Corporate confidence in data security may belie less than effective measures taken to protect data. Risks continue to increase while businesses do not always keep current on preventing data loss.
Many businesses are confident in their security effectiveness, but factors outside of the control of executives increase risk - such as decreased budgets, increased incidents and unprotected new technology. The Global State of Information Technology study, conducted by several security publications, asked executives in various industries how they thought their organizations stacked up in security practices. Answers were largely positive - many respondents are confident in the security practices of their organization (42 percent), and most believe they have instilled the importance of effective security behaviors into their organizational culture (68 percent). Most also say their information security activities are effective (71 percent), but confidence levels are much lower than four years ago (83 percent in 2008).
The study constructed its own parameters for defining information security leaders - organizations must have an overall strategy, employ a CISO who reports to a top-level executive, and within the past year have measured security effectiveness and understood “exactly what type of security events have occurred.” Many of the respondents who self-described their organizations as front-runners (have an effective strategy and proactively execute it) don’t meet these criteria - only 8 percent do. This means most organizations have much room for improvement, but among the security leaders, good practice levels were much higher. Leaders more often integrate security into projects from the start, or align security spend with business goals.
Developing effective strategies requires comprehensive business evaluation
Security spending has improved since the economy was in its deepest woes, but has not kept up with needs. The economy was the top driver of spending in this category at 46 percent, while business continuity or disaster recovery claimed 31 percent of responses. Businesses have to keep current with security requirements to remain effective - if they are trying to save money in a difficult economic time, they stand to lose much more if their data is compromised. Security leaders must implement a risk-assessment strategy, and understand who wants to get their information and how. With effective strategizing, information security can protect data as well as create business value.