PriceWaterhouseCoopers Survey 2006

Summary of the PriceWaterhouseCoopers Survey 2006 -
The Global State of Information Security

Key findings

• Security spending as a percentage of IT budget is slowly increasing and thus IT security executives become more financially independent
• Most executives find implementing strategic security measures still hard to do and continue to concentrate more on tactical fixes. But compared to last year’s study more companies start to think about security as a strategic instrument for the future.

Further findings

• Security is still seen as inflicting costs and not as something with strategic value for the enterprise. One of the reasons is that IT executives do not know how many breaches or unauthorized access events occur in their company. But until they can name the amount of money their company loses due to poor security the management board will not agree on spending more money on security tools and workers. But only by integrating security into companies’ business plans can value be added to the organizations. The survey shows that companies that have aligned their security policies and spending with business processes coped with fewer financial losses and less network downtime.
  
• IT executive’s priorities shift from strategic to tactics: Data backup and network firewalls are the top two priorities. Disaster recovery and business continuity dropped from being their first priority in last year’s survey to number four in this year’s study. Employee awareness programs even dropped from second to tenth priority.
  
• The number of respondents admitting they need to comply to a specific law but don’t is still ranking high throughout the world. The main reason is a lack of enforcement and penalties. In addition, expenses for complying are still higher than the cost of noncompliance.
  
• The survey revealed that companies in the financial services sector implemented the best information security practices. The share of their security budget within the company’s overall IT budget is higher and increases faster than in other industries.
  
• IT outsourcing to India is a critical point too: Though 90% of worldwide outsourcing revenue goes to India, Indian companies lack even the most basic security practices and tools. Last year 15-20% of these companies suffered from extortion, fraud or intellectual property theft; even 29% of financial losses! There are signs that Indian organizations start to reduce security breaches but though the problem is obvious most companies still prefer to ignore it.

“The Global State of Information Security Survey 2006”, a worldwide study by CIO, CSO Magazines and PriceWaterhouseCoopers was conducted online from April 5 to May 22, 2006. The results shown in this report are based on the responses of 7,791 CEOs, CFOS, CIOs, CSOs and VPs and directors of IT and information security from 50 countries.

Read and download the complete study under www.pwc.com