Information security, 2018: What we have here is a failure to plan

Information security increasingly has a place in corporate leadership, but plenty of companies are still failing to make the plans they need to keep up.

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

The state of infosec

IT security is crucial to every business — but it's so omnipresent that it can be difficult to really get a sense of where the industry stands or where it's going. That's why every year, CSO partners with PwC to survey tech security leaders across the world to come up with a snapshot of where we are today as an industry.

THE GLOBAL STATE OF INFORMATION SECURITY® 2018 survey was fielded online to readers of CIO and CSO and clients of PwC from April 24, 2017 to May 26, 2017. The report is based on responses of more than 9,500 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from more than 120 countries.

Following is a tour of some of the survey's high points, including:

  • Who's in charge of security, what are they spending, and what've they got planned?
  • What are the current tech trends that security pros have to grapple with?
  • When different businesses have to deal with each other, what are the security implications?
Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Who's in charge here?

Infosec-specific officers are firmly in the C-suite. Fifty-two percent of surveyed companies employ a CISO, and 45 percent employ a chief security officer. And these folks report directly to the top. Only 24 percent are siloed under the CIO; the rest report to the CEO (40 percent) or even directly to the board (27 percent).

But further down the pyramid, things get more muddled. Just under half of surveyed companies have dedicated security personnel to support internal business operations.  Only 46 percent say infosec and physical security are combined, only 43 percent had privacy functions rolled into the infosec program — and in both areas, more than a quarter of respondents weren't even sure how their company was structured around these issues.

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Failing to plan

The numbers on how many companies are really coming up with concrete security strategies are pretty mediocre. Just over half of all surveyed companies — about 56 percent — even have an overall information security strategy. When it comes to strategies around securing specific technologies, the numbers are even worse, bouncing around at just below half:

  • Social media: 44 percent
  • Big data: 44 percent
  • Cloud computing: 46 percent
  • Mobile devices: 47 percent

Also just below half: the number of surveyed companies whose corporate boards participated in setting overall security strategy, at 44 percent. Still, given many boards' hands-off attitude towards day-to-day operations, that may actually represent a decent number.

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Security as an ongoing process

Some of the most nitty-gritty security measures involve regularly recurring processes — not sexy, but often crucial to ensuring an organization is prepared for an attack. For some of the most stolidly important of these processes, the industry gets a middling grade, with only about half of respondents saying their organizations put forth the effort to set them up. Here are the numbers of companies that say they make use of these processes:

  • Awareness training: 52 percent
  • A program to identify sensitive assets: 46 percent
  • Vulnerability assessments: 46 percent
  • Incident-management responses: 46 percent
  • Penetration testing: 42 percent
Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Where's the money going and why?

Information security is often seen as a cash sink within an organization, not necessarily bringing in revenues of its own. What's driving the choices on spending within the surveyed companies? Here are a couple of intriguing data points:

  • 49 percent of surveyed companies say that their security spending is based on risk alone
  • 66 percent say their organization’s spending is aligned with the revenues of each line of business

There seems to be a contradiction here: are companies fighting fires anywhere they start, or only protecting their most valuable assets? This may speak to atomization of security spending within different silos. Whatever the case, high-tech operations demand protection: 59 percent. of respondents say they invest more in security as a result of digitization of the business ecosystem.

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Locking down the cloud

Despite the fact that only 46 percent of companies have a cloud computing security strategy, the move to the cloud is happening, and happening fast. Already, 46 percent of surveyed companies see the majority of their IT services delivered from the cloud — and 60 percent see themselves reaching that point within the next five years. Things are moving even faster when it comes to data: 40 percent already have sensitive data stored in various cloud services, and 36 percent plan to do so in the next twelve to eighteen months.

Here's the breakdown when it comes to cloud computing models companies employ. Keep in mind that each comes with its own security challenges:

  • Public: 34 percent
  • Private: 55 percent
  • Hybrid: 29 percent
Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Gadgets and robots

Robots, IoT devices and other distributed embedded systems are starting to go from sci-fi concept to real-world real estate you have to protect. When it comes to robots, some companies are rolling them out, but their anxieties about possible security threats are profound: 40 percent are worried that a cyberattack could result in disruption of manufacturing processes, and 22 percent even foresee the possibility of loss of human life.

IoT gadgets are maybe a little less scary in this regard, but is that making people too complacent? 67 percent of companies have or are planning an IoT strategy — but only 34 percent are assessing IoT risks across their business. And who exactly is in charge of IoT security? Answers are mixed: 29 percent say the CISO, 20 percent say engineering staff and 17  percent say it's the responsibility of the chief risk officer.

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

No company is an island

When it comes to security, it can help to know about industry best practices — even if that means talking with your corporate rivals. There are formal industry groups that help keep the peace, and 37 percent of surveyed companies currently participate. Overall, 58 percent collaborate with other companies in one way or another.

What information are they sharing, exactly? There's a spectrum of how many companies share what sorts of information, and that spectrum tells you what data companies consider helpful enough to keep to themselves:

  • Internal threat data: 70 percent
  • Threat tactics, techniques, and procedures:  56 percent
  • Internal security incidents:  55 percent
  • Incident response tactics: 44 percent
  • Threat research: 30 percent

Does this cooperation bear fruit? Only 37 percent of surveyed companies say they improved their threat intelligence and awareness through these efforts./

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Third parties, third wheels

IT is becoming increasingly interdependent, especially with the offloading of many functions to third-party cloud services providers.  Companies are rising to that challenge: 38 percent conduct security assessments of their providers annually — and 56 percent do it twice a year or more. Still, only 39 percent of surveyed companies consider themselves "very prepared" to handle sensitive data protection in the cloud or in third-party environments.

And some of the follow-up questions about third-party companies show why there's a lack of confidence. Only 46 percent of surveyed companies conduct compliance audits of third parties to ensure they can protect customer data. In fact, only 46 percent of companies even require third parties to comply with their privacy policies.

Thinkstock/THE GLOBAL STATE OF INFORMATION SECURITY® 2018

Precious data

Companies are starting to learn that customer data is one of their most precious possessions, and that an unauthorized leak can have terrible consequences. Unfortunately the number of companies that have taken steps to protect it still only hovers around 50 percent:

  • 53 percent require employees to complete training on privacy policy and practices
  • 49 percent limit collection, retention and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected
  • 51 percent maintain an inventory of where personal data for employees and customers are collected, transmitted and stored

At least there's a recognition that a privacy culture needs to start at the top: 67 percent of surveyed companies have a chief privacy officer or similar exec in charge of compliance, and 12 percent plan to hire one in the next 12 months.