CSO Online has released the results of its annual survey with The Global State of Information Security 2008 [PDF]. The survey indicates that security spending is on the rise – a trend that is projected to continue, despite current economic uncertainty.

The survey includes answers from more than 7,000 senior executives and shows some surprising results – such as that 14% of security incidents in the past year involved devices. This shows a growing trend in the use of mobile devices, and the lag evident in mobile security planning.

With the IT group still strong as a source for information security funding, the survey found that the “IT Toolbox” is more comprehensive than before. More companies now have malicious-code detection tools, application-level firewalls, intrusion detection & prevention tools, encryption, automated password reset tools and wireless handheld device security.

Despite all those positive increases in the use of IT security tools, some numbers are still quite low. For example, only 50% of companies have laptop encryption tools, with even fewer (42%) having wireless handheld device security. There is no data available on additional laptop security measures such as Absolute’s laptop tracking & recovery solution. Encryption alone is only a base level of laptop security planning.

When it comes to security incidents, there still exists a wide knowledge gap. 45% of security incidents in the last year could not be connected back to known vulnerabilities. Of those that could be identified, the method of exploitation was most often at the network level. Employees and former employees, however, remain the largest source of security incidents (although less so this year than in past years). What this indicates is that technology solutions have been rolled out without being part of a more comprehensive security policy.

“If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information.”

Interesting findings from the study:

  • Business continuity and compliance is the lead reason for investing in security (57%)
  • 28% of consumer products and retail executives say security spending is poorly aligned with business objectives
  • 45% of respondents can’t identify vulnerabilities that led to security incidents
  • 43% of respondents audit or monitor user compliance with security policies
  • 22% of respondents keep an inventory of the outside companies that use data

The last result is quite telling – considering the number of data breaches that have been the result of third party mistakes, this is an obvious area of concern in security policies. Additionally, only 37% of survey respondents require third parties to comply with internal privacy policies. There appears to be greater confidence in third parties than reality may warrant – 75% believe their partners’ security is effective, while only 28% perform due diligence to understand their security precautions.

Continue reading the CSO Online analysis of this survey here. You can also check out Absolute Software’s whitepaper on endpoint security.
