Companies Miss Strategic Security Focus, PricewaterhouseCoopers Says

The problem: how to support an "always on" environment.

The carrot-and-stick technique still drives security at today's companies, according to a new survey from PricewaterhouseCoopers (PwC) and CIO Magazine. The survey found that external factors such as government regulations and industry pressure, rather than internal risk assessment, are the primary drivers of a company's security approach.

The study, “The State of Information Security 2003,” surveyed more than 7,500 executives worldwide. PwC says it is likely the largest security survey in the world.

First, the bad news. “Companies are not defining their security problems correctly,” says Joe Duffy, global leader of the security and privacy practice at PwC. “The problem is not with user identities, viruses, or patches. The problem is how to support an ‘always on’ environment. It's about productivity, operational resilience, fault tolerance, and the ability of customers to get what they want when they want it.”

So when it comes to security, companies still have a long way to go. “One-third or less [of respondents] said they've got monitoring standards, enforcement standards, incident response, or are classifying the value of their data; 10 percent of those surveyed said they have no formal security policy whatsoever, and few companies are including partners and suppliers in their policy,” says Mark Lobel, senior manager in the PwC security and privacy services group.

The problem today, says Lobel, is that since 9/11 companies have been in a highly reactive mode, investing in technology without thinking about the people and processes needed to act on the information that technology generates. Without all three, security simply won’t function effectively. “You have to be strategic and fix [that] dam; that's what we're just starting to see with this year's survey. People have stopped using fingers and cork and started getting cement—but just barely started.”

Duffy predicts “2004 to be the year companies begin to look at security as a strategic enabler,” since today 42 percent of companies are “investing in measures that are more proactive, and enhancing network security and intrusion detection.”

That’s the good news—companies are starting to “get it,” and security budgets are rising as a result. Lobel notes that of respondents, “45 percent said budgets would increase slightly, 17 percent significantly, and 30 percent stay the same, so that's only 8 percent of the respondents that say security spending will decrease, and that's worldwide.”

Speaking of regulations driving change, another interesting finding is that when it comes to reporting incidents, 41 percent of organizations simply don’t tell anyone. That approach won’t fly as well in the future, warns Lobel. He cites new California legislation (SB 1386, in force since July 2003) that requires any company that does business, or has customers, in the state to warn those customers when it knows or suspects a security breach. “The essence of it is, you're going to have to do something now, you can't bury it.” In addition, he says, Homeland Security and Congress are making more noise about requiring breach disclosures.

Based on the survey results, Lobel has two two-year predictions. The first: “Folks getting their patch management processes in place.” Doing so will require refining the aforementioned people/process/technology trinity. “It's one thing to roll out a patch correctly, it's another thing to just roll out the patch.”

His second prediction is that companies will increasingly adopt “security information management” software to handle the reams of data generated by various devices (firewalls, intrusion detection systems), normalize it, generate reports, and look for signs of attack that no single device sees on its own. Today that market, he says, is fragmented. In the future, “it’s either going to die under its own weight, or consolidate.” He forecasts the latter.
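What that software actually has to do is less mysterious than the product category suggests. The following is an added illustration, not code from the article, from PwC, or from any vendor: it takes log lines from two device types in different formats, normalizes them into one event schema, runs two cross-device correlation rules (a burst of firewall denies from one source, and an IDS alert that follows denies from the same source), and prints a summary. The log formats, device names, signature IDs and the sample lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not real captures): two devices, two formats,
# which is the reconciliation problem a SIM product exists to solve.
FIREWALL_LOGS = [
    "2003-10-12 10:01:03 fw1 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22",
    "2003-10-12 10:01:09 fw1 DENY TCP 203.0.113.7:51235 -> 10.0.0.5:23",
    "2003-10-12 10:01:15 fw1 DENY TCP 203.0.113.7:51236 -> 10.0.0.5:25",
    "2003-10-12 10:01:21 fw1 ALLOW TCP 198.51.100.4:40001 -> 10.0.0.5:80",
    "2003-10-12 10:30:00 fw1 DENY UDP 192.0.2.9:5000 -> 10.0.0.5:161",
]
IDS_LOGS = [  # hypothetical sid values, not a real rule set
    '2003-10-12T10:01:40 ids1 alert sid=1001 msg="SSH brute-force attempt" src=203.0.113.7 dst=10.0.0.5 dport=22',
    '2003-10-12T11:45:00 ids1 alert sid=1002 msg="SNMP public community probe" src=192.0.2.9 dst=10.0.0.5 dport=161',
]


@dataclass(frozen=True)
class Event:
    """Common schema every device's line is normalized into."""
    ts: datetime
    device: str
    kind: str  # "fw_deny", "fw_allow" or "ids_alert"
    src: str
    dst: str
    dport: int
    detail: str


FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) alert sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" '
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_firewall(line):
    """Firewall line -> Event, or None for lines the parser does not understand."""
    m = FW_RE.match(line)
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["dev"],
                 "fw_deny" if m["action"] == "DENY" else "fw_allow",
                 m["src"], m["dst"], int(m["dport"]), f"{m['proto']} {m['action']}")


def parse_ids(line):
    """IDS alert line -> Event, or None if it does not match the expected format."""
    m = IDS_RE.match(line)
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["dev"], "ids_alert",
                 m["src"], m["dst"], int(m["dport"]), f"sid={m['sid']} {m['msg']}")


def normalize(fw_lines, ids_lines):
    """Parse both feeds, drop unparseable lines, and order everything by time."""
    events = [e for e in map(parse_firewall, fw_lines) if e]
    events += [e for e in map(parse_ids, ids_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, deny_threshold=3, window=timedelta(minutes=2)):
    """Two rules that need data from more than one device to fire."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e.kind == "fw_deny"]
        # Rule 1: at least deny_threshold denies from one source inside a sliding window.
        for i, first in enumerate(denies):
            burst = [d for d in denies[i:] if d.ts - first.ts <= window]
            if len(burst) >= deny_threshold:
                findings.append({"rule": "deny_burst", "src": src, "count": len(burst),
                                 "ports": sorted({d.dport for d in burst}), "first": first.ts})
                break
        # Rule 2: an IDS alert preceded by firewall denies from the same source.
        for a in (e for e in evs if e.kind == "ids_alert"):
            prior = [d for d in denies if timedelta(0) <= a.ts - d.ts <= window]
            if prior:
                findings.append({"rule": "ids_confirmed", "src": src, "alert": a.detail,
                                 "prior_denies": len(prior), "at": a.ts})
    return findings


def report(findings):
    """The 'generate reports' half of the job: one line per finding."""
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        if f["rule"] == "deny_burst":
            lines.append(f"- {f['src']}: {f['count']} denies within window from "
                         f"{f['first']:%H:%M:%S}, ports {f['ports']}")
        else:
            lines.append(f"- {f['src']}: IDS '{f['alert']}' at {f['at']:%H:%M:%S} "
                         f"after {f['prior_denies']} firewall denies")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate(normalize(FIREWALL_LOGS, IDS_LOGS))))
```

On the sample data only 203.0.113.7 produces findings: three denies in eighteen seconds trip the burst rule, and the IDS alert 25 seconds later is reported as confirmed by those denies. The SNMP probe from 192.0.2.9 is not correlated because its one firewall deny is 75 minutes earlier than the alert. The thresholds and window are the tuning knobs Lobel's "people and processes" point is really about: someone has to own them and act on what the report says.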

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.