In the latest PwC survey, CEOs, CIOs and CSOs expressed confidence in their organizations' information security strategy, but appear to be over-estimating their capabilities.
Senior executives are confident in their organization's
information security strategy, even when they shouldn't be, according to a
recent survey.
In a survey of 9,600 senior executives, including CEOs,
CIOs, CFOs, and CSOs, a surprising 43 percent said their organization had an
effective security strategy that was being executed proactively, PwC said in a
report released Sept. 15. However, their confidence appears to be misplaced, as
the authors of the 2012 Global State of Information Security Survey found that
only 13 percent of the respondents deserved to be confident in their security
posture.
The survey asked executives to place their
organizations into one of four groups before analyzing their other responses to
determine how accurate that self-assessment was. "Front-runners" were
organizations that had an effective strategy in place and were proactively
executing the plan. "Strategists" got the strategy "right"
but were having difficulty executing the plan, while "Tacticians" got
things done even without having a defined plan. The final group,
"Firefighters," did not have an effective plan and were typically
reacting to threats as they occurred.
"Visibility into when and how the next cyber-threat to
information will emerge is poor, at best," said Mark Lobel, a principal in
PwC's Advisory practice and one of the authors of the report.
More companies are deploying security safeguards, such as
code detection tools and intrusion-prevention tools, than in previous years,
the survey found. Companies are investing in technologies focusing on
prevention, detection and operational Web-related technologies, the report
found.
"Companies now have greater insights than ever before
into the landscape of cyber crime and other security events," Lobel said,
but it may be leading executives to have a false sense of security.
Despite recent high-profile data breaches, the increase in
advanced persistent threats and growing number of malicious attacks, PwC found
that security and privacy capabilities at organizations have declined over the
past three years. Between 2009 and 2011, there were fewer executives who
reported reviewing the privacy policy annually, keeping accurate inventory of
where data was stored, deploying identity management, and developing business
continuity and disaster recovery plans.
Only 16 percent said their organization was addressing advanced
persistent threats, the survey found. APTs are sophisticated attacks that are
hard to detect and lurk in the network for a prolonged period of time stealing
information. APT-related investments also degraded, with fewer executives
reporting in 2011 they were training employees or investing in network access
control software.
As long as the economic climate keeps security budgets
"conservative," organizations may not be as well prepared to confront
these threats, Lobel said. However, it appeared that executives were
"bullish" about security spending, with about half of the respondents
expecting increased budgets over the next 12 months.
Security-related third-party risks are on the rise, the
authors wrote. Surveyed executives estimated that 15 percent of security
breaches hitting their organization were the result of an attack on a
third-party partner or supplier, nearly double the figure reported in 2009. Organizations'
ability to perform due diligence on third parties, enforce privacy requirements
against them and report security breaches involving them appears to have
decreased between 2009 and 2011, according to the report. In 2009, 39 percent of
respondents said their organization required third-party providers to comply with its
privacy policies, but only 29 percent were able to say the same
in 2011.
The survey participants may be more confident than warranted
because they were much more aware of the types of threats out there than they
were in years past, according to the report's authors. Only 9 percent of
respondents were unaware of the frequency, type and number of incidents that
had struck the organization within the past 12 months. In 2007, the number was
closer to 40 percent. Regulatory and compliance requirements such as the
Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley
helped increase awareness, said Lobel.
The "leaders" in security were most likely to work
for an organization that had a chief information security officer and chief
security officer, had an overall information security strategy, regularly
measured and reviewed policies and procedures over the past year and employed
dedicated security personnel to support internal departments, according to the
report. Three out of four of them also expected information security
spending at their companies to increase, the authors found.