Radian Compliance Management Services

Worries Regarding Corporate Reputation Making Information Security Top Priority Worldwide

April 28, 2008 - http://www.contingencyplanning.com/articles/61452/ 

Avoiding reputation damage to the organization was viewed as a top priority for security programs by three-quarters of information security professionals surveyed in a worldwide study launched recently by (ISC)² .

The 2008 Global Information Security Workforce Study (“GISWS”) was conducted by analyst firm Frost & Sullivan on behalf of (ISC)². It surveyed 7,548 information security professionals, including more than 1,500 ‘C-suite’ executives and security managers, as well as IT and other professionals with responsibility for information security, from companies and public sector organizations in more than 100 countries.

Respondents came from the three major regions of the world: Americas (41 percent); Asia-Pacific (34 percent); and Europe, Middle East and Africa (25 percent). Web-based surveys were distributed to targeted information security respondents worldwide in the third quarter of 2007.

“This fourth edition of the study demonstrates more than ever before that information security has become a business imperative for organizations of all sizes, with far-reaching concerns such as corporate reputation, the privacy of customer data, identity theft, and breach of laws and regulations driving information security governance,” said Rob Ayoub, Frost & Sullivan industry manager, network security.

Pressure over data loss and compliance has driven accountability for information security to the executive level, with 49 percent of information security professionals reporting to executive management or boards of directors. Other study highlights include:

• Smaller organizations (up to 500 employees) accounted for nearly 60 percent of respondents, signifying a move from security as a priority for mostly larger organizations to organizations of all sizes due to business requirements and compliance, including the impact of the payment card industry’s PCI-DSS.
• A third of respondents said their primary functional responsibilities are mostly managerial. An additional 48 percent also reported that their functional responsibilities will be mostly managerial in the next two to three years, suggesting a changing focus in their roles.
• Approximately 20 percent of respondents were at the executive (Chief Information Officer, Chief Information Security Officer, Chief Security Officer, Chief Risk Officer) or manager level.
• Communications skills were seen as “very important” or “important” by 81 percent of respondents to be a successful professional. Business skills were also seen as very important or important by 69 percent of respondents.
• Information security is moving beyond the perimeter and becoming more data-focused, protecting data both at rest and in transit, with wireless security solutions, cryptography, storage security and biometrics represented in the top five technologies being deployed in most regions.
• Information security awareness is appreciated as a significant factor in effective information security management: Users following information security policy was identified as the most important factor in a security professional’s ability to protect the organization. In addition, 51 percent of respondents identified internal employees as the biggest threat to their organizations.
• Globally, average annual salaries for professionals with at least five years of experience are reported at $94,500 for respondents identifying themselves as members of (ISC)2 and $73,856 for all other participants. The majority of (ISC)2 members (70 percent) considered themselves to be information security professionals; the majority of non-members (66 percent) to be information technology professionals.
• The profession is maturing, with average experience levels reported at 9.5 years in the Americas, 7.1 years in Asia-Pacific, and 8.3 years in EMEA. Professionals across all regions also reported high levels of post-secondary education.

“This year’s study acknowledges that effective information security programs enable businesses to grow and prosper,” said Eddie Zeitler, CISSP, executive director of (ISC)2. “Consequently, professionals are being tasked more with the business of security, managing and consulting on its broad contribution to the business, while the administration of technical solutions is being integrated into the IT department.

“Opportunities in the information security field will continue to grow despite slower economic growth worldwide due to the increased pressure on professionals to ensure responsible and secure business interactions coming from consumers, B2B customers, strategic partners and regulatory bodies.”

Frost & Sullivan estimates the number of information security professionals worldwide to be approximately 1.66 million. This figure is expected to increase to almost 2.7 million professionals by 2012, displaying a compound annual growth rate (CAGR) of 10 percent. A strong outlook is also depicted for professional development in the sector, with the great majority of respondents expecting either stability or an increase in training budgets. Other highlights include:

• Respondents reported that information security spending on personnel remained stable in the Americas and EMEA in 2007 compared to 2006. In contrast, Asia-Pacific respondents anticipated an increase in information security spending across the board.
• Almost 60 percent of respondents with less than 10 years of experience reported an expected increase in training budgets over the next year, often to get up to speed on emerging technologies and threats. More than half of respondents in operational roles expected an increase.
• Top training topics included security administration, application and systems security, business continuity and disaster recovery planning, privacy, and information risk management.
• Seventy-eight percent of hiring managers cited certifications as either “very important” or “somewhat important.” While “quality of work” and “company policy” were the top reasons given for certification’s importance, a new reason — “customer requirement” — was identified by 33 percent of respondents requiring certifications.

Posted in Business Continuity Management, Disaster Recovery, Information Security | No Comments »

Paying breach bill may not buy Hannaford full data protection

Hannaford Bros. is spending millions of dollars on IT security upgrades following the theft of up to 4.2 million payment card numbers from its systems. But it remains to be seen whether that will fully protect the grocer from future attacks.

Posted in Information Security | No Comments »

2008 Information Security Breaches Survey published

After weeks of drip-feeding results from the 2008 Information Security Breaches Survey to the media, the final full results have now been published.

The 2008 Information Security Breaches Survey was carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR).

IT systems and information security are more important to UK companies than ever before, with 81 percent of boards giving a high or very high priority to information security. As businesses continue to grasp the opportunities provided by new technology (97 percent now have a broadband internet connection), there has been a real improvement in controls, particularly in basic disciplines such as anti-virus and backups. The average spend by companies on security defences has tripled over the last six years, resulting in the overall cost to UK plc of reported security breaches dropping by a third. Despite this reduction, the annual cost to companies still runs into several billions of pounds.

Despite the improvements in security controls, the survey shows that many companies remain exposed to loss of confidential data. For example, four-fifths of companies that have computers stolen have not encrypted their hard drives, and two-thirds of companies do nothing to prevent confidential data leaving on USB sticks.

The broadband revolution has allowed companies to use the Internet to reach their customers and enable their staff to be more mobile:
* 54% of UK companies allow staff to access their systems remotely;
* 42% use a wireless network;
* 17% use Voice over IP telephony, and this will rise to 30% by the end of 2008;
* 5% have moved some of their IT operations offshore; and
* 84% are heavily dependent on their IT systems.

Over the last six years, the security landscape has changed dramatically:
* 98% of companies now have software to scan for spyware;
* 94% of wireless networks are now encrypted, versus only 47% in 2002;
* 55% of UK companies have a documented security policy, versus 27% in 2002;
* Expenditure on information security has increased from 2% to 7% of IT budget over that period;
* 40% of businesses provide ongoing security awareness training to staff – twice as many as six years ago;
* 14% use strong (i.e. multi-factor) authentication; and
* 11% have implemented the British/International Standard for information security management (BS 7799/ISO 27001), versus only 5% in 2002.

After the peak in 2004, the number of companies reporting a security breach has returned to roughly the level seen in 2002:
* 45% of small businesses reported a breach in the last year, down from 62% in 2006;
* Larger businesses are more likely to have security breaches, with 96% of very large companies (more than 500 employees) affected;
* Most companies affected experienced several breaches in the year – the median number of breaches is 6 and the mean is 100;
* The average cost of the worst incident of the year is highly dependent on the size of the business, varying from roughly £15,000 for small businesses to £1.5 million for very large businesses;
* The total cost to UK plc has dropped by roughly a third compared with two years ago, returning to the levels seen in 2004;
* Companies are, however, generally pessimistic, with only 17% expecting fewer security incidents next year.

The survey findings also indicate that confidential information is increasingly at risk, especially in large businesses, where:
* 13% have detected unauthorised outsiders within their network;
* 9% had fake (phishing) emails sent asking their customers for data;
* 9% had customers impersonated (e.g. after identity theft); and
* 6% have suffered a confidentiality breach.

While 77% of UK companies say that protecting customer data is a very important driver of their information security expenditure, many companies are simply not doing enough to achieve this goal:
* 10% of websites that accept payment details do not encrypt them;
* 21% of companies spend less than 1% of their IT budget on information security;
* 67% do nothing to prevent confidential data leaving on USB sticks;
* 78% of companies that had computers stolen had not encrypted their hard drives; and
* 79% are not aware of the contents of security standards BS 7799/ISO 27001.

The survey suggests five simple steps businesses of all sizes should take to protect themselves in this changing world:
1. Understand the security threats you face, by drawing on the right knowledge sources.
2. Use risk assessment to target your security investment at the most beneficial areas.
3. Integrate security into normal business behaviour, through clear policy and staff education.
4. Deploy integrated technical controls and keep them up to date.
5. Respond quickly and effectively to breaches, e.g. by planning ahead for contingencies.

Read a PDF copy of the survey report.

Posted in Information Security | No Comments »