Are CIOs Too Cocky About Security?

There's been no shortage of high-profile and damaging data breaches in the past year. And the targets are widely varied: they include security firms RSA Security and HBGary Federal, defense contractors Lockheed Martin and Northrop Grumman, entertainment giant Sony, major retailers, healthcare companies and marketing firms.

Despite these attacks, the ninth annual Global Information Security Survey conducted by CIO's sister publication CSO magazine and PricewaterhouseCoopers indicates that of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.

"Clearly, something unusual is happening, with so many organizations viewing themselves as security leaders," says Mark Lobel, a principal in the advisory services division of PwC. In reality, "nowhere near 43 percent [are] leaders."

Pete Lindstrom, research director at Spire Security, has another take. "Either 43 percent are fooling themselves, or they are reaching a good level of success in setting their strategy and hitting it."

To better understand the actual security-management capabilities of the respondents who said they were leaders, PwC filtered the results according to factors it thinks are markers of real leadership. To meet the criteria, a company had to have a security strategy in place, IT security had to report to senior business leadership, the company had to have reviewed its IT security policy in the past year, and if the business had suffered a breach, it had to understand the cause. "When we finished that analysis, the amount of frontrunners fell from 43 percent to 13 percent," Lobel says.

Where does this unwarranted confidence come from? "Perhaps they didn't have bad things happen, or they're not aware that bad things have happened," says Lobel. "That can definitely create a false sense of security."

That complacency could partially explain why so many organizations have decided to defer security spending. This year, 51 percent of respondents said they were postponing security-related capital expenditures, up from 46 percent last year. Operating expenditures didn't get by unscathed either, with 48 percent of respondents saying they've deferred projects. That's up from 43 percent.

That's not to say respondents aren't spending on security. They are, and they're focusing on protecting against Web attack vectors and on deploying technologies that aim to prevent attacks. Investment in application firewalls grew from 72 percent to 80 percent in the past year, and investment in malicious-code-detection tools rose from 72 to 83 percent.

"It's good to see the investment in technologies," says Lobel. "However, the data shows they're not making investments in the processes necessary to make sure security policies are in place so [technology] works in sync to defend the enterprise."

Robert Fecteau, business technology officer at BAE Systems Intelligence and Security, calls the security budget cuts shortsighted. Security breaches can leak product designs, ruin reputations and make a company less competitive, he points out. "If your systems are penetrated, everything that you thought you saved in budget cutbacks will be lost."


Stories by George V. Hulme