The study, the largest of its kind, is conducted by PricewaterhouseCoopers (PwC) in conjunction with CIO and CSO magazines. More than 7,200 executives from 130 countries across all industries were asked about their information security expectations. The results demonstrate that global leaders appear to be "protecting" the information function from budget cuts but at the same time are placing it under intensive pressure to "perform."
"The increased risk environment has visibly elevated the role and importance of the information security function to the entire business organization," said Mark Lobel, an Advisory principal at PricewaterhouseCoopers. "After years of misalignment, business and IT leaders seem to be starting to think like each other. This year, as we move from 2009 to 2010, may turn out to be a high-stakes 'coming of age'."
- This year, fewer financial services respondents predict spending will increase (40% in 2009; 46% in 2008) yet two- thirds (64%) expect spending to either increase or stay the same.
- For the first time in the seven year history of this survey, the majority of metrics used to track advances in security-related capabilities across all major security domains, including strategy, structure, people, process and technology have, by and large, for the financial services industry, not improved.
- Seventy-five percent (75%) of financial services respondents have an overall information security strategy in place, compared to 74% in 2008. - Fifty-nine percent (59%) of financial services respondents report they conduct threat and vulnerability assessments (unchanged from 2008).
- Also unchanged from 2008, 61% of financial services respondents require employees to complete training on privacy policies/practices.
"It's hard to avoid the conclusion that the economic 'freight train' has impacted financial services companies more than those in any other industry and largely stopped the global financial services industry's multi-year investment in security capabilities effectively, if temporarily this year, 'in its tracks'," points out Lobel.
- A key priority this year will be addressing a global trend in stiffer requirements for breach notification and specific technical controls.
- More than six out of 10 provider respondents (61%) report that their organization does not have an incident response policy to report and handle breaches with third parties handling data.
- As many countries address the security implications of electronic health record policies, U.S. providers need to address the HITECH Act. On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA"). Part of the ARRA, the HITECH Act strengthens and expands the scope of the HIPAA privacy and security rules.
- As complexity and regulation increase within the industry with heightened penalties and disclosure requirements for breaches and missteps U.S. providers will need to understand the financial and operational implications for their organization.
- Reported incident type levels have declined across all elements, except one: the exploitation of data is now the leading type of incident.
- Utility companies have advanced their security and privacy capabilities in the past year in areas including strategy, security leadership, privacy-related assessments, and integration.
- Today a new generation of government employees is accessing social networks from work in great numbers, often without the knowledge of the IT department―and in circumvention of the traditional countermeasures employed by many. Some organizations have moved quickly to close this gap but most need to do more. Only 35% of government agencies have security technologies in place that support Web 2.0 exchanges.
- In the U.S., advancing cyber security and private/public partnerships are additional emerging priorities.
While the "full damage report" for 2009 is not yet clear, the survey finds that business impacts such as financial losses, compromises to brand or reputation, and loss of shareholder value, have increased.