Many are Defending Future Threats with Yesterday's Strategies, finds PwC, CIO and CSO's The Global State of Information Security® Survey 2014
While information security programs have advanced, few organizations are prepared for tomorrow; New and continually evolving models of information security are needed to keep pace with today's determined adversaries
NEW YORK and FRAMINGHAM, Mass., Sept. 19, 2013 /PRNewswire/ -- Executives have increased security spending and have substantially improved technology safeguards, processes, and strategies. Their adversaries, however, continue to outpace them, according to The Global State of Information Security® Survey 2014 released today by PwC US in conjunction with CIO and CSO magazines.
"Our survey results reveal that while there have been improvements in security at companies today – which is a positive sign – many organizations are lagging their opponents, and this poses significant problems for the future," said Mark Lobel, a PwC Advisory principal focused on cybersecurity. "It is essential that executives actively re-evaluate and update their security strategies and practices on a continual basis to keep pace with today's threat actors. Without an agile approach to information security, organizations will be underprepared for the evolving and increasingly sophisticated attacks that may be more complicated, complex, and damaging."
According to the global survey of more than 9,600 executives, the number of security incidents detected in the past 12 months increased by 25 percent over last year; however, the number of respondents who do not know how many incidents occurred has doubled over the past two years.
"Given today's escalating threats, organizations need to implement new technologies that can continually monitor the network, applications and data for anomalous activity that might indicate a security incident in progress," said Bob Bragdon, publisher of CSO.
Smart phones, tablets, the "bring your own device" (BYOD) trend, and the proliferation of cloud computing have elevated security risks, yet efforts to implement mobile security programs do not show significant gains over last year and continue to trail the increasing use of mobile devices. While 47 percent of respondents use cloud computing—and among those who do, 59 percent say security has improved—only 18 percent include provisions for cloud in their security policy. The survey found that while most respondents have implemented traditional security safeguards (such as VPNs, firewalls, encryption of desktop PCs), they are less likely to have deployed tools that monitor data and networks to provide real-time intelligence about today's risks.
In today's elevated threat landscape, it is critical that organizations rethink their security strategy so that it is integrated with business needs and strategies and is prioritized by top executives. Yet the survey found many respondents have not done so. Collaboration with others to improve security has become a key way to gain knowledge of dynamic threats and vulnerabilities; however, only 50 percent of respondents said they collaborate.
"Integrated security should be a pivotal part of an organization's business agenda and organizational culture – and every employee, supplier and partner should understand and agree to follow your security policy," said David Burg, PwC's Global and U.S. Advisory Cybersecurity Leader. "Building and sustaining a culture of security awareness will also require the full support of top executives, including the CEO and board members. It cannot happen without them."
Respondents say the top three obstacles to improving security are: insufficient capital funding, a lack of vision on how future business needs will impact security, and a lack of leadership from the CEO or Board.
"You can't fight today's threats with yesterday's strategies," said Gary Loveland, a PwC Advisory principal focused on cybersecurity. "What's needed is a new model of information security, one that is driven by knowledge of threats, assets and the motives and targets of potential adversaries."
Insiders, particularly current or former employees, are cited as a source of security incidents by most respondents. And while many believe nation-states cause the most threats, only 4 percent of respondents cited them, whereas 32 percent pinpoint hackers (those who gain unauthorized access to a computer or network to steal information or cause harm) as a source of outsider security incidents.
NOTE TO EDITORS: Please reference the study as "The Global State of Information Security® Survey 2014, a worldwide survey by CIO, CSO and PwC." Source line must include CIO magazine, CSO magazine and PwC. Survey results will be covered in depth in the October issues of CIO magazine and CSO magazine. The coverage will be available online at www.cio.com and www.csoonline.com. Information about the survey will also be available at www.pwc.com/gsiss2014.
METHODOLOGY
The Global State of Information Security® Survey 2014 is a worldwide study by PwC, CIO magazine, and CSO magazine. It was conducted online from February 1, 2013, to April 1, 2013. Readers of CIO and CSO magazines and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in this report are based on the responses of more than 9,600 executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 115 countries. Thirty-six percent of respondents were from North America, 26 percent from Europe, 21 percent from Asia Pacific, 16 percent from South America, and two percent from the Middle East and Africa. The margin of error is less than one percent.
About CIO and CSO Magazines
CIO is the premier content and community resource for information technology executives and leaders thriving and prospering in this fast-paced era of IT transformation in the enterprise. The award-winning CIO portfolio—CIO.com, CIO magazine (launched in 1987), CIO executive programs, CIO custom solutions, CIO Forum on LinkedIn, CIO Executive Council and CIO primary research—provides business technology leaders with analysis and insight on information technology trends and a keen understanding of IT's role in achieving business goals. Additionally, CIO provides opportunities for IT solution providers to reach this executive IT audience. The CIO Executive Council is a professional organization of CIOs created to serve as an unbiased and trusted peer advisory group. CIO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world's leading media, events, and research company. Company information is available at www.idgenterprise.com.
CSO is the premier content and community resource for security decision-makers leading "business risk management" efforts within their organization. For more than a decade, CSO's award-winning Web site (CSOonline.com), publication, executive conferences, custom solutions and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations' employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world's leading media, events and research company. Company information is available at www.idgenterprise.com.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
About PwC's Advisory Practice
PwC's Advisory professionals across consulting, deals and forensics create value for our clients by helping them address their most complex business issues, from strategy through execution. We understand our clients' industries and unique business challenges, and look across the entire organization—focusing on strategy, structure, people, process and technology—to help clients build their next competitive advantage. Our firm's global network of assurance, tax and advisory professionals means that we can bring the right skills and capabilities to help our clients achieve success anywhere around the world. See www.pwc.com/us/consulting for more information or follow us @PwCAdvisory.
About PwC US
PwC US helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms in 158 countries with more than 180,000 people. We're committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US.