Measuring Information Security Effectiveness

Sunday, December 11, 2011

Bill Gerneglia

Article: James Finnan

Two of the most crucial drivers of information security effectiveness are having an effective strategy in place and proactively executing it. Nearly half of the respondents to a recent survey of IT executives say their organization meets both criteria.

Many global companies think they have an effective information security strategy in place and are proactively executing their security plans, according to a new survey by consulting firm PricewaterhouseCoopers LLP. Only a small percentage of the organizations surveyed (13%) are what the firm calls true information security “leaders.”

The PwC 2012 Global State of Information Security Survey drew on responses from more than 9,600 business and IT executives worldwide. The survey was conducted online between February and April 2011.

One of the key findings is that companies are actively investing in information security.

“The face of cyber threats has rapidly evolved from curious college kids taking their hand at hacking to an enormous global ecosystem of cyber-crime,” says Mark Lobel, principal at PwC and co-author of the study. “Companies need a comprehensive approach to security technology, education and awareness, and a very small number have truly mastered all three.”

The survey set out to answer the following questions: Why are executives confident about their information security plans? Where have organizations made progress in addressing information security over the past year? What are the signs of vulnerability and weakness in security-related capabilities? And which priorities and opportunities should executives address now in order to prepare for the cyber threats ahead?

Some of the key findings include:

1. Almost half of respondents see themselves as “front-runners,” and these companies approach information security differently.

2. Respondents are confident that their security activities are effective.

3. Security capabilities have been degrading since 2008.

4. Key areas of improvement include C-suite buy-in and increased funding.

5. Asia races ahead while the world’s information security arsenals age.

According to PwC, an information security leader has the following traits:

1. The organization has an overall information security strategy in place.

2. The organization has a CIO or executive equivalent who reports to top management.

3. The organization has actively measured and reviewed the effectiveness of its security policy.

4. The organization understands the security breaches it has faced in the past year.

Additional Selected Survey Highlights

1. 43% of respondents think their company has an effective information security strategy in place and are proactively executing their plans.

2. 72% of respondents report confidence in the effectiveness of their organization's information security activities.

3. 43% of respondents say their company has a security strategy for employee use of personal devices.

4. 37% of respondents say their company has a security strategy for mobile devices.

5. 32% of respondents say their company has a security strategy in place for social media.

Cross-posted from  via CIOZone

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.