Have hackers, botnets or rogue ex-employees managed to steal mission-critical data from the enterprise? Don't ask the CIO.
According to PricewaterhouseCoopers, which worked with our U.S. CIO magazine on an annual survey of more than 7,000 individuals in 130 countries, Canadian organizations are eight per cent less likely to know if they've had a security incident compared to their global counterparts. A total of 39 per cent said they were unaware of any breaches and of those that know something went wrong, nearly half, or 46 per cent, don't know exactly what happened.
These were sobering results for David Craig, PwC Canada's National Information Security practice leader. The Global State of Information Security 2010 reveals just how far behind many firms are in taking a more proactive approach, he said.
"There are few proscribed controls that work in a regulatory manner to protect certain information," he said. "If there was a government fiat of some kind, they would probably act more quickly."
In fact, compliance in its various forms emerged as the leading driver for IT security spending in Canada overall, followed by disaster recovery. That doesn't really address the knowledge gaps, however, said Salim Hasham, a vice-president who works primarily with PricewaterhouseCoopers security clients in the Greater Toronto Area.
"To not be able to discuss what kind of attacks you've withstood or what vulnerabilities you're dealing with is like telling the CEO you have no idea where 60 per cent of your assets are," he said.
Follow the money
Despite the economic downturn, the budget outlook for security is not as bad as might have been expected. Globally, six out of 10 firms said they expected to see security spending stay the same or increase. Of the less than half worldwide who are planning to cut spending, most are deferring by less than six months and reducing budgets by no more than 10 per cent. "These companies are very aware of audit committees and their accountability to them," says Craig.
Hasham says there are other positive signs, particularly within Canada. "We're really seeing the elevation of the CISO (chief information security officer) role," he says. "They're no longer just playing the position of referee but moving to the concept of security as enablement -- that by protecting information you can actually get more business done."
There is also greater collaboration between executives responsible for security in like-minded firms or industries -- even among those who would normally see themselves as competitors. "I've seen a lot of CISOs in financial services sharing ideas," Hasham says.
Where's the DLP?
Although Canadian respondents to the survey showed higher concerns around business continuity and disaster recovery, they have been more hesitant around product categories such as data loss prevention (DLP). According to PwC, 34 per cent of Canadian organizations have a DLP tool in place, compared to 44 per cent globally.
These results didn't overly concern Craig. "I think DLP is still seen as an emerging category," he says. "Most organizations here seem to have a wait-and-see attitude. Already they're noticing consolidation happening within the vendor community for DLP products, and in some cases they may be waiting for more mature tools before they're prepared to make an investment."
Leggo my laptop!
Besides covering broad trends, the Global State of Information Security 2010 also dug deep into the details. For instance, PwC examined the most common items that are exploited or stolen as a result of breaches. Although laptops are an obvious choice, they appear to be more attractive to thieves in Canada than anywhere else. Ninety-one per cent of Canadian respondents cited mobile computers compared to 71 per cent around the world.
Hasham says he's heard of bad practices surrounding such technology. "You'll see organizations that employ no laptop encryption because it would slow down boot times," he says.
Craig adds that the infiltration of consumer technology into the enterprise makes some risks even greater. "Just think about all the smartphones that are brought into a call centre," he says. "It has a camera, recording features -- everything you need to compromise data. It doesn't matter if they don't give them Internet access at their terminals anymore."
Drive the business
Security concerns may be partly behind the relatively low adoption rates PwC tracked around cloud computing, compared to technology such as virtualization which is bringing more efficiency to enterprise data centres. In the long term, cloud computing may hold more appeal, even as it potentially opens up greater avenues for risk.
"All you have to do is look at Google to see how competing on data is becoming more important," says Craig. "Firms want to customize what they offer to their users, and cloud computing could be a way to do that. But what's the trade-off?"
Hasham says he hopes CIOs will look at the data and do a thorough review of how information is classified across the enterprise. This way they can better determine its value and prioritize their security investments accordingly. "If you don't do that, you don't have a hope in Hell of protecting it," he says. "If you want it to be, security can be a driver of business transformation."
PwC's next iteration of the survey is already in the field.