Friday, October 16, 2009

Information Security Function "Protected" in Economic Crisis: PricewaterhouseCoopers/CIO/CSO Magazine’s Global State of Information Security Survey

According to the 7th annual Global State of Information Security Survey® 2010, released today, six out of ten respondents (63 percent) expect spending to either increase or stay the same – in spite of the worst economic downturn in decades – or perhaps because of it. The study, the largest of its kind, is conducted by PricewaterhouseCoopers LLP (PwC) in conjunction with CIO and CSO magazines. More than 7,200 executives from 130 countries across all industries were asked about their information security expectations. The results demonstrate that global leaders appear to be “protecting” the information function from budget cuts – but at the same time are placing it under intensive pressure to “perform.”

“The increased risk environment has visibly elevated the role and importance of the information security function to the entire business organization,” says Mark Lobel, an Advisory principal at PricewaterhouseCoopers. “After years of misalignment, business and IT leaders seem to be starting to think like each other. This year, as we move from 2009 to 2010, may turn out to be a high-stakes ‘coming of age’.”

The Global State of Information Security Survey® 2010 shows that across industries and from the private to the public sector, the downturn has had a major impact on security spending. A few key industry trends from this year’s survey include:

Financial Services

  • This year, fewer financial services respondents predict spending will increase (40 percent in 2009; 46 percent in 2008) yet two-thirds (64 percent) expect spending to either increase or stay the same.
  • For the first time in the history of this survey, the majority of metrics used to track advances in security-related capabilities across all major security domains (strategy, structure, people, process and technology) have, by and large, not improved for the financial services industry.
  • Seventy-five percent of financial services respondents have an overall information security strategy in place, compared to 74 percent in 2008.
  • Fifty-nine percent of financial services respondents report they conduct threat and vulnerability assessments (unchanged from 2008).
  • Also unchanged from 2008 - 61 percent of financial services respondents require employees to complete training on privacy policies/practices.

“It’s hard to avoid the conclusion that the economic ‘freight train’ has impacted financial services companies more than those in any other industry – and largely stopped the global financial services industry’s multi-year investment in security capabilities effectively, if temporarily this year, ‘in its tracks’,” points out Lobel.

Health Industries

A key priority this year will be addressing a global trend in stiffer requirements for breach notification and specific technical controls.

More than 6 out of 10 provider respondents (61 percent) report that their organization does not have an incident response policy to report and handle breaches with third parties handling data.

As many countries address the security implications of electronic health record policies, U.S. providers need to address the HITECH Act.

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA"). Part of the ARRA, the HITECH Act strengthens and expands the scope of the HIPAA privacy and security rules.

As complexity and regulation increase within the industry - with heightened penalties and disclosure requirements for breaches and missteps - U.S. providers will need to understand the financial and operational implications for their organization.

Utilities

Reported incident type levels have declined across all elements, except one: the exploitation of data is now the leading type of incident.

Utility companies have advanced their security and privacy capabilities in the past year in areas including strategy, security leadership, privacy-related assessments, and integration.

Public Sector

Today a new generation of government employees is accessing social networks from work in great numbers, often without the knowledge of the IT department – and in circumvention of the traditional countermeasures employed by many. Some organizations have moved quickly to close this gap – but most need to do more – only 35 percent of government agencies have security technologies in place that support Web 2.0 exchanges.

In the U.S., advancing cyber security and private/public partnerships are additional emerging priorities.

While the “full damage report” for 2009 is not yet clear, the survey finds that business impacts such as financial losses, compromises to brand or reputation, and loss of shareholder value, have increased.

Global Trends

The survey reveals that North American and Asian security practices are no longer on par with one another, as was reported in last year’s survey. Asian respondents are far more likely than their North American colleagues to estimate that spending on security over the next year will either increase or stay the same (73 percent vs. 59 percent). South America also shows advances this year – 81 percent of respondents report they will increase spending or stay the same compared with 50 percent in Europe.

The study reveals that information security is a priority for organizations in China. More than 8 out of every 10 Chinese respondents expect information security spending to either increase or stay the same over the next 12 months – a higher score than nearly every other country in the world.

“As China muscles its way through the economic downturn, its security capabilities have stepped nimbly ahead of India’s – in a dramatic shift from last year’s trend – and, in the same one-year sweep, ahead of those in the U.S. and most of the world,” says Bob Bragdon, Publisher, CSO.

Looking Ahead

Survey results reveal that companies are placing high expectations on initiatives that take a strategic, risk-based approach. “This year, the message isn’t new or different. It’s just more urgent,” suggests Lobel. Organizations that want to “get it right” should be focusing on the following key issues:

Protecting data elements - a top priority

The number of respondents who say their organization has a data loss prevention (DLP) capability in place has leapt this year – from 29 percent in 2008 to 44 percent in 2009.

Addressing the risks associated with social networking

Four out of every ten respondents report that their organization has security technologies that support Web 2.0 exchanges, such as social networks, blogs, and wikis.

Cloud computing is “on the table”

While IT virtualization is a growing priority, only one out of every two respondents believes that it improves information security.

Lobel emphasizes, “If 2010 proves to be a ‘trial by fire’, these strategies will be enormously valuable – not just in limiting damages to assets and reputations and mitigating risks but also in positioning companies for the recovery period and stronger business performance in the years ahead.”

To learn more about the survey, including industry specific highlights and further regional information, please visit www.pwc.com/giss2010.

METHODOLOGY

The Global State of Information Security 2010 is a worldwide security survey by PricewaterhouseCoopers, CIO magazine and CSO magazine. It was conducted online from April 22 to June 15, 2009. Readers of CIO and CSO magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,200 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 130 countries. Thirty-one percent (31%) of respondents were from North America, 27% from Asia, 26% from Europe, 14% from South America, and 2% from the Middle East and South Africa. The margin of error is ±1%.

About CIO and CSO Magazines

CIO and CSO magazines are published by CXO Media Inc., producer of award-winning media properties, executive programs and the CIO Executive Council for corporate officers who use technology and security to thrive and prosper in this new era of business. The CIO portfolio includes CIO.com, CIO magazine (launched in 1987), CIO Executive Programs and the CIO Executive Council. CIO properties provide business technology leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. The U.S. edition of the magazine and website are recipients of more than 200 awards to date, including the Top B-to-B magazine since 2000 from American Society of Business Publication Editors, two Grand Neals from the Jesse H. Neal National Business Journalism Awards and two Magazine of the Year awards from the National Society of Business Publication Editors.

Launched in 2002, the CSO portfolio includes CSOonline.com, CSO magazine and CSO Executive Programs. The properties provide chief security officers (CSOs) in the public and private sectors with analysis and insight on security trends and a keen understanding of how to develop and implement successful strategies to secure all business assets—from people to information and financial value to physical infrastructure. The U.S. edition of the magazine and website are the recipients of more than 100 awards to date, including the Top B-to-B magazine since 2000 and Magazine of the Year award from the American Society of Business Publication Editors as well as the Grand Neal from the Jesse H. Neal National Business Journalism Awards. CXO Media is a subsidiary of International Data Group (IDG).

About PricewaterhouseCoopers' Advisory Practice

PricewaterhouseCoopers' business advisory professionals provide clients with the confidence to succeed by helping them anticipate, create and manage change. Whether clients are proactively implementing change or reacting to an unplanned event, we leverage our network's resources, deep industry experience, and functional acumen across the areas of operations, finance, organizational strategy and structure, process improvement, human resources effectiveness, technology integration and implementation, risk mitigation and crisis management to help organizations effect sustainable change.

About PricewaterhouseCoopers

PricewaterhouseCoopers provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 163,000 people in 151 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.
