Organizations Over-Confident About Security Strategy: Survey

In the latest PwC survey, CEOs, CIOs and CSOs expressed confidence in their organizations' information security strategy, but appear to be over-estimating their capabilities.

Senior executives are confident in their organization's information security strategy, even when they shouldn't be, according to a recent survey.

In a survey of 9,600 senior executives, including CEOs, CIOs, CFOs, and CSOs, a surprising 43 percent said their organization had an effective security strategy that was being executed proactively, PwC said in a report released Sept. 15. However, their confidence appears to be misplaced, as the authors of the 2012 Global State of Information Security Survey found that only 13 percent of the respondents deserved to be confident in their security posture.

The survey asked executives to place their organizations in one of four groups, then analyzed their other responses to determine how accurate that self-assessment was. "Front-runners" had an effective strategy in place and were proactively executing it. "Strategists" got the strategy "right" but were having difficulty executing it, while "Tacticians" got things done without a defined plan. The final group, "Firefighters," had no effective plan and were typically reacting to threats as they occurred.

"Visibility into when and how the next cyber-threat to information will emerge is poor, at best," said Mark Lobel, a principal in PwC's Advisory practice and one of the authors of the report.

More companies are deploying security safeguards, such as malicious-code detection tools and intrusion-prevention tools, than in previous years, the survey found. Investment is concentrated in technologies for prevention, detection and the operational security of Web-facing systems, the report found.

"Companies now have greater insights than ever before into the landscape of cyber crime and other security events," Lobel said, but it may be leading executives to have a false sense of security.

Despite recent high-profile data breaches, the increase in advanced persistent threats and a growing number of malicious attacks, PwC found that organizations' security and privacy capabilities have declined over the past three years. Between 2009 and 2011, fewer executives reported reviewing their privacy policy annually, keeping an accurate inventory of where data was stored, deploying identity management, or developing business continuity and disaster recovery plans.

Only 16 percent said their firm was addressing advanced persistent threats, the survey found. APTs are sophisticated, targeted intrusions that are hard to detect and that maintain a covert presence in the network for a prolonged period while stealing information. APT-related investment also declined, with fewer executives reporting in 2011 that they were training employees or investing in network access control software.

As long as the economic climate keeps security budgets "conservative," organizations may not be as well prepared to confront these threats, Lobel said. Executives nonetheless appeared "bullish" about security spending, with about half of the respondents expecting increased budgets over the next 12 months.

Security-related third-party risks are on the rise, the authors wrote. Surveyed executives estimated that 15 percent of the security breaches hitting their organization resulted from an attack on a third-party partner or supplier, nearly double the figure for 2009. At the same time, organizations' ability to perform due diligence on third parties, enforce privacy requirements on them and report security breaches involving them appears to have decreased between 2009 and 2011, according to the report. In 2009, 39 percent of respondents said their firm required third-party providers to comply with the organization's privacy policies; only 29 percent could say the same in 2011.

The survey participants may be more confident than warranted because they are far more aware of the threats they face than in years past, according to the report's authors. Only 9 percent of respondents were unaware of the frequency, type and number of incidents that had struck their organization within the past 12 months; in 2007 the figure was closer to 40 percent. Regulatory and compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley helped increase that awareness, Lobel said.

The "leaders" in security were most likely to work for an organization that had both a chief information security officer and a chief security officer, had an overall information security strategy, had regularly measured and reviewed its policies and procedures over the past year, and employed dedicated security personnel to support internal departments, according to the report. Three out of four of them also expected information security spending at their companies to increase, the authors found.