CIOs unwilling to scrimp on security in tough times

2 Nov 2009

Nearly two-thirds of CIOs worldwide say they intend to maintain and even increase their spending on information security despite the economic downturn.

According to the 7th Annual Global State of Information Security Survey 2010 conducted by PricewaterhouseCoopers (PwC), six out of 10 respondents (63 pc) expect spending to either increase or stay the same – in spite of the worst economic downturn in decades – or perhaps because of it.

Largest study of its kind

The study, the largest of its kind, has been conducted in conjunction with CIO and CSO magazines. More than 7,200 executives from 130 countries across all industries were asked about their information-security expectations.

Two findings, in particular, stand out. On the one hand, there’s compelling evidence that, in some respects, the security function appears to be “under protection”— as if the efforts of technology and security executives to better align security with the business are, in fact, beginning to show results.

On the other hand, the economic downturn has clearly “raised the bar” on security. In addition to helping the business mitigate risks associated with factors such as globalisation, outsourcing and third-party compliance with the company’s policies, the information-security function is now also charged with new challenges — and for some companies, with more urgency than ever before.

The function and its leaders are now also tasked with helping the company address an acute set of crisis-related risks and opportunities, such as those associated with new business models, Mergers and Acquisitions (M&A) transactions, successive waves of redundancies, a shifting regulatory landscape, cost-cutting drives in other parts of the enterprise, and major shifts in a key competitor’s strategy.

Increase in business impacts

Overall, the survey finds that business impacts, such as financial losses, damage to brand or reputation, and loss of shareholder value, have increased.

“The increased risk environment has visibly elevated the role and importance of the information-security function to the entire business organisation and the experience is similar for Irish companies,” explained Kieran Mongan, leader of Information Security Advisory Services, PwC Ireland.

“After years of misalignment, business and IT leaders are now more closely aligned, when information-security issues are considered. This year, as we move from 2009 to 2010, there is consensus between leaders and security functions that increasing the focus on data protection is the highest priority security objective.

“It’s hard to avoid the conclusion that the economic downturn has impacted financial services companies more than those in any other industry – and is largely responsible for less progress and investments in security capabilities. However, traditionally the financial services companies have strong capabilities in all major security domains, including strategy, structure, people, process and technology,” said Mongan.

Financial services

This year, fewer financial services respondents predict spending will increase (40 pc in 2009; 46 pc in 2008). For the first time in the history of this survey, the majority of metrics used to track advances in security-related capabilities – have, by and large, for the financial services industry, not improved.

Health Industries

A key priority this year will be addressing a global trend in stiffer requirements for breach notification and specific technical controls. For example, more than six out of 10 provider respondents (61 pc) report their organisation does not have an incident-response policy to report and handle breaches with third parties handling data.


Reported incident type levels have declined across all elements, except one: the exploitation of data or data leakage is now the leading type of incident.

Utility companies have advanced their security and privacy capabilities in the past year in areas including strategy, security leadership, privacy-related assessments, and integration.

Public sector

Today, a new generation of government employees is accessing social networks from work in great numbers, often without the knowledge of the IT department – and in circumvention of the traditional countermeasures employed by many. Some organisations have moved quickly to close this gap – but most need to do more – only 35 pc of Government agencies have security technologies in place that support Web 2.0 exchanges.

Advancing cyber security and private/public partnerships are additional emerging priorities.

Looking ahead, companies are placing high expectations on initiatives that prioritise security investments based on risk.

“Irish companies have similar expectations and alignment with business priorities has improved, however, the significant challenge facing Irish organisations is achieving these expectations. While the economic downturn has elevated the role and importance of the security function, cost-reduction efforts will make adequate security more difficult to achieve,” Mongan concluded.

By John Kennedy

Photo: Sixty-three per cent of survey respondents expect information security spending to either increase or stay the same, the 7th Annual Global State of Information Security Survey 2010 suggests.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years