Twenty-seven percent of respondents identified themselves as “strategists” while the remainder identified themselves as “tacticians” and “firefighters” (15 and 14 percent respectively). The study, the largest of its kind, of more than 9,600 security executives from 138 countries found that 72 percent of respondents report confidence in the effectiveness of their organization’s information security activities; however, confidence has declined markedly since 2006. The findings of the survey have helped carve a new definition of an information security leader. Even though 43 percent see themselves as “front-runners,” according to the survey only 13 percent made the “leader” cut. Those identified as leaders have an overall information security strategy in place, a CIO or executive equivalent who reports to the “top of the house,” measured and reviewed security policy effectiveness, and an understanding of the security breaches facing the organization in the past year.
According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten respondents report that their organization uses cloud computing: 69 percent for software-as-a-service, 47 percent for infrastructure-as-a-service and 33 percent for platform-as-a-service. Fifty-four percent of organizations say that cloud technologies have improved security, while 23 percent say they have increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies.
Key findings included:
1. Almost half of respondents see themselves as “front-runners”, and these companies approach information security differently.
2. Respondents are confident that their security activities are effective.
3. Security capabilities have been degrading since 2008.
4. Key areas of improvement include C-suite buy-in and increased funding.
5. Asia races ahead while the world’s information security arsenals age.
According to PwC, an information security leader has the following traits:
1. The organization has an overall information security strategy in place.
2. The organization has a CIO or executive equivalent who reports to top management.
3. The organization has actively measured and reviewed security policy effectiveness.
4. The organization has an understanding of the security breaches facing the organization in the past year.
Additional Selected Survey Highlights
1. 43% of respondents think their company has an effective information security strategy in place and are proactively executing their plans.
2. 72% of respondents report confidence in the effectiveness of their organization's information security activities.
3. 43% of respondents say their company has a security strategy for employee use of personal devices.
4. 37% of respondents say their company has a security strategy for mobile devices.
5. 32% of respondents say their company has a security strategy in place for social media.