A series of high profile information security breaches in the past year -- in New Zealand and overseas -- are compelling reasons for organisations to take a more strategic view of their security, and tailor their programmes accordingly.
What programmes do New Zealand enterprises have underway to protect themselves from these types of incidents?
How are they responding to new security threats amidst a backdrop of static budgets and evolving technology platforms?
These are some of the questions posed to respondents in the latest Global State of Information Security Survey by CIO and CSO magazines in conjunction with PricewaterhouseCoopers (PwC).
The survey, conducted between February and April this year, had more than 9300 CEOs, CFOs, CIOs, CISOs, CSOs, vice presidents, and directors of IT and information security from 128 countries -- including 180 from New Zealand -- responding.
The survey finds the general mood among the global executives is largely optimistic. Despite a rise in security incidents and decreasing IT budgets, information services executives around the world remain confident in their organisation's security. "
The majority of respondents (68 percent) are confident their organisations have instilled effective information security behaviours into their culture, and are very or somewhat confident their information security activities are effective (more than 70 percent).
Yet, while nearly half of respondents (42 percent) view their organisation as a "front-runner" in information security strategy and execution, the survey finds only 8 percent actually qualify as true information security leaders.
PwC defines 'leaders' as organisations that have a chief information security officer (or CISO) equivalent, and have an overall information security strategy in place, have measured and reviewed the effectiveness of their security in the last year, and understand exactly what types of security events have occurred.
The report also delves into how organisations are managing the security implications of the "relatively new frontiers" of cloud platforms, social networks and mobile devices or consumerisation of technology .
Given the growth in both structured and unstructured data, the survey finds more than 80 percent of respondents protecting customer and employee data is important, but far fewer understand what that data entails and where it is stored.
Fewer than 35 percent of respondents said they have an accurate inventory of employee and customer personal data, and only 31 percent reported they had an accurate accounting of locations and jurisdictions of stored data.
So how do New Zealand organisations compare with their offshore counterparts in information security strategy and execution?
New Zealand organisations continue to be confident in a "tactical approach" to security, says Richard Tims, director and Colin Slater, partner; of risk and control solutions at PwC New Zealand.
"We still got a real lack of planning, it came up last year. It came out again this year," says Slater.
"Being in this tactical space we have seen a lot people trying to crack their business cases and not tie it back to IT security strategy, which is tied to your IS strategy, which is tied to your business strategy," says Slater.
"There is evidence there are lots of things being done, [but] with no mechanism to track back what it has done for the business in terms of cost, agility and mitigation."
Tims and Slater say the security governance model is less formal in New Zealand than overseas, and relies on the experience of multi-skilled staff rather than experts. New Zealand also has a high rate of outsourcing compared to the region.
Tims says this is a result of the size of the New Zealand market. He points out organisations that will use outsourcing should do due diligence on the services.
"Everyone can say we do this 24 x 7 -- but how many people are CISSPs (Certified Information Systems Security Professionals) fully qualified that know this game back to front?"
Slater believes New Zealand will continue with the outsourcing trend as dictated by the scale and size of organisations.
At the same time, there is an expectation all staff are aware of cyber threats but there are limited programmes to support ongoing education. "We are one of the lowest when it comes to running formal programmes," says Tims. "Sometimes it is too late."
The local survey finds investment in security remains stable, but low, compared to global trends.
Tims and Slater also looked at the impact of the uptake of cloud services across the enterprise.
"Historically if you want to build a new business service somewhere in the chain, you will be caught because you are procuring equipment. When you buy cloud service IT may or may not ever know it is there," says Slater.
"You have got business units or elements of the business buying services delivered from somewhere and they are not equipped with the information to ask the right questions," says Slater.
"You get a nice brochure you can sign up and buy it," he says. "Where is your data, who has copies of it, can you get it back? Who else can access it technically what infrastructure is it on? How it is managed, where is it? There is a myriad of questions and they are complicated questions."
And this, he says, is "just one aspect of one service for one organisation".
BYOD and bands
Tims says there are newer areas -- like BYOD -- which enterprises will grapple with. Again, defining what information is important when enterprises "open the door" is important.
"There is a little bit of One Direction," says Slater, using as his analogy the huge impact the boy band made when they appeared on the scene.
"It is the same with BYOD," says Slater. "Let's do it, let us get rid of Blackberrys. Let them use their phone."
But then, he says, organisations are saying, "Let us just think about this for a minute."
There is a delicate balance on being open and enabling and then actually controlling your costs and risks, says Slater. There are things that "derail" them like insurance, the phenomenal range of devices, and questions on cost management.
"Then, once you get on under the covers and understand it properly, it is not as simple or as straightforward," says Tims. "People lose sight why they asked for it in the first place. What is the key driver for it? People feel like it is massive if we don't do something about it, organisations will fall over. It won't happen. Business will continue if people don't have BYOD."
Protecting the crown jewels
The global results find employees remain the biggest source of security incidents. While this is down from 67 percent to 48 percent, there has been a marginal increase from service providers.
"It is the backup [drive] you take before you move companies, people take info as they move from one company to the other," says Slater. A common area is in sales where the information taken is around targets and lists of clients.
Elsewhere there would be "more targeted mechanisms" to get that information extracted without personal relations. In New Zealand, it is much more people based.
Tims says industries should have a really good understanding of what the value of the IP (intellectual property) is to the organisation. He cites an equipment manufacturer that refuses to assemble in China because they know within days, there is a danger their "unique technology" will be mass copied. "There is a good understanding the IP is the crown jewels of the organisation. They fully understand what they cannot lose. They keep it in New Zealand and they outsource elements of it but keep the aggregation element of it here."
Tims and Slater support the mandatory reporting of security incidents.
"It will really change the behaviours within the organisation when you don't have to report," says Tims. "Stuff gets swept under the carpet."
"Unless someone blows the whistle, you can get away with it," says Slater.
"There are many, many incidents that have gone completely under the radar."
The range of incidents is also huge, says Slater. Email, which is the de facto standard for communications, it is so simple to accidentally send email to the wrong person."
"You need to have a strategy that defines what are the outcomes you want," says Slater. "Is it risk reduction? Is it risk mitigation? Trying to link all these together is important."
So what pointers can they provide to enterprises?
It as a "damned if I do, damned if I don't" situation, says Tims. "I can spend the money but it is essentially sunk cost. Yes, it is protection and insurance, but on the flipside, I could really be exposed if I touch this too lightly."
Slater says the key is to connect the information security strategy to the whole business strategy. "The strategy is to bring that together, why are you doing this?"
Look at the business plan's strategic objectives, and tie it with the organisation's risk appetite. "What risks are you prepared to take, where are you at now, where do you want to be and what does that mean for your technology? That is the key link," says Slater. "In business you always make decisions based on some element of risks."
For Tims, this relates to the CIO's reporting line. "As soon as you see a CIO that is not at the executive table, and reporting to the CFO, you have an inkling of the direction the organisation is taking which is IT as a cost centre."
"My view is organisations that have made that link are the ones that have got executive level sponsorship or knowledge around IT.
"There is so much going on they need someone that can talk in a language the business can understand, translate some of the technology things that can bring outcomes to the business people sitting around the table," says Tims.
"If I link a particular IT or security strategy back to a business outcome which could be increased revenue, my chances for success are far greater," says Tims. "If decisions are filtered down from the board to someone who is in operational delivery, you are not going to get that leverage or advantage."
He says it does not have to be the CIO who will deliver this, but this expertise should be at the executive table. Management can see this vision, but there is a board on top that can endorse that vision, he says. "Where do the business cases get authorised? They are at the board level."
"I have seen effective CFOs who are very IT savvy. Even if IT reports to that individual, I am confident the message will be relayed," says Tims.
The fundamentals
What are key steps organisations can take?
"When it comes to information security, make sure you have the fundamentals in place, your people know about them and their roles and responsibilities in enforcing them," says Tims.
"Removing subjectivity around risk and security requires a baseline or anchor that can be provided through a process of classification, which is effective even at the most basic level."
"What is important to the business? Then you can make decisions on what level of investment you need to protect it. If it is subjective, you are never going to get a clear view of your basic building blocks," says Slater.
"You don't need to be a technologist," says Slater. "You just need to be able to ask simple questions. What are we doing with this? We are going to put all of our HR in the cloud. Where is it? Who else can look at the information?"
Tims says business decisions are driving the strategy. For instance, it is not necessarily a security reason why service stations have changed to the supermarket style of paying for fuel. They want more people coming in at the store so they can get coffee, muffins and even lottery tickets.
"They changed their business model and technology changed with it," he says. "It is as simple as that, it is not security or risk management, it is a business decision."