Executive Summary
CSO magazine's recent study found that the majority (60%) of companies surveyed have an employee dedicated to IT security. This is a fairly new position for most, with an average of two years and five months experience as head of security. While the security position is a recent addition, in most companies its creation preceded September 11 2001, signalling that IT security was a priority well before the terrorist attacks.
According to the 1,009 executives surveyed, 32% of security experts hold senior-level titles including CIO, CTO, CSO/CISO and vice president. Forty per cent of security experts listed security as their primary and singular responsibility, and 11% indicated that they were also responsible for the company's physical security. Currently, 39% of security heads report directly to the CEO, COO, CFO or other officer, while 26% report to the CIO or top IT executive.
Security executives say that electronic attacks pose the biggest concern for their company, compared to physical attacks or electronic attacks with physical consequences (e.g., an electronic attack on a nuclear power plant), and that current employees are a greater threat to their company's technology infrastructure than external persons and former employees. Close to one quarter (22%) of companies in our survey already have insurance to cover losses caused by cyber crime.
CSO Research Prediction
While 41% of the survey respondents are directors and managers currently, CSO magazine believes that responsibility for protecting the organisation’s information assets will be elevated to senior level and that the chief security officer title and position will become more prevalent. New privacy and security laws such as the anti-terrorism USA Patriot Act of 2001, and the Foreign Intelligence Surveillance Act will have a direct impact on business, specifically privacy issues and sharing of customer information. Organisations' security will be under greater scrutiny than in the past by regulators, legislators, auditors, business partners and customers. In addition to understanding technology and the business, the head of security must have the ability to team up with both business managers and the CIO to secure the organisation’s assets. Additionally, the head of security must set security policy and communicate the importance of such practices to senior management and the user community alike.
Key Findings
Title and Reporting Structure More than half (60%) of the 1,009 respondents to our survey reported that their company employs a person dedicated to IT security. Among the companies that do not have a dedicated security person, the majority (83%) currently have no plans to hire a head of security, and 14% plan to hire in 2003 or beyond.
Thirteen per cent of the 1,009 respondents were CIOs, CTOs or vice presidents of technology while 19% had the title of chief security officer, chief information security officer or VP of technology. Forty-one per cent were directors or managers of IT and slightly more than one quarter (27%) held business or military titles. When asked about their job responsibilities, 40% of the security experts surveyed said that security is their primary, singular responsibility. Sixty per cent reported that security was one of their responsibilities.
Approximately one quarter (26%) of those surveyed report directly to the CIO or head of IT and 22% report to a COO/CFO/VP or other officer. Only 17% report to the CEO or president. Fifteen per cent of the survey base report to a director and 15% listed "other."
Years of Experience and Background On average, security experts have been in their current job for 2 years and 10 months. More than half (52%) were hired from outside the company while 48% were promoted from within. When asked about previous work experience, respondents most frequently included IT/IT consulting (100%), logistics/engineering/manufacturing (51%), accounting/administration (49%), FBI/Secret Service/military (30%) and security consulting (28%) in their work experience. Security experts included in our survey earn an average of $US105,000 annually.
Security Budget Most companies (80%) include security as part of the IT budget, but 20% maintain a separate security budget, according to the 1,009 survey respondents. On average, 9.5% of the overall IT budget is allocated to security and close to half (42%) of security budgets include physical and IT security. Survey respondents reported an average annual IT budget of $US8.4 million.
Security Threats Current employees pose the greatest threat to technology infrastructure, according to 53% of the security experts in our survey. Twenty-eight per cent said that external persons posed the greatest threat. In terms of the kinds of attacks companies were most concerned with, respondents listed electronic attacks (59%) most frequently. The majority (87%) of those surveyed monitor cyber crime attempts and close to one quarter (22%) have insurance for cyber crime losses.
When asked what effects pending security regulations will have on business, respondents were most concerned about a decrease in customer confidence regarding privacy and an inability for corporations to guarantee privacy to their customers and employees. Roughly half of the respondents believe that government, companies and their own company are better prepared to respond to a cyber attack today than before 9/11.
Methodology
CSO magazine's Security Sensor survey was administered online in July 2002. Subscribers to CSO magazine were invited to take the survey. The results shown here are based on the responses of 1,009 security professionals. When asked about title, 37% were senior-level, including CIOs, CTOs, CSO/CISO and vice presidents. Forty-five per cent of respondents were directors or managers. The margin of error for this study is +/- 3.1%.
In terms of company size, approximately 41% of the survey respondents worked at companies with annual revenue of $US1 billion or greater. Roughly 23% were from companies with annual revenue between $US100 million and $US999.9 million, and 36% listed revenue at less than $US100 million.
Respondents represented a wide range of industries including finance/banking (16%), local, state or federal government (16%), computer-related industries (7%) and telecommunications/electric/gas/transportation industries (6%).
Survey Questions
Does your organisation have a person dedicated to IT security, like a chief security officer?
| 60% | Yes |
| 40% | No |
| N = 1,009 | |
Which title best describes your level of responsibility?
| 13% | CIO/CTO/VP |
| 19% | CSO/CISO/VP Security |
| 41% | Director/Manager/IT |
| 27% | Business/Military/Other |
| N = 1,009 | |
Which statement best describes your level of responsibility with regards to your organisation’s or division's security:
| 5% | Senior level head of both IT and physical security and security is your primary, singular responsibility |
| 9% | Senior level head of IT security and security is your primary and singular responsibility |
| 19% | Senior level in charge of IT and security is one of your responsibilities |
| 3% | Director level responsible for both IT and physical security and security is your primary, singular responsibility |
| 7% | Director level head of IT security and IT security is your primary and singular responsibility |
| 13% | Director level within IT and IT security is one of your responsibilities |
| 3% | Manager level responsible for both IT and physical security and security is your primary, singular responsibility |
| 13% | Manager level within IT and IT security is your primary and singular responsibility |
| 18% | Manager level within IT and IT security is one of your responsibilities |
| 11% | Other |
| N = 1,009 | |
To whom do you report directly?
| 12% | Chairman or CEO |
| 4% | COO |
| 5% | President |
| 5% | CFO |
| 3% | VP Finance/Administration |
| 11% | Other officer or assistant officer |
| 26% | CIO or top IS executive |
| 19% | IS Director |
| 15% | Other |
| N = 1,009 | |
To whom does your direct manager report directly?
| 14% | Board of directors |
| 24% | Chairman or CEO |
| 4% | COO |
| 10% | President |
| 6% | CFO |
| 4% | VP Finance/Administration |
| 7% | Other officer or assistant officer |
| 22% | CIO or top IS executive |
| 3% | IS Director |
| 8% | Other |
| N = 1,009 | |
| 6% | Less than $US50,000 |
| 23% | $US50,000 to $US74,999 |
| 28% | $US75,000 to $US99,999 |
| 18% | $US101,000 to $US124,999 |
| 12% | $US125,000 to $US149,999 |
| 5% | $US150,000 to $US174,999 |
| 3% | $US175,000 to $US199,999 |
| 2% | $US200,000 to $US224,999 |
| 1% | $US225,000 to $US249,999 |
| 1% | $US250,000 to $US299,999 |
| 1% | More than $US300,000 |
| N = 1,009 | |
How long have you held the title of CSO or equivalent head of security title?
| 37% | Less than 1 year |
| 25% | Between 1 and 2 years |
| 15% | Between 2 and 3 years |
| 7% | Between 3 and 4 years |
| 5% | Between 4 and 5 years |
| 3% | Between 5 and 6 years |
| 1% | Between 6 and 7 years |
| 1% | Between 7 and 8 years |
| 0% | Between 8 and 9 years |
| 2% | Between 9 and 10 years |
| 4% | More than 10 years |
| N = 1,009 | |
Years as head of security:
| 37% | Less than 1 year |
| 40% | 1 to 3 years |
| 12% | 3 to 5 years |
| 11% | More than 5 years |
| N = 1,009 | |
Average years as head of security: 2 years, 5 months
How long have you been in your current position?
| 27% | Less than 1 year |
| 25% | Between 1 and 2 years |
| 18% | Between 2 and 3 years |
| 8% | Between 3 and 4 years |
| 6% | Between 4 and 5 years |
| 4% | Between 5 and 6 years |
| 3% | Between 6 and 7 years |
| 2% | Between 7 and 8 years |
| 1% | Between 8 and 9 years |
| 1% | Between 9 and 10 years |
| 5% | More than 10 years |
| N = 1,009 | |
Were you hired for your current position from outside the company or promoted from within?
| 52% | Hired from outside company |
| 48% | Promoted from within company |
| N = 1,009 | |
In which areas do you have previous work experience? (Check all that apply.)
| 88% | Information technology |
| 48% | Information technology consulting |
| 28% | Administration |
| 28% | Security consulting |
| 27% | Engineering |
| 27% | Military |
| 21% | Accounting/finance |
| 16% | Manufacturing/production |
| 9% | Logistics |
| 7% | Law enforcement |
| 4% | Legal (other than law enforcement, i.e., lawyer/law office, Attorney General's office) |
| 2% | FBI |
| 1% | Secret Service |
| 21% | Other |
| N = 1,009 | |
Is your company's security budget separate from the IT budget or a line item/part of IT budget?
| 20% | Security budget is separate from IT budget |
| 80% | Security budget is included in IT budget |
| N = 1,009 | |
If your security budget is part of the overall IT budget, please estimate the per cent of your IT budget, including for security products, systems, services and staff, that was allocated to information security in 2002:
| % of IT budget | 9.5% |
| Total Number of Responses: | 829 |
What is your organisation’s approximate annual budget for security products, systems, services and/or staff?
| 2% | Greater than $US250 million |
| 1% | $US100 million to $US249.9 million |
| 1% | $US50 million to $US99.9 million |
| 2% | $US25 million to $US49.9 million |
| 3% | $US10 million to $US24.9 million |
| 5% | $US5 million to $US9.9 million |
| 15% | $US1 million to $US4.9 million |
| 11% | $US500,000 to $US1 million |
| 11% | $US250,000 to $US499,999 |
| 20% | $US100,000 to $US249,999 |
| 12% | $US50,000 to $US99,999 |
| 17% | Less than $US50,000 |
| N = 1,009 | |
Does your security budget include physical and IT security?
| 42% | Yes |
| 58% | No |
| N = 1,009 | |
When do you anticipate a major cyber attack by a terrorist organisation (i.e., al Qaeda) will happen?
| 6% | Never |
| 7% | Within next three months |
| 12% | Within 3 to 6 months |
| 30% | Within 6 months to 1 year |
| 11% | More than 1 year |
| 32% | Unsure |
| N = 1,009 | |
Which of the following do you believe are better prepared to respond to and recover from a cyber attack today than on September 11, 2001? (Check all that apply.)
| 52% | U.S. Government |
| 51% | U.S. businesses |
| 50% | Your company |
| N = 1,009 | |
Who poses the greater threat to your company's technology infrastructure?
| 53% | Current employees |
| 10% | Former employees |
| 28% | External persons not employed by your organisation |
| 9% | Unsure |
| N = 1,009 | |
In general, what kinds of attacks pose the biggest concern for your company?
| 8% | Physical attacks (such as theft of property, etc.) |
| 59% | Electronic attacks (such as unauthorised access, virus, etc.) |
| 3% | Electronic attacks with physical consequences (e.g., attack on electronic control of a dam or nuclear power plant) |
| 28% | Same level of concern for both physical and electronic attacks |
| 1% | Unsure |
| N = 1,009 | |
What do you believe is the #1 cyber security concern for the nation?
| 4% | Economic: corporate espionage resulting in theft of proprietary data |
| 26% | Economic: disruption of essential financial services |
| 6% | Economic: financial fraud |
| 6% | National security: espionage resulting in disclosure of sensitive data |
| 29% | National security: disruption of essential public services |
| 9% | National security: destruction of essential public services |
| 8% | Privacy: identity theft |
| 1% | Privacy: unauthorised use of credit cards |
| 7% | Privacy: protecting confidential information |
| 2% | Other |
| 2% | Unsure |
| N = 1,009 | |
What is the monetary value of losses your company has sustained due to cyber crime in the past year?
| 29% | Zero |
| 26% | $US1 to $US99,999 |
| 8% | $US100,000 to $US499,999 |
| 1% | $US500,000 to $US999,999 |
| 2% | $US1 million to $US9.9 million |
| 1% | $US10 million to $US99.9 million |
| 0% | $US100 million or more |
| 33% | Unsure |
| N = 1,009 | |
Regarding cyber crime, does your company: (Check all that apply.)
| 87% | Monitor attempts |
| 57% | Monitor crimes |
| 55% | Report crimes |
| 32% | Quantify the financial cost of crimes |
| N = 1,009 | |
Does your company have insurance covering losses caused by cyber crimes?
| 22% | Yes |
| 36% | No |
| 42% | Unsure |
| N = 1,009 | |
Within the next 18 months, are you planning to adopt biometrics (i.e., retina scans, fingerprint scans) for any applications at your company?
| 9% | Yes, already adopted biometrics |
| 15% | Yes, plan to within next 18 months |
| 33% | No, not in next 18 months |
| 32% | No, not on our radar at all |
| 11% | Unsure |
| N = 1,009 | |
Do you think technology vendors need to tighten up the security configuration of their products?
| 95% | Yes |
| 2% | No |
| 3% | Unsure |
| N = 1,009 | |
Corporate lawyers are facing novel business issues due to new laws (i.e., the anti-terrorism USA Patriot Act of 2001 and the Foreign Intelligence Surveillance Act) impacting privacy and the sharing of customer information with the Federal Government. What do you anticipate the potential impact of these new or existing laws will be on your organisation?
| 29% | Inability to guarantee privacy of corporate/customer information |
| 32% | Decrease in customer confidence regarding privacy and security of personal information |
| 19% | Increase in customer confidence regarding privacy and security of personal information |
| 7% | Loss of customers |
| 7% | Increase in customers |
| 12% | Decline in e-commerce revenues |
| 6% | Increase in e-commerce revenues |
| 20% | Increase in criminal liability claims/costs |
| 28% | Increase in civil liability claims/costs |
| 10% | Increase in civil liability claims/costs |
| 18% | No impact on organisation |
| 18% | Unsure |
| 5% | Other |
| N = 1,009 | |