By Tom Loftus
A recent survey of 9,600 CEOs, CIOs and other corporate officers who oversee information security just found a new definition for “optimist.”
Despite facing a decline in funding for even the most basic security practices and the rise of new, more persistent security threats, a whopping 43% of the respondents expressed confidence in their organization’s information security strategy.
The authors of the 2012 Global State of Information Security Survey had a different take, writing that “visibility into when and how the next cyber threat to information will emerge is poor, at best.”
The authors said only about 13% of respondents deserved to be confident. These people were most likely to work for an organization that employed a chief information security officer and chief security officer, had an overall information security strategy, measured and reviewed its policies and procedures over the past year, and employed dedicated security personnel tasked with supporting internal departments.
Out of the 13% the survey authors identified as leaders, three out of four also expected information security spending to increase at their company.
Why so much optimism? For one thing, respondents have demonstrated an increased awareness of threats. Only 9% of respondents said they were not aware of the frequency, type and number of incidents to strike the organization over the past 12 months. In 2007, 40% admitted to having no knowledge.
Security requirements tied to global standards such as the PCI Security Standards and Sarbanes-Oxley help explain this explosion of awareness, says Mark Lobel, a principal at PwC and one of the survey’s authors. “If you have better monitoring, you have a better sense of bad things happening.”
The 2011 survey revealed that the usage of security safeguards, from code detection tools to intrusion-prevention tools, has jumped by as much as 13 percentage points from the previous year.
But when it comes to battling the shadowy world of cybercrime, such improvements can also create a “false sense of security,” Lobel said.
While 43% of respondents said that they have an effective strategy and are proactive in executing the plan, only 16% said that their firm’s strategy addresses something called an “advanced persistent threat,” sophisticated attacks from groups that are organized enough to hit their targets for a prolonged period of time. These attacks are designed to avoid newly installed monitoring controls, Lobel said.
These attacks used to be reserved for very large companies and government organizations, but survey authors say that they are becoming a concern for private firms as well. “Attackers no longer come at the front door,” Lobel said. “They break into partners and suppliers and try to tunnel through.”
Survey respondents estimated that 15% of security breaches of all types were the result of a cyber attack on a partner or supplier, up from 8% in 2009. Respondents also noted that their firm’s capabilities with regard to due diligence, privacy requirements, and reporting security breaches concerning third parties have all decreased between 2009 and 2011.
For example, in 2009, 39% of respondents said that their firm required third parties to comply with privacy policies. In 2011, only 29% said that was so.
That number is going to go up, said Lobel, as the economic climate stagnates. If large firms have a hard time getting adequate security funding, it’s worse for their suppliers who are operating on smaller budgets.
In North America, 31% of respondents said that security spending would increase in 12 months, and that’s a point of concern in the months ahead, according to Lobel.