Losing ground : 2009 TMT security survey

42 pages

English

Losing ground : 2009 TMT security survey

deloitte - Deloitte

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

42 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Deloitte's third edition of the Global Security Survey for the TMT industry was based on in-depth research, mostly in-person, with over 200 TMT organizations around the world.

Sujets

Surveyor 3

Informations

Publié par	deloitte
Nombre de lectures	181
Langue	English
Poids de l'ouvrage	2 Mo

Extrait

Losing Ground 2009 TMT Global Security Survey Full report

In-depth results from the 2009

TMT Global Security Survey

Contents

Foreword Objective of the survey The value of benchmarking Areas covered by the survey Survey scope Who responded Key ﬁndings Detailed results Governance Investment Security value and perception Use of security technologies Quality of operations Privacy How DTT’s TMT Group designed, implemented, and evaluated the survey Helpful references and links Acknowledgements Contacts

Losing ground Full report

5 6 7 7 7 8 9 11 11 14 16 18 20 23 24 26 27 28

“Information and intellectual property are the lifeblood of a TMT company. Protecting these precious assets is imperative to every TMT organization. ”

Foreword

This report provides detailed results of the Global TMT Security Survey, underpinning the key ﬁndings outlined Welcome to the third edition of the Global Security in the main report. Survey for the Technology, Media & Telecommunications TMT On behalf of Deloitte Touche Tohmatsu and the TMT (person), iwnidtuhs torvye, r b2a0se0d TonM iTn -odregpatnhi zraetsieoanrsc ah,r omunosdt lyh in practices of its member ﬁrms, we would like to thank t e all of the people who contributed to this report – especially the Chief Information Security Ofﬁcers world. and security management teams that shared their experiences and insights. Your contributions are helping This is the third year in which the Deloitte Touche to make the entire TMT industry more secure. Tohmatsu Global TMT Industry Group has published its Global Security Survey. The last edition of the security Igal Brightman survey found that many TMT companies were just Global Managing Partner about managing to keep up with the growing threats – despite increased spend on security. What effect is the Jacques Buith current economy having on digital security, and what TMT Security & Privacy Leader are TMT companies doing to address the multitude of challenges they face? DTT Technology, Media & Telecommunications Industry Group The challenged macroeconomic backdrop is causing companies to review costs in all areas, including security. This year’s results show a signiﬁcant drop in security investment, which is having a detrimental impact on all aspects of TMT security. In the 12 months leading up to this year’s survey, 32% of respondents reduced their information security budget. No wonder 60% of respondents believe they are “falling behind” or still “catching up” to their security threats. Falling spend on security is occurring despite the massive programs to digitize TMT companies’ intellectual property around the world. While the current business climate requires TMT companies to focus on an unprecedented level of cost efﬁciency, there is a minimum level of diligence required below which companies may be exposing themselves to critical risk. Security is particularly vital in an era in which digital malevolence is more prevalent than ever. Without smart investments in security and innovation, TMT companies might not be able to keep pace with the growing threats imposed by increasingly sophisticated attacks and emerging technologies.

Losin ggroun dFul lreport 3

Objective of the survey

The ﬁrst goal of the 2009 TMT Global Security Survey is to help TMT companies gain a better understanding of the security challenges and threats that the industry is already facing, and to provide a preview of the challenges that loom on the horizon. The second goal is to help TMT companies understand what others are doing to tackle the problem, so they can improve their own approach and reduce their vulnerability to attack.

“It is sensible to learn from your own mistakes. It is better to learn from the mistakes of others.”

This year’s analysis builds on the results from last year’s report, “Treading Water”. Wherever possible, the TMT Industry Group kept the survey questions and methodology the same in order to help identify patterns and trends. As in the past, Deloitte’s member ﬁrms helped validate the survey results and provided additional insight by applying their specialized knowledge and hands-on experience gained from working with some of the world’s leading TMT companies.

In the graphs: current edition previous edition

To determine differences and similarities in trends, comparisons are made between the previous and the current edition. This is indicated by the symbols as depicted above.

The value of benchmarking

Now more than ever, TMT companies recognize the importance of performance measurements and bench-marks to help them manage complex systems and processes. The Global TMT security survey is intended to enable benchmarking against comparable organizations. Benchmarking with a peer group can help organizations identify and implement practices with the potential to produce superior performance. Areas covered by the survey It is possible for an organization to excel in some areas related to information security (e.g., investment and responsiveness), while falling short in other areas (e.g., value and risk). To pinpoint speciﬁc areas that deserve attention, survey questions were grouped into six key categories: • Governance • Investment • Security value and perception • Use of security technologies • Quality of operations • Privacy and compliance

Survey scope The survey focused on TMT companies with a global presence. Respondents included companies headquartered in every major region: North America (NA); Europe, Middle East, Africa (EMEA); Asia Paciﬁc (APAC); Japan; and Latin America and Caribbean Regional Ofﬁce (LACRO). Due to the diverse focus of participating companies, and the qualitative format of the research, the results reported herein may not be representative of every region.

Losing groun dFul lreport5

Who responded

This report reﬂects current trends in security and privacy at a large number of major TMT companies around the world.

To promote open and candid discussions the Deloitte Touche Tohmatsu (DTT) TMT Industry Group agreed to preserve the anonymity of participants by not identifying their organizations. The global survey included TMT companies of every shape and size, with strong representation across all three sectors.

Industry breakdown

Technology

Telecommunications

Number of employees

Choose not to say over 50,001

1 - 5,000

5,001 50,000 -

Media

Annual Revenue (USD)

Choose not to say

>15B

2B 15B -

<1B - 2B

Key ﬁndings

1. Security investment is spiraling down with the 5. Regulatory issues are moving to the forefront economy Strict compliance with rules and regulations is critical, This year’s results show a signiﬁcant drop in security particularly in a tough economy. Failure to comply can investment, which is having a detrimental impact on all expose a company to hefty ﬁnes and signiﬁcant liability. aspects of TMT security. Declining security investments In order for companies to show compliance with rules hinder the adoption of new security technologies, and and regulations, they need to have effective monitoring the focus is more on improving technologies that are and reporting. However, only a small percentage of already in place. Companies should not forget about respondents have formal metrics and reporting in their long-term goals. Without smart investments place. If a company does not track the effectiveness of in security and innovation, TMT companies might its compliance programs, how can it hope to improve? not be able to keep pace with the growing threats The need for compliance extends to every link in the from increasingly sophisticated attacks and emerging value chain. technologies. 6. Virtual and physical security worlds collide 2. Social networking adds to the list of insider With TMT assets becoming more information-based threats and virtual, the distinction between physical security The greatest security threats for TMT companies and information security is increasingly obsolete. TMT come from within. And in today’s connected world, companies must work to ensure that reduced security the insider threats are greater than ever. Technologies spending does not delay or inhibit further convergence such as social networks, blogs, and email increase of these functions. It is a pity that almost half of the the organization’s internal security challenges. In companies have done little or nothing to integrate some cases, employees unintentionally release physical security and information security – which sensitive information without realizing the potential means they could be missing out on some important consequences. Ultimately, the company could be held opportunities. responsible. This means that the number one priority needs to be protecting the organization from itself. 3. Outsourcing outpaces security The rise of IT outsourcing offers a number of important advantages, but it also presents a company with a major risk: namely, entrusting control over valuable assets to another organization. To manage this uncertainty, every TMT company should regularly review and test its vendors’ security capabilities, controls, and organizational dependencies. Yet, only a small amount of respondents do so, exposing TMT companies to signiﬁcant risks. 4. Going public about privacy The TMT industry is particularly vulnerable to a catastrophic breach in security and privacy. TMT companies deal with large quantities of distributed sensitive information, and their reputation and business success hinge on safeguarding this information. However, many TMT companies are still not effectively managing their digital assets - a problem that could lead to further privacy breaches and ultimately undermine their competitiveness.

Losin ggroun dFull report 7

Detailed results Governance

Information security governance framework Information security is an important topic for TMT A governance framework deﬁnes the roles and responsibilities, policies and procedures, guiding companies. Today’s headlines are ﬁlled with stories about principles, and accountability requirements for all kinds of security breaches: identity theft, data leakage, (m7a1n%a) gailnrge aindfyo rhamvaet isounc she ac ufrriatym. eMwoosrtk ,r easnpdo nandeotnhtse r account fraud, phishing, and more. 12% of respondents intend to have one within the next 12 months. Managing these information security risks is a delicate balancing act. On the one hand, companies must do One of the keys to effective information governance what they can to ensure that risks are being managed is assigning a Chief Information Security Ofﬁcer at acceptable levels. On the other hand, they also (CISO). The number of organizations with a CISO (or must recognize that a certain amount of risk taking is equivalent) increased from 65% to 83% over the past fundamental to business growth and development. two years. Having the right governance is critical. The vast majority of CISOs (65%) report directly to the Board of Directors or C-Suite, with the largest number reporting to the Chief Information Ofﬁcer (CIO). Who does your organization’s executive(s) responsible for the security of information report to? Board of Directors General Council Chief Executive Ofﬁcer (CEO) Chief Information Ofﬁcer (CIO) Chief Operations Ofﬁcer (COO) Chief Technology Ofﬁcer (CTO) Chief Risk Ofﬁcer (CRO) Information Technology Executive Internal Audit Security Committee Legal and Compliance Other Not applicable/do not know

0% 5% 10% 15% 20% 25% 30%

CISOs have a wide range of responsibilities, the most Until this year, the vast majority of companies treated common being security governance and strategy, and physical security and information security as separate security incident response. Business Continuity Planning and distinct. In 2009, 50% of the TMT companies (BCP) and Disaster Recovery Planning (DRP) are still the have now converged their information security and responsibility for a signiﬁcant amount of all surveyed physical security functions. This convergence generally CISOs, even though these functions are expected to occurred in one of three ways: structurally combining fall under operations management. Information assets the functions (18%), keeping the functions separate which are protected under the responsibility of the but having them report to a common executive (15%), executive(s) responsible for information security are or keeping the functions separate but linking them mainly servers and networks. through an enterprise risk council (17%). These statistics may seem good news, but the reality is that 40% of Information security function TMT companies have done little or nothing to integrate The majority (54%) of the information security models physical security and information security, which are structured in a centralized way, whereas only some means they could be missing out on some important are structured in a decentralized (14%) or federated opportunities. (28%) way. The function responsible for information security is primarily (73%) perceived as a function responsible for both advisory and enforcement services.

Has your organization undergone a process of convergence between the information security and the physical security functions? No es - through structural convergence Yes - functions are separate yet report into one common executive Yes - functions are separate, but enterprise risk council is involved Intend to within 12 months Not applicable/do not know

0% 10% 20% 30% 40% 50% 60%

Losing ground Full report

The information security function continues to grow In deﬁning the organization’s information security steadily. This year, 75% reported a headcount of up to strategy, the majority of respondents (67%) engage 25 full-time equivalents, up from 73% in the last edition. both lines of business and IT decision makers. Almost one fourth (22%) of the respondents engages IT decision makers only. How many information security pr ofessionals does your organization have who are dedicated to information security? Surveyed companies rate “training and awareness” as this year’s number one security initiative. “Infrastructure 0 improvement” and “application security” tie for a close 1 to 5 full time equivalents second. 6 to 15 full time equivalents 16 to 25 full time equivalents Compliance 26 to 35 full time equivalents TMT companies face a growing number of rules and 36 to 50 full time equivalents regulations that relate to information security. In >50 full time equivalents principle, these regulatory requirements are designed to Not applicable/do not know improve information security and reduce risk. According to the survey results, only 21% of respondents believe 0% 10% 20% 30% 40% 50% 60% that current rules and regulations are “very effective” in this regard, while another 54% ﬁnd them “somewhat The quest for qualiﬁed talent continues unabated. effective”. A substantive amount of 13% rate them as In this year’s survey, 44% of respondents say their ineffective”. “ organization is missing skills and competencies to handle existing and foreseeable security requirements. To help address the problem, 36% of the surveyed companies are supplementing their in-house capabilities to close the gap in competencies. Strategy Another prerequisite for effective information security is the implementation of an information security strategy that aligns with corporate initiatives. Such a strategy must be closely linked to the company’s overall business strategy, business requirements, and key business drivers. The survey results show that 78% of TMT companies have put a formal information security strategy in place. Another 9% intend to do so within the next 12 months. A small amount of 5% of the surveyed companies see the lack of such a strategy as one of their biggest barriers to achieving information security. 10