The threats and challenges you face have not changed much in the past year, but you are finding a better recipe for protecting your corporate data and networks, according to our eighth annual Global Information Security Survey. "There is a real sense of tension in this year's numbers; a sense that with the change in the economy there has been a resetting of expectations," says Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers (PwC), which conducted the study on behalf of CIO and CSO.
Of the 12,847 business and technology executives surveyed worldwide — including more than 100 in New Zealand — 67 percent felt that security procedures that help your organisation minimise risk were a key priority. But you realise you must make do with more targeted spending on technology and bring in outside security expertise to manage what your IT staff can't. Here is why:
- You want to embrace cloud computing because it makes your IT operations leaner and less expensive. But your understanding of cloud security hasn't advanced much in the last year. You have to be cautious.
- Your customers want to spend their money online and use more fancy apps to do it — and on mobile devices, too. So you have to guard against vulnerabilities attackers can exploit to steal your customers' private data and other core assets. What is more, government and industry regulations often require such levels of protection. Meanwhile, increasingly complex business relationships are forcing you to give outsiders greater access to your internal systems. You need protection from an attack against a business partner that might spill over to your network.
- The financial meltdown two years ago may have stalled some of your security initiatives, but 56 percent of you said increasing risks have elevated the role and importance of security at your company. There's no turning back from what you have started.
Our survey shows that despite the recent economic conditions, companies aren't making drastic cutbacks in security. In fact, most of you neither cut nor deferred security expenditures. Looking ahead, 52 percent expect security spending to increase at least 10 percent in the next year; 9 percent plan to increase their spending by more than 30 percent.
The local results reveal local organisations are receiving executive support for security funding and new initiatives. A third (33.7 percent) of respondents here say their security spending will increase, while more than half (54.5 percent of local respondents, compared to a quarter of the global respondents) report their security spending will stay the same.
Across New Zealand, many organisations have quite large transformation programmes underway or planned, notes Paul Nickels, partner, Risk and Control Solutions, PricewaterhouseCoopers (PwC) New Zealand. “Awareness of security risks is much higher and organisations are proactively addressing these to avoid having to retro-fit security, after completing a major project,” says Nickels.
Richard Tims, director, Risk and Control Solutions at PwC Auckland, says the stabilisation of security spend for organisations here aligns with what is happening across the globe. He points out, however, that this can easily change if new technologies and new business initiatives take priority, and that funding is re-allocated. So how should CIOs manage this possibility?
“There is certainly an expectation now at the board level that security and risk issues are proactively managed and clearly communicated. Even if there is perceived to be stable funding there is still a need to identify and focus on the significant risks and key priorities of the organisation, so that you ensure you are getting the best return on your investment.”
Tims says there are some fundamentals that need to be in place, foremost of which is having a holistic picture of the organisation’s security landscape and strong security governance including security and risk frameworks. “The key to it is being able to identify risks, quantify them in terms of business impact and clearly communicate them, so that an organisation can easily understand its importance. Without that, your decisions may be misinformed.”
What drives security spending?
In New Zealand, the top business issue driving information security spending is business continuity/disaster recovery. This issue ranks second in the global results, where the top driver for security spending is the economy.
Both Nickels and Tims say this could be the result of some high-profile incidents in the media at the time of the survey. “When these incidents are reported in media, people are forced to review their own plans because it becomes real,” says Tims.
In addition, he says, “Most organisations are concerned about customer churn in a period of financial instability. Anything that is going to threaten or increase customer churn like systems outages, requires appropriate management.”
“I don’t think too much has changed from a risk perspective,” says Tims. “The exposure still exists. The difference is there is a heightened sense of reality and knowledge I think, with both local and global incidents.
“The investment curve we are seeing is also being stimulated by the availability of more security-related solutions in the market.”
Tims says a few years back, it was difficult to find, for example, intrusion detection systems that could integrate into legacy platforms. He says these tools have now become ubiquitous and more affordable.
Data classification is something that we see on the increase in the organisation, says Nickels. It starts with understanding what data is stored, which for some organisations “has been a bit of an awakening”.
For instance, many organisations are realising they have treated every single type of data as the same, without prioritising it. But he says organisations are now looking at what data they have stored and the framework for storing it. This way they “understand which information requires higher levels of security”.
Another theme coming out of the survey was the use of unstructured data. Tims says there is certainly a growing market for tools to search for information based on a defined set of characteristics.
Globally, more than a quarter (nearly 28 percent) reported zero security incidents in the past year. Here, the figure is higher at 38.6 percent.
Nearly a quarter (23 percent) of total respondents, and 30 percent locally, reported one to two security incidents during that period. Meanwhile, 23.5 percent of global respondents, and 15 percent locally, reported not knowing whether these incidents took place.
The most common incidents reported involved exploitation of the following: data (27 percent), network (25 percent), systems (22 percent), mobile device including USB drive (20 percent) (see sidebar ‘Threats from removable media’), application (15.7 percent) and human or social engineering (15.4 percent).
When asked how the business was impacted by the security incidents, the respondents cited financial losses as the main impact (42 percent), followed by intellectual property theft (32 percent), brand reputation compromised (30 percent), fraud (17 percent), and loss of shareholder value and legal exposure or lawsuit (both at 14 percent).
Tims says the fact that globally the number of breaches has grown does not necessarily indicate that security programmes such as PCI DSS (Payment Card Industry Data Security Standard) are not working. “It is just that the landscape is continually changing. There is always a constant catch-up being played,” he says. At the same time organisations are learning more about the real impacts and costs of a security breach, particularly to corporate reputation. “The reputational damage from the loss of data can destroy an organisation,” adds Nickels.
The two share insights on lessons enterprises learned from the incident where the website WikiLeaks published thousands of diplomatic cables, including sensitive and classified documents.
Tims says it is important that CIOs keep pace with change and are cognisant of the new security landscape. Incidents such as this are a catalyst for organisations to go back to their external partners and request assurance over the security of their information, to ensure something similar cannot happen to them.
Working with third parties
One of the key considerations Nickels and Tims gleaned from the local results is around managing risks with external partners.
The survey shows respondents are somewhat more concerned than they were last year that their own security is threatened because the security of business partners and suppliers had been shaken by the recession. More than three-quarters (77 percent) of respondents agreed that their partners and suppliers had been weakened by the recession, up from 67 percent a year ago.
After going through the recession, Tims observes, “People feel their partners and suppliers aren’t making investments in their infrastructure that they may have done in the past. This is causing organisations to review the risks associated with third party suppliers.”
Companies may put business partners' security under scrutiny, but many IT and business leaders acknowledge they can't always keep that information secure internally — at least not without help from outside experts.
More than half (52 percent) of survey respondents said that outsourcers, also known as managed security service providers (MSSPs), are important or very important to accomplishing their security objectives. Another 19 percent said outsourcers play some role. Meanwhile, more than 30 percent cited outsourcing of some or all security functions, such as email filtering and management of application firewalls, as a top priority in the next 12 months, up from 18 percent a year ago.
The greater interest in outsourcing “is an outcome of the cut in IT services”, says Lobel. For example, companies are no longer as willing to pay someone in-house to monitor security operations overnight, when a vendor can do it for less. “The cost of doing a bad job in-house is cheaper than what vendors will charge you, but the cost of doing security really well in-house is more expensive than what vendors will charge,” says Lobel.
More than 30 percent of survey respondents are making outsourcing an important priority so they can establish security safeguards that aren't currently in place, including functions such as email filtering and penetration testing. Meanwhile, 60 percent said they already outsource the secure disposal of technology hardware and 59 percent said they've delegated administration of password resets. In the areas of strategy and standards, 32 percent said they have outsiders helping them establish security baselines for external partners, suppliers and other IT vendors. Twenty-four percent outsource their centralised security information-management procedures.
Locally, Nickels and Tims note increasing local demand for assurance opinions on third-party service providers. Nickels says if an organisation is engaging with an outsourcing partner, it should request evidence they have appropriate controls in place to protect their data. He says normally this evidence should be furnished every six months, or once a year as a minimum, depending on the degree of change in the IT environment.
Caution in the cloud
The cloud, meanwhile, has become more mainstream and a lot more people are adopting it, with organisations able to buy off the shelf, cloud-type solutions. But as Nickels and Tims point out, the technology may be new, but the risks and security implications are not.
“The underlying risks themselves haven’t really changed,” notes Tims. “The difference is that the technology underpinning it, in this case the cloud, has less clearly defined security perimeters compared to the days when there were point to point connections with a bureau,” he says.
“Nowadays, the difference is the ease with which information can be communicated and accessed so you don’t always know exactly where your information is going,” says Tims. “This is driving a degree of uncertainty and questions over what is being outsourced.” (See sidebar on ‘Mitigating risks’)
He has seen more organisations seeking confirmation that their data is secure given it is contained in the same system as another organisation. For Tims, it is important for organisations to ask the basic questions and “getting an in-depth understanding of exactly what the outsource provider is doing, and how they are delivering the service so that you fully understand the risk.”
He cites the case of a client who was not entirely aware their data was offshore. The service provider had a local presence, but the data itself was stored elsewhere, he says.
They say organisations should ensure they actively manage key third-party service providers. These include ensuring contracts include the right to audit or requiring the third party to provide the results of a regular independent security audit.
The duo believes it is important to have those provisions to ensure the provider is proactively managing security on behalf of their clients.
Another imperative is to regularly review existing contracts to ensure they have kept pace with the changing security landscape. Says Nickels: “CIOs should ask themselves at least once a year, ‘do I have an end-to-end overview of my security risks and how they are being mitigated’?”
Sidebar: Managing third-party risk
CIOs should actively manage their key third-party service providers by:
- Ensuring contracts include the right to audit or the requirement to provide the results of a regular independent security audit.
- Regularly reviewing contracts to ensure they have kept pace with the changing security landscape.
- Fully understanding the service delivery model — asking the obvious questions around the location and infrastructure behind the service.
Source: PwC New Zealand
Sidebar: Threats from removable media
With more than 350 staff and 200 computers and laptops spread across 31 physical offices, looking after the IT security of the Taupo District Council is no easy task.
The number of users and equipment isn’t the only challenge, as the diversity of applications to manage also means a high level of complexity. The district council was one of the first to trial and implement Sophos security products, through IT security specialist Scientific Software & Systems (SSS), in September last year.
Alan Wade, senior network administrator for the Taupo District Council, says the new system is a definite improvement. Along with higher protection levels, other features attracted the council to the solution, such as the removable media monitoring.
“It is very useful as we monitor all the USB devices that are plugged into our machines,” says Wade. USB devices are, according to the network administrator, “without a shadow of a doubt one of the major threats”.
“They were responsible for pretty much all of the virus [attacks] in the past few months,” he adds.
Training staff is vital to ensure the Taupo District Council’s information remains safe. “Everyone who works here knows that USB pens need to come to the IT helpdesk to be scanned before they can be used.” Employees go through an induction period where IT security requirements are discussed.
Despite having to manage systems with differing security requirements, such as waste and water resources management, Wade considers that the security requirements of the district council don’t vary much from those of any other corporate. “IT security is IT security and we all have to protect ourselves. Everybody’s data is valuable.”
- Vera Alves
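The council's practice above has two parts: every USB drive is scanned by the helpdesk before use, and every device plugged into a machine is monitored. The following is an added example, not code from the article and not part of the Sophos product it describes, showing how the monitoring half can be checked independently of any vendor tool: it correlates the per-port messages the Linux kernel writes to syslog when a USB device attaches and flags mass-storage devices whose serial number is not on the helpdesk's approved list. The log lines are constructed samples in the kernel's real message format, and the approved-serial list is a hypothetical stand-in for the helpdesk's record of scanned drives.

```python
"""Flag USB mass-storage attachments whose serial is not on an approved list.

Added example; not the article's or the vendor's code. The log lines are
constructed samples, and APPROVED_SERIALS is a hypothetical helpdesk record.
"""
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not a real capture): an approved drive on
# port 1-1, a wireless mouse receiver on 2-3, and an unknown drive on 1-2
# that reports a placeholder serial number.
SAMPLE_LOG = """\
Mar 14 09:12:01 ws-07 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 14 09:12:01 ws-07 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 14 09:12:01 ws-07 kernel: usb 1-1: SerialNumber: 4C530001230101
Mar 14 09:12:01 ws-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 14 09:30:44 ws-07 kernel: usb 2-3: new full-speed USB device number 5 using xhci_hcd
Mar 14 09:30:44 ws-07 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar 14 11:02:17 ws-07 kernel: usb 1-2: new high-speed USB device number 6 using xhci_hcd
Mar 14 11:02:17 ws-07 kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar 14 11:02:17 ws-07 kernel: usb 1-2: SerialNumber: 0000000000
Mar 14 11:02:17 ws-07 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# Hypothetical: serial numbers of drives the helpdesk has already scanned.
APPROVED_SERIALS = {"4C530001230101"}


@dataclass
class UsbDevice:
    timestamp: str
    host: str
    port: str        # bus-port path, e.g. "1-1" or "1-1.4" behind a hub
    vid: str
    pid: str
    serial: str = ""
    mass_storage: bool = False


# The kernel logs several lines per attachment, all keyed by the bus-port path.
FOUND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected"
)


def parse_usb_events(log_text: str) -> list[UsbDevice]:
    """Correlate the kernel's per-port messages into one record per attached device.

    A 'New USB device found' line opens a record for its bus-port; later
    SerialNumber and usb-storage lines for the same port enrich that record.
    A fresh attachment on the same port replaces the earlier record.
    """
    devices: list[UsbDevice] = []
    open_by_port: dict[str, UsbDevice] = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            dev = UsbDevice(m["ts"], m["host"], m["port"], m["vid"].lower(), m["pid"].lower())
            devices.append(dev)
            open_by_port[m["port"]] = dev
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in open_by_port:
            open_by_port[m["port"]].serial = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in open_by_port:
            open_by_port[m["port"]].mass_storage = True
    return devices


def unapproved_storage(devices: list[UsbDevice], approved_serials: set[str]) -> list[UsbDevice]:
    """Mass-storage devices not on the approved list.

    Devices that report no serial at all cannot be matched against the list,
    so they are flagged too rather than silently passed.
    """
    return [d for d in devices if d.mass_storage and d.serial not in approved_serials]


def format_alert(dev: UsbDevice) -> str:
    return (f"{dev.timestamp} {dev.host}: unapproved USB mass storage on port {dev.port} "
            f"(idVendor={dev.vid} idProduct={dev.pid} serial={dev.serial or 'none'})")


if __name__ == "__main__":
    for dev in unapproved_storage(parse_usb_events(SAMPLE_LOG), APPROVED_SERIALS):
        print(format_alert(dev))
```

Keying on the serial rather than the vendor/product ID matters because every drive of one model shares the same ID pair; only the serial distinguishes the scanned drive from an identical one that was never brought to the helpdesk. Devices that report no serial, or a placeholder like the all-zero one above, cannot be approved this way and stay flagged.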
Sidebar: Mitigating risks
Channa Jayasinha, CIO at the Ministry of Fisheries has responsibility for security, “and not just for IT security”, he says. “I am accountable for managing all departmental security across the organisation.”
Bringing the function under the CIO’s duties recognises that security is not essentially different from managing any other operational aspect of an organisation, he says. “It comes down to having a best-practice framework, with the right people engaged at the right levels and the right level of governance.”
IT security is a vital part of the organisation’s security as a whole. “For security in the IT world you can buy a product, but that doesn’t mean you are 100 percent safe from attack. You have to backup the tool with procedures and processes to mitigate the effect if someone does break through.”
Fisheries has a third party do a yearly security audit to identify issues and is establishing a security committee to consider potential problems. The IT environment changes almost daily and every change potentially introduces new risks, Jayasinha says.
He sees similar increasing risks to those identified in our international survey: “The current economic climate will bring more financially motivated targeted threats,” he says.
With the rise of computing in the public and private cloud, “we are entering a brand new environment where I don’t think anyone could say ‘we’ve got security covered’. There are no boundaries; you could be hosting content in the US or Asia. You’re relying on third parties you’ve never met across the table and asking them to manage your crown jewels.”
“So if you start to make use of those cloud technologies, you have to understand the associated risks and issues.”
Government “panel” procurement, where Government Technology Services vets a number of trustworthy suppliers in advance, may ease that task. GTS, he says, is currently looking into infrastructure-as-a-service suppliers – one of the main types of cloud computing service.
Another factor increasing risk is “consumerisation” of technology. “That brings a whole set of security and access issues that need to be managed,” says Jayasinha.
Introduction of sophisticated, simple-to-use devices such as the iPad is often driven by high-ranking executives, which makes it harder to ban completely.
Fisheries is planning to test such devices with the newest version of Citrix, “to see if we can provide the core capability with a secure environment around it; when the iPad connects to the network it will do it through a secure channel”.
In organisations like Fisheries there is increasingly a need to share information with parties outside the enterprise. “This is where for us we need to use tools like the government Logon Service and multi-factor authentication.” Adoption of such measures for its extranet is part of the Ministry’s recently formulated web strategy.
- Stephen Bell
Methodology: How we got the numbers
The Global Information Security Survey was conducted online in the first half of 2010. CIO and CSO print and online readers and clients of PricewaterhouseCoopers from around the globe were invited to take part in the survey.
- Carolyn Johnson, research manager, CIO US
With reporting from Vera Alves and Stephen Bell, CIO New Zealand