BOSTON-Technology security spending may stall but not freeze as the financial meltdown works its way through the economy; cloud computing has security implications that may stall enterprise adoption; and India has not only caught up, but has surpassed the United States in some key areas of technology infrastructure security.
Those conclusions-some based on a yearly study of more than 7,000 business executives and some based on informed opinion-were part of a presentation of the yearly PriceWaterhouseCoopers technology security study. The 2008 Global State of Information Security Study represents the 10th year the study has been conducted, and this year spanned 119 countries. The survey was conducted earlier in the year and did not encompass the time period related to the current, ongoing financial crisis.
While the scope of the survey was large, the bottom line is that technology security professionals have to focus on process and strategy as much, if not more, than the latest product.
“Information security has a reputation of being the cool tool guys,” said RBS Chief Information Security Officer James Mignone, who was part of the panel presenting the survey findings. He went on to say that the current environment requires executives who not only can use the latest products but who also can undertake risk assessment at a company.
The exhaustive survey hits many of the current hot buttons on IT security, but while respondents were aware of security issues, the survey results indicated security issues are still a long way from being resolved. For example, while 73 percent of the respondents estimated they are complying with their company’s internal security policies, only 44 percent of those responding actually conduct compliance testing and only 43 percent audit or monitor user compliance with security policies. While CISOs cited regulatory compliance as the primary driver for information security spending, the CEO, CFO and CIO respondents cited business continuity and disaster recovery as the primary drivers.
While companies continue to invest heavily in security technology, that investment does not necessarily mean better security.
“This year, respondents trumpet a headlong rush into technology. But these investments don’t necessarily mean better security,” the report states and backs up the statement with three findings. “(1) It’s dramatically clear: One of the highest priorities for companies over the past year has been technology. (2) Many companies, however-if not most-do not know exactly where important data is located. And (3) companies need to focus more acutely on advancing critical processes-and supporting the people that run them.”
India Sees Rapid Security Advances
While many of the study’s findings reflected a continuation of previous trends, it also showed the rapid advances in security in India. “Perhaps the most dramatic and compelling highlights of this year’s survey are the breadth and depth of India’s advances across almost every security domain. Last year, 65% of Indian respondents reported that their organization planned to increase security spending in 2008-compared to 44%, the global average-and clearly they have,” the report states.
The report continues, “As a result of this investment blitz, India’s security capabilities now surpass those in almost every country in the world. Indian respondents are more likely than those in the U.S., U.K. and Australia, for example, to report that their company has an information security strategy in place.”
Asked to comment on how he sees the current security spending environment in light of the ongoing worldwide economic difficulties, Mignone said, “In uncertain times, every single dollar is being looked at, but security is so fundamental, there will be security spending, but it will be very carefully tied to a clear benefit. I think there will be a pullback, but [security spending] will not totally dry up.”
The development of cloud-based, or hosted application, computing drew less enthusiasm from the panel, who noted that regulatory rules concerning where data is kept and how it is maintained can contradict the technology design of cloud computing, where data can exist with no fixed location.
“Cloud computing is a nightmare,” said Robert Bragdon, the publisher of CSO magazine and a co-sponsor of the security study.
While the cloud might be a nightmare, “[cloud computing] will happen anyways,” said Gerard Verweij, CIO of the advisory council for PriceWaterhouseCoopers.