Just because there's a global economic crisis doesn't mean the security teams at the world's companies will be getting any kind of break in their work. According to PricewaterhouseCoopers' (New York) Global State of Information Security 2010 survey, information security executives are facing more challenges today than ever. Surprisingly, however, they are not being starved of the resources they need to keep company data safe.
PwC surveyed its own clients in 130 countries, plus the readers of CIO Magazine and CSO Magazine. It received responses from 7,200 executives, including those with the titles CEO, CFO, CIO, CSO, VP and director of IT and security. They were asked 40 questions on topics related to privacy and information security safeguards. Companies varied in size, with 32 percent having revenue of $500 million or more. Technology and financial services companies were the top two sectors in terms of survey participants, at 1,250 and 1,165 respondents, respectively.
Mark Lobel, a principal with PwC in its security practice, told attendees at a conference unveiling the survey results on Wednesday that he and his team weren't too optimistic about what they would find, given all the news of layoffs and budget cutbacks.
"When we set out to do this survey, we thought, 'This is going to get ugly,'" remarked Lobel. "But we were pleasantly surprised by the survey results. It turned out budgets were not that susceptible to cost cutting."
Even in this crisis, 38 percent of global companies said they still plan to increase their information security spending. A quarter said spending would remain the same. Only 12 percent said they would decrease spending here.
Still, companies are taking a cautious approach to this spending, as they are with spending in all areas these days. Forty-three percent of respondents said their companies are deferring security initiatives for capital expenditures, while 40 percent said they were deferring these initiatives for operating expenditures. However, these would be delays of less than six months for most of the respondents. Only 8 percent said the deferrals would drag on for a year or more.
For Lobel, this indicated a shift in companies' attitudes toward security—that they are finally starting to realize the importance of data protection.
"I believe that moving from 2009 to 2010 will be a coming of age for information security," he said.
Even so, information security executives are experiencing more pressure from the top to prove the value of their expenditures on security technology. There is pressure to perform like never before, noted Lobel. "Senior executives expect to see an impact from these investments," he said.
The survey also found a steady increase in security incidents from 2008 to 2009, with 35 percent of companies reporting 1 to 9 incidents, versus 30 percent last year. Also, data is the biggest target of cyber thieves: 23 percent this year, as opposed to 16 percent in 2008.
Although respondents said 33 percent of incidents occurred because of a current employee, 39 percent didn't know whether it was from the inside, a former employee or a hacker.
Lobel hinted, however, that there might be more news in the coming months of former employees getting desperate and taking revenge on their old employers by stealing data and endangering intellectual property.
But Lobel is heartened by the increase in knowledge companies are displaying around where the dangers are to their systems. He specifically cited financial services companies as being the frontrunners in terms of identifying the data element within the organization.
"We've seen financial institutions simplify their data classification policies and implement a DLP (data loss prevention program) where they focus on the data at rest," Lobel related.
Banks identify their data, clean it up and know what it is, where it is and how it needs to be protected. They do this for one area of the data and move on to the next, he said.
"The data element is an increasing target of attacks," Lobel said. "We're reaching the maturity we've sought here. It's no longer acceptable to reactively hear about a breach. Companies are increasingly becoming more proactive in looking for evidence of a breach before a third party tells them about it."
Returning to the leadership role financial services has shown in data security, Lobel pointed to another finding: although the downturn is a driver for companies' infosec spending, it had less of an impact on financial services than on other sectors (38 percent for financial services versus 43 percent for technology, 42 percent for healthcare and 41 percent for the retail industry).
"Financial services took the brunt of the hit by the crisis," Lobel noted, "but [FS respondents] said the downturn isn't driving their information security spending. This supports the idea of financial services being the benchmark for information security practices."