According to the 2011 Global State of Information Security Survey (conducted by PricewaterhouseCoopers in conjunction with CIO and CSO magazines), out of 12,800 executives from 135 countries, 52% said their company will increase security spending over the next year. Yet many executives said their company’s business partners (52%) and suppliers (50%) have been weakened by economic conditions, a substantial increase from 43% and 42%, respectively, in 2009.
Security executives said their companies also have been impacted by spending restraints, often resulting in the stalling or degradation of some fundamental security capabilities such as conducting personnel background checks and the use of vulnerability scanning tools. Additionally, 47% of respondents said their organization had reduced security-related funding for capital expenditures and 46% said their company had reduced security-related operating expenditures.
The top factors driving information security spending this year are economic conditions (reported by 49% of respondents), business continuity and disaster recovery (40%), company reputation (35%), internal policy compliance (34%) and regulatory compliance (33%).
The only spending driver to show substantial increases this year is “client requirement,” the study found. Client requirement moved up from the bottom of the list in 2007 to near parity with the top-ranking legal/regulatory environment. The rise of client requirement demonstrates the continuing strategic importance and integration of the security department to the business.
Not surprisingly, due to the cost-cutting initiatives taken by most global actors, the 2011 Global State of Information Security Survey also found a significant shift in the ongoing evolution of the CISO’s reporting channel, which has moved away from the CIO in favor of the company’s senior business decision-makers such as the CFO and the CEO.
Risks of social networking and a new role for insurance
The 2011 Global State of Information Security Survey revealed that many companies are unprepared to deal with the potential risks of social networking and other Web 2.0 applications: 60% of respondents said their organization has yet to implement security technologies supporting Web 2.0 exchanges such as social networks, blogs or wikis, according to the survey.
Additionally, 77% of respondents said their organization has not established security policies that address the use of social networks or Web 2.0 technologies. This lack of action on social networking and Web 2.0 technologies can expose organizations to a variety of risks, including loss or leakage of information, damage to the company’s reputation, illegal downloading of pirated material, and identity theft.
The survey also found that many companies are using an additional tool (insurance) to protect the organization from theft or misuse of assets such as sensitive data or customer records: 46% of respondents said their organization has an insurance policy. Additionally, 17% of respondents said their company has made a claim and 13% said their company has collected on a claim.
In Europe, the focus on information security is far more muted, the survey found. Europe now trails other regions in maturity across many security capabilities. Like North America, Europe continues to suffer poor visibility into security events and, as a result, may be unaware of the true impact of events on the business. While 68% of European respondents said their organizations place a high level of importance on protecting sensitive customer information, the responses from other global regions were higher, including Asia (80%), North America (80%) and South America (76%).
Industry-specific highlights and further regional information are available in the full survey report.