Organisations around the world may not be investing enough in the right initiatives to counter advancing information security threats, according to a report from PricewaterhouseCoopers (PwC).
The consultancy firm has released a report, Eye of the Storm: Key findings from the 2012 global state of information security survey, which suggests that resellers and other technology providers may need to work harder at selling information security overall, despite all the focus on the area.
A flurry of reports from Ovum, Gartner and others have shown that IT security spend is continuing to rise. But William Beer, information security specialist at PwC, says the contradiction is only apparent.
IT spend has gone up, but investment in the wider area of information security worldwide – including on people, processes and the like – is not keeping pace with the depth of the threat landscape, he says.
“And when you go into more of the details and look into the numbers by geography, the numbers for the UK are more concerning – there has not been a rise [in spend] that matches the level of risk,” he says.
Furthermore, when drilling down into individual organisations’ information security budgets, the area where money is specifically being allocated does not always correspond with the areas of greatest threat, and vice versa, says Beer (pictured, right).
Many, in fact, believe that because things have remained relatively stable, they are doing just fine with information security, especially as they focus on other problems, such as the tough economic times. However, cybercrime and other IT security threats are still on the horizon.
One of the issues is of definition. “Does cybercrime cover espionage, for example, and does it cover hacktivism?” says Beer. “Business leaders and government tend to talk about IT security, but actually they should be focusing on information security, which includes the people and processes.”
What matters most is preparation. Vague or inaccurate definitions of what is meant by cybercrime, hacking, insider threat, cyberwarfare and so on, lead to vague or inaccurate budgeting, he suggests.
PwC’s survey was performed online between February and April this year. Some 9,600 self-selected readers of CIO and CSO magazines, as well as PwC clients who identified themselves as C-level executives, responded by email.
Twenty-six per cent of respondents were from Europe, 29 per cent from the US, 21 per cent from South America, 20 per cent from Asia and three per cent from the Middle East or South Africa. The margin of error, according to PwC, is less than one per cent.
Beer says organisations need to look at information security from a risk perspective. Done right, they may find they do not have a budgetary problem as such when it comes to solving the issues.
“Look at buy-in with business leaders and senior government leaders,” he says.
Technology providers should look more closely at what customers actually do. Are they investing in social media, online opportunities, or their mobility, for example, and what are the specific risks they should address directly in terms of information security?
Too many are still focusing on selling a technological solution rather than taking a holistic approach customised to the individual customer’s needs, Beer agrees. And they need to engage more directly, higher up the value chain, with C-level executives and other leaders who drive the customer’s business outside the IT department.
According to PwC’s study, this approach will remain key, in part because visibility into when and how the next cyber threat to information will emerge is going to be poor – not least because newer threats mutate and adapt ever more rapidly. The bottom line is that, despite ongoing threats to business revenue, profits and margins, information security is still critical.
“It is common practice during periods of economic overcast for companies to withhold investment in new markets and capabilities, and even maintenance of existing operations; that is, until the forecasts for revenue robust enough to cover significant portions of the investment become more compelling,” the study states. “That strategy does not work for information security. After all, the cyber risks that threaten information often increase during contractions in the business cycle.”
PwC believes funding crucial to maintaining information security is, in fact, being sidelined or redeployed to support other parts of the budget. Certain organisations around the world may be more confident than they should be about their information security practices, including around IT investments, especially considering the emergence of advanced persistent threats (APTs) and those regularly reported data breaches and leaks, suggests PwC.
“They have an effective strategy in place. They consider their organisations proactive in executing it. And their insights into the frequency, type and source of security breaches have leapt dramatically over the past 12 months,” the report continues. “Yet all is not in order. Some evidence points to a crisis in leadership and dangerous deficits in strategy. Capabilities across security domains are degrading.”
Based on how they answered questions of whether their organisation had an effective information security strategy in place, and whether their organisation was proactive in executing it, PwC divided respondents into frontrunners, strategists, tacticians and firefighters. Forty-three per cent identified themselves as frontrunners, with an effective strategy being executed proactively.
Another 27 per cent said they were strategists – better at getting the strategy right than executing it. Only 15 per cent admitted they were tacticians, who were not great at strategy, and just 14 per cent conceded they were mere firefighters, putting out fires reactively as they occurred.
Clearly, more leaders could be engaging strategically with their information security needs and putting them into action, even if their own perceptions of their actions and efficacy turn out to be optimistic.
Added to that, when these four groups were queried on their justification for information security, most indicated that compliance with legal and regulatory requirements was the main driver. Only the frontrunners were significantly more likely to understand that customer requirements should be the main point of investing in information security – that information such as financial data or intellectual property should be protected to help the customer gain or retain a competitive advantage.
PwC’s report added, however, that this attitude is an improvement compared with attitudes 15 years ago. Only a few years ago almost half the respondents were unable to answer “the most basic” of questions about security-related breaches, whereas 80 per cent were able to provide details on event frequency, type and source in the latest poll.
In all four groups, about half were actively reducing their security initiative budgets, as well as deferring security-related actions, regardless of whether those budgets were aligned with capex or opex. And more than seven out of 10 respondents admit they feel confident, at some level, in the effectiveness of their organisation’s information security capabilities.
Beer says technology providers need to address this through improved education. Also, tactics that have been used in the past with some success – the so-called fear, uncertainty and doubt approach to selling security – need to be augmented to remove what may appear to be a degree of complacency in the market.
“They need to deliver business benefits. But the information security providers tend to talk in techno-speak and therefore the business leaders make the assumption that security is a cost rather than an addition to their bottom line,” says Beer, “[although] we are seeing that some clients, particularly [investment] banking clients, can see that information security gives them a competitive advantage.”
The other challenge, he says, is that many vendors have not moved on in their marketing messages. Providers need to think directly about figuring out what business problems the customer has that need to be solved, and then getting buy-in on how to solve them.
Because organisations have learned so much about security in recent years, they may well think they know what they are doing, but the threat landscape continues to evolve and the stakes are still getting higher.
The other good news is that half believe the purse strings will ease and allow for more spending over the next 12 months, according to the report.
Paul Davis (pictured, above left), director of European operations at security startup FireEye, agrees that IT investment may not be matching up with the threats as they develop. APT attacks are becoming more prevalent, for example, and more dangerous, yet few organisations are able to defend themselves against such sophisticated attacks at present.
“It is not keeping pace,” he says. “We were reading that Gartner said there is a $20bn (£12.9bn) security gap now. There is so much money being spent on security, but it still fails to address the modern threat landscape.”
Davis believes many customers are “tremendously frustrated” with the current crop of IT security vendors. The technological capabilities are not doing the job, especially with the new breed of polymorphic threats. Resellers should invest more in understanding the threat landscape better themselves, he says.
Chicken and egg
David Caughtry, director of core technology at distributor Computerlinks, says companies are certainly spending on security, but he agrees they could perhaps be spending their money better. Tough times have led many customers to reassess their budget, and it is especially tricky to spend scarcer funds wisely.
“It is a bit chicken and egg,” Caughtry says. “To all intents and purposes, we have been in somewhat of a security bubble for a number of years, when perhaps other IT projects have not been.”
Spending overall may have broadened. Meanwhile, trends such as cloud computing provide a greater opportunity to improve security for customers by reducing cost overall, he notes.
Caughtry (pictured, below right) adds that security becomes a business enabler when it helps customers move ahead with productivity gains, especially as they adopt more mobile ways of working. And the channel will be key to ensuring they can achieve that.
PwC’s findings also emphasise mobility, arguing that mobile device adoption and social media represent a major new area of risk and related defence. Europe, in particular, has been on a tight budget due to economic uncertainty, and certain security capabilities are in decline as a result.
However, cloud computing can improve and is improving security, although many players want better enforcement of security policies as well.
“Compared with 2009, European organisations are significantly more likely to defer initiatives and reduce budgets for security-related capital and operating expenditures,” PwC states. “The news is not all bad, however. Like other regions in the world, Europe has gained new insights into the type, frequency and source of incidents.”