March 17, 2008
Research: IT security maturing, but misaligned
Many organizations are doing a better job of creating and managing their IT security programs, but survey results highlight a continued disconnect between security shops and the line-of-business teams they support, according to a new research report published by PricewaterhouseCoopers and several IDG magazines and detailed at the ongoing CSO Perspectives Conference in Atlanta.
Based on the results of the fifth annual Global State of Information Security report, produced by PwC and InfoWorld sister publications CSO magazine and CIO magazine, most of the 7,200 organizations surveyed for the research showed signs of improving their overall security standing.
If one major problem was exposed by the report, however, it was that security departments often fail to communicate sufficiently with the business people they interact with, researchers said.
That lack of discourse, and of a common understanding of the security team's larger goals among rank-and-file business workers, cuts into the ability of CIOs and other project leaders to do everything from engendering stronger data protection to gaining funding, said Mark Lobel, chief information security architect at PwC.
"This idea of misalignment and opportunity for better [communication] between security and business workers is one of the top themes coming out of the data," Lobel said. "If senior executives don't understand where funding is coming from, if they don't know who is in charge, that's going to hurt your efforts in the long run."
Perceptions of why companies should spend money on security have changed, though, Lobel said.
With 60 percent of the CEOs responding to the survey, along with 75 percent of the chief information officers, naming business continuity as their top driver for security and compliance spending, the idea that security is all about defending perimeters has shifted, Lobel said.
Some 40 percent of the CEOs named the protection of corporate reputation as a top motivation for increasing their attention to security, while 50 percent of CIOs agreed.
Pointing to compliance requirements is no longer the leading justification for security spending, with less than 10 percent of either group identifying regulatory action as the best reason for opening their wallets.
Meanwhile, over 20 percent of CEOs cited the protection of corporate finances as a motivating factor, along with 15 percent of CIOs. Defending company data was the top goal of over 20 percent of all CEOs and CIOs surveyed, while protecting IT operations was a leading reason for 45 percent of CEOs, and a whopping 75 percent of CIOs.
Overall, 40 percent of CEOs indicated that they plan to boost security spending this year, while 50 percent of CIOs are hoping for larger budgets.
In terms of perceived threats, the potential for insider attacks has clearly resonated with business leaders, with 48 percent of all respondents citing the issue as their primary concern, compared to only 33 percent in last year's report.
Meanwhile, 41 percent said they most fear external hackers, compared to 63 percent last year.
Lobel said the difference in results highlights a significant change in perceptions, driven largely by increased vigilance among IT security departments.
"People didn't get worse year-on-year, what changed in the environment over the last few years was the ability to monitor and detect," he said. "Because of compliance, we've put in controls that we never had before, and the survey points out that this is beginning to work, as we're finding and seeing things we never saw before."
There do remain weak points in many security operations, according to the research.
Over 50 percent of survey respondents indicated that they do not encrypt information on laptop computers, and only 22 percent said that they have hired a chief privacy officer.
Overall, however, the results show slow but steady maturing of IT security, he said.
Going forward, companies will be best served by spreading support for security and compliance operations across their workforce and by doing whatever they can to secure buy-in from top corporate officials, Lobel contends.
"What spending tells us is that security is splitting, we have multiple reporting lines and multiple masters, which makes sense," he said. "If we have all the management under IT, availability will be the primary concern, and we won't have segregation of duties to be objective, and people outside IT won't get cooperation and coordination they need. We need some sort of split, and support for security at senior executive levels outside of IT to review policies."
Posted by Matt Hines on March 17, 2008 04:38 PM