BOSTON - Technology security spending may stall but not freeze as the financial meltdown works its way through the economy; cloud computing has security implications that may stall enterprise adoption; and India has not only caught up, but has surpassed the United States in some key areas of technology infrastructure security.
Those conclusions, some based on a yearly study of more than 7,000 business executives and some based on informed opinion, were part of a presentation of the yearly PricewaterhouseCoopers technology security study. The 2008 Global State of Information Security Study represents the 10th year the study has been conducted, and this year spanned 119 countries. The survey was conducted earlier in the year and did not encompass the time period related to the current, ongoing financial crisis.
While the scope of the survey was large, the bottom line is that technology security professionals have to focus on process and strategy as much as, if not more than, the latest product.
"Information security has a reputation of being the cool tool guys," said RBS Chief Information Security Officer James Mignone, who was part of the panel presenting the survey findings. He went on to say that the current environment requires executives who not only can use the latest products but who also can undertake risk assessment at a company.
The exhaustive survey hits many of the current hot buttons on IT security, but while respondents were aware of security issues, the survey results indicated security issues are still a long way from being resolved. For example, while 73 percent of the respondents estimated they are complying with their company's internal security policies, only 44 percent of those responding actually conduct compliance testing and only 43 percent audit or monitor user compliance with security policies. While CISOs cited regulatory compliance as the primary driver for information security spending, the CEO, CFO and CIO respondents cited business continuity and disaster recovery as the primary drivers.
While companies continue to invest heavily in security technology, that investment does not necessarily mean better security.
"This year, respondents trumpet a headlong rush into technology. But these investments don't necessarily mean better security," the report states and backs up the statement with three findings. "(1) It's dramatically clear: One of the highest priorities for companies over the past year has been technology. (2) Many companies, however - if not most - do not know exactly where important data is located. And (3) companies need to focus more acutely on advancing critical processes - and supporting the people that run them."