Any business on any given day can be compromised. That’s the reality of information security. Attacks may be targeted or the result of automated scans. The attackers may be sophisticated programmers or “script kiddies” who purchased an attack toolkit on the internet. With so many threat vectors to defend against, enterprises are expending capital on security technologies at an increasing rate. But buying a technology alone, does not provide protection. The correct deployment of that technology is essential.
PwC’s 2012 Global State of Information Security Survey revealed that a vast majority of executives are confident in the effectiveness of their information security practices. The 2012 Global State of Information Security Survey is a global study by PwC, CIO Magazine and CSO Magazine. Respondents included readers of CIO and CSO Magazines and clients of PwC from 138 countries. The survey included more than 9,600 responses from COs, CFOs, CSOs, VPs and Directors of IT and Security on more than 40 questions on topics related to information security and its alignment with the business. Overall, respondents believe they have an effective strategy in place and that their organizations are proactively executing it.
Enterprises Make Information Security an Integral Part of Their Business Planning
- 63% of respondents reported they had information security strategies in place within their companies. 40% of those have both a strategy in place and taking proactive steps to execute on it. 23% just have strategies in place. 16% focus more on tactics than strategy and 21 % react to issues as they arise;
- 35% of respondents said they are very confident and 37% are somewhat confident that their information security practices are effective;
It is promising that so many enterprises already have strategies in place. However, companies should be cautious not to develop an overinflated sense of safety. It is essential to keep a close eye on measuring, monitoring and updating these strategies regularly, and ensure that technologies are being deployed correctly.
Measuring and Monitoring Information Security Performance
Information security performance measurement should be a system of measuring, monitoring and reporting information security governance metrics. The development of such an assessment framework is essential to the evaluation of the effectiveness of Security Governance.
Some example metrics might include:
Number and type of security incidents
Number of systems where security requirements are not met
Number and type of suspected and actual access violations
Number of unauthorized IP addresses, ports and traffic types denied
Time to approve, change and remove access privileges
Number of access rights authorized, revoked, reset or changed
As technology advances, so does the complexity of cyber-threats. Executives must remain aware of the real risks their companies face. These threats impact not just the company’s critical information, but also sensitive customer data. Without an accurate perspective, top management could develop a false sense of safety over a situation that could have significantly negative business impacts.