Losing ground : 2009 TMT security survey
42 pages



Deloitte's third edition of the Global Security Survey for the TMT industry was based on in-depth research, mostly in-person, with over 200 TMT organizations around the world.



Losing Ground 2009 TMT Global Security Survey Full report
In-depth results from the 2009 TMT Global Security Survey
Foreword
Objective of the survey
The value of benchmarking
Areas covered by the survey
Survey scope
Who responded
Key findings
Detailed results
  Governance
  Investment
  Security value and perception
  Use of security technologies
  Quality of operations
  Privacy
How DTT’s TMT Group designed, implemented, and evaluated the survey
Helpful references and links
Acknowledgements
Contacts
Information and intellectual property are the lifeblood of a TMT company. Protecting these precious assets is imperative to every TMT organization.
Welcome to the third edition of the Global Security Survey for the Technology, Media & Telecommunications (TMT) industry, based on in-depth research, mostly in person, with over 200 TMT organizations around the world.

This is the third year in which the Deloitte Touche Tohmatsu Global TMT Industry Group has published its Global Security Survey. The last edition of the security survey found that many TMT companies were just about managing to keep up with the growing threats – despite increased spend on security. What effect is the current economy having on digital security, and what are TMT companies doing to address the multitude of challenges they face?

The challenged macroeconomic backdrop is causing companies to review costs in all areas, including security. This year’s results show a significant drop in security investment, which is having a detrimental impact on all aspects of TMT security. In the 12 months leading up to this year’s survey, 32% of respondents reduced their information security budget. No wonder 60% of respondents believe they are “falling behind” or still “catching up” to their security threats. Falling spend on security is occurring despite the massive programs to digitize TMT companies’ intellectual property around the world.

While the current business climate requires TMT companies to focus on an unprecedented level of cost efficiency, there is a minimum level of diligence required below which companies may be exposing themselves to critical risk. Security is particularly vital in an era in which digital malevolence is more prevalent than ever. Without smart investments in security and innovation, TMT companies might not be able to keep pace with the growing threats imposed by increasingly sophisticated attacks and emerging technologies.

This report provides detailed results of the Global TMT Security Survey, underpinning the key findings outlined in the main report.

On behalf of Deloitte Touche Tohmatsu and the TMT practices of its member firms, we would like to thank all of the people who contributed to this report – especially the Chief Information Security Officers and security management teams that shared their experiences and insights. Your contributions are helping to make the entire TMT industry more secure.

Igal Brightman
Global Managing Partner

Jacques Buith
TMT Security & Privacy Leader

DTT Technology, Media & Telecommunications Industry Group
Objective of the survey
The first goal of the 2009 TMT Global Security Survey is to help TMT companies gain a better understanding of the security challenges and threats that the industry is already facing, and to provide a preview of the challenges that loom on the horizon. The second goal is to help TMT companies understand what others are doing to tackle the problem, so they can improve their own approach and reduce their vulnerability to attack.
“It is sensible to learn from your own mistakes. It is better to learn from the mistakes of others.”
This year’s analysis builds on the results from last year’s report, “Treading Water”. Wherever possible, the TMT Industry Group kept the survey questions and methodology the same in order to help identify patterns and trends. As in the past, Deloitte’s member firms helped validate the survey results and provided additional insight by applying their specialized knowledge and hands-on experience gained from working with some of the world’s leading TMT companies.
In the graphs: current edition previous edition
To determine differences and similarities in trends, comparisons are made between the previous and the current edition. This is indicated by the symbols as depicted above.
The value of benchmarking
Now more than ever, TMT companies recognize the importance of performance measurements and benchmarks to help them manage complex systems and processes. The Global TMT security survey is intended to enable benchmarking against comparable organizations. Benchmarking with a peer group can help organizations identify and implement practices with the potential to produce superior performance.

Areas covered by the survey
It is possible for an organization to excel in some areas related to information security (e.g., investment and responsiveness), while falling short in other areas (e.g., value and risk). To pinpoint specific areas that deserve attention, survey questions were grouped into six key categories:
• Governance
• Investment
• Security value and perception
• Use of security technologies
• Quality of operations
• Privacy and compliance

Survey scope
The survey focused on TMT companies with a global presence. Respondents included companies headquartered in every major region: North America (NA); Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); Japan; and Latin America and Caribbean Regional Office (LACRO). Due to the diverse focus of participating companies, and the qualitative format of the research, the results reported herein may not be representative of every region.
Who responded
This report reflects current trends in security and privacy at a large number of major TMT companies around the world.
To promote open and candid discussions, the Deloitte Touche Tohmatsu (DTT) TMT Industry Group agreed to preserve the anonymity of participants by not identifying their organizations. The global survey included TMT companies of every shape and size, with strong representation across all three sectors.
[Figure: Industry breakdown]
[Figure: Number of employees. Categories: 1 - 5,000; 5,001 - 50,000; over 50,001; Choose not to say]
[Figure: Annual Revenue (USD)]
Key findings
1. Security investment is spiraling down with the economy
This year’s results show a significant drop in security investment, which is having a detrimental impact on all aspects of TMT security. Declining security investments hinder the adoption of new security technologies, and the focus is more on improving technologies that are already in place. Companies should not forget about their long-term goals. Without smart investments in security and innovation, TMT companies might not be able to keep pace with the growing threats from increasingly sophisticated attacks and emerging technologies.

2. Social networking adds to the list of insider threats
The greatest security threats for TMT companies come from within. And in today’s connected world, the insider threats are greater than ever. Technologies such as social networks, blogs, and email increase the organization’s internal security challenges. In some cases, employees unintentionally release sensitive information without realizing the potential consequences. Ultimately, the company could be held responsible. This means that the number one priority needs to be protecting the organization from itself.

3. Outsourcing outpaces security
The rise of IT outsourcing offers a number of important advantages, but it also presents a company with a major risk: namely, entrusting control over valuable assets to another organization. To manage this uncertainty, every TMT company should regularly review and test its vendors’ security capabilities, controls, and organizational dependencies. Yet, only a small amount of respondents do so, exposing TMT companies to significant risks.

4. Going public about privacy
The TMT industry is particularly vulnerable to a catastrophic breach in security and privacy. TMT companies deal with large quantities of distributed sensitive information, and their reputation and business success hinge on safeguarding this information. However, many TMT companies are still not effectively managing their digital assets - a problem that could lead to further privacy breaches and ultimately undermine their competitiveness.

5. Regulatory issues are moving to the forefront
Strict compliance with rules and regulations is critical, particularly in a tough economy. Failure to comply can expose a company to hefty fines and significant liability. In order for companies to show compliance with rules and regulations, they need to have effective monitoring and reporting. However, only a small percentage of respondents have formal metrics and reporting in place. If a company does not track the effectiveness of its compliance programs, how can it hope to improve? The need for compliance extends to every link in the value chain.

6. Virtual and physical security worlds collide
With TMT assets becoming more information-based and virtual, the distinction between physical security and information security is increasingly obsolete. TMT companies must work to ensure that reduced security spending does not delay or inhibit further convergence of these functions. It is a pity that almost half of the companies have done little or nothing to integrate physical security and information security – which means they could be missing out on some important opportunities.
Detailed results
Governance

Information security is an important topic for TMT companies. Today’s headlines are filled with stories about all kinds of security breaches: identity theft, data leakage, account fraud, phishing, and more.

Managing these information security risks is a delicate balancing act. On the one hand, companies must do what they can to ensure that risks are being managed at acceptable levels. On the other hand, they also must recognize that a certain amount of risk taking is fundamental to business growth and development. Having the right governance is critical.

Information security governance framework
A governance framework defines the roles and responsibilities, policies and procedures, guiding principles, and accountability requirements for managing information security. Most respondents (71%) already have such a framework, and another 12% of respondents intend to have one within the next 12 months.

One of the keys to effective information governance is assigning a Chief Information Security Officer (CISO). The number of organizations with a CISO (or equivalent) increased from 65% to 83% over the past two years.

The vast majority of CISOs (65%) report directly to the Board of Directors or C-Suite, with the largest number reporting to the Chief Information Officer (CIO).

[Figure: Who does your organization’s executive(s) responsible for the security of information report to? Categories: Board of Directors; General Counsel; Chief Executive Officer (CEO); Chief Information Officer (CIO); Chief Operations Officer (COO); Chief Technology Officer (CTO); Chief Risk Officer (CRO); Information Technology Executive; Internal Audit; Security Committee; Legal and Compliance; Other; Not applicable/do not know. Axis: 0% to 30%]
CISOs have a wide range of responsibilities, the most common being security governance and strategy, and security incident response. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are still the responsibility for a significant amount of all surveyed CISOs, even though these functions are expected to fall under operations management. Information assets which are protected under the responsibility of the executive(s) responsible for information security are mainly servers and networks.

Information security function
The majority (54%) of the information security models are structured in a centralized way, whereas only some are structured in a decentralized (14%) or federated (28%) way. The function responsible for information security is primarily (73%) perceived as a function responsible for both advisory and enforcement services.

Until this year, the vast majority of companies treated physical security and information security as separate and distinct. In 2009, 50% of the TMT companies have now converged their information security and physical security functions. This convergence generally occurred in one of three ways: structurally combining the functions (18%), keeping the functions separate but having them report to a common executive (15%), or keeping the functions separate but linking them through an enterprise risk council (17%). These statistics may seem good news, but the reality is that 40% of TMT companies have done little or nothing to integrate physical security and information security, which means they could be missing out on some important opportunities.
[Figure: Has your organization undergone a process of convergence between the information security and the physical security functions? Categories: No; Yes - through structural convergence; Yes - functions are separate yet report into one common executive; Yes - functions are separate, but enterprise risk council is involved; Intend to within 12 months; Not applicable/do not know. Axis: 0% to 60%]
The information security function continues to grow steadily. This year, 75% reported a headcount of up to 25 full-time equivalents, up from 73% in the last edition.

[Figure: How many information security professionals does your organization have who are dedicated to information security? Categories: 0; 1 to 5 full time equivalents; 6 to 15 full time equivalents; 16 to 25 full time equivalents; 26 to 35 full time equivalents; 36 to 50 full time equivalents; >50 full time equivalents; Not applicable/do not know. Axis: 0% to 60%]

The quest for qualified talent continues unabated. In this year’s survey, 44% of respondents say their organization is missing skills and competencies to handle existing and foreseeable security requirements. To help address the problem, 36% of the surveyed companies are supplementing their in-house capabilities to close the gap in competencies.

Strategy
Another prerequisite for effective information security is the implementation of an information security strategy that aligns with corporate initiatives. Such a strategy must be closely linked to the company’s overall business strategy, business requirements, and key business drivers. The survey results show that 78% of TMT companies have put a formal information security strategy in place. Another 9% intend to do so within the next 12 months. A small amount of 5% of the surveyed companies see the lack of such a strategy as one of their biggest barriers to achieving information security.

In defining the organization’s information security strategy, the majority of respondents (67%) engage both lines of business and IT decision makers. Almost one fourth (22%) of the respondents engages IT decision makers only.

Surveyed companies rate “training and awareness” as this year’s number one security initiative. “Infrastructure improvement” and “application security” tie for a close second.

Compliance
TMT companies face a growing number of rules and regulations that relate to information security. In principle, these regulatory requirements are designed to improve information security and reduce risk. According to the survey results, only 21% of respondents believe that current rules and regulations are “very effective” in this regard, while another 54% find them “somewhat effective”. A substantive amount of 13% rate them as “ineffective”.