Trial by fire* Protected. But under pressure to perform

Transcription

1 Key findings from the 2010 Global State of Information Security Survey Technology Trial by fire* Protected. But under pressure to perform What global executives expect of information security In the middle of the world s worst economic downturn in thirty years October 2009 *connectedthinking PwC

2 This year, everything is different.

3 As in almost every industry, technology executives are cutting costs. Laying off personnel. And rejiggering spending priorities. Across the enterprise. Across all functions. Including, of course, information security and privacy protection. Or so we thought it safe to assume. That is, before the results of the 2010 Global Information Security Survey emerged. PricewaterhouseCoopers 3

4 What the survey reveals is surprising. Security budgets appear to be less vulnerable to cost-cutting as if executives were protecting them. Yet responses also reveal that security is under enormous pressure to perform. This year, moving from 2009 to 2010, may turn out to be a high-stakes coming of age. A litmus test for a multi-year investment. In the function itself. And in a new generation of security leaders. A trial by fire. PricewaterhouseCoopers 4

5 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 5

6 Section 1 Methodology A worldwide study The Global State of Information Security 2010, a worldwide study by PricewaterhouseCoopers, CIO Magazine and CSO Magazine, was conducted online from April 22 through June 15, PwC s 11 th year conducting the online survey, 7 th with CIO and CSO Magazines Readers of CIO and CSO Magazines and clients of PwC from 130 countries 7,200+ responses from CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and security More than 40 questions on topics related to privacy and information security safeguards Thirty-two percent (32%) from companies with revenue of $500 million+ Respondents from the technology industry total 1,250 PricewaterhouseCoopers 6

7 Section 1 Methodology Demographics Technology respondents by company revenue Technology respondents by segment Don't Know 15% Nonprofit/Gov. /Edu 2% Small (< $100M US) 37% Electronics, 11% Other, 9% Computer manufacturing, 12% Internet, 18% Large (> $1B US) 27% Medium ($100M - $1B US) 17% Software, 43% Networking, 3% Semiconductors, 4% Numbers reported may not reconcile exactly with raw data due to rounding PricewaterhouseCoopers 7

8 Section 1 Methodology Demographics Technology respondents by region of employment Technology respondents by title Middle East/Africa 2% North America 25% IT & Security (Other) 21% CISO/CSO/ CIO/CTO 8% CEO, CFO, COO 12% Asia 40% South America 15% Compliance /Risk / Privacy 4% IT & Security (Mgmt) 55% Europe 18% Numbers reported may not reconcile exactly with raw data due to rounding PricewaterhouseCoopers 8

9 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 9

10 Section 2 Spending: A decline in growth rate but a manifestly reluctant one This year, a new factor the economic downturn has shaken up the normal list of leading drivers of information security spending in the industry. And very nearly jumped to the top position. 50% 45% 45% 43% 40% 35% 30% 25% 20% 15% 10% 5% 37% 33% 0% Business continuity / disaster recovery Economic Downturn Internal policy compliance Company reputation Question 32: What business issues or factors are driving your information security spending? (Total does not add up to 100%) PricewaterhouseCoopers 10

11 Section 2 Spending: A decline in growth rate but a manifestly reluctant one Security spending is certainly under pressure. Fewer technology respondents expect spending will increase this coming year. Compared to last year, security spending over the next 12 months will But what we find most interesting is that almost 7 out of 10 (69%) expect spending to either increase or stay the same in spite of the worst economic downturn in decades. Or perhaps because of it. Increase Stay the same Decrease 4% 11% 25% 25% 44% 49% Don't know 20% 22% 0% 10% 20% 30% 40% 50% 60% PricewaterhouseCoopers 11

12 Section 2 Spending: A decline in growth rate but a manifestly reluctant one Is cancelling, deferring or downsizing security-related initiatives important? Absolutely according to 3 out of every 4 technology respondents... 90% 80% 70% 77% 75% 60% 50% 40% 30% 20% 10% 0% Yes for initiatives requiring Operating expenditures Yes for initiatives requiring Capital expenditures Question11: To continue meeting your security objectives in the context of these harsher economic realities, how important are the following strategies? (Respondents who answered Somewhat Important, Important, Very Important or Top Priority ) PricewaterhouseCoopers 12

13 Section 2 Spending: A decline in growth rate but a manifestly reluctant one But far fewer industry executives are acting on this and actually deferring or reducing budgets for security initiatives. Has your company deferred security initiatives? Yes For capital expenditures 47% For operating expenditures 46% Has your company reduced budgets for security initiatives? For capital expenditures 51% For operating expenditures 48% Yes PricewaterhouseCoopers 13

14 Section 2 Spending: A decline in growth rate but a manifestly reluctant one And among the half that are taking action, most are taking the least dramatic response either by deferring initiatives by less than 6 months or reducing spending by under 10%. Has your company deferred security initiatives? Yes By less than 6 months By 6 to 12 months By 1 year or more For capital expenditures 47% 28% 13% 6% For operating expenditures 46% 28% 13% 5% Has your company reduced budgets for security initiatives? Yes By under 10% By 10% to 19% By 20% or more For capital expenditures 51% 22% 17% 12% For operating expenditures 48% 19% 18% 11% In short, it appears that some industry executives are reluctant to cut too deeply into security and may, to some extent, be protecting this investment. PricewaterhouseCoopers 14

15 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 15

16 Section 3 Mounting pressure: Impacts of the economic downturn Although given a reprieve, of sorts, from the budget knife, the information security function is under pressure to perform. 70% 60% 50% 58% 54% 50% 49% 47% 40% 30% 20% 10% 0% Regulatory environment has become more complex and burdensome Cost reduction efforts make adequate security more difficult to achieve Risks to the company's data have increased due to employee layoffs Threats to the security of our information assets have increased Because our business partners have been weakened by the downturn, we face additional security risks Question 10: What impacts has the current economic downturn had on your company s security function? (Respondents who answered Agree or Strongly Agree ) PricewaterhouseCoopers 16

17 Section 3 Mounting pressure: Impacts of the economic downturn Technology respondents agree: Almost 6 out of 10 cite the elevated role and importance of the information security function 70% 60% 50% 58% 57% 54% 50% 49% 47% 40% 30% 20% 10% 0% Regulatory environment has become more complex and burdensome Cost reduction efforts make adequate security more difficult to achieve The increased risk environment has elevated the role and importance of the information security function Risks to the company's data have increased due to employee layoffs Threats to the security of our information assets have increased Because our business partners have been weakened by the downturn, we face additional security risks Question 10: What impacts has the current economic downturn had on your company s security function? (Respondents who answered Agree or Strongly Agree ) PricewaterhouseCoopers 17

18 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 18

19 Section 4 Breaches: Footsteps and fingerprints as visibility increases So, given the industry s concerns about the higher risks this year, has the number of incidents increased? Not necessarily. Yes, reported levels have increased in line with a year-afteryear decline in the number of technology respondents who don t know the answers to key incident-related questions. As visibility sharpens, incident counts rise. But actual incidents may not be growing. Yet. In fact, what s more interesting is what isn t showing up. If the downturn-driven, security-related risks that industry respondents are concerned about were fully reflected here, these numbers and the ones on the next three slides would be considerably higher. Number of security incidents No incidents occurred 20% 23% 17% From 1 to 9 incidents 27% 31% 40% From 10 to 50 incidents 7% 7% 11% More than 50 incidents 4% 5% 6% Don t know 42% 34% 26% PricewaterhouseCoopers 19

20 Section 4 Breaches: Footsteps and fingerprints as visibility increases The new visibility into incidents also extends to types of security incidents and reveals critical information Whether or not risks related to the economic downturn are showing up yet on the IT department s crisis list for the day, better visibility into incidents is revealing very important information: The impacts to data has surged over the past year- by almost 100%. And the exploitation of data is now the leading type of incident. #1 Types of security incidents Data exploited 17% 16% 29% Network exploited 22% 21% 27% System exploited 19% 17% 21% Application exploited 18% 21% 19% Device exploited NA 15% 18% Human exploited (Social engineering) 16% 16% 13% Unknown 46% 43% 33% (Does not add up to 100%) PricewaterhouseCoopers 20

21 Section 4 Breaches: Footsteps and fingerprints as visibility increases Likely sources of incidents As higher risks to security associated with layoffs and terminations begin to manifest themselves in terms of both actual incidents and perceptions of incident rates, we expect the response levels for former employees to rise. Likely source of incidents Current employee 29% 35% Former employee 18% 21% Total 47% 56% Hacker 28% 31% Unknown 42% 34% (Does not add up to 100%) PricewaterhouseCoopers 21

22 Section 4 Breaches: Footsteps and fingerprints as visibility increases Business impacts While the full damage report for 2009 is not yet clear, the first signs aren t promising. Many key business impacts are up: financial losses, compromises to brand or reputation and, naturally, loss of shareholder value. Not surprisingly for the technology industry, intellectual property theft was again noted as having a significant business impact. Business impacts Financial losses 37% 47% Brand/reputation compromised 28% 33% Loss of shareholder value 9% 15% Intellectual property theft 30% 27% Fraud 22% 12% (Does not add up to 100%) PricewaterhouseCoopers 22

23 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 23

24 Section 5 Current state of the arsenal: New gains will be key this year Survey results reveal that technology companies have made strong advances in four critical arenas over the last 12 months 1. Privacy protection 2. People and training Employ a Chief Privacy Officer 22% 33% Employ a CISO 34% 57% Require employees to complete privacyrelated training Have accurate inventory of locations where data is stored 28% 41% 44% 54% Employ a CSO Have people dedicated to monitoring employee use of Internet Conduct personnel background checks 30% 49% 62% 51% 59% 47% Audit privacy standards through third party assessments 25% 38% Integrate physical and infosec personnel 37% 56% 0% 20% 40% 60% 0% 20% 40% 60% PricewaterhouseCoopers 24

25 Section 5 Current state of the arsenal: New gains will be key this year Each of these areas privacy, people, identity management and critical processes are just-in-time gains this year 3. Identity management 4. Critical processes Identity management strategy Identity management solutions Automated account provisioning Automated account deprovisioning Biometrics 25% 52% 41% 51% 41% 56% 46% 44% 32% 36% Have an overall security strategy Measure and review effectiveness of security policies and procedures in the past year Undertake security risk assessments by third parties 26% 38% 70% 62% 66% 54% 0% 20% 40% 60% 0% 20% 40% 60% 80% PricewaterhouseCoopers 25

26 Section 5 Current state of the arsenal: New gains will be key this year Advances in other areas are less dramatic Does this suggest technology companies are not well positioned to address the unexpected surge in downturn-driven security-related challenges in 2009? Not necessarily. Progress always unfolds in fits and starts and a fair view of the readiness of technology companies to address the security-related risks of the downturn requires acknowledging the gains made over the last several years. A sampling of capabilities Compliance testing 35% 41% 50% 52% Personal/end-user firewalls 43% 61% 67% 68% Centralized user data store 46% 46% 56% 56% Tools to discover unauthorized devices 27% 43% 58% 57% Established standards/procedures for infrastructure deployment 35% 44% 53% 54% PricewaterhouseCoopers 26

27 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 27

28 Section 6 A crucial year: Security at an important threshold This is a key moment In short, this year, in the technology industry, the information security function and its leaders are encountering a powerful combination of factors: The greatest economic turmoil in decades. 2. High levels of executive concerns about risks - and the impact of the downturn on the company 3. Breach-related evidence that doesn t reveal the full picture of these impacts and downturn-related consequences. 4. A multi-year investment for better or worse in the building blocks of an effective privacy and information security program that, whether or not it has reached critical mass, has yet to show a compelling ROI. Enormous pressure (and opportunity) to deliver concrete, measurable business value not just later, but now. PricewaterhouseCoopers 28

29 Agenda 1. Methodology 2. Spending: A decline in growth rate but a manifestly reluctant one 3. Mounting pressure: Impacts of the economic downturn 4. Breaches: Footsteps and fingerprints as visibility increases 5. Current state of the arsenal: New gains will be key this year 6. A crucial year: Security at an important threshold 7. What this means for your business PricewaterhouseCoopers 29

30 Section 7 What this means for your business So how are the industry s security executives trying to tighten the alignment of security s contribution with the business? They re looking hardest at and placing their highest expectations on initiatives that (1) address the big risks first; (2) protect data; (3) pull this portfolio of multiyear investments together (strategy); (4) reduce cost and increase efficiency; and (5) manage the security-related impacts of regulation. 90% 89% 88% 87% 86% 85% 84% 83% 89% 88% 86% 86% 86% 86% 85% Increasing the protection of data Prioritizing security investments based on risk Strengthening the company's governance, risk and compliance program Refocusing on core of existing strategy Accelerating the adoption of securityrelated automation technologies to increase efficiencies and reduce cost Reducing, mitigating or transferring major risks Adopting a recognized security framework as a means of preparing for upcoming regulatory requirements Question 11: To continue meeting your security objectives in the context of these harsher economic realities, how important are the following strategies? (Respondents who answered Somewhat Important, Important, Very Important or Top Priority ) (Total does not add up to 100%) PricewaterhouseCoopers 30

31 Section 7 What this means for your business After years in the limelight, data protection is now in the spotlight at arguably the most critical time While data protection capabilities are uneven not just across the industry, but within many companies as well advances in the past year are worth noting. Data Loss Prevention (DLP): Technology industry respondents who say their organization has a DLP capability leapt this year from 36% to 51%. In addition, 81% consider pursuing more complete configuration of DLP tools to be important which suggests the adoption rate will spike again this year. Classification: The industry continues to make steady advances in prioritizing data and information assets according to their risk level on a continuous basis from 26% in 2007 to 39% today. Protection, disclosure and destruction: To protect data, however, you also have to have a clear rule book. This year s responses reveal that only 1 out of every 2 technology respondents say that their organization s security policies address the protection, disclosure and destruction of data. PricewaterhouseCoopers 31

32 Section 7 What this means for your business Another hot priority is addressing the risks associated with social networking Today a new generation of technology industry employees is accessing social networks from work in great numbers, often without the knowledge of the IT department and in circumvention of the traditional countermeasures employed by many. Some technology companies have moved quickly to close this gap but most need to do more. 60% 50% 40% 48% 44% 30% 27% 20% 10% 0% Have security technologies that support Web 2.0 exchanges - such as social networks, blogs, wikis and others Audit and monitor postings to external blogs or social networking sites Have security policies that address access and postings to social networking sites PricewaterhouseCoopers 32

33 Section 7 What this means for your business Secure your data and control access to your assets now. Tech sector progress in these key areas protection of data, intellectual property, identity management and privacy can be attributed to the industry s migration toward providing services, content, and internet connectivity around products. Why? There is significantly greater integration among OEMs, service providers, and customers, that has enabled efficient monitoring and support, remote software upgrades, better spare-parts logistics, usage-based billing, and insight into how a product is used. But it has, in turn, created a more open and susceptible business environment. This trend is likely to accelerate as companies adopt "cloud computing" applications and services. Today s IT environments are often a collection of builtto-order legacy solutions that were designed to deliver functionality in a silo not agility and change. Since security will continue to be a business model-related challenge for technology companies, right now is a good time to address how to secure your customer data and control and manage access to your assets. PricewaterhouseCoopers 33 Slide 33

34 2009 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. *connectedthinking is trademark of PricewaterhouseCoopers LLP (US). PwC