SlideShare a Scribd company logo

PwC Survey 2010 CIO Reprint

Kim Jensen
Kim Jensen

CIO Magazine article, "Why Security Matters Now"

TechnologyNews & Politics
1 of 7
Download to read offline
the GLOBAL STATE 2010 of INFORMATION SECURITY our annual Global Information Security Survey underscores the rising risks from social media and cloud computing. the good news: more support from business leaders. A Joint Research Project of CIO and CSO in partnership with Reprinted with permission of CXO Media, Copyright ©2009
Cover story :: SECURITY WHY SECURITY MATTERS AGAIN By BiLL Brenner Copyright ©2009 CIO Magazine. reprinted with perMission
Our seventh-annual Global Information Security survey nds IT leaders struggling to defend against new threats from social networking and cloud computing, but with renewed support from business leaders T oday’s most compelling technologies are giving you the biggest secu- rity headaches. Social networking sites such as Twitter, Facebook and 3 LinkedIn enhance collaboration and help your company connect with customers, but they also make it easier than ever for your employees to share customer data and company secrets with outsiders. Virtualization and cloud computing let you simplify your physical IT infrastructure and cut overhead costs, but you’ve only just begun to see the security risks involved. Putting more of your infrastructure in the cloud has left you vulnerable to hack- ers who have redoubled efforts to launch denial-of-service attacks against the likes of Google, Yahoo and other Internet-based service providers. A massive Google outage earlier this year illustrates the kind of disruptions cloud-dependent businesses can suffer. But there’s also good news. Even though the worst economic recession in decades has compelled you to spend less on outsourced security services and do more in-house, your security budget is holding steady. And more of you Y are employing a chief security officer. Top IT Such are the big takeaways from the seventh- annual Global Information Security survey, which CIO and CSO magazines conducted with Pricewater- houseCoopers earlier this year. Nearly 7,300 business Security Priorities Y and technology executives worldwide responded from a variety of industries, including government, health care, financial services and retail. New investments are These trends are shaping your information secu- focused on protecting data, rity agenda. “Every company worries about protecting authenticating users their data, especially their client data,” says Charles S Biometrics 1 Beard, CIO at Science Applications International Corp. web content filters 2 (SAIC). “Under the old business model, everyone had data leakage prevention i L LU s t r at i o n B y M i C h a e L M o r g e n s t e r n 3 to get together in the same building in the same geo- graphical area. Now everyone is using the Internet disposable passwords/smart cards/tokens 4 and mobile devices to work with each other. That’s reduced or single-sign-on software 5 N where we see the promise of things like social network- voice-over-ip security 6 ing. The flip side is we’re exposed to the dark side of cyberspace. Adoption of this technology is well ahead web 2.0 security 7 of efforts to properly secure and govern it.” identity management 8 Read on to learn what we found. encryption of removable media 9 Copyright ©2009 CIO Magazine. reprinted with perMission
Cover story :: SECURITY TREND #1 what can be posted on social networking sites. the promise and peril I One positive sign: Every year, more companies dedicate staff to monitoring how employees use online assets—57 percent this of social networking year compared to 50 percent last year and 40 percent in 2006. n less than two years, social networking has gone from Thirty-six percent of respondents monitor what employees are an abstract curiosity to a way of life for many people. posting to external blogs and social networking sites. When someone updates their status on Twitter, Face- To prevent sensitive information from escaping, 65 percent book or LinkedIn, they might do it at work by day or on of companies use Web content filters to keep data behind the company-owned laptops from home at night. firewall, and 62 percent make sure they are using the most What gives IT executives heartburn is the ease with secure version of whichever browser they choose. Forty per- which users could share customer data or sensitive company cent said that when they evaluate security products, support activities while they’re telling you what they’re having for lunch. and compatibility for Web 2.0 is essential. Cyberoutlaws know this and use social networks to launch Unfortunately, social networking insecurity isn’t something phishing scams. In one popular attack, they send their victims one can fix with just technology, says Mark Lobel, a partner in messages that appear to be coming from a Facebook friend. The the security practice at PricewaterhouseCoopers. “friend” may send along a URL they insist you check out. It may “The problems are cultural, not technological. How do you be pitched as a news story about Michael Jackson’s death or a educate people to use these sites intelligently?” he asks. “His- list of stock tips. In reality, the link takes the victim to a shady torically, security people have come up from the tech path, not website that automatically drops malware onto the computer. the sociologist path. So we have a long way to go in finding the The malware goes off in search of right security balance.” 23 % 4 any valuable data stored on the Guy Pace, security administrator with the Washington computer or wider company net- State Board for Community and Technical Colleges, says his work, be it customer credit card organization takes many of the precautions described above. numbers or the secret recipe for a But he agrees with Lobel that the true battleground is one of new cancer-fighting drug. office culture, not technology. “The most effective mitigation It’s no surprise, then, that every here is user education and creative, effective security awareness Companies IT leader surveyed admitted they fear social-engineering-based programs,” he says. that have attacks. Forty-five percent spe- TREND #2 Jumping into the Cloud, G cifically fear the phishing schemes policies for against Web 2.0 applications. Nevertheless, for many com- sans parachute using Web 2.0 pany executives, blocking social networking is out of the question iven the expense to maintain a physical IT infrastructure, the thought of replacing server technologies because of its potential business rooms and haphazardly configured appliances and social benefits. Companies now clamor with cloud services is simply too hard for many to get their messages out through companies to resist. But rushing into the cloud networking these sites, so the challenge for CIOs is to find the right balance without a security strategy is a recipe for risk. According to the survey, 43 percent of respondents are using sites between security and usability. “People are still incred- cloud services such as software as a service or infrastructure as a service. Even more are investing in the virtualization technol- ibly naïve about how much they ogy that helps to enable cloud computing. Sixty-seven percent should share with others, and of respondents say they now use server, storage and other forms we have to do a better job educat- of IT asset virtualization. Among them, 48 percent actually ing them about what is and isn’t appropriate to share,” says H. believe their information security has improved, while 42 per- Frank Cervone, vice chancellor of information services with cent say their security is at about the same level. Only 10 percent Purdue University Calumet. “We have to do a better job of say virtualization has created more security holes. enhancing our understanding of what internal organization Security may well have improved for some, but experts like information should not be shared.” (For a different view, read Chris Hoff, director of cloud and virtualization solutions at “Enterprise Evolution,” an interview with Harvard Business Cisco Systems, believe that both consumers and providers need School Associate Professor Andrew McAfee, Page 20.) to ensure they understand the risks associated with the techni- But in a university setting, it’s critical to engage people cal, operational and organizational changes these technologies through social media, Cervone adds. Even in the commercial bring to bear. sector, he doesn’t see how organizations can avoid it. “When you look at how people think of virtualization and And yet this year—the first in which we asked respondents what it means, the definition of virtualization is either very about social media, only 23 percent said their security efforts now narrow—that it’s about server consolidation, virtualizing your include provisions to defend Web 2.0 technologies and control applications and operating systems, and consolidating every- Copyright ©2009 CIO Magazine. reprinted with perMission
Dark Cloud What is the greatest security risk to your cloud computing strategy? Fears about vendors 22% ability to enforce provider security policies 23% dominate cloud inadequate training and it auditing security risks 14% access control at provider site ability to recover data ability to audit provider 12% proximity of company data to someone else’s 11% Continued existence of provider 4% 10% provider regulatory compliance 4% thing down to fewer physical boxes—or it’s about any number potential vulnerabilities in their virtualized environments, 36 of other elements: client-side desktops, storage, networks, secu- percent cited misconfiguration and poor implementation, and rity,” he says. “Then you add to the confusion with the concept 51 percent cited a lack of adequately trained IT staff (whose lack of cloud computing, which is being pushed by Microsoft and a of knowledge leads to configuration glitches). In fact, 22 percent number of smaller, emerging companies. You’re left scratching of respondents cited inadequate training, along with insuffi- your head wondering what this means to you as a company. cient auditing (to uncover vulnerabilities) to be the greatest How does it impact your infrastructure?” security risk to their company’s cloud computing strategy. 5 Fortunately, there’s some evidence of companies proceeding It’s this awareness that makes Atmos Energy’s Gius proceed with caution. One example is Atmos Energy, which is using with caution. “We have no CSO. If we were a financial services firm Salesforce.com to speed its response time to customers and help it might be a different story, or if we had a huge head count,” Gius the marketing department manage a growing pool of clients, says. “But we are a small-to-medium-sized company, and the staff according to CIO Rich Gius. limitations make these kinds of implementations more difficult.” The endeavor is successful thus far, so Gius is investigating the Even with the right resources, security in the cloud is a matter viability of running company e-mail in the cloud. “It would help of managing a variety of risks across multiple platforms. There’s us address the growing challenge where e-mail-enabled mobile no single cloud. Rather, “there are many clouds, they’re not fed- devices like BlackBerrys are proliferating widely among the work- erated, they don’t natively interoperate at the application layer force,” he says. But he’s not ready to take such a big step because the and they’re all mostly proprietary in their platform and opera- risks, including security, remain hard to pin down. One example tion,” Hoff says. “The notion that we’re all running out to put our of the disruption that cloud-dependent companies can experi- content and apps in some common [and secure] repository on ence came in May, when search giant Google—whose content someone else’s infrastructure is unrealistic.” accounts for 5 percent of all Internet traffic—suffered a massive Lobel, with PricewaterhouseCoopers, says perfect secu- outage. When it went down, many companies that have come to rity is not possible. “You have to actively focus on the security rely on its cloud-based business applications (such as e-mail) controls while you are leaping to these services,” he says. It’s were dead in the water. difficult for companies to turn back once they have let their The outage wasn’t caused by hackers, but there are signs data and applications loose because they are often quick to rid that cybercriminals are exploring ways to exploit the cloud for themselves of the hardware and skills they would need to bring malicious purposes. On the heels of the outage, attackers added the services back in-house. insult to injury by flooding Google search results with mali- “If you dive down a well without a rope, you may find the cious links, prompting the U.S. Computer Emergency Response water you wanted, but you’re not going to get out of the well Team (U.S. CERT) to issue a warning about potential dangers without the rope,” he says. “What if you have a breach and you to cloud-based service sites. need to leave the cloud? Can you get out if you have to?” The attack poisoned several thousand legitimate websites by A exploiting known flaws in Adobe software to install a malicious TREND #3 program on victims’ machines, U.S. CERT says. The program would then steal FTP login credentials from victims and use the insourcing security Management information to spread itself further. It also hijacked the victim’s few years ago, technology analysts were browser, replacing Google search results with links chosen by predicting unlimited growth for managed the attackers. Although the victimized sites were not specifi- security service providers (MSSPs). Many cally those offering cloud-based services, similar schemes could companies then viewed security as a foreign be directed at cloud services providers. concept, but laws such as Sarbanes-Oxley, the IT organizations often make an attacker’s job easier by Health Insurance Portability and Account- configuring physical and cloud-based IT assets so poorly that ability Act and the Gramm-Leach-Bliley Act (affecting financial easy-to-find-and-exploit flaws are left behind. Asked about the services) were forcing them to address intrusion defense, patch Copyright ©2009 CIO Magazine. reprinted with perMission
Cover story :: SECURITY management, encryption and log management. Security Budgets Hold Steady Convinced they couldn’t do it on their own, companies chose outsourcers to do it for them. Gartner estimated the MSSP mar- ket in North America alone would reach $900 million in 2004 More companies are increasing and that it would grow another 18 percent by 2008. Then came the economic tsunami, which appears to have spending than cutting it cast a shadow over outsourcing plans even though security Direction of spending 38% budgets are holding steady. Although 31 percent of respondents increase this year are relying on outsiders to help them manage day-to- 25% stay the same day security functions, only 18 percent said they plan to make decrease 12% security outsourcing a priority in the next 12 months. When it comes to specific functions, the shift has already don’t know 24% begun. Last year, 30 percent of respondents said they were numbers may not add to 100% due to rounding outsourcing management of application firewalls, compared to 16 percent today. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Companies have also cut back on outsourcing encryption management and lower-cost solutions to manage it ourselves,” he says. “We and patch management. invested in two people to help ensure we had the skills to man- At the same time, more companies are spending money on age that environment.” But he’d like to outsource more if it these and other security functions. Sixty-nine percent said makes sense financially. He notes that security is increasingly 6 they’re budgeting for application firewalls, up slightly com- integrated into the platforms provided by the likes of Microsoft, pared to the past two years. Meanwhile, more than half of Cisco and Oracle, as well as telecom providers like Comcast and respondents said they are investing in encryption for laptops Verizon. It makes sense to him to have those providers manage and other computing devices. the security of their systems. The results surprise Lobel of PricewaterhouseCoopers. Beard, with SAIC, says that no matter what drives security “When you think about it logically, some IT organizations have spending decisions, companies should understand their specific the resources and maturity to manage their operating systems security strategies and where managed security providers can and patches, but many don’t,” he observes. “Hopefully, the offer unique value. Smart business executives understand that numbers simply mean IT shops have grown more mature in they must maintain control of the big picture at all times, even if their security understanding.” a third party is managing many of the levers. Keeping an eye on Gius of Atmos Energy offered another possible explanation: security service providers and the risks they are encountering Companies see a lot of chaos in the security market with an is essential. “CIOs and security officers may outsource certain avalanche of mergers and acquisitions. One independent secu- functions to various degrees, but they should never outsource rity vendor after another has merged with or been acquired by their responsibility,” Beard advises. other companies. Examples include BT’s acquisition of Coun- C terpane and IBM’s acquisition of Internet Security Systems. TREND # 4 a new Corporate Commitment IT leaders are simply getting out of the way until the industry settles down. Gius says Atmos Energy is handling most of its security IOs may still struggle with the quality of their in-house right now. “We pursued a number of open-source data security, but the response to this year’s sur- vey suggests their executive peers have agreed, finally, that security can’t be ignored. Data Dangers Companies’ budget plans tell part of the story. Not only are more companies investing in secu- rity technologies, but overall security investments are largely Attacks on data have increased faster than any intact, despite the economy. other security exploit. The top target: databases. Twelve percent of respondents expect their security spending How attackers get your data to decline in the next 12 months. But 63 percent say their budgets will hold steady or increase (although fewer foresee increases databases 57% than did last year). File-sharing applications 46% For starters, more companies are hiring CSOs or chief informa- tion security officers (CISOs). Eighty-five percent of respondents Laptops 39% said their companies now have a security executive, up from 56 removable media 23% percent last year and 43 percent in 2006. Just under one-third of security chiefs report to CIOs, 35 percent to CEOs and 28 percent Backup tapes 16% to boards of directors. Multiple responses allowed Two factors are influencing companies to maintain security Copyright ©2009 CIO Magazine. reprinted with perMission
as a corporate priority: Seventy-six percent say the increased risk environment has elevated the importance of cybersecurity among the top brass, while 77 percent said the increasingly tangled web of regulations and industry standards has added to the sense of urgency. Respondents were asked how important various security strategies had become in the context of harsher economic realities. Seventy percent cited the growing importance of data protection while 68 percent cited the need to strengthen the company’s governance, risk and compliance programs. Notes Mauricio Angée, senior manager of IT security and compliance and CSO at Universal Orlando: “For segregation of duty purposes, it’s interesting to see how companies are being asked—by compliance auditors, qualified security assessors and through legislation—to hire IT security managers with a much- more-defined set of roles and responsibilities.” Such roles include setting the company’s security policy, making the security budget pitch (instead of the CIO) and delegating responsibility among How Cybercrime Costs You 7 Losses from incidents average $833,000 The business impact of security breaches Financial loss 42% Brand or reputation compromised 30% intellectual property theft 29% home page altered or defaced 20% Fraud 17% How We Got Multiple responses allowed lower-level IT security administrators and engineers. the Numbers the seventh-annual “global state of information secu- None of these developments, however, make a focus on infor- rity” survey—a worldwide study by CIO, CSO and price- mation security a sure bet in the eyes of IT leaders. Just because waterhouseCoopers—was conducted online from april companies feel they have to spend money on security doesn’t 20, 2009, through June 23, 2009. CIO and CSO print and mean executives view it as an essential, even beneficial busi- ness process instead of a pain-in-the-neck task being forced online customers and clients of pricewaterhouseCoopers upon them. from around the globe were invited to take the survey. Angée said CIOs and security leaders still have to fight hard results are based on responses from 7,276 security for every penny. Meanwhile, security execs don’t have the same and information technology professionals from more decision-making power as other C-level leaders in every com- than 100 countries. thirty-two percent of respondents pany, says PricewaterhouseCoopers’ Lobel. CIOs can bring in were from north america, followed by asia (27 percent), a CSO or CISO without a strategy and budget for that person europe (26 percent), south america (14 percent) and the to work with and end up achieving nothing. If something goes Middle east and south africa (2 percent). the margin of wrong, he concludes, “all you’ll have is somebody to blame and error for this survey is +/- 1 percent. fire.” CIO –Carolyn Johnson, research manager Bill Brenner is a senior editor with CSO magazine and Csoonline.com. Follow him on twitter: www.twitter.com/BillBrenner70. Copyright ©2009 CIO Magazine. reprinted with perMission

Recommended

The 10 most influential leaders in security, 2021
The 10 most influential leaders in security, 2021The 10 most influential leaders in security, 2021
The 10 most influential leaders in security, 2021
Merry D'souza
 
White Paper: Mobile Security
White Paper: Mobile SecurityWhite Paper: Mobile Security
White Paper: Mobile Security
Rogers Communications
 
On Demand Cloud Services Coury
On Demand Cloud Services CouryOn Demand Cloud Services Coury
On Demand Cloud Services Coury
Arman Sadat Hossain
 
Security annual report_mid2010
Security annual report_mid2010Security annual report_mid2010
Security annual report_mid2010
thaiantivirus
 
Jennings it security overview 1 2
Jennings it security overview 1 2Jennings it security overview 1 2
Jennings it security overview 1 2
Donald Jennings
 
1 s2.0-s0167404801002097-main
1 s2.0-s0167404801002097-main1 s2.0-s0167404801002097-main
1 s2.0-s0167404801002097-main
Caio Sanchez Christino
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
Booz Allen Hamilton
 
The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.
Merry D'souza
 

Recommended

The 10 most influential leaders in security, 2021
The 10 most influential leaders in security, 2021The 10 most influential leaders in security, 2021
The 10 most influential leaders in security, 2021
Merry D'souza
 
White Paper: Mobile Security
White Paper: Mobile SecurityWhite Paper: Mobile Security
White Paper: Mobile Security
Rogers Communications
 
On Demand Cloud Services Coury
On Demand Cloud Services CouryOn Demand Cloud Services Coury
On Demand Cloud Services Coury
Arman Sadat Hossain
 
Security annual report_mid2010
Security annual report_mid2010Security annual report_mid2010
Security annual report_mid2010
thaiantivirus
 
Jennings it security overview 1 2
Jennings it security overview 1 2Jennings it security overview 1 2
Jennings it security overview 1 2
Donald Jennings
 
1 s2.0-s0167404801002097-main
1 s2.0-s0167404801002097-main1 s2.0-s0167404801002097-main
1 s2.0-s0167404801002097-main
Caio Sanchez Christino
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
Booz Allen Hamilton
 
The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.
Merry D'souza
 
2012 security services clientprex
2012 security services clientprex2012 security services clientprex
2012 security services clientprex
Kim Aarenstrup
 
2013 global security report
2013 global security report2013 global security report
2013 global security report
Yury Chemerkin
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
IBMGovernmentCA
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Booz Allen Hamilton
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments
Caston Thomas
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
gueste69f645
 
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...
Doug Newdick
 
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDMagazine
 
Cyber Threat Management Services
Cyber Threat Management ServicesCyber Threat Management Services
Cyber Threat Management Services
Marlabs
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk
 
Perimeter Security Case Study
Perimeter Security Case StudyPerimeter Security Case Study
Perimeter Security Case Study
nmullen
 
The Economic Impact of File Virtualization
The Economic Impact of File VirtualizationThe Economic Impact of File Virtualization
The Economic Impact of File Virtualization
FindWhitePapers
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
Booz Allen Hamilton
 
News letter June 11
News letter June 11News letter June 11
News letter June 11
captsbtyagi
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Energy Network marcus evans
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
HyTrust
 
Securing Organisations Against Cyber Threats
Securing Organisations Against Cyber ThreatsSecuring Organisations Against Cyber Threats
Securing Organisations Against Cyber Threats
PeteAndersen
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
HyTrust
 
(Sony) Risk assignment final high profile security breach of Sony’s Playstat...
(Sony) Risk assignment final high profile security breach of Sony’s Playstat... (Sony) Risk assignment final high profile security breach of Sony’s Playstat...
(Sony) Risk assignment final high profile security breach of Sony’s Playstat...
James Dellinger
 
The Risk of Social Media
The Risk of Social MediaThe Risk of Social Media
The Risk of Social Media
association2580
 
1110 cpa bayside
1110 cpa bayside1110 cpa bayside
1110 cpa bayside
Mel Kettle
 
Social media-threats
Social media-threatsSocial media-threats
Social media-threats
Andreas Hiller
 

More Related Content

What's hot

2013 global security report
2013 global security report2013 global security report
2013 global security report
Yury Chemerkin
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments
Caston Thomas
 
Perimeter Security Case Study
Perimeter Security Case StudyPerimeter Security Case Study
Perimeter Security Case Study
nmullen
 
The Economic Impact of File Virtualization
The Economic Impact of File VirtualizationThe Economic Impact of File Virtualization
The Economic Impact of File Virtualization
FindWhitePapers
 
News letter June 11
News letter June 11News letter June 11
News letter June 11
captsbtyagi
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
HyTrust
 
Securing Organisations Against Cyber Threats
Securing Organisations Against Cyber ThreatsSecuring Organisations Against Cyber Threats
Securing Organisations Against Cyber Threats
PeteAndersen
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
HyTrust
 

What's hot (19)

2012 security services clientprex
2012 security services clientprex2012 security services clientprex
2012 security services clientprex
 
2013 global security report
2013 global security report2013 global security report
2013 global security report
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
 
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud...
 
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
 
Cyber Threat Management Services
Cyber Threat Management ServicesCyber Threat Management Services
Cyber Threat Management Services
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
 
Perimeter Security Case Study
Perimeter Security Case StudyPerimeter Security Case Study
Perimeter Security Case Study
 
The Economic Impact of File Virtualization
The Economic Impact of File VirtualizationThe Economic Impact of File Virtualization
The Economic Impact of File Virtualization
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
News letter June 11
News letter June 11News letter June 11
News letter June 11
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
 
Securing Organisations Against Cyber Threats
Securing Organisations Against Cyber ThreatsSecuring Organisations Against Cyber Threats
Securing Organisations Against Cyber Threats
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
 
(Sony) Risk assignment final high profile security breach of Sony’s Playstat...
(Sony) Risk assignment final high profile security breach of Sony’s Playstat... (Sony) Risk assignment final high profile security breach of Sony’s Playstat...
(Sony) Risk assignment final high profile security breach of Sony’s Playstat...
 

Viewers also liked

Viewers also liked (11)

The Risk of Social Media
The Risk of Social MediaThe Risk of Social Media
The Risk of Social Media
 
1110 cpa bayside
1110 cpa bayside1110 cpa bayside
1110 cpa bayside
 
Social media-threats
Social media-threatsSocial media-threats
Social media-threats
 
risks associated with using social Media
risks associated with using social Media risks associated with using social Media
risks associated with using social Media
 
How to manage the benefits and risks of social media for employers
How to manage the benefits and risks of social media for employersHow to manage the benefits and risks of social media for employers
How to manage the benefits and risks of social media for employers
 
User owned devices
User owned devicesUser owned devices
User owned devices
 
Research Design for the Study of Social Media Use by Dutch Development Organi...
Research Design for the Study of Social Media Use by Dutch Development Organi...Research Design for the Study of Social Media Use by Dutch Development Organi...
Research Design for the Study of Social Media Use by Dutch Development Organi...
 
Social Network Privacy, Security and Identity:One
Social Network Privacy, Security and Identity:OneSocial Network Privacy, Security and Identity:One
Social Network Privacy, Security and Identity:One
 
Research Paper on Social Media
Research Paper on Social MediaResearch Paper on Social Media
Research Paper on Social Media
 
USE OF SOCIAL NETWORKS AND ITS EFFECTS ON STUDENTS
USE OF SOCIAL NETWORKS AND ITS EFFECTS ON STUDENTS USE OF SOCIAL NETWORKS AND ITS EFFECTS ON STUDENTS
USE OF SOCIAL NETWORKS AND ITS EFFECTS ON STUDENTS
 
Link Labs LPWA Webinar
Link Labs LPWA WebinarLink Labs LPWA Webinar
Link Labs LPWA Webinar
 

Similar to PwC Survey 2010 CIO Reprint

Idc cost complexitycompliance
Idc cost complexitycomplianceIdc cost complexitycompliance
Idc cost complexitycompliance
ReadWrite
 
Secure by design building id based security
Secure by design building id based securitySecure by design building id based security
Secure by design building id based security
Arun Gopinath
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
The TOP 10 tech trends of 2011
The TOP 10 tech trends of 2011The TOP 10 tech trends of 2011
The TOP 10 tech trends of 2011
dvasilyev
 

Similar to PwC Survey 2010 CIO Reprint (20)

Idc cost complexitycompliance
Idc cost complexitycomplianceIdc cost complexitycompliance
Idc cost complexitycompliance
 
Secure by design
Secure by designSecure by design
Secure by design
 
Secure by design building id based security
Secure by design building id based securitySecure by design building id based security
Secure by design building id based security
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprises
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the InternetSecuring the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Handheld Devices & BYOD: Are Enterprises There Yet? - Management Information ...
Handheld Devices & BYOD: Are Enterprises There Yet? - Management Information ...Handheld Devices & BYOD: Are Enterprises There Yet? - Management Information ...
Handheld Devices & BYOD: Are Enterprises There Yet? - Management Information ...
 
Navigating the Flood of BYOD
Navigating the Flood of BYODNavigating the Flood of BYOD
Navigating the Flood of BYOD
 
CYBER SECURITY FOR PRIVATE AND DOMESTIC USE -VIKASH SINGH BAGHEL.pdf
CYBER SECURITY FOR PRIVATE AND DOMESTIC USE -VIKASH SINGH BAGHEL.pdfCYBER SECURITY FOR PRIVATE AND DOMESTIC USE -VIKASH SINGH BAGHEL.pdf
CYBER SECURITY FOR PRIVATE AND DOMESTIC USE -VIKASH SINGH BAGHEL.pdf
 
Io t business-index-2020-securing-iot
Io t business-index-2020-securing-iotIo t business-index-2020-securing-iot
Io t business-index-2020-securing-iot
 
The TOP 10 tech trends of 2011
The TOP 10 tech trends of 2011The TOP 10 tech trends of 2011
The TOP 10 tech trends of 2011
 
5 Security Trends to Watch in 2020
5 Security Trends to Watch in 20205 Security Trends to Watch in 2020
5 Security Trends to Watch in 2020
 
Securing the digital economy
Securing the digital economySecuring the digital economy
Securing the digital economy
 
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
 
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
 
Le mutazioni del rischio IT nell’era della privacy e dell’intelligenza artifi...
Le mutazioni del rischio IT nell’era della privacy e dell’intelligenza artifi...Le mutazioni del rischio IT nell’era della privacy e dell’intelligenza artifi...
Le mutazioni del rischio IT nell’era della privacy e dell’intelligenza artifi...
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 

More from Kim Jensen

Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)
Kim Jensen
 

More from Kim Jensen (20)

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter pack
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updated
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security Report
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UK
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web Security
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011
 
Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

PwC Survey 2010 CIO Reprint

  • 1. the GLOBAL STATE 2010 of INFORMATION SECURITY our annual Global Information Security Survey underscores the rising risks from social media and cloud computing. the good news: more support from business leaders. A Joint Research Project of CIO and CSO in partnership with Reprinted with permission of CXO Media, Copyright ©2009
  • 2. Cover story :: SECURITY WHY SECURITY MATTERS AGAIN By BiLL Brenner Copyright ©2009 CIO Magazine. reprinted with perMission
  • 3. Our seventh-annual Global Information Security survey nds IT leaders struggling to defend against new threats from social networking and cloud computing, but with renewed support from business leaders T oday’s most compelling technologies are giving you the biggest secu- rity headaches. Social networking sites such as Twitter, Facebook and 3 LinkedIn enhance collaboration and help your company connect with customers, but they also make it easier than ever for your employees to share customer data and company secrets with outsiders. Virtualization and cloud computing let you simplify your physical IT infrastructure and cut overhead costs, but you’ve only just begun to see the security risks involved. Putting more of your infrastructure in the cloud has left you vulnerable to hack- ers who have redoubled efforts to launch denial-of-service attacks against the likes of Google, Yahoo and other Internet-based service providers. A massive Google outage earlier this year illustrates the kind of disruptions cloud-dependent businesses can suffer. But there’s also good news. Even though the worst economic recession in decades has compelled you to spend less on outsourced security services and do more in-house, your security budget is holding steady. And more of you Y are employing a chief security officer. Top IT Such are the big takeaways from the seventh- annual Global Information Security survey, which CIO and CSO magazines conducted with Pricewater- houseCoopers earlier this year. Nearly 7,300 business Security Priorities Y and technology executives worldwide responded from a variety of industries, including government, health care, financial services and retail. New investments are These trends are shaping your information secu- focused on protecting data, rity agenda. “Every company worries about protecting authenticating users their data, especially their client data,” says Charles S Biometrics 1 Beard, CIO at Science Applications International Corp. web content filters 2 (SAIC). “Under the old business model, everyone had data leakage prevention i L LU s t r at i o n B y M i C h a e L M o r g e n s t e r n 3 to get together in the same building in the same geo- graphical area. Now everyone is using the Internet disposable passwords/smart cards/tokens 4 and mobile devices to work with each other. That’s reduced or single-sign-on software 5 N where we see the promise of things like social network- voice-over-ip security 6 ing. The flip side is we’re exposed to the dark side of cyberspace. Adoption of this technology is well ahead web 2.0 security 7 of efforts to properly secure and govern it.” identity management 8 Read on to learn what we found. encryption of removable media 9 Copyright ©2009 CIO Magazine. reprinted with perMission
  • 4. Cover story :: SECURITY TREND #1 what can be posted on social networking sites. the promise and peril I One positive sign: Every year, more companies dedicate staff to monitoring how employees use online assets—57 percent this of social networking year compared to 50 percent last year and 40 percent in 2006. n less than two years, social networking has gone from Thirty-six percent of respondents monitor what employees are an abstract curiosity to a way of life for many people. posting to external blogs and social networking sites. When someone updates their status on Twitter, Face- To prevent sensitive information from escaping, 65 percent book or LinkedIn, they might do it at work by day or on of companies use Web content filters to keep data behind the company-owned laptops from home at night. firewall, and 62 percent make sure they are using the most What gives IT executives heartburn is the ease with secure version of whichever browser they choose. Forty per- which users could share customer data or sensitive company cent said that when they evaluate security products, support activities while they’re telling you what they’re having for lunch. and compatibility for Web 2.0 is essential. Cyberoutlaws know this and use social networks to launch Unfortunately, social networking insecurity isn’t something phishing scams. In one popular attack, they send their victims one can fix with just technology, says Mark Lobel, a partner in messages that appear to be coming from a Facebook friend. The the security practice at PricewaterhouseCoopers. “friend” may send along a URL they insist you check out. It may “The problems are cultural, not technological. How do you be pitched as a news story about Michael Jackson’s death or a educate people to use these sites intelligently?” he asks. “His- list of stock tips. In reality, the link takes the victim to a shady torically, security people have come up from the tech path, not website that automatically drops malware onto the computer. the sociologist path. So we have a long way to go in finding the The malware goes off in search of right security balance.” 23 % 4 any valuable data stored on the Guy Pace, security administrator with the Washington computer or wider company net- State Board for Community and Technical Colleges, says his work, be it customer credit card organization takes many of the precautions described above. numbers or the secret recipe for a But he agrees with Lobel that the true battleground is one of new cancer-fighting drug. office culture, not technology. “The most effective mitigation It’s no surprise, then, that every here is user education and creative, effective security awareness Companies IT leader surveyed admitted they fear social-engineering-based programs,” he says. that have attacks. Forty-five percent spe- TREND #2 Jumping into the Cloud, G cifically fear the phishing schemes policies for against Web 2.0 applications. Nevertheless, for many com- sans parachute using Web 2.0 pany executives, blocking social networking is out of the question iven the expense to maintain a physical IT infrastructure, the thought of replacing server technologies because of its potential business rooms and haphazardly configured appliances and social benefits. Companies now clamor with cloud services is simply too hard for many to get their messages out through companies to resist. But rushing into the cloud networking these sites, so the challenge for CIOs is to find the right balance without a security strategy is a recipe for risk. According to the survey, 43 percent of respondents are using sites between security and usability. “People are still incred- cloud services such as software as a service or infrastructure as a service. Even more are investing in the virtualization technol- ibly naïve about how much they ogy that helps to enable cloud computing. Sixty-seven percent should share with others, and of respondents say they now use server, storage and other forms we have to do a better job educat- of IT asset virtualization. Among them, 48 percent actually ing them about what is and isn’t appropriate to share,” says H. believe their information security has improved, while 42 per- Frank Cervone, vice chancellor of information services with cent say their security is at about the same level. Only 10 percent Purdue University Calumet. “We have to do a better job of say virtualization has created more security holes. enhancing our understanding of what internal organization Security may well have improved for some, but experts like information should not be shared.” (For a different view, read Chris Hoff, director of cloud and virtualization solutions at “Enterprise Evolution,” an interview with Harvard Business Cisco Systems, believe that both consumers and providers need School Associate Professor Andrew McAfee, Page 20.) to ensure they understand the risks associated with the techni- But in a university setting, it’s critical to engage people cal, operational and organizational changes these technologies through social media, Cervone adds. Even in the commercial bring to bear. sector, he doesn’t see how organizations can avoid it. “When you look at how people think of virtualization and And yet this year—the first in which we asked respondents what it means, the definition of virtualization is either very about social media, only 23 percent said their security efforts now narrow—that it’s about server consolidation, virtualizing your include provisions to defend Web 2.0 technologies and control applications and operating systems, and consolidating every- Copyright ©2009 CIO Magazine. reprinted with perMission
  • 5. Dark Cloud What is the greatest security risk to your cloud computing strategy? Fears about vendors 22% ability to enforce provider security policies 23% dominate cloud inadequate training and it auditing security risks 14% access control at provider site ability to recover data ability to audit provider 12% proximity of company data to someone else’s 11% Continued existence of provider 4% 10% provider regulatory compliance 4% thing down to fewer physical boxes—or it’s about any number potential vulnerabilities in their virtualized environments, 36 of other elements: client-side desktops, storage, networks, secu- percent cited misconfiguration and poor implementation, and rity,” he says. “Then you add to the confusion with the concept 51 percent cited a lack of adequately trained IT staff (whose lack of cloud computing, which is being pushed by Microsoft and a of knowledge leads to configuration glitches). In fact, 22 percent number of smaller, emerging companies. You’re left scratching of respondents cited inadequate training, along with insuffi- your head wondering what this means to you as a company. cient auditing (to uncover vulnerabilities) to be the greatest How does it impact your infrastructure?” security risk to their company’s cloud computing strategy. 5 Fortunately, there’s some evidence of companies proceeding It’s this awareness that makes Atmos Energy’s Gius proceed with caution. One example is Atmos Energy, which is using with caution. “We have no CSO. If we were a financial services firm Salesforce.com to speed its response time to customers and help it might be a different story, or if we had a huge head count,” Gius the marketing department manage a growing pool of clients, says. “But we are a small-to-medium-sized company, and the staff according to CIO Rich Gius. limitations make these kinds of implementations more difficult.” The endeavor is successful thus far, so Gius is investigating the Even with the right resources, security in the cloud is a matter viability of running company e-mail in the cloud. “It would help of managing a variety of risks across multiple platforms. There’s us address the growing challenge where e-mail-enabled mobile no single cloud. Rather, “there are many clouds, they’re not fed- devices like BlackBerrys are proliferating widely among the work- erated, they don’t natively interoperate at the application layer force,” he says. But he’s not ready to take such a big step because the and they’re all mostly proprietary in their platform and opera- risks, including security, remain hard to pin down. One example tion,” Hoff says. “The notion that we’re all running out to put our of the disruption that cloud-dependent companies can experi- content and apps in some common [and secure] repository on ence came in May, when search giant Google—whose content someone else’s infrastructure is unrealistic.” accounts for 5 percent of all Internet traffic—suffered a massive Lobel, with PricewaterhouseCoopers, says perfect secu- outage. When it went down, many companies that have come to rity is not possible. “You have to actively focus on the security rely on its cloud-based business applications (such as e-mail) controls while you are leaping to these services,” he says. It’s were dead in the water. difficult for companies to turn back once they have let their The outage wasn’t caused by hackers, but there are signs data and applications loose because they are often quick to rid that cybercriminals are exploring ways to exploit the cloud for themselves of the hardware and skills they would need to bring malicious purposes. On the heels of the outage, attackers added the services back in-house. insult to injury by flooding Google search results with mali- “If you dive down a well without a rope, you may find the cious links, prompting the U.S. Computer Emergency Response water you wanted, but you’re not going to get out of the well Team (U.S. CERT) to issue a warning about potential dangers without the rope,” he says. “What if you have a breach and you to cloud-based service sites. need to leave the cloud? Can you get out if you have to?” The attack poisoned several thousand legitimate websites by A exploiting known flaws in Adobe software to install a malicious TREND #3 program on victims’ machines, U.S. CERT says. The program would then steal FTP login credentials from victims and use the insourcing security Management information to spread itself further. It also hijacked the victim’s few years ago, technology analysts were browser, replacing Google search results with links chosen by predicting unlimited growth for managed the attackers. Although the victimized sites were not specifi- security service providers (MSSPs). Many cally those offering cloud-based services, similar schemes could companies then viewed security as a foreign be directed at cloud services providers. concept, but laws such as Sarbanes-Oxley, the IT organizations often make an attacker’s job easier by Health Insurance Portability and Account- configuring physical and cloud-based IT assets so poorly that ability Act and the Gramm-Leach-Bliley Act (affecting financial easy-to-find-and-exploit flaws are left behind. Asked about the services) were forcing them to address intrusion defense, patch Copyright ©2009 CIO Magazine. reprinted with perMission
  • 6. Cover story :: SECURITY management, encryption and log management. Security Budgets Hold Steady Convinced they couldn’t do it on their own, companies chose outsourcers to do it for them. Gartner estimated the MSSP mar- ket in North America alone would reach $900 million in 2004 More companies are increasing and that it would grow another 18 percent by 2008. Then came the economic tsunami, which appears to have spending than cutting it cast a shadow over outsourcing plans even though security Direction of spending 38% budgets are holding steady. Although 31 percent of respondents increase this year are relying on outsiders to help them manage day-to- 25% stay the same day security functions, only 18 percent said they plan to make decrease 12% security outsourcing a priority in the next 12 months. When it comes to specific functions, the shift has already don’t know 24% begun. Last year, 30 percent of respondents said they were numbers may not add to 100% due to rounding outsourcing management of application firewalls, compared to 16 percent today. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Companies have also cut back on outsourcing encryption management and lower-cost solutions to manage it ourselves,” he says. “We and patch management. invested in two people to help ensure we had the skills to man- At the same time, more companies are spending money on age that environment.” But he’d like to outsource more if it these and other security functions. Sixty-nine percent said makes sense financially. He notes that security is increasingly 6 they’re budgeting for application firewalls, up slightly com- integrated into the platforms provided by the likes of Microsoft, pared to the past two years. Meanwhile, more than half of Cisco and Oracle, as well as telecom providers like Comcast and respondents said they are investing in encryption for laptops Verizon. It makes sense to him to have those providers manage and other computing devices. the security of their systems. The results surprise Lobel of PricewaterhouseCoopers. Beard, with SAIC, says that no matter what drives security “When you think about it logically, some IT organizations have spending decisions, companies should understand their specific the resources and maturity to manage their operating systems security strategies and where managed security providers can and patches, but many don’t,” he observes. “Hopefully, the offer unique value. Smart business executives understand that numbers simply mean IT shops have grown more mature in they must maintain control of the big picture at all times, even if their security understanding.” a third party is managing many of the levers. Keeping an eye on Gius of Atmos Energy offered another possible explanation: security service providers and the risks they are encountering Companies see a lot of chaos in the security market with an is essential. “CIOs and security officers may outsource certain avalanche of mergers and acquisitions. One independent secu- functions to various degrees, but they should never outsource rity vendor after another has merged with or been acquired by their responsibility,” Beard advises. other companies. Examples include BT’s acquisition of Coun- C terpane and IBM’s acquisition of Internet Security Systems. TREND # 4 a new Corporate Commitment IT leaders are simply getting out of the way until the industry settles down. Gius says Atmos Energy is handling most of its security IOs may still struggle with the quality of their in-house right now. “We pursued a number of open-source data security, but the response to this year’s sur- vey suggests their executive peers have agreed, finally, that security can’t be ignored. Data Dangers Companies’ budget plans tell part of the story. Not only are more companies investing in secu- rity technologies, but overall security investments are largely Attacks on data have increased faster than any intact, despite the economy. other security exploit. The top target: databases. Twelve percent of respondents expect their security spending How attackers get your data to decline in the next 12 months. But 63 percent say their budgets will hold steady or increase (although fewer foresee increases databases 57% than did last year). File-sharing applications 46% For starters, more companies are hiring CSOs or chief informa- tion security officers (CISOs). Eighty-five percent of respondents Laptops 39% said their companies now have a security executive, up from 56 removable media 23% percent last year and 43 percent in 2006. Just under one-third of security chiefs report to CIOs, 35 percent to CEOs and 28 percent Backup tapes 16% to boards of directors. Multiple responses allowed Two factors are influencing companies to maintain security Copyright ©2009 CIO Magazine. reprinted with perMission
  • 7. as a corporate priority: Seventy-six percent say the increased risk environment has elevated the importance of cybersecurity among the top brass, while 77 percent said the increasingly tangled web of regulations and industry standards has added to the sense of urgency. Respondents were asked how important various security strategies had become in the context of harsher economic realities. Seventy percent cited the growing importance of data protection while 68 percent cited the need to strengthen the company’s governance, risk and compliance programs. Notes Mauricio Angée, senior manager of IT security and compliance and CSO at Universal Orlando: “For segregation of duty purposes, it’s interesting to see how companies are being asked—by compliance auditors, qualified security assessors and through legislation—to hire IT security managers with a much- more-defined set of roles and responsibilities.” Such roles include setting the company’s security policy, making the security budget pitch (instead of the CIO) and delegating responsibility among How Cybercrime Costs You 7 Losses from incidents average $833,000 The business impact of security breaches Financial loss 42% Brand or reputation compromised 30% intellectual property theft 29% home page altered or defaced 20% Fraud 17% How We Got Multiple responses allowed lower-level IT security administrators and engineers. the Numbers the seventh-annual “global state of information secu- None of these developments, however, make a focus on infor- rity” survey—a worldwide study by CIO, CSO and price- mation security a sure bet in the eyes of IT leaders. Just because waterhouseCoopers—was conducted online from april companies feel they have to spend money on security doesn’t 20, 2009, through June 23, 2009. CIO and CSO print and mean executives view it as an essential, even beneficial busi- ness process instead of a pain-in-the-neck task being forced online customers and clients of pricewaterhouseCoopers upon them. from around the globe were invited to take the survey. Angée said CIOs and security leaders still have to fight hard results are based on responses from 7,276 security for every penny. Meanwhile, security execs don’t have the same and information technology professionals from more decision-making power as other C-level leaders in every com- than 100 countries. thirty-two percent of respondents pany, says PricewaterhouseCoopers’ Lobel. CIOs can bring in were from north america, followed by asia (27 percent), a CSO or CISO without a strategy and budget for that person europe (26 percent), south america (14 percent) and the to work with and end up achieving nothing. If something goes Middle east and south africa (2 percent). the margin of wrong, he concludes, “all you’ll have is somebody to blame and error for this survey is +/- 1 percent. fire.” CIO –Carolyn Johnson, research manager Bill Brenner is a senior editor with CSO magazine and Csoonline.com. Follow him on twitter: www.twitter.com/BillBrenner70. Copyright ©2009 CIO Magazine. reprinted with perMission