The 9th annual survey of more than 9,600 security executives from 138 countries found that 72 percent of respondents report confidence in the effectiveness of their organization's information security activities - however confidence has declined markedly since 2006. The findings of the survey have helped carve a new definition of an information security leader. Even though 43 percent see themselves as "front-runners," according to the survey only 13 percent made the "leader" cut. Those identified as leaders have an overall information security strategy in place, a CIO or executive equivalent who reports to the "top of the house," measured and reviewed security policy effectiveness, and an understanding of the security breaches facing the organization in the past year.
"Companies now have greater insights than ever before into the landscape of cyber crime and other security events - and they're translating this information into investments specifically focused on three areas: prevention, detection and operational web-related technologies," said Mark Lobel, a principal in PwC's Advisory practice. "Just a few years ago, almost half of this survey's respondents couldn't answer the most basic questions about the nature of security-related breaches; now approximately 80 percent or more of respondents can provide specific information about the frequency, type and source of security breaches their organizations faced this year."
Since 2007, there has been a dramatic leap in organizations' awareness and insight into the types and frequency of attacks, particularly in the industries of aerospace & defense, financial services, technology, telecom and the public sector.
"After three years of cutting information security budgets and deferring security-related initiatives, respondents are bullish about security spending. What is evident, however, is that many of the vulnerabilities that began emerging last year -- two years after the global economic downturn -- are still present and require attention," said Mr. Lobel.
This year, a significant percentage of respondents across industries agreed that one of the most dangerous cyber threats is an Advanced Persistent Threat (APT) attack. A number of survey respondents found that the threat of an APT is driving their organization's security spending. These included 64 percent of respondents from the industrial manufacturing sector, 60 percent of technology respondents, 49 percent of entertainment and media respondents and utilities respondents, 45 percent of financial services respondents and 43 percent of consumer products and retail respondents. Only 16 percent of respondents say their organizations are prepared and have security policies that are able to confront an APT.
"As Advanced Persistent Threats and other cyber security challenges continue to emerge and the funding climate remains conservative, it's impossible to avoid the conclusion that business and IT personnel across the world are less sure that their organization is prepared to confront these threats to their information, operations and brand," added Mr. Lobel.
According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten respondents report that their organization uses cloud computing: 69 percent for software-as-a-service, 47 percent for infrastructure-as-a-service and 33 percent for platform-as-a-service. Fifty-four percent of organizations say that cloud technologies have improved security, while 23 percent say they have increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies.
Mobile devices and social media represent a significant new line of risk - and a demand for prevention. Organizations are beginning to amplify their efforts to prevent mobile and social media based attacks. Forty-three percent of respondents have a security strategy for employee use of personal devices, 37 percent have a security strategy for mobile devices and 32 percent have a security strategy for social media.
Increased awareness of attacks may correlate with organizations mobilizing in certain areas of IT spending. Investments in application firewalls increased from 72 percent last year to 80 percent this year and malicious code detection tools have increased 11 percentage points--from 72 percent last year to 83 percent this year.
Managing security-related risks associated with partners, vendors and suppliers has always been an issue - according to this year's survey it is getting worse. Seventeen percent of respondents identify customers as the source of security breaches, up slightly from last year (12 percent) and 15 percent have identified partners or suppliers as the source.
"For years the most commonly suspected source of breaches has been employees, both current and former - and this has remained constant," commented Mr. Lobel.
Asia spearheads investments and strategy while the world's information security arsenals age
For several years, Asia has been firing up its investments in security. This year's results reveal just how far the region has advanced its capabilities. The number of Asian respondents who expect security funding to increase over the next 12 months has leapt from 53 percent in 2009 to 74 percent this year - an expectation rate far higher than any other region. Meanwhile, growth expectancies in North America continue to lag behind.
"In sharp contrast to the trends evident in Asia, North America's long-term track record of advances in information security have begun to erode," said Bob Bragdon, publisher of CSO. "There are a few signs of new strength to be sure, especially with respect to some detection, prevention and web-related technologies. Adoption rates for malicious code detection tools, for example, surged from 78 percent in 2009 to 86 percent this year. Yet for the second year in a row, many of North America's capabilities appear to be slipping, particularly in areas of strategy, identity management and access control, data protection, third-party security and even security-related compliance capabilities."
According to the survey, South American organizations are more likely today than in 2009 to have a CISO at the helm and have an overall information security strategy in place. South Americans reported a tremendous decline in confidence in the effectiveness of their organization's information security (71 percent vs. 89 percent in 2009) and in that of their partners and suppliers (70 percent vs. 86 percent in 2009).
To learn more about the survey, including industry specific highlights and further regional information, please visit: www.pwc.com/giss2012.
METHODOLOGY
The 2012 Global State of Information Security Survey is a worldwide security survey by PwC, CIO Magazine and CSO Magazine. It was conducted online between February 10 and April 18, 2011. Readers of CIO and CSO Magazines and clients of PwC from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 138 countries. Twenty-nine percent (29%) of respondents were from North America, 26% from Europe, 21% from South America, 20% from Asia, and 3% from the Middle East and South Africa. The margin of error is less than 1%.
NOTE TO EDITORS: Please reference the study as "The 2012 Global State of Information Security Survey, a worldwide survey by CIO, CSO and PwC." Source line must include CIO magazine, CSO magazine and PwC. Survey results will be covered in depth in the September 15th issue of CIO magazine and the October issue of CSO magazine. The coverage will be available online at www.cio.com and www.csoonline.com. Information about the survey will also be available at www.pwc.com/giss2012.
About CIO and CSO Magazines
CIO and CSO magazines are published by IDG Enterprise, producer of award-winning media properties, executive programs and the CIO Executive Council for corporate officers who use technology and security to thrive and prosper in this new era of business. The CIO portfolio includes CIO.com, CIO magazine (launched in 1987), CIO Executive Programs and the CIO Executive Council. CIO properties provide business technology leaders with analysis and insight on information technology trends and a keen understanding of IT's role in achieving business goals. The U.S. edition of the magazine and website are recipients of more than