According to a new study, many areas previously seen as behind the times in security -- South America and Asia, for example -- have made great strides overall. Europe seems to be in a definite security slump, which is interesting given the strength of that area's privacy laws. And, surprise, there's a real gap in alignment between IT and business.
PricewaterhouseCoopers, together with CIO and CSO magazines, released a study on the current state of information security. After surveying more than 7,000 CEOs, CFOs, CIOs, CSOs, and assorted IT executives, they found that companies are putting more money into virtually every area of security. Unfortunately, investment in software and services alone doesn't necessarily do the job: over 30 percent of the respondents "cannot answer basic questions about the risks to their company's key information." The result is a misalignment between executive perception and what actually needs to be done.
The irony here is that for years the general perception has been that IT doesn't understand business and, therefore, isn't effective. But in information security, technology often has to take the lead, and that requires an understanding of which data is most important to protect. Unfortunately, the top security executives don't perceive company needs the way the rest of the executive team does.
This lack of mutual understanding manifests in some pretty strange ways. For example, CISOs (chief information security officers, in case you hadn't seen that particular acronym before) focus quite a bit on regulatory compliance. Given all the talk you hear from executives about the pain and importance of compliance, you'd think that would be one place where IT and business could agree. But no. The CEO, CFO, and CIO generally say that business continuity and disaster recovery should be the main factor driving information security spending.
It seems a little dangerous for a company to pick one over the other. Business continuity is critical, but it shouldn't trump compliance, which carries serious repercussions of its own; a sound program has to fund both. Clearly anyone selling technology into that space faces a huge barrier, both in the lack of business alignment and in the amount of education that might be necessary.
This missing alignment, combined with more basic problems like not knowing where the most important data is actually located (for 71 percent of the respondents, that data is employee or customer personal information), means that the double-digit percentage gains in deploying security technology often turn into spending without significant return. How can you protect something if you don't know where it is? Many executives are clueless about basic security facts:
- 35 percent didn't know the number of security events their companies faced over the last 12 months
- 44 percent couldn't say what type of incidents posed the greatest threats to their businesses
- 42 percent couldn't pinpoint whether the source of incidents was an employee or former employee, customer, partner or supplier, or hacker
An interesting note is that Europe, which used to be on a par with the US, has slipped. Part of the reason, supposedly, is lower participation from countries such as France and the U.K., where security is more developed. But even allowing for that, the Europeans have fallen behind. South America is likely to surpass Europe in information security within the next two years.
Security fence image via Stock.Xchng user dlritter, standard site license.