Research

The Global State of Information Security 2006

Some things are getting better slowly but security practices are still immature and, in some cases, they're regressing

By Allan Holmes

September 01, 2006CSO

When it comes to information security, the reflection you see in your morning mirror is probably not that of a sharp, confident, professional IT executive. Rather, that man in the mirror is more likely to look like a gangly, awkward, not-yet-to-be-fully-trusted teenager.

That's what "The Global State of Information Security 2006" survey tells us. In its fourth edition, this largest-of-its-kind survey reveals that global information executives, still relatively new to security's disciplines, are learning and improving but are still prone to risky behaviors—behaviors that could have devastating consequences.

The study by CSO, CIO and PricewaterhouseCoopers (PwC), with 7,791 respondents in 50 countries, indicates that an increasing number of executives (CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security) across all industries and in private- and public-sector organizations continue to make incremental improvements in deploying information security policies and technologies, although the rate of improvement is slower than in previous years. They're becoming more financially independent, with some security budgets increasing at double-digit rates. And they say they're more confident in their level of security, perhaps because their networks have not had a serious virus or worm in the past 12 months.

But teenagers, as any parent knows, live in the moment and have an ability to ignore what they know they should do and do what they know they shouldn't. The survey shows us that most executives with security responsibilities have made little or no progress in implementing strategic security measures that could have prevented many of the security mishaps reported this year. Only 37 percent of respondents said they have an overall security strategy. And they're planning to focus more on tactical fixes than on strategic initiatives, ensuring that in the coming year they will be more reactive than proactive.

What's more, companies continue to do business with insecure organizations. One of the most unsettling findings in this year's study is the sad state of security in India, by a wide margin the world's primary locus for IT outsourcing. Many survey respondents in India admitted to not adhering to the most routine security practices. The problem is obvious, but right now it's apparently easier to ignore than to address.

Harder to ignore is the constant news of large organizations losing laptops packed with unencrypted personal data on millions of customers. Every year we report that such incidents should motivate companies to tighten security, but every year the survey indicates that's not happening. Similarly, even after Hurricane Katrina, which hit the Gulf Coast seven months before we launched our survey, a majority of companies still do not have a business continuity/disaster recovery plan in place, and plans to complete one this year have become less important to security officials than in 2005.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

Taking the Botnet Threat Seriously

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

Simplify your data center with Juniper Networks. View the webcast

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get in Compliance With Government Data Regulations

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Efficient - Flexible - Compliant

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

Secure your virtual and physical environments with the same software

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

5 Steps to Secure Outsourced Application Development