Global infosec survey finds more talk - but not more action

Anyone you care to ask will likely--and reasonably--agree that the threats against IT systems and data are serious and organizations need to take appropriate steps to protect their infrastructure and information. But if you look at the practices actually in use at many organizations, it becomes painfully apparent that there's still a wide gulf between ideals and reality.

That's no shock to anyone paying attention. But the reasons for the continuing gap between what needs to be done and what's actually done have remained unchanged for years. Business executives and security managers just can't get in sync. That is, CEOs and executives talk a good game about the seriousness of protecting their data, but when it comes time to put resources and capital into it, they're not willing.

That's just one of the findings of the Tenth Annual Global Information Security Survey conducted by CSO and CIO magazines and PricewaterhouseCoopers.


This year's survey asked 12,052 business and technology executives about the security efforts at their organizations. Many of them cited lack of security leadership and effective information security strategy as significant roadblocks. Only a third of respondents believe security policies at their organizations are tightly aligned with business objectives.

"Where this disconnect happens, the security group is often too far removed from the groups that provide revenue," says Bill Burns, director of IT security and networking at Netflix.

"As a result, security isn't seen as strategic, but only a cost."

Some security professionals think their own peers are one of the primary problems. Jayson Street, who's CIO at security services provider Stratagem 1 Solutions and an assistant VP of information security at a national bank, contends that this gap between business and security teams is not primarily the fault of business executives.

"It is IT security that, too often, is failing the business. We don't communicate risk well enough, and why the risk is worth mitigating in a business perspective," Street says.

Jay Leek, SVP and CISO at the Blackstone Group, largely agrees. "Security practitioners don't always invest the time necessary to make the best business cases they can for what they need to accomplish," Leek says.

"Where are you trying to take the organization with your security investment? Why are you trying to achieve it? What risk levels are you trying to set? These and other business factors need to be communicated in terms that business leaders can relate to so they can accept making more proactive investments in security efforts."

Fighting Yesterday's Battle

Failure to align security and business objectives and properly fund security efforts has significant consequences, says Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers.

"What ends up happening to these organizations is that they fall behind and it becomes next to impossible for them to catch up. They are forced to jump from one problem to the next, from malware infections to breaches to data leaks, from regulatory audit findings to availability issues," says Lobel.

The results this year show that organizations are indeed fighting from behind. Only about half of all organizations report their security programs are mature enough that they can measure and review the effectiveness of their policies and procedures. And 22 percent are not sure if they have reviewed the effectiveness of those policies.

"Organizations are playing by ear, and they're still playing the way networks were defended a decade ago. However, attackers seem to be upping their game constantly, which means we have to be constantly looking at the effectiveness of what we're doing to stop them," says Lobel.

Many organizations, nearly 43 percent, believe their security programs are effective and say they are proactive with security. However, many industry watchers believe these organizations are overestimating their programs. This was a big theme in our survey last year. (See "Are you an IT security leader--really?")

"Organizations typically have an inflated view of how well they are doing things," says Mike Rothman, an analyst at the security research firm Securosis.

"That view is, of course, shattered when something goes wrong. Then it turns into a game of finger-pointing and blame."

A Poor Justification

Perhaps one big obstacle to implementing effective security is the way organizations justify their security spending. At nearly 46 percent of enterprises, changes in security spending depend on general economic conditions. At about a third of others, the need to protect the company's reputation or meet regulatory compliance dictates the security budget.

"Most of the time I think our investment in security is either driven emotionally or as a way to cut costs," says the security officer at a U.S. manufacturer.

"Our biggest investment last year was putting in place self-service password resets," he says. "We did very little in the way of hardening our Internet-facing systems or endpoints because the cost was viewed as too high."

At 35 percent of organizations, the effectiveness of that security spending is determined by subjective professional judgment. Other common effectiveness metrics, some of which are used in combination, are reduced incidents (29 percent), total cost of ownership (24 percent), improvement against security metrics (24 percent), and ROI (23 percent).


A surprising one in five respondents do not know how effectiveness is measured in their organization.

One of the more encouraging findings this year is that relatively few security incidents were reported. A full 31 percent of respondents report no security incidents in the past year, while another 32 percent say that they experienced fewer than nine incidents. About 1.6 percent of organizations reported experiencing more than 100,000 incidents.

However, the financial costs for companies that did suffer breaches were high, averaging more than $1.6 million for each breach that companies were required to publicly disclose. At 6 percent of firms, losses totalled more than $10 million. About 45 percent of organizations attributed those losses to a variety of factors, including paying for legal services, investigations, forensics, and auditing and consulting services, and losing customers. Brand and reputation damage was blamed for about 27 percent of security-related losses.

Another reassuring bit of news is that in the year ahead, security investment is expected to rise by about 6 percent. And, despite the fact that nearly 28 percent of companies plan to keep their security spending flat, 7 percent of companies plan to increase their spending by more than 30 percent, and nearly 15 percent of companies plan to increase spending by between 11 percent and 30 percent. Only 9 percent anticipate cutting spending.

Many experts are concerned that the security investments aren't being applied to the right areas, especially as so many firms aren't measuring the effectiveness of the steps they're taking now.

"Generally, we've seen a decline in investments in technologies such as rogue device detection, intrusion detection systems, vulnerability scanning, event correlation and similar technologies," says Lobel. "It's tough to succeed at security if you are not investing in technologies to test your infrastructure and monitor what is happening on it," he says.

Where do you go from here?

If a lack of security leadership is a serious obstacle to improving security, what are CSOs to do about it?

Leek, the CISO of the Blackstone Group, believes many CISOs and security managers have not set up the proper levels of governance or explained risk management as it relates to the business. That's a good place to start.

Learning to speak in plain language would help, too.

"Many talk too technical and get too excited over new technologies and attack techniques as opposed to talking about the underlying business problems that the organization faces and minimizing the associated risks," he says.

"The other piece of this is that, because many don't get a good grip on their security program, many fall into a reactive firefighting mode and they get stuck," says Leek.

The best way to get out of that rut, experts argue, is to convince management that IT security is both necessary and strategic. "I strive to find ways to translate the services my team provides into either cost savings or efficiency gains," says Burns, of Netflix.

"The holy grail is to translate what you are into a competitive advantage. And while that's not always possible, it is often possible to prove that some of the initiatives make a better customer experience, maintain trust over time or...reduce long-term costs. That seems to resonate with executives."

To succeed, Burns advises making arguments for security from the perspective of the business. "When I'm planning my pitch for something new, I always go through a series of 'So what?' rounds of questions with myself, as if asked by the executives. If I'm telling them that I'm worried about this, or we need to invest in that, I need to be able to answer all of those 'So what?' questions from their perspective," he says.

A key to being able to answer those questions is measuring the right things. This way, you have the right information to help make better risk management decisions and successfully argue the value of your security efforts. "The metrics I found more effective are based on efficiency or achievement, as opposed to just measuring activity," says Burns.

"If I show someone that I believe my security program is effective because I'm counting the number of vulnerabilities, or missing patches, that's interesting, but it's not really actionable," he says.

"The more successful metrics are when you can report how much time it takes to resolve a vulnerability, for instance. Numbers like that show the efficiency, rather than just the amount of work being done," he says.
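To make the distinction Burns draws concrete, here is an added example (not code from the article, Netflix, or the survey) that computes both kinds of number from a small set of constructed vulnerability-tracking records: the activity metric (how many findings are open) and the efficiency metrics (time to resolve per severity, and the share of findings remediated within a target). The records, the `as_of` date and the per-severity remediation targets in `SLA_DAYS` are assumptions made up for the example, not figures from the survey.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample records (not survey data): each entry is one tracked
# vulnerability with its severity, when it was opened and, if fixed, when closed.
SAMPLE_VULNS = [
    {"id": "V-1", "severity": "critical", "opened": "2012-01-02", "closed": "2012-01-05"},
    {"id": "V-2", "severity": "critical", "opened": "2012-01-10", "closed": "2012-01-25"},
    {"id": "V-3", "severity": "high",     "opened": "2012-01-03", "closed": "2012-01-20"},
    {"id": "V-4", "severity": "high",     "opened": "2012-02-01", "closed": None},
    {"id": "V-5", "severity": "medium",   "opened": "2012-01-15", "closed": "2012-03-01"},
    {"id": "V-6", "severity": "medium",   "opened": "2012-02-20", "closed": None},
    {"id": "V-7", "severity": "low",      "opened": "2012-01-01", "closed": "2012-01-31"},
]

# Hypothetical remediation targets in days per severity (an assumption for this
# example, not a standard cited by the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d")


def activity_metric(vulns):
    """The 'activity' number Burns calls not actionable: how many findings are open."""
    return sum(1 for v in vulns if v["closed"] is None)


def time_to_resolve(vulns):
    """Days from open to close for each remediated finding, grouped by severity."""
    by_sev = {}
    for v in vulns:
        if v["closed"] is None:
            continue
        days = (_parse(v["closed"]) - _parse(v["opened"])).days
        by_sev.setdefault(v["severity"], []).append(days)
    return by_sev


def efficiency_metrics(vulns, sla=SLA_DAYS, as_of="2012-03-15"):
    """Mean/median time to resolve and target compliance per severity.

    Open findings already older than their target as of `as_of` count as misses,
    so a growing backlog cannot hide behind a good average for closed items.
    """
    now = _parse(as_of)
    ttr = time_to_resolve(vulns)
    report = {}
    for sev, limit in sla.items():
        closed_days = ttr.get(sev, [])
        met = sum(1 for d in closed_days if d <= limit)
        open_ages = [(now - _parse(v["opened"])).days
                     for v in vulns if v["severity"] == sev and v["closed"] is None]
        overdue_open = sum(1 for age in open_ages if age > limit)
        total = len(closed_days) + len(open_ages)
        report[sev] = {
            "mean_days": round(mean(closed_days), 1) if closed_days else None,
            "median_days": median(closed_days) if closed_days else None,
            "sla_met_pct": round(100.0 * met / total, 1) if total else None,
            "overdue_open": overdue_open,
        }
    return report


if __name__ == "__main__":
    print("open findings (activity):", activity_metric(SAMPLE_VULNS))
    for sev, row in efficiency_metrics(SAMPLE_VULNS).items():
        print(sev, row)
```

Run as-is it reports two open findings, which says nothing about whether the program is working; the per-severity rows show that critical items are closed in nine days on average against a seven-day target, that one high-severity item is already overdue, and what share of each class was fixed inside its target. Those are the numbers that answer an executive's "So what?".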

By improving how the security program is measuring and talking about the risks the business faces in clear business terms, it becomes much easier to obtain the needed resources. "It's not easy to do, and it's something that doesn't happen overnight," says Leek. But making a compelling business case is the only way to obtain what's needed.

And what happens to those organizations where the CSO can't make their case? "They end up understaffed and without the resources they need. And that makes it tough to succeed at this," he says.
