8/2/2019 Giss 2011 Survey Report
1/58
Respected, but still restrained
In the aftermath of the worst global economic jolt in 30 years, information security confronts a new economic order.
Findings from the 2011 Global State of Information Security Survey
Advisory Services
Security
Methodology
The 2011 Global State of Information Security Survey is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from February 19, 2010 to March 4, 2010. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 12,840 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 135 countries. Thirty-seven percent of respondents were from Asia, 30% from Europe, 17% from North America, 14% from South America, and 2% from the Middle East and South Africa. The margin of error is less than 1%.
Table of contents

The heart of the matter
As global economic conditions continue to fluctuate, information security hovers in the balance, caught between a new hard-won respect among executives and a painstakingly cautious funding environment.

An in-depth discussion
Signs of security's strategic gains and advances stand side by side with newly emerging cracks in its foundation.
I. Spending: A subtle but enormously meaningful shift
II. Economic context: The leading impacts and strategies
III. Funding and budgets: A balance between caution and optimism
IV. Capabilities and breaches: Trends too large to ignore
V. New areas of focus: Where the emerging opportunities lie
VI. Global trends: A changing of the guard

What this means to your business
Learn from the downturn. And make crucial changes. But also be among the first to face forward.
The heart of the matter
As global economic conditions continue to fluctuate, information security hovers in the balance, caught between a new hard-won respect among executives and a painstakingly cautious funding environment.
Over the past year, it has been hard to predict when, where and with what strength global economic conditions might improve.

So it isn't surprising to discover this year that, according to the results of the 2011 Global State of Information Security Survey, executives across industries and markets worldwide have been reluctant to release funding to support the information security function.

This financial restraint is in spite of clear evidence that as information security emerges from the smoke of a brutal year (and, in effect, a trial by fire, as last year's survey revealed) it is sporting a new hard-won respect, not just from many but from most of this year's respondents. This includes more than 12,840 CEOs, CFOs, CIOs, CISOs, CSOs and other executives responsible for their organizations' IT and security investments in more than 135 countries.

As the spending restraint continues, however, some block-and-tackle security capabilities that took a full decade to develop are degrading and, day by day, opening up organizations to new windows of risk.

This year, the tension is acute. Between ongoing maturation in the security function and regression. Between caution in this economy and optimism. Between preserving cash and protecting the business.

Caught in the balance is the information security function, thirsty for funds and poised to continue systematically driving into the heart of the business.

What is the evidence of these trends? What are the implications for spending during the next six to 12 months? Where are the greatest security-related vulnerabilities emerging? And which are the most crucial opportunities and priorities your organization should focus on now and over the next year to increase the contribution that security makes to your business?
An in-depth discussion
Signs of security's strategic gains and advances stand side by side with newly emerging cracks in its foundation.
I. Spending: A subtle but enormously meaningful shift

Finding #1
Three strategic trends in spending, each of them several years in the making, are now hard to miss.

Finding #2
This year's spending drivers aren't new. But here's the surprise: Almost every one of these factors is trending at, or near, four-year lows.

Finding #3
Client requirement has now emerged, either as the new flavor of the year or perhaps as a strategic driver of spending that will endure over time.
Finding #1. Three strategic trends in spending, each of them several years in the making, are now hard to miss.

Look at these numbers over a multi-year period. This year, for the first time in the course of the survey, three long-term strategic trends in information security spending have appeared in the spotlight.

1. Security is on the CFO's protect list
We first saw evidence of this last year. This year's data provides additional confirmation of the trend. As the function matures and contributes in more obvious and direct ways to business objectives, it is encountering much more stable funding curves. As the survey revealed last year, security funding is protected during the down cycle. And, as we will point out in the pages that follow, this funding is increased as market vigor returns.

2. Yet security is still vulnerable to the flavor of the year
Because security sits at the heart of the business, its spending drivers (the factors emphasized most prominently and most often by executives seeking funding for security-related initiatives) tend to be very closely aligned with the hot priorities of the business, whatever they might be at the time. In short, security's spending drivers are susceptible to what we might call the flavor of the year.

Take the US market, for example. In 2007, six years after the events of 9/11, 68% of US respondents identified business continuity and disaster recovery as the single largest driver of security spending, compared with 43% today. In the same year (five years after the passage of the Sarbanes-Oxley Act and two years after the Health Insurance Portability and Accountability Act's (HIPAA) Security Rule took effect) US respondents identified regulatory compliance as the second-greatest spending driver, compared with 47% today.

3. The water drop effect
Big splash, then diffusion. After peaking as drivers, each of these factors, from business continuity to regulatory compliance, shifts from an external game-changer to an internal given. They remain important to the organization, often crucially so, but precisely because of their value, they become integrated into the business. How? Through, for example, newly automated systems or feature-enhanced software. Updated job descriptions. Policies and business practices. And more comprehensively designed internal controls.
Finding #2. This year's spending drivers aren't new. But here's the surprise: Almost every one of these factors is trending at, or near, four-year lows.

Which factors are driving information security spending this year? At first glance, the answer isn't much of a shock: economic conditions (reported by 49% of respondents), business continuity and disaster recovery (40%), company reputation (35%), internal policy compliance (34%) and regulatory compliance (33%). (Figure 1)

These are the primary factors you would expect, not just one year after the greatest economic downturn in the last 30 years but also after a decade of expanding globalization; continual introduction of new technologies that enable a free flow of information worldwide; the introduction of the Advanced Persistent Threat; and a wave of regulation across markets, industries and regions.

What is surprising, however, is that almost every one of these factors is trending at or near four-year lows. Take business continuity/disaster recovery, for example. Sixty-eight percent of respondents pointed to this factor just four years ago. That is 28 points more than this year's 40%, a reduction of 41%. The other drivers show comparable declines. (Figure 2)

First, let's clarify a key issue: Does this mean these factors are less important? Absolutely not. In many respects, they've never been more vital. They're just not as vigorous spending drivers as they've been in the past.
Figure 1: Percentage of respondents who identify the following business issues or factors as the most important drivers of information security spending in their organization. (1)

Economic conditions                      49%
Business continuity/disaster recovery    40%
Company reputation                       35%
Internal policy compliance               34%
Regulatory compliance                    33%

(1) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
Figure 2: Percentage of respondents who identify the following business issues or factors as the most important drivers of information security spending in their organization. (2)

Driver                                   2007   2008   2009   2010   Three-year % change*
Economic conditions                      n/a    n/a    39%    49%    n/a
Business continuity/disaster recovery    68%    57%    41%    40%    -41%
Company reputation                       44%    39%    32%    35%    -20%
Internal policy compliance               51%    46%    38%    34%    -33%
Regulatory compliance                    54%    44%    37%    33%    -39%

(2) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
* This calculation measures the difference between response levels over a three-year period from 2007 to 2010.
Source: The 2011 Global State of Information Security Survey
Finding #3. Client requirement has now emerged, either as the new flavor of the year or perhaps as a strategic driver of spending that will endure over time.

What is the new flavor of the year? Client requirement, although the meaning of this term likely varies a bit across respondents.

This year, when respondents were asked how information security spending was justified in their organization, nearly every one of the top seven factors they identified, from common industry practice to potential liability or revenue impacts, reflected declines in comparison with 2007. The reductions ranged from 10% to 26%.

Client requirement was not only the sole factor in the top seven to increase over this period, it also moved up in ranking from the bottom of the list (#6 position) to near parity (#2 position) with the leading factor in justifying information security spending, the legal/regulatory environment. (Figure 3)

Does client requirement refer to an internal client or an external one? A contractual mandate or a minimal threshold on a request for proposal? While the survey is ambiguous on this point, it's abundantly clear that client requirement in general is driving spending more than it ever has in the past.

Is client requirement just the new flavor, or will it prove to be a more enduring driver? Could client requirement become the globally acknowledged leading driver of security spending in the next three to four years?

Perhaps. At this point it appears to be one more sign that, after 15 years, the information security function continues to take on a far more customer-facing, business-supporting, strategic value-building role.
Figure 3: Percentage of respondents who identify the following factors when asked to reveal how information security is justified in their organization. (3)

Justification                    2007   2008   2009   2010   Three-year % change*
Legal/regulatory environment     58%    47%    43%    43%    -26%
Client requirement               34%    31%    34%    41%    +21%
Professional judgment            45%    46%    40%    40%    -11%
Potential liability/exposure     49%    40%    37%    38%    -22%
Common industry practice         42%    37%    34%    38%    -10%
Risk reduction score             36%    31%    31%    30%    -17%
Potential revenue impact         30%    27%    26%    27%    -10%

(3) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
* This calculation measures the difference between response levels over a three-year period from 2007 to 2010.
Source: The 2011 Global State of Information Security Survey
II. Economic context: The leading impacts and strategies

Finding #4
While the impacts of the downturn linger, the largest increase in risk is associated with weaker partners and suppliers.

Finding #5
The strategies companies are taking this year are largely the same as those taken last year. Some of these strategies, however, may be opening up companies to new areas of risk.
Finding #4. While the impacts of the downturn linger, the largest increase in risk is associated with weaker partners and suppliers.

While a robust return to economic strength has been elusive, most economists agree that market conditions today are far better than they were in late 2008. So it's natural to expect that executive perceptions of the impacts the downturn has had on the security function would be different than they were last year.

They're not. At least most of them aren't. In fact, they're surprisingly consistent with last year's. Most agree, for example, that the regulatory environment has become more complex and burdensome. And that the increased risk environment continues to elevate the importance of the security function. And that ongoing cost-reduction efforts make adequate security more difficult to achieve. (Figure 4)

So what's the greatest change reported in the global economy's impact on the function this year? Respondents are considerably more likely than last year to report that business partners and suppliers have been weakened by economic conditions.

That's understandable, especially given factors such as the recent surge in globalization and cross-border participation in supply chains and emerging market development, as well as the fact that one would naturally expect the real impacts to partners and suppliers to take at least one year to emerge.

But there's a much less obvious implication here, one that is enormously revealing about the strategic evolution in the maturity of the security function.

This data isn't just coming from senior business and IT decision-makers. Clearly, this information is also coming from (either directly or indirectly) core business managers at the center of companies and their operations. This includes the business unit heads, the operational decision-makers, the supply chain experts who work most closely with the organization's business partners and suppliers.
In other words, this year, we're starting to see quantitative evidence of anecdotal trends we have been tracking for several years: That the spotlights on security's value are turned on and shining brightly not just at the C-suite level but also at the very heart of organizational operations, in areas such as production, supply chain, procurement, business development and strategic partnering.

Figure 4: Percentage of respondents reporting the following impacts of current economic conditions on their organization's information security function. (4)

Impact                                                                                     2009   2010
Regulatory environment has become more complex and burdensome                              56%    56%
Increased risk environment has elevated the role and importance of the security function   52%    55%
Cost reduction efforts make adequate security more difficult to achieve                    52%    50%
Threats to the security of our information assets have increased                           43%    43%
Our business partners have been weakened by the economic conditions                        43%    52%
Our suppliers have been weakened by the economic conditions                                42%    50%

(4) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
Finding #5. The strategies companies are taking this year are largely the same as those taken last year. Some of these strategies, however, may be opening companies to new areas of risk.

Consider the strategies organizations are engaging to continue meeting security objectives in the face of this year's uncertain economic conditions. (Figure 5)

For the second year in a row, increasing the focus on data protection is the single most common strategy worldwide. Also consistent with last year's results are other priorities, such as prioritizing security investments based on risk; strengthening the company's governance, risk and compliance program; and accelerating the adoption of security-related automation technologies to increase efficiencies and cut costs.

Yet a second set of trends includes other strategies. Such as increasing reliance on managed security services. Reducing the number of full-time security personnel. And shifting security-related responsibilities to non-security personnel.

The business rationale behind these tactics, of course, is based on the need for greater efficiencies and a more reliable supply of more diversified security-related skills. Like IT, security needs to lower the cost of ongoing operations and devote more of the budget to new value-creation activities. But at the same time (and this is critical) these tactical strategies, in some cases, may be opening up organizations to new areas of risk.

For example, if companies are increasing their reliance on managed security services providers, are they also (1) enhancing governance and oversight mechanisms, (2) conducting periodic audits of the provider's operations, and (3) ensuring the alignment of the provider's processes with the company's security policies, regulatory mandates and strategic risk management priorities?
Figure 5: Percentage of respondents reporting that, in order to meet their security objectives in the context of the harsh economic realities, the following strategies are important. (5)

Increasing the focus on data protection                                                                  71%
Prioritizing security investments based on risk                                                          69%
Strengthening the company's governance, risk and compliance program                                      67%
Refocusing on core of existing strategy                                                                  66%
Accelerating the adoption of security-related automation technologies to increase efficiencies and cut costs   66%
Pursuing more complete configuration of DLP tools                                                        65%
Increasing reliance on managed security services                                                         59%
Allocating security-related tasks to non-security IT employees                                           48%
Reducing the number of full-time security personnel                                                      43%

(5) Respondents who answered Important, Very Important or Top Priority. Not all responses included. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
III. Funding and budgets: A balance between caution and optimism

Finding #6
Financial caution remains high as executives in the industry keep a tight lid on the budgetary coffers, at least for now.

Finding #7
Yet this caution appears to be easing for projects more than six months out and for reductions of 10% or more.

Finding #8
Asked about their expectations about security spending in the coming year, respondents are more optimistic than at any time since before 2005.
Finding #6. Financial caution remains high as executives in the industry keep a tight lid on the budgetary coffers, at least for now.

Funding is still tight. There's no question about it. Although some industries and markets appear to be strengthening, companies are reacting with extreme caution.

Asked whether their organization had reduced budgets for security initiatives over the last year, nearly half of all 12,847 respondents agreed that they had, for capital (47%) and operating expenditures (46%). And, in fact, these numbers matched last year's responses to the same question (47% and 46% respectively). (Figure 6)

Quite surprisingly (at least given the signs of an impending market return to healthy levels of growth), more respondents than last year reported that their organization had deferred security-related funding for capital expenditures (from 43% in 2009 to 46% this year) and operating expenditures (from 40% to 42%).

A subtle tightening of the purse strings? Yes, apparently. A sign of even greater funding restraint to come? Perhaps. But not likely. Evidence suggests this hyper-focus on costs, in some cases, might be akin to one segment of the global consumer market's aversion to spending money in the months immediately preceding their purchase of a new car. Saving now in anticipation of spending later.
Figure 6: Percentage of survey respondents who report that their organization is reducing budgets for security initiatives or deferring them.

Has your company reduced budgets for any security initiatives?   2009   2010
Yes, for capital expenditures                                     47%    47%
Yes, for operating expenditures                                   46%    46%

Has your company deferred security initiatives?                   2009   2010
Yes, for capital expenditures                                     43%    46%
Yes, for operating expenditures                                   40%    42%

Source: The 2011 Global State of Information Security Survey
Finding #7. Yet this caution appears to be easing for projects more than six months out and for reductions of 10% or more.

In the seconds after the wheel of a fast-moving 200-ton ocean-transport vessel directs the ship in a markedly different direction, and before the evidence of this turn is apparent to the ship's compass, the water level on one side of the wave-cutting bow registers an unmistakable change.

That's happening here, so to speak. We took a closer look at how respondents answered our question about spending restraint for capital and operating expenditures. And what we discovered is quite fascinating.

Spending caution appears to be easing for projects more than six months out and for reductions of 10% or more. And it's building up at the bow for projects under six months or budget reductions under 10%.

Why is demand bunching up for near-term projects? It's hard to tell. Some of our clients are concerned about the short-term reliability and calendar timing of the return to economic strength. Others are interested in funding a higher portion of security-related investments in operating and capital expenditures from actual revenue streams as they manifest themselves on a cash basis, rather than accrual. And many management teams, of course, have their heads down trying to balance security's demand for those funds against first-distribution calls for value-creating funding from across the enterprise.

How do we view this trend in the data? As a noteworthy shift in the focus of funding restraint, away from long-term initiatives and increasingly concentrated on initiatives planned for the short term. We take that as an unimpeachable sign of cautious optimism; one sign, actually, of two.
Figure 7: Percentage of survey respondents who report that their organization is reducing budgets for security initiatives or deferring them.

Has your company reduced budgets for any security initiatives?   2009   2010   One-year change
Yes, for capital expenditures                                     47%    47%
  - by under 10%                                                  19%    22%    +3 pts
  - by more than 10%                                              28%    25%    -3 pts
Yes, for operating expenditures                                   46%    46%
  - by under 10%                                                  19%    22%    +3 pts
  - by more than 10%                                              27%    24%    -3 pts

Has your company deferred security initiatives?                   2009   2010   One-year change
Yes, for capital expenditures                                     43%    46%
  - by less than 6 months                                         21%    27%    +6 pts
  - by more than 6 months                                         22%    19%    -3 pts
Yes, for operating expenditures                                   40%    42%
  - by less than 6 months                                         22%    26%    +4 pts
  - by more than 6 months                                         18%    16%    -2 pts

Source: The 2011 Global State of Information Security Survey
Finding #8. Asked about their expectations about security spending in the coming year, respondents are more optimistic than at any time since before 2005.

The second sign of optimism is a bit more exuberant. This year, expectations that spending will increase leaped by more points than at any time since the earliest years of this survey. This optimism, held by 52% of respondents, a higher number than any response level since before 2005, is significant. (Figure 8)

Absent another worldwide shock to the global economy, we may see a release of this pent-up demand at the bow and an increase in security-related spending on capital and operating expenditures as early as later this year.
Figure 8: Percentage of survey respondents who report that security spending will increase over the next 12 months. (6)

2005   2006   2007   2008   2009   2010
42%    46%    44%    44%    38%    52%

(6) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
IV. Capabilities and breaches: Trends too large to ignore

Finding #9
After posting solid advances in the last several years, some firms are allowing these capabilities to degrade.

Finding #10
As organizations continue to gain new visibility into security incidents, they are learning more about the real costs of breaches.

Finding #11
This year, there is a significant shift in the ongoing evolution of the CISO's reporting channel away from the CIO in favor of the company's senior business decision-makers.
Finding #9. After posting solid advances in the last several years, some firms are allowing these capabilities to degrade.

This year, adoption levels for many information security-related processes appear to have stalled, an unplanned consequence, perhaps, of the austerity in the funding environment. Respondents are just as likely as they were last year, for example, to have an overall security strategy in place (65% in 2009, 65% this year), use vulnerability scanning tools (53% in 2009, 53% this year), and have wireless (cellular and Wi-Fi) security standards and procedures (45% in 2009, 45% this year). (Figure 9)

In many cases, however, these adoption rates are actually in decline. Fewer respondents compared with last year, for example, conduct personnel background checks (60% in 2009, 56% this year), dedicate people to monitoring employee use of the Internet and information assets (57% in 2009, 53% this year), and conduct an employee security awareness program (53% in 2009, 49% this year). (Figure 10)

Just a one-year impact? Maybe so. But where it occurs, this regression often returns these capabilities to 2008 levels or below.
Figure 9: Percentage of survey respondents who report that their organization has the following security- and privacy-related capabilities in place. These sample responses highlight the fact that many capability advances have stalled. (7)

Capability                                                             2006   2007   2008   2009   2010
Have an overall information security strategy                          37%    57%    59%    65%    65%
Integrate privacy and compliance plans                                 21%    28%    36%    44%    42%
Have implemented security event correlation software                   11%    29%    35%    43%    43%
Ensure the secure disposal of technology hardware                      38%    58%    67%    59%    60%
Use vulnerability scanning tools                                       30%    50%    54%    53%    53%
Have wireless (cellular and Wi-Fi) security standards and procedures   29%    29%    40%    45%    45%

(7) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
Figure 10: Percentage of survey respondents who report that their organization has the following security- and privacy-related capabilities in place. These sample responses reflect the emerging degradation in some capabilities. (8)

Capability                                                                                  2006   2007   2008   2009   2010
Conduct personnel background checks                                                         51%    52%    51%    60%    56%
Have established security baselines for external partners, customers, suppliers and vendors 25%    42%    43%    50%    46%
Conduct an employee security awareness program                                              39%    42%    54%    53%    49%
Have people dedicated to monitoring employee use of the Internet and information assets     40%    48%    50%    57%    53%
Use a centralized security information management process                                   34%    44%    51%    53%    48%
Actively monitor and analyze information security intelligence                              49%    47%    54%    58%    54%

(8) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
Finding #10. As organizations continue to gain new visibility into security incidents, they are learning more about the real costs of breaches.

For years, the percentages of respondents who reported not knowing about key security event-related facts have been painfully high. Just a few years ago in 2007, for example, 40% didn't know how many security events had occurred in the past 12 months. Today, 23% don't. In 2007, almost half (45%) didn't know what type of security events had occurred. Today 33% don't. (Figure 11)

As organizations continue to turn on the lights, however, what they are finding is sobering. In short, the impact of security events on the business has risen to significant levels, particularly with respect to financial losses (now reported by 20% of all respondents), theft of intellectual property (15%) and compromises to brands or reputations (14%). (Figure 12)

As these numbers continue to rise, we foresee even greater pressure on the CFO to release funding, not just to maintain security capabilities at their current level but also to advance security's ability to protect and enable the business.
Figure 11: Percentage of survey respondents who report the following information with respect to negative security-related events impacting their organization. (9)

                                                                                   2007   2008   2009   2010
Don't know how many security events have occurred in the past 12 months            40%    35%    32%    23%
Don't know what type of security events occurred (i.e., whether exploitation
  occurred to applications, data, mobile devices (such as smart phones and USBs),
  systems, networks, or through social engineering)                                45%    44%    39%    33%
Don't know what the likely source of the event was (i.e., current employees,
  former employees, hackers, customers, partners and suppliers)                    44%    42%    39%    34%
  (one bar in this panel of the chart is labelled "Not available")

(9) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
Figure 12: Percentage of all survey respondents who report the following business impacts to their organization. (10)

Business impact                     2007   2008   2009   2010
Financial losses                    6%     8%     14%    20%
Theft of intellectual property      5%     6%     10%    15%
Brand or reputation compromised     5%     6%     10%    14%

(10) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
The gap has widened. Three years ago, companies still viewed the information security function principally as a technology cost center. One unimpeachable sign of this was the fact that the single most common reporting channel for the Chief Information Security Officer (or equivalent information security executive) was to the Chief Information Officer.

How quickly the times have changed. Since 2007, the number of respondents reporting this arrangement has declined very significantly, from 38% to 23% this year.

So where is the CISO reporting today? To the business side of the house, typically to the Board, the CEO, the CFO, the Chief Operating Officer and the Chief Privacy Officer. (Figure 13)

What's the strategic significance of this reporting shift? Across industries, we continue to see evidence of executive recognition that security's strategic value is more closely aligned with the business than with IT.

Finding #11. This year, there is a significant shift in the ongoing evolution of the CISO's reporting channel away from the CIO in favor of the company's senior business decision-makers.
Figure 13: Percentage of survey respondents who report that their organization's Chief Information Security Officer or equivalent information-security leader reports to the following senior executives. (11)

Reports to                        2007   2008   2009   2010   Three-year % change*
Chief Information Officer (CIO)    38%    34%    32%    23%    -39%
Board of Directors                 21%    24%    28%    32%    +52%
Chief Executive Officer (CEO)      32%    34%    35%    36%    +13%
Chief Financial Officer (CFO)      11%    11%    13%    15%    +36%
Chief Operating Officer (COO)       9%    10%    12%    15%    +67%
Chief Privacy Officer (CPO)         8%     8%    14%    17%   +113%

(11) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
* This calculation measures the difference between response levels over a three-year period from 2007 to 2010.
Source: The 2011 Global State of Information Security Survey
V. New areas of focus: Where the emerging opportunities lie

Finding #12
Not surprisingly, social networking represents one of the fastest emerging new areas of risk.

Finding #13
One of the leading priorities for many companies is mitigating the consequences of a breach through better incident response.

Finding #14
A newly popular tool in the CISO's arsenal? Insurance.
As if protecting data across applications, networks and mobile devices wasn't complex enough, social networking by employees is presenting organizations worldwide with a new and growing frontier of risk.

The risks, from an information security perspective, include the loss or leaking of information; statements or information that could damage the company's reputation; activity such as downloading pirated material, with legal and liability implications; identity theft that directly and indirectly compromises the company's network and information; and data aggregation that builds up a picture of an individual in order to mount security attacks through social engineering.

Few companies are adequately prepared to counter this threat. Most companies (60%) have yet to implement security technologies supporting Web 2.0 exchanges such as social networks, blogs or wikis. And even more (77%) have not established security policies that address the use of social networks or Web 2.0 technologies, a critical control that costs virtually nothing. (Figure 14)

Finding #12. Not surprisingly, social networking represents one of the fastest emerging new areas of risk.
Figure 14: Percentage of survey respondents who report that their organization has the following information security capabilities in place. (12)
- Have implemented security technologies supporting Web 2.0 exchanges such as social networks, blogs or wikis: 40% (2010), 40% (2009)
- Have security policies that address the use of social networks or Web 2.0 technologies: 23% (2010), 23% (2009)
(12) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15)

But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening: only about 37% of all respondents (58% x 63%) have a plan that they believe works.

In effect, most organizations (63%) have no plan, or the plan they have doesn't work.

Finding #13. One of the leading priorities for many companies is mitigating the consequences of a breach through better incident response.
Figure 15: Percentage of survey respondents reporting on whether or not their organization has a contingency plan to respond to incidents.
- Yes: 58%
- No: 23%
- Don't know: 19%
Source: The 2011 Global State of Information Security Survey
Strategies in countering information security risks continue to emerge. For the first time this year, we asked respondents whether their organization has an insurance policy that protects it from theft or misuse of assets such as electronic data or customer records. Almost half (46%) said yes. And more than a few have made a claim (17%) and collected on it (13%). We expect to see these numbers rise significantly over the next several years. (Figure 16)

Finding #14. A newly popular tool in the CISO's arsenal? Insurance.
Figure 16: Percentage of all survey respondents reporting on the following insurance-related issues. (13)
- Yes, our organization has an insurance policy that protects it from theft or misuse of assets such as electronic data or customer records: 46%
- Yes, we have made a claim: 17%
- Yes, we have collected on a claim: 13%
(13) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey
VI. Regional trends: A changing of the guard

Finding #15
With confidence, persistence and momentum, Asia lines up on the runway to become the new global leader in information security.

Finding #16
With more caution and restraint, and without the same promise of growth that Asia expects, North America idles its engines.

Finding #17
South America presses the gas pedal and the brakes at the same time, while Europe displays a marked lack of direction and urgency.
After chasing North America for several years, Asia now reports higher maturity levels across more capabilities than any other world region.

Pick your metric. Asian respondents point to client requirement as among the leading justifications for security spending in far greater numbers than do those in any other world region. They are more likely to acknowledge that the increased risk environment inherent in current economic conditions has increased the role and importance of the security function. They're singularly more focused on data protections than those in other regions. And they are more progressive at addressing emerging practices, such as employing dedicated security personnel to support internal business departments and implementing security technologies supporting Web 2.0 exchanges.

At the same time, while Asian companies are pursuing comparable strategies to meet their security objectives in the context of harsher economic conditions, they're doing so with significantly more vigor and energy. For example, the enthusiasm with which Asian respondents consider strengthening governance, risk and compliance capabilities to be a top priority, very important or important (75%) stands in marked contrast to the responses from South America (70%), North America (66%) and Europe (56%).

Just a blip in the multiyear trend lines? No. Quite the contrary. Asia has been doggedly plowing significant resources into information security programs for several years.

And Asia has momentum. Asian respondents are much more optimistic that security spending will increase in the months ahead than their regional counterparts worldwide. Soon Asia will lead the world in information security. Next year? The year after? Asia is just picking the runway. (Figures 17 and 18)

Finding #15. With confidence, persistence and momentum, Asia lines up on the runway to become the new global leader in information security.
In acute contrast to Asia's advances in information security, and its more vigorous focus on strategic issues such as alignment of security with the business and the crucial need to protect data, North America has chosen to gear down on its investments in information security over the past year and look after its financial resources.

The writing is on the wall. Most of North America's maturity levels in information security capabilities have remained flat or declined over the past 12 months.

Although few in number, there were some bright spots worth noting. These include North American advances in embracing enterprise security management software and gains in improving the impact that virtualization has had on the information security function.

Remember, though, that the gas in the North American car isn't the same. Where Asian executives point proactively to client requirement as the leading justification for security spending, North American managers look reactively first to legal and regulatory mandates.

That's quite revealing, and perhaps a bit prophetic. In a few years, we may collectively look back on the first decade of this century and agree that in its adolescence, information security responded to a stick (regulation), as evidenced by North American leadership in the function through 2009. But as information security matured into a fully integrated business function with a guaranteed seat at the management table, the carrot proved the primary driver: client requirements and the revenue-enhancing role that security can play when it's truly aligned with the business. And we may well point to Asia's dominance in the function, first manifested in 2009 and 2010, as the first step in a new evolutionary phase for the function. (Figures 17 and 18)

Finding #16. With more caution and restraint, and without the same promise of growth that Asia expects, North America idles its engines.
Unlike Asia, which appears to have almost shrugged off many of the global economy's short-term impacts on information security, South America's focus on the function over the past year has been more volatile, and conflicted. On the one hand, South America stands right behind the Middle East and Africa as the regions most likely to defer security-related initiatives or reduce budgets for capital and operating expenditures, a sign that the flags of financial caution are flying high in these areas of the world. On the other, South Americans nearly rival Asians in their optimism that information security spending will increase over the next 12 months.

At the same time, in a year when every other global region is posting double-digit gains in concern that business partners and suppliers have been weakened by economic conditions, South America's anxiety on this point has actually declined. That's a worrisome sign given, for example, that only 28% of South Americans say their organization conducts due diligence of third parties handling the personal data of customers and employees.

In Europe, the focus on information security is far more muted. Europe now trails other regions in maturity across most security capabilities. Although it is pursuing comparable strategies in addressing the impacts of the economic conditions, such as prioritizing security investments based on risk, it is doing so at a much lower level of commitment than its regional counterparts elsewhere in the world. Like North America, Europe continues to suffer poor visibility into security events and, as a result, may be unaware of the true impact of events on the business. And while 68% of European respondents say their organization places a high level of importance on protecting sensitive customer information, the responses from other global regions (Asia, 80%; North America, 80%; South America, 76%) reflect more conviction, direction and urgency. (Figures 17 and 18)

Finding #17. South America presses the gas pedal and the brakes at the same time, while Europe displays a marked lack of direction and urgency.
Figure 17: Differences in regional information security practices. (14)
(14) Not all factors shown. Does not add up to 100%. Respondents were allowed to indicate multiple factors.
Source: The 2011 Global State of Information Security Survey

Columns: Asia | North America | South America | Europe
A leading driver of security spending: Economic conditions                     53% | 55% | 51% | 41%
A leading driver of security spending: Business continuity                     50% | 42% | 35% | 29%
A leading driver of security spending: Company reputation                      41% | 33% | 37% | 28%
One of the leading justifications for security: Legal/regulatory requirement   45% | 55% | 35% | 35%
One of the leading justifications for security: Potential liability/exposure   45% | 50% | 32% | 25%
One of the leading justifications for security: Client requirement             52% | 37% | 39% | 29%
Security spending will increase or stay the same                               86% | 71% | 81% | 68%
View protecting sensitive customer information important/extremely important   80% | 80% | 76% | 68%
Use enterprise security management software                                    49% | 42% | 41% | 34%
Have accurate inventory of where sensitive data is stored                      42% | 40% | 33% | 24%
Have an overall information security strategy                                  68% | 73% | 58% | 60%
Have established security baselines for partners and customers                 46% | 55% | 47% | 39%
Have dedicated security personnel supporting internal business departments     56% | 45% | 51% | 38%
Have handheld/portable device security standards                               52% | 47% | 41% | 36%
Encrypt removable media                                                        59% | 44% | 53% | 43%
Use tools to discover unauthorized devices                                     56% | 56% | 52% | 45%
Use data leakage prevention (DLP) tools                                        50% | 46% | 41% | 40%
Have security technologies supporting Web 2.0 exchanges                        48% | 36% | 43% | 32%
Number of security incidents in the past 12 months: Unknown                    14% | 37% | 19% | 29%
Type of security incidents: Unknown                                            22% | 43% | 35% | 40%
Likely source of incidents: Unknown                                            26% | 44% | 31% | 41%
Business impacts of security incidents: Financial losses                       49% | 39% | 45% | 32%
Business impacts of security incidents: Intellectual property theft            35% | 35% | 29% | 29%
Business impacts of security incidents: Brand/reputation compromised           35% | 32% | 22% | 28%
Conduct enterprise risk assessment at least twice a year                       41% | 28% | 42% | 33%
Continuously prioritize information assets according to their risk level       24% | 16% | 20% | 16%
Have a centralized security information management process                     52% | 57% | 44% | 40%
Figure 18: Differences among regional perceptions of the impacts of the economic downturn on the information security function. (15)
(15) Respondents who answered either agree or strongly agree.
Source: The 2011 Global State of Information Security Survey

Columns: Asia | North America | South America | Europe
Increased risk environment has elevated the role and importance of the information security function   65% | 53% | 56% | 45%
The regulatory environment has become more complex and burdensome                                      62% | 58% | 52% | 50%
Cost reduction efforts make adequate security more difficult to achieve                                53% | 53% | 55% | 43%
Our business partners have been weakened by the downturn                                               57% | 54% | 48% | 48%
Our suppliers have been weakened by the downturn                                                       55% | 52% | 46% | 46%
Risks to the company's data have increased due to employee layoffs                                     46% | 39% | 43% | 38%
Threats to the security of our information assets have increased                                       48% | 50% | 41% | 33%
What this means for your business

Learn from the downturn. And make crucial changes. But also be among the first to face forward.
It's an uncertain year, and security hangs in the balance. On the one hand, the flags of caution are prominent:
- Tight fiscal discipline and spending constraints
- A focus on preserving cash, although some key security processes are beginning to degrade
- Fewer incidents, but increasingly higher negative impacts to the business
- Emerging new areas of risk and the greater possibility, relative to last year, that the security function may not be prepared to protect the business

On the other hand, the signs of optimism, and of growing functional maturity, are impossible to miss:
- Emergence from the 2009 economic trial by fire with more respect from the business
- Deeper appreciation of security's value, not only from the C-suite but also from the operational core of the enterprise
- Emergence of client requirement as a growing driver of spending
- New visibility into why events occur, where they come from and what harm they cause, and the highest level of optimism about spending in the last five years

What does this mean for your business? Learn from the downturn. And make crucial changes. But also be the first among your competitors to face forward and strategically position your information security function to support your performance in the years ahead.
Figure 19: It's an uncertain year, and security hangs in the balance. (2011)

Caution:
- Tight fiscal discipline and spending constraints
- A focus on preserving cash, although some key security processes are beginning to degrade
- Fewer incidents, but increasingly higher negative impacts to the business
- Emerging new areas of risk, and the greater possibility, relative to last year, that the security function may not be prepared to protect the business

Optimism:
- Emergence from the 2009 economic trial by fire, with more respect from the business
- Deeper appreciation of security's value, not only from the C-suite, but also from the operational core of the enterprise
- Emergence of client requirement as a growing driver of spending
- New visibility into why events occur, where they come from and what harm they cause, and the highest level of optimism about spending in the last five years
This publication is printed on Mohawk Options PC. It is a Forest Stewardship Council (FSC) certified stock using 100% post-consumer waste (PCW) fiber and manufactured with renewable, non-polluting wind-generated electricity.
Recycled paper
For more information, please contact:
Gary Loveland
Principal, National Security Leader
949.437.5380
gary.loveland@us.pwc.com
Mark Lobel
Principal
646.471.5731
mark.a.lobel@us.pwc.com
or visit:
www.pwc.com/giss2011