A “State of Security” report from industry giant McAfee shows how IT decision-makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. As the corporate data environment expands, McAfee says effective information security is possible only by creating a strategic security plan that incorporates a comprehensive threat analysis and an in-depth, layered security-risk-mitigation approach.
The report is based on a survey conducted by Evalueserve that included responses from 495 organizations. Countries included in the survey were the United States, Canada, the U.K., Germany, France, Brazil, Australia, Singapore and New Zealand. Company size ranged from 1,000 employees to more than 50,000.
The survey respondents categorized themselves into various states of security maturity. The terms below are used to describe the level of security maturity of participating organizations:
>> Reactive – Uses an ad hoc approach to defining security processes and is event driven. Nine percent of the surveyed companies claim to be at this stage.
>> Compliant – Has some policies in place, but has no real standardization across security policies. The organization adheres to some security standards or the minimum required (32 percent).
>> Proactive – Follows standardized policies, has centralized governance, and has a degree of integration across some security solutions (43 percent).
>> Optimized – Follows security industry best practices and maintains strict adherence to corporate policy. The organization uses automated security solutions highly integrated across the enterprise (16 percent).
“Every organization needs to take a layered approach to security, utilizing both processes and solutions designed to prevent compromise. Complicating the challenge of managing risk and securing data is the fact that ‘the enterprise’ now extends far beyond office walls and perimeter firewalls,” notes McAfee Vice President Jill Kyte. “Companies are giving network access to business partners and contract workers, and, in some cases, even to customers.”
She continues, “Workers access the enterprise network remotely using mobile devices, many of which are personally owned and not controlled by the company whose network they access. Moreover, data and applications are being moved into public and hybrid cloud environments where the data owners have little direct control over security and all of this requires a business to have a strategic security plan.”
>> Organizations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. However, most companies are not confident about quantifying the potential financial impact of a breach, should one occur.
>> Organizational awareness and protection against information security risks is important. However, one-third of the “Optimized” companies are uncertain about their IT security posture in terms of awareness and protection. Despite having formal strategic plans, 34 percent of the companies believe they are not adequately protected against information security risks that could impact their business.
>> A majority of the respondents say that, as they develop strategic security plans, they include consideration of potential threats and the associated risk to business and financial analysis. Yet, 80 percent experienced a significant security incident in the past 12 months.
>> Almost a third of organizations surveyed either have not purchased or have not yet implemented many of the next-generation security technologies designed to address current-day threats, despite more than 80 percent of the organizations identifying malware, spyware and viruses as major security threats.
>> Forty percent of organizations have either an informal or ad hoc plan or no security strategic plan in place; the size of the organization matters when it comes to having a formal plan. Six of every 10 large enterprises have a formal security plan, and two out of every three mid-size enterprises have one. This ratio dips to only one in two small enterprises.
>> Organizations in North America and Germany are more likely to have a formal security plan than those organizations in other regions of the world. This may be attributed to the regulatory environments in those countries.
>> Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure, which in turn indicates that organizations are willing to spend on the right kind of security solutions.
What Does This All Mean?
While organizations are working on their strategic security plans and putting in their best efforts toward protecting business systems and critical data, there is much room for improvement all the way around.
>> Step up to a higher security maturity level. Only 16 percent of the survey respondents classify their organizations as being at the “Optimized” level. Worse, however, is the fact that 9 percent of the organizations are “Reactive” in their approach to IT security.
>> Executive involvement is crucial. While IT and security personnel may take the lead in developing the plan, it’s important to have insight from those who best understand the business systems and the data they use. Moreover, executive involvement is critical to set the tone for the importance of security throughout the organization.
>> Test early, test often and make adjustments as needed. What good is a plan if it is developed and put on a shelf? If it is never tested? Unfortunately, 29 percent of “Compliant” companies never test how they would respond to an incident. What’s more, 79 percent of the surveyed companies had security incidents in the past year, indicating gaps in the security plans that must be addressed.
>> Use budget allocations wisely. Though every manager would like to have a bigger budget to be able to apply more safeguards, the “Optimized” companies have found ways to reach the highest level of performance with the same level of funding (percentage-wise) as the companies that are less prudent with their budgets.
>> Use the right tools for the current threats. The survey shows that 45 percent of the companies haven’t deployed next-generation firewalls. Mobile security is another area that should not be ignored, yet 25 percent of the organizations have not purchased any tools for this purpose.
>> Focus on protecting the lifeblood of the company. This means sensitive corporate data.