The 2009 annual Global Security Survey, conducted with PricewaterhouseCoopers (PwC) against the backdrop of the most significant global recession in decades, has produced some fascinating results for New Zealand CIOs. This year’s survey covered all aspects of information security, from budgets to personnel, technology, processes and incidents. CIO NZ and PwC have analysed the global and local data to provide readers not only with the global insights but with specific reference to local trends and findings in that context: are you employing the same technologies and processes, under the same budgetary constraints, and feeling the effects of the economic downturn in the same way? (Please see the related article on the global results of the survey, ‘Why security matters NOW’.)
To the last of these three questions the answer from New Zealand CIOs was a resounding “No”: not only did you report far fewer project deferments, you also don’t share the same pessimism that threats are increasing, that your ability to respond is decreasing, or that you face greater threats as a result of the downturn.
Worryingly, however, 38 percent of local organisations don’t have an accurate inventory of where data is stored and a similar 36 percent don’t know what types of security incident occur. Neither gap is compatible with developing an appropriate data loss prevention strategy (you cannot protect data you cannot locate, nor tune controls against incidents you do not record), even though this is seen as a key priority for 2010, with 88 percent increasing their focus on data protection.
Perhaps, as reported in the 2007 survey, the fact that more of you wear more hats and have fewer security-specific staff than your global peers has meant that you’ve taken the latest changes in your stride and were already running leaner, tighter ships than your counterparts overseas. The fact that New Zealand ranked within the bottom 10 percent globally when it came to information security budgets certainly does nothing to dispel this.
Paul Nickels, partner, PwC NZ, comments: “Security budgets appear to be less vulnerable to cost-cutting — it’s as if executives know how little is being spent in this area. The survey also reveals for New Zealand companies that security is under enormous pressure to perform and get the basics right.”
The nearly 7300 participants came from every industry and from almost every country you could imagine: from your peers in New Zealand to as far afield as Mongolia, countries as small as PNG and as remote as Tajikistan.
As such, we can truly consider this to be representative of the global information security picture as it stands today. More specifically, New Zealand participants were far more likely to be CIOs (23 percent) than the global figure (6 percent) and similarly more likely to be IT/IS managers (23 percent) than the global figure of 11 percent. This continues very much with the trend of the previous two years in which New Zealand has been included in the survey and reinforces the earlier supposition that you wear more hats than your counterparts in other markets. The final point to make in this regard is that information security here is far more the domain of IT rather than the business in general and this is reflected elsewhere in the survey, where local respondents reported less involvement from outside the IT department (including the board) than was the case overseas.
Nickels says this will require a fundamental shift in thinking. “Without business education and understanding of IT as a business enabler, security maturity will not develop.”
The organisations represented were typical of the medium to large enterprise space in New Zealand, and indeed representative of the readership of this magazine. Of course in global terms our organisations fall to the smaller end of the scale, but that doesn’t mean you’re any less likely to be running effective information security policies nor any more likely to be suffering security incidents. In fact, the results suggest the opposite is true. Just like we saw in previous years, you’re doing more with less and making it count. That doesn’t mean it’s time to break into celebratory congratulations just yet: whilst you’ve nailed some technology challenges, there are plenty of new ones on the horizon.
This was well illustrated by the survey’s specific questioning around the more mature technology of virtualisation, counterpointed by the same questions for the relative new kid on the block: Cloud computing (see graph below).
There are two standout findings here — firstly that local organisations are 20 percent more likely to employ virtualisation than the global average; and secondly that you’re 50 percent less likely to be currently employing cloud computing as part of your IT strategy. But how does this translate into security matters?
Forty-eight percent of global respondents believe virtualisation has improved their overall information security, but locally we don’t share that view as strongly: 26 percent concur and 61 percent believe it makes no discernible difference. When asked where the potential vulnerabilities might lie, fully 75 percent of New Zealand respondents cited misconfiguration or poor implementation (presumably on the part of the vendor!). Across all respondents, 50 percent cited a lack of adequately trained IT staff as the next highest concern. In other words, the worries are about how virtualisation is set up and staffed rather than about the technology itself; local respondents seem confident in the security of their virtualisation platforms.
Cloud computing is perhaps the technology cloud on the horizon for security, and one which it would pay to watch, learning from those overseas who have already started down this road. With 43 percent globally already using cloud services, there is much we can learn from their experience.
Perhaps one of the reasons we lag somewhat behind in this technology is revealed by the 54 percent of local respondents who expressed concern about their uncertain ability to enforce security policies at a provider; only 23 percent globally reported the same concern. Could the service providers be doing more to make you comfortable with cloud computing, and therefore more likely to adopt it?
Jan Smolnicki, partner, PwC NZ, states, “Currently many organisations do not articulate their expected security standards and procedures with their providers. We have observed simple processes such as patches or virus updates not being deployed on a timely basis. Developing a robust security framework in collaboration with your vendors is a must. Dashboard reporting on simple metrics drives positive behaviour and allocation of spend in the right areas.”
There is of course the larger consideration of the global economic downturn and specific attention has been paid to this as an extraordinary influence on not only IT, but of course on the whole business. A new section to the 2009 survey examined security strategies specifically in the light of the harsher economic realities we’ve all been facing since September 2008. The impact of this was assessed in terms of the strategies required to navigate through it, of its impact on delivering projects and its impact on the security function itself. And the local results are extremely heartening. Confident, busy running new projects and less preoccupied with external happenings: does that sound like you? Well, the results of the 2009 Global Information Security Survey certainly indicate this is the case.
Looking first at the impact of the downturn on the security function, we see that as a result of the economic downturn:
• 65 percent of local respondents believe to varying extents that threats to the security of their information assets have increased.
• 71 percent believe that cost reduction has made adequate security more difficult to achieve.
• 70 percent believe the regulatory burden has become more cumbersome.
• 63 percent believe the enforced layoffs have increased risks to their organisation’s data.
• 49 percent believe their suppliers have been weakened by the downturn, thus increasing threats to their security function.
Paul Nickels believes that we have very mixed views locally on the impact of the downturn on business partners and his view is supported by the 44 percent who disagreed with the final point above.
There is no denying that these figures indicate the downturn has had a knock-on effect; however, fully 83 percent stated that they believe the downturn has not had an effect on their security function. And when we examine the figures above we see that in every case the numbers reported locally are less pessimistic than the global averages, so we’re relatively upbeat in a global context, which explains why 87 percent of respondents here felt that the downturn had not been as severe for their business as it had been for others.
PwC’s Smolnicki describes this as amazing, not because it reflects a carefully considered security spend, but rather because security had not been given the right priority and the already small spend barely changed. “The public sector, for example, often does not operate the same boardroom model and we observe that security and audit issues repeat. There is a need for clearer ownership and accountability of security.”
Forty-two percent of those surveyed locally believe that downsizing CAPEX security-related initiatives is not an important strategy, but globally just 15 percent shared this view, with fully 85 percent stating that it fell somewhere between “somewhat important” and “top priority”; the results were the same to within a single percentage point for OPEX.
However, across the board, prioritising based on risk was seen as important, very important or a top priority. There is, of course, prioritisation occurring based on immediate need, perhaps something those overseas haven’t experienced as acutely as local respondents have in the past.
On the other hand, increasing the focus on data protection is an important strategy for seven out of every 10 respondents, pointing in no small part to the impact of regulatory compliance and governance risk and compliance programmes. Very evidently, when a security issue has boardroom-level visibility it is bound to get increased attention and budget.
Ninety-three percent of local respondents indicated that in the context of the downturn, prioritising security based on risk was an important strategy, an overwhelming indication that careful prioritisation is a must. Nickels poses the pertinent question to this finding — “who determines the risk?” and from the detail of the survey we see some potentially alarming results. Despite this 93 percent prioritising on risk, fully 22 percent of New Zealand companies do not conduct any form of enterprise risk assessment and another 27 percent do so less than once a year — the highest percentage in the whole of Asia. So as Nickels points out, if we’re prioritising based on risk yet not carrying out formal risk assessments, how is this process occurring?
Forty-three percent globally reported CAPEX projects being deferred as compared with 31 percent locally, but the difference in budget reduction was even more marked: 79 percent of New Zealand respondents replied that none of their security projects requiring CAPEX had seen budget reductions compared with the nearly 50 percent globally who had seen reductions.
The survey also looked at OPEX by way of comparison, and local respondents similarly stood out as having far fewer deferred projects: 22 percent reported deferment of varying lengths, whereas fully 40 percent did so globally. And you were even less likely to have seen OPEX security reductions: 80 percent of you had seen none at all, whilst overseas again nearly half of those surveyed are struggling with OPEX security budget cuts.
In previous years respondents here have been more likely to manage security technology and processes in-house than their global counterparts, but now we’re seeing this trend appear globally and in specific functions: last year 30 percent of global participants outsourced their application firewalls.
This year the figure had fallen significantly to 16 percent, and in New Zealand it’s lower still at 11 percent. Might we reasonably conclude that the reduction in CAPEX and OPEX for security projects and the ensuing deferments overseas are linked to the move to bring information security in-house?
Nickels asks, “With the apparent move to bring more security in-house, do New Zealand organisations have the resources, skill sets and risk management standards to effectively manage the environment?”
Despite all this, what is the perceived outlook? Will spending increase next year? In 2007, when first surveyed, our local results stood out against the global figures as largely expecting no increase at all, and this year the results are no different: you are less likely to believe security spending will increase and far more likely to believe it will remain constant.
One thing everyone agreed on was that over the next 12 months they didn’t expect to see decreases in security spending, with just 12 percent globally expecting this, despite the earlier finding that both CAPEX and OPEX security budgets have recently suffered and that projects have been deferred as a result. It appears that the cuts have been made and the measures are now in place, so the status quo can be maintained.
As in previous years, the 2009 survey investigated information security safeguards in three primary areas: people, processes and technologies and compared what was currently in-house and/or outsourced with what was on the priority list for the next 12 months.
With regard to security safeguards in place relating to people, we see some significant regional disparities from the global average: whilst 19 percent of local organisations have a CISO and 15 percent have a CSO, the global figures are 44 percent and 41 percent respectively and higher still across Asia (see graph below).
So we are still far behind both the regional and the global standard. This does, however, represent a significant rise locally: in 2007 just 8 percent of those surveyed had a CISO in place. In the role of CSO, by contrast, it appears that we’re simply not making headway.
There are more senior information security executives in place now in New Zealand, a clear reflection of the changing security and regulatory landscape, but there is still a long way to go.
Locally we are less likely to employ security guards or similar for the infrastructure itself, with 45 percent doing so compared to 55 percent across the whole survey. Again, though, there has been an extremely significant shift here as the figure two years ago was 25 percent. So in 24 months this has almost doubled. And in the next 12 months the plans, it seems, are more ambitious still.
Thirty-five percent of organisations are planning to employ a CISO and 41 percent a CSO — another clear indication of investment in security at a very senior level and an indication of how seriously information security is being taken at an organisational and boardroom level.
Time will tell whether this means for you, the CIO, that the burden of creating security processes and procedures will move to someone else’s desk. For now, the senior information security executive in local organisations reports primarily to the CIO, as does the security department (44 percent), but globally this is not the case: 35 percent report to the CEO and 28 percent directly to the board of directors, with a further 13 percent reporting to the CFO.
Security processes showed a clear leaning towards being in-house rather than outsourced in all the major areas: strategy and standards, assessment and compliance and operations. Sixty-five percent of organisations reported having an overall information security strategy in-house, whilst just 16 percent outsourced that.
Assessment and compliance
The one security area in which outsourcing still plays a major role is in assessment and compliance, unsurprising given its nature. So whilst 95 percent had in-house processes in place relating to it, 81 percent reported that it was outsourced also.
Within this, risk assessments, security audits and active analysis of information security intelligence are seen as the key activities: clearly proactive prevention is the order of the day and there was little in the survey to suggest that this will not continue in the next 12 months.
Nickels points to the fact that just 38 percent of New Zealand organisations outsource their strategy and standards (globally a full 80 percent do, to some extent) and asks, “how is it, given that most organisations don’t have a CISO or similar, that we’re not outsourcing strategy and standards either?” Is there a real and potentially dangerous gap here? Certainly the fact that 82 percent of respondents have it on their list as a top priority to address in the next 12 months indicates that he is correct, and that you’re addressing this very issue. Similarly, 62 percent have assessment and compliance on the priority list where no processes are currently in place.
Looking next into your technology toolkits, at the moment firewalls are de rigueur to have in-house (97 percent in New Zealand, 89 percent globally) with only 22 percent in New Zealand now outsourcing this.
Within technology, the survey then broke the findings down into the areas of user technology, encryption, detection, prevention, web/internet and “other”. Highlights include the increasing exposure of internet-facing systems and the threat from Web 2.0 technologies, with all the new possibilities they bring for careless or malicious spreading of information; we expect these to play a major part in security strategy as part of the ongoing picture.
Like virtualisation, mentioned at the beginning of this article, VoIP is another technology where it seems we’re getting to grips with the security measures required: in the 2007 survey 25 percent said they had VoIP security measures in place, a figure which has now risen to 40 percent, a higher incidence in New Zealand than was reported even for wireless handheld device security.
There is also a continued reluctance locally to employ encryption, with less than half using it compared to 78 percent globally. Why this should continue to be the case is uncertain, particularly as Smolnicki believes that we are, “significantly more likely to have hardware lost or stolen as shown in our final analysis of the security incidents themselves”.
It appears that we may be getting significantly better at preventing information security breaches in a local sense: two years ago 22 percent of respondents claimed zero incidents in the previous 12 months and this number has now jumped to an extraordinary 46 percent, whilst the global number has remained at around the 20 percent mark.
Consistent with this, 45 percent of those in New Zealand also reported they had suffered no downtime at all, an impressive number indeed. And with respondents having the ability to state they didn’t know how many, it would appear that this isn’t a case of simply not knowing.
The 32 percent globally who were unable to select even a range for the number of security incidents suffered in a 12-month period does, however, suggest that having processes in place to measure the effectiveness of security in empirical terms is not top of the priority list. Or perhaps it is a tacit acknowledgement that, as threats become increasingly sophisticated, it is often not possible to know whether one’s organisation has suffered an incident at all.
The types of incident were varied, covering data, device, application, system, network and human exploits, the first of these being the most commonly cited. Of the data exploits, it was databases themselves that were under most attack, with 57 percent reporting them as the method used for the exploit, although in New Zealand respondents reported a much lower figure of just 25 percent.
If a device is exploited locally, it is most likely to be a laptop being stolen or lost. So it would seem logical, in the face of this, to put processes in place to reduce how often it occurs and to encrypt the data on those devices (full-disk encryption, with the key protected by a passphrase or token rather than left on the device) so that a lost laptop does not become a data breach. Although encryption is less glamorous than many security strategies, the results suggest it should be in more security professionals’ toolkits.
The global average loss from incidents was reported at $833,000, an extremely significant sum. And with so many of those surveyed reporting that they didn’t know how many incidents they’d suffered, or perhaps even their cause, the true figure is most likely higher still. If you need a reminder of why the corporate focus is moving increasingly to information security, the table below should provide just that.
Despite the severity of security incidents, the economic downturn, the increased pressure placed on staffing and budgets and the pressure being exerted by compliance, the 2009 survey shows that local security professionals are holding their own. They are largely employing the tools and policies of their global counterparts, often more thoroughly and, in the final analysis, it seems to better effect. However, the new challenges of Web 2.0, social networking and cloud computing are here, so there’s no time to relax.
Forsyth Thompson was previously publisher for CIO, MIS and Computerworld. He can be reached at firstname.lastname@example.org when he is not out fishing.