
Best Practices: The 2004 Global Information Security Survey

By Scott Berinato

CSO, September 01, 2004. "It is a capital mistake," Sherlock Holmes told Watson, "to theorize before one has data. One begins to twist facts to suit theories, instead of theories to suit facts."

Not to worry, Holmes. We have a passel of data. For the second consecutive year, CSO, CIO (our sister publication) and PricewaterhouseCoopers teamed up to deconstruct information security through the largest security research project ever done: the "2004 Global Information Security Survey," with 8,100 respondents from 62 countries on six continents.

In our 2003 survey (to see the 2003 survey, go to www.csoonline.com/printlinks), we noted that the infosecurity discipline had grown but had not really improved. This year, we found that the security function didn't really grow but did, in fact, improve, at least incrementally. For example:

• Despite flat levels of spending, few new human resources being devoted to infosecurity, and the fact that the number of breaches was slightly up from last year, those breaches caused less downtime and cost less when they did occur. We believe this means that incidents are being better managed.

• More companies (although still far from a majority) have created an executive-level security presence, and more have included risk management, audit and other non-IT elements in their security governance.

• Last year's barriers to good security, budgets and time, were still cited this year as the most common obstacles, although fewer companies said those issues prevented them from getting the job done.

That's progress, and that's the good news. There is, of course, bad news. For example:

• Information security professionals in large part did not execute this year what they said last year were their top strategic priorities.

• Negative factors (such as fear of litigation) remain the primary drivers of security spending. Positive factors (such as contributing to business objectives) were less common.

• The attitude among security professionals toward critical infrastructure, regulation and working with the authorities after incidents can best be described as laissez-faire, maybe even lackadaisical.

As fond as the IT industry is of declaring revolutions, the information security part of IT resists such drama. This year's data reinforces the view that security remains a discipline, adapting itself over time to a harsh environment of threats and vulnerabilities.

On the following pages we will offer selected perspectives on that evolution, starting with a set of best practices gleaned from our respondents.

Now that you have the data, it would be a capital mistake not to tailor your theories to suit the facts.

I. The Best Practices Group and the Virtuous Cycle
