Global state of InfoSec 2005

The much awaited CIO/PwC "Global State of Information Security 2005" study has been released today. This is the third annual edition of the survey—once again the largest of its kind with more than 8,200 IT and security executives responding from 63 countries on six continents. Like any other document/study referenced on this blog, this is a very worthwhile read. Customers can use the data to benchmark themselves and to glean ways to beat back the flames.

This is a lengthy and comprehensive report at CIO online, and I will try and summarise the salient points :

• Just 37 percent of respondents reported that they had an InfoSec strategy—and only 24 percent of the rest say that creating one is in the plans for next year
• As information security gains more status in the organization, security improves
• The bigger the company, the more it watches its employees, and there’s a sudden and dramatic rise in companies monitoring their employees
• The majority of information security executives range from ambivalent (at best) to downright dismissive (at worst) about the intentions, effect and pertinence of security regulations.The negative attitude toward regulation (only half of respondents believe it has increased the effectiveness of information security) indicates that they haven’t had the intended effect, at least on information security.
• The financial services industry takes care of security better than the rest. Learn from their best practices.The financial services sector has long been presumed to practice superior information security, largely because of the preciousness of its assets (money) and the fact that its business is carried out almost entirely on IT systems
• When it comes to malicious activity on their network, information security executives have more information than ever, but they don't know what to do with it.
• Malicious code is the top attack type (56%) followed by unknown (26%), unauthorized entry (25%) and denial of service (21%). Top attack vectors are email (68%), known OS vulnerability (26%), abused accounts/permissions (21%), unknown (19%) and known vulnerabilities (16%)
• The top attack sources are Hackers (63%), Employees (33%), Unknown (25%), former employees (20%) and customers (11%)
• Over 55% of respondents don't contact anyone as a result of an attack
• Information security is getting more money, but exactly how much and from where isn’t always clear, which is more evidence of a lack of strategic direction. The good news: The information security function can shake some money out of other departments’ pockets to supplement its own appropriations.
• Topping next years' to-do lists are 1-disaster recovery/business continuity, 2-employee awareness programs, 3-data backup and encryption, 4-overall information security strategy, 5-more network firewalls, 6-SIM/SEM, 7-periodic audits, 8-monitoring employees, 9-monitoring log files and vulnerbailty reports, 10-spending on intellectual property protection

This is just a summary and you are recommended to read the CIO document on the supplied link as it has lots of nice graphs and tables together with all the details of the above salient points.

CATEGORIES: 1survey,1pwc,1strategy