There's been no shortage of high-profile and damaging data breaches in the past year. And the targets are widely varied - they include security firms RSA Security and HBGary Federal, defence contractors Lockheed Martin and Northrop Grumman, entertainment giant Sony, major retailers, healthcare companies and marketing firms.
Despite these attacks, the ninth annual Global Information Security Survey conducted by CIO's sister publication CSO magazine and PricewaterhouseCoopers indicates that of the 9,600-plus business and technology execs surveyed, 43% identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.
"Clearly, something unusual is happening, with so many organisations viewing themselves as security leaders," said Mark Lobel, a principal in the advisory services division of PwC. In reality, "nowhere near 43% are leaders."
Pete Lindstrom, research director at Spire Security, has another take. "Either 43% are fooling themselves, or they are reaching a good level of success in setting their strategy and hitting it."
To better understand the actual security-management capabilities of the respondents who said they were leaders, PwC filtered the results according to factors it thinks are markers of real leadership. To meet the criteria, a company had to have a security strategy in place, IT security had to report to senior business leadership, the company had to have reviewed its IT security policy in the past year, and if the business had suffered a breach, it had to understand the cause. "When we finished that analysis, the amount of frontrunners fell from 43% to 13%," Lobel said.
Where does this unwarranted confidence come from? "Perhaps they didn't have bad things happen, or they're not aware that bad things have happened," said Lobel. "That can definitely create a false sense of security."
That complacency could partially explain why so many organisations have decided to defer security spending. This year, 51% of respondents said they were postponing security-related capital expenditures, up from 46% last year. Operating expenditures didn't escape unscathed either, with 48% of respondents saying they've deferred projects. That's up from 43%.
That's not to say respondents aren't spending on security. They are, and they're focusing on protecting against web-based attack vectors and deploying technologies that aim to prevent attacks. Investment in application firewalls grew from 72% to 80% in the past year, and investment in malicious-code-detection tools rose from 72% to 83%.
"It's good to see the investment in technologies," said Lobel. "However, the data shows they're not making investments in the processes necessary to make sure security policies are in place so technology works in sync to defend the enterprise."
Robert Fecteau, business technology officer at BAE Systems Intelligence and Security, calls the security budget cuts shortsighted. Security breaches can leak product designs, ruin reputations and make a company less competitive, he points out. "If your systems are penetrated, everything that you thought you saved in budget cutbacks will be lost."