The Global State of Information Security Survey, 2013 by PwC found that 75 percent of respondents in India as opposed to 45 percent of global peers expect their companies to increase spending on information security in 2013, but they’re probably spending it on the wrong things.
The improved economic environment, business continuity, disaster recovery, and regulatory compliance are the main reasons for the increase in spending. Before CIOs spend their budgets, they should know that PwC’s India-specific report reveals several potential problems with the security habits of Indian CIOs.
While 45 percent thought they had all the attributes of an information security leader, the report found that only 15 percent could say they had all of the following basic requirements for good security: an overall information security strategy; a chief security officer (or equivalent); a review of the effectiveness of information security practices within the past year; and complete knowledge of the security events of the past year.
While 80 percent were confident that their organizations had instilled effective security behavior in their work culture, the truth was entirely different. Only 32 percent actually incorporated information security into a project at inception. 29 percent brought it in at the design and analysis phase; 13 percent thought of it only during implementation; and one in six admitted that it was brought in on an as-needed basis. Most of them lacked an incident-response process to report and handle breaches at third-party sites and there was no compliance requirement for third parties regarding privacy policies.
While there was a three-fold increase in reported security breaches -- mostly traced to employees -- the financial losses incurred showed a dip. A closer look reveals that while a majority of companies count the loss of customer business, many of them neglect to factor in damage to brand and reputation, audit and consulting services, investigation and forensics, legal defense services, and the cost of court settlements. So the dip is probably, in fact, a hump: the real losses are higher than reported.
The most disturbing trend, however, is the decline in the use of basic information security detection technologies and a relaxation of fundamental security principles. Companies have reduced their use of malicious code detection tools, tools for spyware and adware, and intrusion detection tools. Use of tools for vulnerability scanning, security event correlation, and data loss prevention has also decreased. Policies defining backup and recovery, business continuity, user administration, application security, physical security, and management practices like segregation of duties have all seen a decline.
Though India is one of the fastest growing mobile technology markets, adoption of security strategies for mobile (46 percent), social media (37 percent), and cloud (31 percent) is lagging. Interestingly, 52 percent of the respondents had a security strategy to address personal devices in the workplace, but only 38 percent had malware protection for mobile devices, indicating a lag between strategy and basic execution.
The report paints a rather bleak picture of current Indian security practices, so it is a good thing that companies are spending more. What lessons from these findings can CIOs use to make next year’s spending more meaningful? Clearly, CIOs or CISOs should:
- Align security strategy to business objectives and make it integral to every project from the start.
- Analyze security breaches accurately and stop exploitation of mobile devices, data, and removable devices by employees.
- Compute the costs incurred due to security compromises in a holistic manner to understand the extent of the damage, and focus efforts on anticipation and prevention of breaches.
- Ensure comprehensive policy, up-to-date processes, and use of basic tools that cover both old and new technologies.
- Not overestimate their own preparedness. Hire an external consultant to facilitate constant evaluation if needed.
The money and the commitment seem to be out there, but the execution and best practices are behind. CIOs need to make sure they are getting this right for the sake of the enterprise.