similar gain over 2007 when respondents rate the statement, “the Capability of security personnel (%) organization is missing competencies but is adequately closing the gap” (36% in 2008 compared to 31% in Organization has all the required competencies 2007). The good news here is that, despite the to respond effectively increasing sophistication of security threats, the and efficiently competencies required to respond effectively (or to adequately close the gap) are increasing. Organization is missing competencies but is adequately closing the gap Organization has large gaps in competencies Staff supplementation or outsourcing is being used 0 5 10 15 20 25 30 35 40 2008 2007 16
  • 19. Defined information security strategy Presence of a defined information security strategy (%) Respondents indicate that the presence of a defined information security strategy has not changed appreciably from last year (61% in 2008; 63% in 2007). Yes, formally documented There is also very little change in those who have one in draft form (21% in 2008; 23% in 2007) and no change in those who intend to have one in 12 months (10% both in 2008 and 2007). Yes, in draft form Level of involvement in information security strategy In just about every area regarding the information Intend to have within 12 months security strategy – providing input, approving it, and embracing it – functional executives and business lines have more involvement than they did in 2007. The biggest gains over last year come in the area of No input to the security strategy (58% for business lines and 52% for functional executives in 2008 versus 39% combined in 2007) and in the area of buy-in or 0 10 20 30 40 50 60 70 80 embracing it (26% and 23% in 2008 versus only 2008 2007 10% combined in 2007). Business lines and functional executives are now more likely to approve information for the security strategy (33% and 46% in 2008 versus Level of involvement in information security strategy (%) 27% combined in 2007). Even though the presence of the information security strategy, either formally documented or in draft form, remains relatively Approve information security strategy unchanged from 2007, what has changed is the level of involvement with it on the part of functional executives and business lines. Why did it happen? One of the Embrace security strategy possible explanations is that functional executives and business lines are taking an extra step to correct increased perceived misalignment of business and Lead security strategy information security initiatives. Increased executive involvement is a good thing for security function, as it is likely to increase chances of information security projects to get funding and ultimately succeed. Provide input Not involved 0 10 20 30 40 50 60 Business lines Functional executives Protecting what matters The 6th Annual Global Security Survey 17
  • 20. Top security initiatives Major barriers to information security It is no surprise that security regulatory compliance is Not surprisingly, budget constraints and the increasing the top security initiative. Organizations still grapple sophistication of threats occupy the first two spots in with how to handle legal, regulatory, and auditor 2008 (56% and 38%, respectively). Further, when the requirements. There is the growing understanding that majority of questions in this survey were answered, compliance and risk management processes have a respondents had not yet felt the full force of the current direct effect on stock price. Standard & Poor’s recently economic woes. announced that they will review the quality of enterprise risk management (ERM) as a new component Surprisingly, “increasing sophistication of threats” was in their reviews of credit ratings for all listed seen as less of a barrier in 2008 (38%) than in 2007 companies.* This development means a significant (49%). This result may well indicate that organizations change in business leadership and performance are being better prepared to deal with them, management. attributable to the more widespread use of antiviruses and other security technologies. In addition, emerging In 2008, data protection and information leakage – not technologies are also seen as less of a barrier in 2008 even in the top five in 2007 – tied with the second (27%) than they were in 2007 (36%). This may be due place priority, identity and access management. This is to the fact that as respondents become more familiar understandable, given the incidents that have attracted with the platforms of emerging technology, they feel media attention over the last year, including the largest that it is less of a barrier each year. hacking and identity theft case ever prosecuted by the U.S. Department of Justice. The targeted retail group Predictably, lack of management support, a major admitted that some of their files were encrypted and lament in the early years of this survey, is far down the some were not; the same applied to their data list of barriers in 2008 (only 15%). transmissions. But it would not have mattered anyway since the decryption tool was allegedly stored in the Return on information security investments same location as the files, a common mistake according Respondents indicate that there is essentially, little, to industry analysts. if any, measurement of return on information security investment. This may well be a factor of the speed at The spate of high-profile vulnerabilities in the form of which information security needs to move and the high-capacity storage devices, such as USB keys or MP3 agility that is required when threats warrant it. players and the growing popularity of social networking Measuring return on security investment becomes a sites, such as Facebook and MySpace, continue to make relatively low priority when the first priority is to quickly data protection ever-more challenging. These mechanisms thwart hackers at their own game and by whatever introduce opportunities to steal identities and gain means are necessary. While 23% are working on access to confidential information. Since high-profile establishing formal metrics (down from 34% in 2007), vulnerabilities will continue to profligate, this aspect the overwhelming majority (62%) are split between of information security will continue to grow in “do not measure” and “little, if any, measurement.” importance as an initiative. However, the measurement of return on information security investments is a key factor in engaging C-suite executives for the necessary support and funding. Given the economic conditions, it is important to be able to justify the prioritization of initiatives. * BusinessFinanceMag.com, “S&P Rolls Out ERM Review”, by John Cummings, May 13, 2008. Retrieved from http://businessfinance mag.com/article/sp-rolls- out-erm-review-0513 on December 08, 2008. 18
  • 21. Top five security initiatives of 2008 (%) Security regulatory compliance Access and identity management Data protection and information leakage Security infrastructure improvement Governance for security 0 10 20 30 40 50 60 2008 2007 Major barriers in ensuring information security (%) Budget constraints and/ or lack of resources Increasing sophistication of threats Emerging technologies Inadequate availability of security professionals Privacy issues and concerns Inadequate availability, functionality and/or interoperability of security products Lack of information security strategy Lack of management support 0 10 20 30 40 50 60 2008 2007 Protecting what matters The 6th Annual Global Security Survey 19
  • 22. Reporting on information security status A more encouraging sign would be that monthly or security incidents (scheduled) reporting is in the second place for Board of Respondents indicate that reporting to the Board of Directors, CEO, and in the first place for senior and Directors, the Audit Committee, and the CEO is most executive management. Moreover, monthly reporting to frequently on an ad hoc basis, i.e., information senior and executive management (at 30%) is higher reporting is not scheduled and, therefore, does not than ad hoc reporting to all other areas. likely feed into business reporting. Frequency of reporting on information security status or security incidents Senior and Board of Audit Executive Directors Committee CEO Management Weekly 2% 0% 2% 5% Monthly 19% 13% 20% 30% Quarterly 19% 19% 19% 17% Semi-annually 7% 7% 4% 3% Annually 11% 13% 6% 3% Ad hoc 19% 24% 23% 24% Never 10% 12% 9% 3% Only when an incident occurs 9% 8% 11% 12% Choose not to be informed 0% 0% 1% 0% 20
  • 23. Information security model structure Access control compliance with procedures ties with The biggest increase from 2007 in information security segregation of duties (30%) as the second most structure is the rise of the federated model (where a prevalent audit finding. Access and control compliance centralized group sets common standards and performs reflects the security concern of many organizations of central functions while the business units maintain having controls in place to ensure users have access some control over “local” execution). The federated only to what they need to properly do their jobs. model is a hybrid of centralized and decentralized, Auditors look for conflicts in segregation of duties in employing the best characteristics of both. Twenty two which one individual has access to responsibilities that percent of respondents in 2008 versus 13% in 2007 are inherently in conflict with one another. To use a stated that they followed the federated model. In an banking example, the same person should not accept age of increasing regulation and oversight, it is cash, record deposits, make deposits, and reconcile the understandable that the decentralized model is losing account. It is a lack of segregation of duties that allows ground. Predictably, the centralized model remains the some individuals to circumvent intended controls. traditional structure. Internal/external audit findings Information security model structure (%) The most prevalent internal/external audit findings in the 2008 survey also reflect organizations’ top security initiatives, a good sign that there is little confusion as to Centralized what is a priority. Excessive access rights as the most prevalent audit finding, followed by access control compliance with procedures and segregation of duties, all reflect organizations’ concern about identity and Federated access management, compliance, and data leakage protection. These top three findings in 2008 were also the top Decentralized three findings in 2007. Excessive access rights is cited by 31% of respondents, compared to 45% in 2007; access control and compliance with procedures is cited by 30% of respondents in 2008, compared to 29% in Other 2007; and segregation of duties ties with access control and compliance in 2008 (30%) compared to 35% in 2007. 0 10 20 30 40 50 60 70 80 2008 2007 Excessive access rights is likely to be an important topic for some time. Auditors and regulators expect that individuals will have rights only to the data/information that are needed to perform their jobs. And when those rights are no longer needed to perform the job, they also expect the rights to be revoked. And “revoked” does not just mean at some point in the future – it means in a timely fashion. As simple as this sounds in theory, in practice, it is not. Given changing job responsibilities, a more mobile workforce, employee turnover, and corporate reorganizations and mergers, this is a tall order. Protecting what matters The 6th Annual Global Security Survey 21
  • 24. Top internal/external audit findings over the past 12 months (%) Excessive access rights Segregation of duties Access control compliance with procedures Lack of audit trails/logging Lack of documentation of controls Excessive developers’ access to production systems and data Lack of review of audit trails Lack of clean-up of access rules following a transfer or termination Use of production data in testing DRP/BCP testing DRP/BCP documentation/currency Lack of documented security policies and supporting guidelines and procedures Servers not hardened consistent with the standards Lack of security awareness programs Lack of separate testing environment Use of weak password parameters Lack of server hardening standards Lack of authorization of changes prior to implementation 0 10 20 30 40 50 2008 2007 22
  • 25. Investment in information security Percentage of IT budget dedicated to information security (%) Percentage of IT budget dedicated to information security The percentage of IT budget dedicated to information 1 to 3% security has not changed appreciably from 2007. The lowest percentage of IT budget (1% to 3%) remains the dominant category (29%). The situation is 4 to 6% unlikely to change in the coming years – security technologies have moved into the mainstream, and all participants benefit from the effects of scale, which 7 to 9% drive down the costs. While changes in regulations might demand new investments, keeping the infrastructure and technologies that are already in place 10 to 11% up-to-date is a less expensive task than building everything from ground up. Increased automation will also help to ease the burden of security costs to global financial institutions. Greater than 11% The year-over-year trending for the security budget 0 5 10 15 20 25 30 supports these numbers. Eight percent of respondents have had their security budgets reduced in 2008. Year-over-year trending in information security budgets (%) Twenty nine percent of respondents in 2007 reported a security budget increase of over 15%; in 2008 their number dropped to 8%. Less than 0% (i.e., budget has been reduced) Increase of 1%-5% Increase of 6%-10% Increase of 11%-15% Increase of greater than 15% 0 5 10 15 20 25 30 35 40 Protecting what matters The 6th Annual Global Security Survey 23
  • 26. Additional information security funding (%) IT function Project sponsors Lines of business Risk function Compliance/regulatory function Information security budget is the only source Human resources function Legal function Finance function Marketing function Do not have an information security budget 0 10 20 30 40 50 By far, the biggest source of additional funding over and above the IT budget comes from the IT function (49%). 24
  • 27. Expenditures on information security Expenditures on information security (%) Respondents in 2008 indicate a decrease in “On plan” and an increase in “Falling behind,” a clear trend that projects are underfunded. This finding supports the Ahead of requirements reasons cited for “causes of project failure” (lack of resources) and “major barriers to information security” (budget constraints). On plan What is covered under information security budget The most striking observation about what is covered under the information security budget is that key Catching up initiatives in 2007 – business continuity management and disaster recovery – have not only dropped out of the top five in 2008 but they are well down the list. They are low on the list of funding priorities as well. Falling behind The top areas – consultants, access control products, and infrastructure protection devices – are all consistent 0 10 20 30 40 50 with the top stated security initiatives for 2007. 2008 2007 Information security budget segmentation (%) Security consultants Logical access control products Infrastructure protection devices/ products Awareness/communication costs Desktop and gateway antivirus, etc. Hardware and infrastructure Personnel and organizational costs Compliance and risk management Incident response Disaster recovery planning Security research and development Business continuity management Studies/research costs Audit or certification costs Physical access control Insurance costs 0 10 20 30 40 50 60 70 2008 Protecting what matters The 6th Annual Global Security Survey 25
  • 28. Major causes of failure of information security projects (%) Causes of information security project failure “Lack of resources” is cited as the number one cause of Lack of resources information security project failure. This is consistent with an earlier observation that budget restraints are Shifting priorities the biggest barrier to information security. Despite the stated lack of resources – human nature being what it Integration problems is, this will likely be an ongoing lament – there is some very good news here. “Shifting priorities” has fallen Lack of business rather dramatically from the previous year (48% in 2007 owners’ support to 27% in 2008) indicating that organizations are Unrealistic expectations identifying, communicating, and agreeing upon priorities. Lack of executive support As to whether the information security function is Lack of ability to meeting the needs of the organization, the “somewhat effectively execute effective” category and the “very effective” category Lack of competencies/ have both lost ground over the year. This is likely a capabilities reflection of the fact that as threats increase in 0 10 20 30 40 50 sophistication (more sophisticated in 2008 than ever before), organizations struggle to keep up with them. 2008 2007 How information security meets the needs of an organization (%) 80 70 60 50 40 30 20 10 0 Very effective Somewhat effective Ineffective 2008 2007 26
  • 29. Alignment of business and security initiatives Alignment of business and information security initiatives (%) Responses to this category, possibly more than any 60 other, reflect the stature of information security within the organization, i.e., when business and security 50 initiatives are aligned, IT security will be recognized for its true value and will have come full circle. It is 40 somewhat discouraging that there is a slight drop from last year in the assessment that business and security 30 initiatives are “appropriately aligned” (32% in 2008; 38% in 2007) and “not at all aligned” (5% in 2008; 20 6% in 2007). The good news is that the perception that 10 business and security objectives are “somewhat aligned” appears to be growing (58% in 2008; 56% 0 in 2007). Appropriately aligned Somewhat aligned Not aligned 2008 2007 When business and security initiatives are aligned, IT security will be recognized for its true value and will have come full circle. Protecting what matters The 6th Annual Global Security Survey 27
  • 30. Risk Risk tolerance Application security and privacy as part of the When asked about their organization’s risk tolerance, software development lifecycle respondents indicate that their tolerance for risk may be Approximately the same number of respondents as in growing. For example, in 2007, 41% of respondents 2007 and the greatest percentage (46%) indicate that indicated that they were content “to take the same risk application security and privacy as part of the software as the rest of the industry”; in 2008, that number has development lifecycle varies from project to project fallen to 27% and the statement “…take more risk indicating, therefore, that it is not standard procedure compared to the industry and have a lower cost” has for all software development. While it might be grown by 5%. However, a large percentage (18% in reasonable for mature financial institutions to conduct 2008 and 19% in 2007) indicate that they “do not their own risk-benefit analysis and determine the level compare” and 10% have “no empirical data available”: of due diligence required for each particular software development project, an alarming 14% of respondents • To take more risk compared to the industry and have indicate that incorporating security and privacy as part a lower cost – 11% (6% in 2007). of the software development life cycle is an afterthought for them: • To take the same risk as the rest of the industry – 27% (41% in 2007). • Incorporated in software development lifecycle – 31% (37% in 2007). • To take lesser risk compared to the industry, even at a higher cost – 24% (20% in 2007). • Varies from project to project – 46% (49% in 2007). • We do not compare – 18% (19% in 2007). • In most cases it is an afterthought – 14% (14% in 2007). • No empirical data available – 10% (14% in 2007). 28