What best practices in information security are being employed by organizations that have a high degree of confidence in their security measures? The second annual Global State of Information Security study, undertaken in 2004 by CIO and CSO magazine, in partnership with PricewaterhouseCoopers LLP, endeavored to find out. It gathered responses from senior executives in 62 countries, including IT and security executives, comparing the results of those who indicated high confidence in their security measures with those who did not. Here are some of the key findings:
– Best practice organizations have adopted a long-term view of security investments rather than a shorter-term, one-fiscal-year-at-a-time planning cycle, which is evident in more consistent investment year to year.
– Best practice companies were more apt to integrate corporate and IT security and more frequently had the senior security executive report to a CSO or security committee rather than to the CIO. Additionally, best practice companies engaged both business units and IT in security issues and decisions. This has contributed to greater alignment and increased commitment from management, with the best practice organizations experiencing greater alignment of security objectives and spending with business objectives.
– Best practice organizations have adopted long-term, risk-based security strategies more so than their counterparts. The greatest barriers to good security — limited budget, limited staff — were common to the best practice group as well as the overall group. However, lack of time to focus on security was much less of a factor for the best practice group.
– The best practice group reported that a higher percentage of the overall IT budget is allocated to information security — 14 percent compared to 11 percent for other respondents. The best practice group is not planning to increase spending any more than are the rest of the survey respondents, indicating that their spending is more continuous and consistent year to year, not an ‘all or nothing’ approach to security investment.
– Best practice organizations dedicate more full-time security staff to information security than their counterparts, reporting 20 full-time security equivalents per 1,000 employees compared to 14 per 1,000 in other organizations.
– The best practice group more frequently increased the integration of their corporate and information security personnel, with 38 percent reporting that personnel were integrated compared to 26 percent of the overall respondents. Half of the overall group said their physical security and information security were separate departments, compared to only 37 percent of the best practice group.
– 68 percent of best practice organizations actively engage both business and IT decision-makers in addressing information security issues versus 56 percent of the overall survey base. The best practice group has been more effective in obtaining top management’s commitment and support for security initiatives than their peers, with 51 percent reporting that they have top management support, compared to 37 percent of the overall respondents.
– The best practice group has invested greater effort than the others in developing strategies, including an information security strategy (69 percent vs. 56 percent), a security architecture strategy (66 percent vs. 50 percent), an identity management strategy (47 percent vs. 31 percent), a threat and vulnerability strategy (62 percent vs. 44 percent) and a security crisis and incident response strategy (55 percent vs. 38 percent). Additionally, the best practice group more frequently prioritizes data and information assets according to their risk level, with 42 percent of best practice organizations reporting that they do this continually compared to 21 percent of the overall survey base.
– The best practice group is ahead of the overall group in terms of implementing technologies and procedures to secure their company’s information assets. Some of the stand-out areas include implementing a centralized security information management system (56 percent vs. 39 percent) and the deployment of encryption technology (55 percent vs. 40 percent), including both the encryption of transmitted data (68 percent vs. 55 percent) and the encryption of stored data (45 percent vs. 31 percent).