Well, after waiting and waiting for it, the CSI Survey for 2007 was finally released. And after 12 years, it still fills an important role in determining the state of IT security today.
The first and most obvious change this year was the FBI's absence from the title. This doesn't indicate a lack of FBI involvement; rather, it reflects that CSI is the main research partner for this study. The integrity of the study still stands.
I regularly comment on this survey since it provides a window into what is going on in the world of corporate IT security. Yet one of the biggest drawbacks of this survey is that the data comes from the mouths of the converted. That is, those that participate are members of CSI itself. Perhaps one day an enterprising firm will survey as many companies and organizations as it can that don't belong to a security-minded club and see how they compare. I personally think it would be interesting to see what kind of impact that membership has on how a company operates in terms of security.
But I digress.
In typical fashion, a few items immediately raise my eyebrows. When I think back to the past year or so, I realize that things seemed rather quiet when it comes to big security issues. There have been a few minor things bubbling here and there, but either the media is getting complacent, fewer companies are reporting events (to avoid bad press), or attacks are occurring less often.
Then again, it could be a combination of all of those factors.
The survey was completed by 494 organizations, a drop from previous years, but like any survey, the number of participants can go up or down. It does represent about 10 percent of CSI's membership, so the sample is more than adequate. I still contend that the majority of security problems today remain somewhere in the domain of spyware and phishing. And I think some of the results are pointing to that.
First, however, let’s see who is involved.
Industry sectors are more finely delineated than in previous years, but the percentages remain generally the same. While I still believe that there could be more, the consistency of the respondents helps to ensure the accuracy of the survey itself. New categories this year include law enforcement and military. Additionally, the company sizes remain relatively the same.
As usual, not everyone reported revenue amounts, but that’s OK. In this context, revenues only count to help determine how much is dedicated to IT spending, and specifically, IT security spending.
One of the most interesting stats revolves around who responded. The Chief Privacy Officer title represented less than 1 percent of the respondents. The title may not be considered necessary, or it may have been rolled into another title.
The most common title was Security Officer, representing 41 percent of respondents. This may reflect the notion that privacy is not something to worry about internally and is viewed as an external issue (which would be addressed by overall security). The industry should be reminded that internal corporate privacy (e.g., employee privacy) is just as important as external client/customer privacy (e.g., credit card numbers).
Second, exactly how important is security to companies as a whole?
It's interesting to note that 26 percent of all companies reported spending 3-5 percent of their IT budget on security. Compare this to only 6 percent of companies that did so in 2006. I suspect that this group includes companies that previously spent 10+ percent and those that spent less than 1 percent. Therefore, it may be representative of more realistic values being placed on the cost of security. However, it is still not adequate, likely resulting in overworked, underpaid administrators and other staff.
As we venture further into the survey, it becomes apparent that most of the budget is likely spent on tangible items like firewalls and antivirus software rather than intangibles such as awareness training. The fact that about 48 percent of companies spend less than 1 percent of the total IT budget on awareness further supports the idea that companies are looking for tangibles. Unfortunately, companies need to realize that the intangible security benefits last far longer than the ones you can install and configure, and have a greater impact on an organization's image and long-term security.
One unsurprising finding is that IT security isn’t generally outsourced.
This is likely due to the fact that it's easier to manage security locally than remotely. This is particularly true for physical security, as well as for organizations that require proximity to internal customers. Most outsourcing today remains in the realm of support operations or 24/7 coverage.
While most IT security hasn't been outsourced in the last two years — 61 percent of respondents indicated that none of it was for 2006 and 2007 — that figure may change as some security functions, like log review and overnight IDS monitoring, are outsourced. Perhaps with the assurance of external insurance policies, organizations would be willing to take the risk. But as it stands, this is still an area that the majority does not invest in.
Be sure to check back for Part 2 as we examine attack types and their effects on businesses.
This article was first published on EnterpriseITPlanet.com.