ABA Banking Journal Home
October 5, 2011

PwC security survey finds declining confidence; with advanced persistent threats a particular challenge

The 2012 Global State of Information Security Survey reveals that 43% of global companies think they have an effective information security strategy in place and are proactively executing their plans, placing them in the category of information security “front-runners.” Twenty-seven percent of respondents identified themselves as “strategists,” while the remainder identified themselves as “tacticians” and “firefighters” (15% and 14% respectively). The study, the largest of its kind, is conducted by PricewaterhouseCoopers US in conjunction with CIO and CSO magazines.

The 9th annual survey of more than 9,600 security executives from 138 countries found that 72% of respondents report confidence in the effectiveness of their organization’s information security activities; however, confidence has declined markedly since 2006.

The findings of the survey have helped carve a new definition of an information security leader. Even though 43% see themselves as “front-runners,” according to the survey only 13% made the “leader” cut. Those identified as leaders have an overall information security strategy in place, a CIO or executive equivalent who reports to the “top of the house,” measured and reviewed security policy effectiveness, and an understanding of the security breaches facing the organization in the past year.

“Companies now have greater insights than ever before into the landscape of cybercrime and other security events—and they’re translating this information into investments specifically focused on three areas: prevention, detection and operational web-related technologies,” says Mark Lobel, a principal in PwC’s Advisory practice. “Just a few years ago, almost half of this survey’s respondents couldn’t answer the most basic questions about the nature of security-related breaches; now approximately 80% or more of respondents can provide specific information about the frequency, type, and source of security breaches their organizations faced this year.”

Since 2007, there has been a dramatic leap in organizations’ awareness of and insight into the types and frequency of attacks, particularly in the industries of aerospace and defense, financial services, technology, telecom and the public sector.

“After three years of cutting information security budgets and deferring security-related initiatives, respondents are bullish about security spending. What is evident, however, is that many of the vulnerabilities that began emerging last year—two years after the global economic downturn—are still present and require attention,” says Lobel.

Meeting the APT threat

This year, a significant percentage of respondents across industries agreed that one of the most dangerous cyber threats is an advanced persistent threat attack. [Elsewhere, a PwC official described an APT attack as any intrusion advanced enough to avoid detection, either by a criminal group or sponsored by a state.] A number of survey respondents found that the threat of an APT is driving their organization’s security spending. These included 64% of respondents from the industrial manufacturing sector, 60% of technology respondents, 49% of entertainment and media respondents and utilities respondents, 45% of financial services respondents, and 43% of consumer products and retail respondents.

Only 16% of respondents say their organizations are prepared and have security policies that are able to confront an APT.

“As advanced persistent threats and other cyber security challenges continue to emerge and the funding climate remains conservative, it’s impossible to avoid the conclusion that business and IT personnel across the world are less sure that their organization is prepared to confront these threats to their information, operations, and brand,” says Lobel.

Impact of cloud, mobile, social media

According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten respondents report that their organization uses cloud computing: 69% for software-as-a-service, 47% for infrastructure-as-a-service, and 33% for platform-as-a-service. Fifty-four percent of organizations say that cloud technologies have improved security, while 23% say it has increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies.

Mobile devices and social media represent a significant new line of risk—and a demand for prevention. Organizations are beginning to amplify their efforts to prevent mobile and social media based attacks. Forty-three percent of respondents have a security strategy for employee use of personal devices, 37% have a security strategy for mobile devices, and 32% have a security strategy for social media.

Increased awareness of attacks may correlate with organizations mobilizing in certain areas of IT spending. Investments in application firewalls increased from 72% last year to 80% this year and malicious code detection tools have increased 11 percentage points—from 72% last year to 83% this year.

Managing security-related risks associated with partners, vendors, and suppliers has always been an issue, and according to this year’s survey it is getting worse. Seventeen percent of respondents identify customers as the source of security breaches, up slightly from last year (12%), and 15% have identified partners or suppliers as the source.

“For years the most commonly suspected source of breaches has been employees, both current and former—and this has remained constant,” says Lobel.

