A surprisingly high--unreasonably high, in fact--number of organizations think their security program is part of the vanguard of risk management.
That was one surprising finding of this year's annual Global Information Security Survey, conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers. More than 9,600 business and technology executives from around the world took the survey, and 43 percent of those surveyed believe their organizations are IT security leaders. The other categories respondents could choose from were strategist, tactician and follower.
Obviously those enterprises, by definition, can't all be at the forefront of security. "Most of these 'leaders,' in my opinion, have a false sense of their level of security," says Mark Lobel, a principal in the advisory services division of PwC.
Ahead of the Bell Curve
In an attempt to identify the organizations that might actually be information security leaders, PwC filtered the results according to conditions it felt would qualify a company to deserve the label.
First, the CISO had to report directly to a senior executive.
Second, the organization had to have an IT security strategy in place and the ability to execute that strategy.
Third, it had to have reviewed its security policy in the past year.
And finally, if the company had suffered a data breach, it had to know the breach's cause.
Under those criteria, less than 5 percent of respondents' organizations actually made the cut.
About half of respondents reported suffering one or more breaches, and a third said they weren't breached in the past year.
About 8 percent couldn't tell whether they had been breached or not. The good news from those figures is that a growing number of companies believe they understand the security events happening on their networks, and know what applications or systems were infiltrated.
However, that confidence doesn't align with the increased sophistication of malware in recent years. "In our engagements and my conversations with peers, we are dealing with more organizations that are grappling with international infiltration," says Shawn Moyer, practice manager of research consulting at Accuvant Labs. (For more on this topic, read Customized, Stealthy Malware Growing Pervasive). "Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere," Moyer says.
"I think there are a lot of executives out there with a false sense of security," says one security manager at a Midwest manufacturing firm.
"In our company, many upper managers simply choose to believe the reports that come in from the different regions. If those reports say that the systems are tight and secure, then that is management's working assumption."
So it seems many organizations are overconfident about their security posture. What attributes, then, does an IT security program need to have to truly be ahead of the pack?
"From a maturity perspective, if you have a senior manager or a junior executive who is designated as a security lead, that's my number-one criterion," says Eric Cowperthwaite, CSO at Providence Health and Services. Before you can consider your organization on the leading edge, "you have to have a security front-person, who's recognized as such in your organization, and is high enough up in the organization to have actual authority," he says. "Number two is to have a strategy, not just a road map for what technologies you are going to deploy, but a strategy for how you are going to secure and protect your systems and data," Cowperthwaite adds, an assessment that largely parallels PwC's definition.
The semantics of titles aren't a major concern. Andy Ellis, CSO at Akamai Technologies, says, "I don't think it matters what title you have. What matters is that you are efficiently reducing your risk according to your organization's business requirements."
That's hard to argue against, but few survey respondents could pass Ellis' litmus test because so few are actually testing their security efforts. Consider this: While 63 percent of respondents have an overall IT security strategy and 85 percent employ a CISO or CSO, half or less of those surveyed are evaluating their efforts. For example, while 63 percent said they have an overall information security strategy, about 40 percent said they've established security baselines for external partners, and only 43 percent have centralized security information management processes.
Similarly low percentages of survey-takers have identity management strategies (41 percent), business continuity or disaster recovery plans (39 percent), or risk-based authentication systems (34 percent).
Companies that don't have a security leader, a strategy, and the ability to execute that strategy and measure their execution are likely to suffer more breaches than others--that seems obvious. But they may also be losing more business.
That's the argument made by Douglas Davidson, president and CEO of security services provider Jacadis. "Clearly, they miss [business] opportunities. We have small businesses that we work with that have been driven to follow a [standards]-based security program by their bigger customers and business partners. They've actually gained revenues because they've created a competitive advantage through the security they put in place," he says.
[Also read another view of the CSO as a value creator | Security provides business services and intelligence]
How can security drive revenue? By using secure processes to gain partner and customer trust, and even to deliver new services to clients. Davidson cites a recent example: "There were several banks that needed the ability to send paper statements for printing, but most of the printers in the area were not able to secure the necessary processes. This one printer was able to build proper security around their services. They then won the banks' business and were able to go out and sell that capability to other customers," Davidson says.
That anecdote shows that IT security isn't a discipline practiced within a business; it's an integral part of the business. "For any significantly sized company, information security is a critical business function because information management is a critical business function," says Cowperthwaite.
Now if only more businesses would act as if IT security is critical to their business--or at least live up to their own mental images of their security efforts.