Companies continue to leave too much of their security apparatus in the hands of geeks in the IT department and not enough in the hands of the wider workforce. Until that changes, enterprises will continue to have gaping holes in their data defenses.
That's one of the main messages from a panel discussion on the 2008 Global State of Security Survey, held at the offices of PricewaterhouseCoopers in the US on Tuesday. CSO and PricewaterhouseCoopers recently released the results of the survey, in which 7,097 business and technology executives worldwide shared their security troubles. This is the sixth year in which CSO and PricewaterhouseCoopers have teamed up for the survey.
Though security has improved significantly in some areas -- especially among companies in India, China and South America -- too many enterprises continue to view security as a task best left to the IT shop. As a result, security efforts are too focused on putting out fires and stewing over network logs and not enough on big-picture strategizing and better awareness among the larger workforce, according to Bob Bragdon, who spoke at length during the event.
"When we compared last year's survey results to this year's results, we found that the people and priorities part of security still isn't growing as much as tech spending," Bragdon said. "If you don't focus on people and process, you're not going to get the full value out of your technology."
If a company can't get out of the weeds, it can't approach security strategically, he added.
Sharing that viewpoint was Gerard Verweij, a principal at PricewaterhouseCoopers, who at one point deadpanned that "a fool with a tool is still a fool." Verweij noted that information is the new business currency and securing it must be about more than meeting a compliance checklist.
"What stunned us a bit after seeing the results was that so many CISOs continue to see their positions as mostly a compliance function," he said.
On the positive side, the survey showed that companies are buying and applying technological tools such as software for intrusion detection, encryption and identity management at record levels. The downside is that too many organizations still lack coherent, enforced and forward-thinking security processes. While 59 percent of respondents said they have an "overall information security strategy," that's up just two points from last year's survey - too little, Verweij and others at PricewaterhouseCoopers said.
Elsewhere, 56 percent of respondents said they employ a security executive at the C level, down 4 percent from last year. Respondents also noted that they comb network logs for fishy activity, but only 43 percent said they audit or monitor user compliance with their security policies. This is up 6 percent from 2007, but still "not where we need to be," PricewaterhouseCoopers principal Mark Lobel said in an earlier interview.