Survey Reveals Security Insights from C-level Executives

CEOs more confident than other C-level executives about breach protection

Results of a new study, The Business Case for Data Protection, conducted by Ponemon Institute, examine senior executives' opinions about the value of corporate data protection efforts within their organizations. In light of the tough economy, those responsible for protecting data need to understand how the organization's decision makers "view the importance of safeguarding sensitive and confidential information," the study says.

Although the survey found that C-level executives "believe good data protection practices can support important organizational goals such as compliance, reputation management, and customer trust," it also found that "the majority of respondents are not confident in their ability to safeguard sensitive and confidential information." As a result, these executives understand the importance of security initiatives, including "developing a data protection strategy; training employees, temporary employees, and contractors to safeguard sensitive data; and reducing potential security flaws within business-critical applications."

CEOs do understand how data protection is part of meeting organizational goals (for example, they tend to believe that data protection increases corporate value) and believe their organizations successfully prevent data loss or theft. However, other C-level executives don't share this optimistic outlook. The survey found that 82 percent say their organization has experienced a data breach (94 percent say their data has been attacked within the previous 6 months). Many aren't confident their organization can prevent future breaches.

The biggest challenge: securing consumer and business customer data. Intellectual property and employee information are easier to protect from loss or theft. During the last six months, more than half (51 percent) report daily, hourly, or more frequent attacks on their data; 6 percent say their data is never attacked.

Respondents working for companies with a dedicated privacy leader (CPO) are more confident their organization won't suffer a data breach. Those working in companies with a dedicated information security leader (CISO) are less confident that they will avoid a future data breach.

The study found that 79 percent of respondents say "that one person is considered to be in charge of data protection and that person is considered by most to be the CIO, especially by the CEO. The CISO and CPO follow closely as being in charge of data protection. Very few have a chief data protection officer." When serious data breaches do occur, the person responsible for data protection isn't held accountable: 85 percent don't believe "a failure to stop a data breach under their watch would put their job in jeopardy."

The good news, in these tight economic times, is that C-level executives believe data protection programs have a high return on their investments. "C-level executives believe the cost savings from investing in a data protection program of $16 million is substantially higher than the extrapolated value of data protection spending of $3.7 million. This suggests a very healthy ROI for data protection programs," the study reveals.

The survey, sponsored by Ounce Labs, can be downloaded at www.ouncelabs.com/PonemonStudy2009 (short registration required).