From the CAE Bulletin, Oct. 9, 2011
Executives Are Bullish About the Effectiveness of Their Organization’s Information Security Program
This and other findings of a large-scale survey recently conducted by PricewaterhouseCoopers and CIO and CSO magazines may provide useful benchmarks to CAEs who plan to audit their organization’s information security strategy and related activities during the coming year.
Nearly three-fourths (72 percent) of respondents to a large-scale survey recently conducted by the public accounting and business services firm PricewaterhouseCoopers LLP (PwC) and CIO and CSO magazines are confident that their organization’s overall information security approach is effective. This overwhelming self-assurance suggests that information security is widely regarded as a core business activity now, “rather than a ‘patchwork of technical guesses’ or merely a line item in the chief information officer’s budget,” concludes a slide presentation accompanying the encyclopedic survey report. However, despite respondent organizations’ overall positive self-assessment of their information security prowess, the survey results suggest that the maturity of their approaches varies substantially.
Internal audit departments that plan to audit their organization’s information security strategy during the coming year may benefit from studying these differences and the more than a dozen other survey-related findings explored in the report, an extensive summary of which can be customized by industry if desired and downloaded from PwC’s website. Respondents to the online survey include 9,600 PwC clients and readers of CIO and CSO magazines in 138 countries. The sample principally comprises CEOs, chief financial officers (CFOs), chief information officers (CIOs), chief information security officers (CISOs), and chief security officers (CSOs).
More than two-fifths (43 percent) of respondents characterize their organization as an information security “front-runner,” which PwC defines as having an effective strategy in place and executing it proactively. About one-fourth (27 percent) describe themselves as a “strategist,” defined as being better at getting the strategy right than at executing it. The remainder view themselves as a “tactician” (15 percent) or a “firefighter” (14 percent). Tacticians are defined as organizations that are more effective at getting things done than at developing an overall effective strategy, while firefighters are those that do not have a comprehensive strategy in place and are typically reactive to emerging security threats.
The report notes that these self-characterizations, in turn, “provide some intriguing insights” into how respondents value and cost-justify information security. For example, less than half of the front-runner respondent group report that poor economic conditions prompted their organization to defer a security-related initiative requiring a capital (47 percent) or operating (44 percent) expenditure during the past 12 months. Among the strategist group, the corresponding project deferral rates are 69 percent and 67 percent. Similarly, front-runners principally justified their current information security spending by citing client requirements (50 percent), legal or regulatory requirements (45 percent), professional judgment (43 percent), potential liability (41 percent), and industry best practices (41 percent). For firefighters, at the other end of the maturity spectrum, the corresponding justification percentages are 21, 24, 22, 22, and 17, respectively.
On the basis of these and other respondent data, the PwC report’s authors carved out a much narrower “leader cut” of respondents. Included in this leading practice group — 93 percent of whom express confidence in the effectiveness of their information security program — are the 13 percent of participating organizations that:
- Have an overall information security strategy in place.
- Permit their chief information security officer or equivalent security leader to report to the “top of the house,” defined as the CEO, CFO, chief operating officer, or chief legal counsel.
- Both measure and review the effectiveness of their information security policies and procedures annually.
- Possess a solid understanding of exactly what type of adverse security events have occurred over the past 12 months.
The largest practice gaps between these “leaders” and the other survey respondents include employing a CISO (84 percent vs. 45 percent), employing a CSO (75 percent vs. 40 percent), deploying information security personnel to support internal business units (72 percent vs. 46 percent), and projecting security spending increases in the coming year (76 percent vs. 51 percent). Among the other noteworthy data provided by respondent organizations at all levels of information security maturity are:
- Customers (17 percent) and business partners or suppliers (15 percent) are viewed as potential sources of information breaches. However, only 24 percent maintain an inventory of third parties that handle sensitive information, and just 29 percent conduct due diligence on these parties and require them to comply with the organization’s privacy policies.
- Only 43 percent have a security policy that covers employee use of personal communications devices at work, and an even lower 37 percent have a strategy in place for securing employer-provided mobile devices.
- More than half (54 percent) perceive that cloud computing initiatives have improved information security overall, while 23 percent believe these activities have weakened it. The leading perceived risks of cloud computing are the inability to enforce service providers’ security policies (32 percent), inadequate staff training and IT audit capabilities (19 percent), and questionable privileged-access controls among service providers (15 percent).
Respondent organizations vary in annual revenue from less than US $100 million (37 percent) to more than US $1 billion (23 percent). Twenty-nine percent are based in North America, 26 percent in Europe, 21 percent in South America, 20 percent in Asia, and 3 percent each in the Middle East and South Africa. The organizations operate in a wide range of industries led by technology, industrial products, and financial services. The respondent base is so large and diverse, PwC says, that the survey margin of error is less than 1 percent.