By Angela Gunn, Betanews
Information security doesn't have the easiest time in the budget process even under the best of circumstances, but many observers had hoped that the threat of greater risk in tough times would shield security budgets from cost-cutting moves that could prove dangerous in the long run. Sadly, that's not what Deloitte's recent Global Security Survey for the Technology, Media & Telecommunications Industry is seeing out there.
There's not a lot of optimism afoot when you feel compelled to call the Key Findings synopsis of your report "Losing Ground," but the information Deloitte's researchers turned up is actually more nuanced than that -- it's not just that the budgets are getting smaller, but that the threats are getting bigger. (Last year's report, for the record, was titled "Treading Water"; before that we had "Protecting the Digital Assets.")
During the 12-month period covered by the survey, less than a third of Deloitte's global respondents (32%) had actually reduced their info-security budget, but a full 60% said they were either falling behind the threats or still trying to catch up on threats already out there. Just 29% say that their security spending is on track.
Among those extant threats, says the survey, are some associated with social networking. Unlike some companies, the report doesn't have a knee-jerk reaction to the phenomenon -- used correctly, say the authors, blogging and social networks can "help a company challenge and sharpen its thinking." But Web 2.0-related vulnerabilities and the increased potential they provide for social engineering are on the minds of 83% and 80%, respectively, of the survey's 200-plus respondents, most of whom work at intellectual property-oriented firms with over 500 employees.
Based on the survey data, though, one suspects that security folk need to worry even more about the social network running from cubicle to cubicle. Some 41% of respondents said they'd discovered at least one internal breach over the last year, compared to 50% saying they'd been hit by an externally based attack. In turn, managers said that the biggest problem they faced internally was "excessive access rights." (Most noted, though, that the most common internal breaches were accidents -- an unencrypted thumb drive goes missing, for instance, and it's an incident.) Only 28% believe they're adequately prepared to take on an actual attack launched from inside the company.
Rising fast on the breach front? Outsourcing and its discontents, with 56% of respondents saying they'd had breach trouble more than once in the past year with a "trusted" vendor. Not rising so fast? Scrutiny of those vendors' security situations. Just 20% actually review and test their partners' security arrangements, with even fewer adequately controlling vendor access to corporate data and systems. The report regards the situation as dangerous, especially were it to result in the leakage of personally identifiable information (PII), noting that "in a tough economy... desperate companies may use legal channels as a way to make up for reduced operating income."
Security folk have been fighting fires all around the organization for years, with mixed results. More companies than ever have their very own CISO -- 83%, compared to 65% just two years ago. Of those CISOs, 13 out of 20 report directly to the C-level folks (especially the CIO) or to the board of directors. That's a surprisingly casual situation, though, since about 30% of those managers only take infosec status reports on an "ad hoc" basis. (Let us hope that not all of those meetings are prefaced by the phrase "Um, I'm afraid we have a problem.")
Face time matters -- especially around budget time, especially when times are strange. The precipitous decline in security budgets over the past year isn't only due to set-it-and-forget-it thinking higher up the food chain, but when just 6% of respondents say their IT budget has more than 7% set aside for security, you have to wonder about the effects of staying out of sight, especially since last year 36% of respondents said their security efforts received more than 7% of the IT budget. The Deloitte authors call it "a remarkable decline."
Also on the decline: executives responsible for privacy issues. That's amazing in its own way, considering that regulatory issues are hotter than ever -- and, again, companies that aren't making money might be more quickly inclined to sue their way to some ready cash if necessary. The number of executive-level privacy officers is down 6% this year, and of those left just 20% report to either a board of directors or a C-level executive. Nearly one company in five has no privacy policy at all.
Other survey numbers suggest that, around the company, security may be seen as not pulling its weight. (Perhaps a face-time issue; perhaps not.) 90% of companies surveyed do attempt to measure whether security projects are delivering as promised. Of that group, just 22% believe that projects deliver as promised, and 78% of respondents say that infosec efforts are at most "somewhat" effective.
The Deloitte survey is available from the company's Web site.
Copyright Betanews, Inc. 2009