In-Depth

Corporate Security Awareness Grows but Funding Lags

Survey shows security managers still face budget battle

• By Mathew Schwartz
• 03/02/2005

Security is getting more attention from top executives.

In fact, according to a new survey, overall corporate awareness of security, and investments and organizational initiatives designed to foster better information security practices, are increasing. For example, the chief security officer position is considered “senior level” at 44 percent of companies now, as opposed to 39 percent in 2003. In addition, 73 percent of security officials say they’re better prepared against cyber-attacks than they were one year ago, which speaks to improved funding and high-level support.

Those results come from a survey of 850 members of the Information Systems Security Association (ISSA), conducted by Penn, Schoen, and Berland Associates Inc. The survey was co-sponsored by the ISSA and the Business Software Alliance (BSA).

Based on the results, “Cyber security has been recognized as a top priority [in] both the public and private sector,” notes David Cullinane, president of ISSA. Even so, “we must continue to work with governments and businesses on an international level to improve our security.

In general, the larger the company, the better both the awareness and preparedness. According to the survey, “respondents at companies with more than 1,000 employees and more than $500 million in revenue are more likely to say their companies are prepared,” compared with smaller organizations.

Even so, “with an increase in global online vulnerabilities, it is imperative for companies to continue to elevate the issue to the highest levels within their organizations,” notes Robert Holleyman, BSA’s president and CEO. “When they do, nine out of 10 report the financial resources to have followed, enabling investments in new, more secure technologies, more secure networks, better processes and better trained personnel.”

More Policies, More Monitoring

While less than half of companies consider the head of information security to be an executive-level position, awareness of security is at least improving. All told, 91 percent of organizations now have an information security officer, and 55 percent have a privacy officer. At three-quarters of organizations with both positions, the two roles are separate and distinct.

More organizations are also highlighting the importance of information security. About 90 percent of all companies have formal information-security policies, up from 72 percent a year ago, and 78 percent of companies have a formal information-security program. Roughly nine in 10 also now employ-access controls to restrict access to sensitive applications.

Beyond access controls, organizations are increasing their deployments in other security technologies. The number of companies deploying laptop firewalls, for example, grew from 44 percent in 2003 to 51 percent in 2003, and 88 percent of companies now filter e-mail, up from 74 percent in 2003.

Monitoring of employees is also on the rise. For example, 70 percent of companies monitor employees’ Web use, and 36 percent survey instant messages. Roughly half of all companies also monitor both internal and Web-based e-mail sessions conducted on corporate PCs. All of those numbers increased from 2003.

The increased attention to security is paying off. Companies in North American say they’re better prepared and less scared of the effects of an attack, with 37 percent saying information security spending will stay the same; 38 percent plan to increase spending. In other regions, however, companies aren’t as optimistic about attacks, and 45 percent of companies expect to increase their information security budgets this year.

Funding, Training Lag

Overall, however, spending on security-related education appears to lag. Only 19 percent of respondents characterize their company’s employees as adequately trained in security rules and regulations.

In general, security managers often cite a difficulty in getting executive-level funding for strategic security implementations, instead of just cleaning up after the latest virus or worm of the month. That holds true here, with respondents saying their primary challenge is budget availability, followed by senior management support.

Organizations in regulated industries say those regulations have also been driving security spending. About 60 percent of survey respondents note Sarbanes-Oxley’s section 302 (which requires CEOs and CFOs to sign off on internal controls) and section 404 (requiring an internal controls assessment) are directly driving spending. In fact such regulations make their company more secure, say 44 percent of companies, up from 33 percent in 2003. In other words, don’t stop now: 53 percent of respondents say passing similar such laws in the future would help, while 30 percent disagree.

Related Articles:

Security Spending Trends for 2005
http://www.esj.com/Security/article.aspx?EditorialsID=1248

Blame Unusable Security, Not Users
http://www.esj.com/security/article.aspx?EditorialsID=1182