The 2011 Global State of Information Security Survey found that 49% of respondents say economic conditions continue to drive information security spending - and most say they are optimistic that their companies will increase spending in the next year. The study is conducted by PwC in conjunction with CIO and CSO magazines.
The 8th annual survey of more than 12,800 executives from 135 countries revealed a remarkable level of optimism among security executives: 52% say their company will increase security spending over the next year. Yet many executives say their company's business partners (52%) and suppliers (50%) have been weakened by economic conditions, a substantial increase from 43% and 42%, respectively, in 2009.
"With the rise of outsourcing and offshoring, it is understandable that more companies are concerned that their business partners and suppliers have been weakened by economic conditions," says Kenneth Wong, a Partner at PwC China's Risk and Controls Solutions (RCS) practice and National Security practice leader. "This change reveals that respondents are still concerned about the vulnerability that their business partners, suppliers or service providers may now face due to a reduced focus on security controls and the uncertainty around where the company's information or data is stored and processed by its business partners, suppliers or service providers."
The more significant spending drivers to show substantial increases this year are "client requirement" and "potential liability / exposure," the study found. Client requirement moved up from the bottom of the list in 2007 to near parity with the top-ranking legal / regulatory environment. The rise of client requirement demonstrates the continuing strategic importance and integration of the security department to the business.
Focus on China Trends
The survey revealed that economic conditions continue to be one of the major drivers globally and especially in China. In fact the survey shows that 92% of Chinese respondents said their company will boost spending in the next 12 months, as compared with North America (71%), South America (81%) and Europe (68%).
The survey also found that merger and acquisition activities as a driver for security spending increased from 21% in 2009 to 26% in 2010. Perhaps Chinese respondents are starting to recognise the importance of checking a potential target's level of security and intellectual property protection as part of due diligence, and the need to ensure the security of acquired companies to protect the investment.
Interestingly, and perhaps due to the country's faster pace of recovery and ever-changing market, Change is seen as the third leading driver for security spending. Over 54% of respondents say that Change is a driver for information security spending. The rationale behind this trend, of course, is based on the changing dynamics of the business and supporting Information Technology environment, which often lead to change in information security infrastructure and budget allocation.
Chinese respondents are more likely to acknowledge that the increased risk environment inherent in current economic conditions has advanced the role and importance of the security function, and they are more focused on data protection than those in other regions, which explains why as Chinese or multi-national companies operating in China increase their R&D investments and activities, they have also become increasingly concerned about protecting their intellectual property investment.
The study reveals that information security is a priority for Chinese organisations. More than 8 out of every 10 Chinese respondents expect information security spending to either increase or stay the same over the next 12 months - a higher score than nearly every other country in the world.
However, despite the optimism in security technologies spending, the study shows that Chinese organisations' spending on technology is often misaligned with people and process to drive and prove the effectiveness of managing organisation-wide information security and data privacy. "Given the recent events in Hong Kong and mainland China which suggest that most organisations in China still fail to recognise the importance of the 'people' aspect when it comes to protecting confidential and sensitive company and customer data," says William Gee, a Partner at PwC China's Risk and Controls Solutions (RCS) practice based in Beijing.
In fact, according to the results of the survey, Chinese organisations are much more eager to invest in technology (increased from 60% in 2009 to 63% in 2010) as a safeguard for data privacy. However, many of these organisations are still lagging behind in terms of placing emphasis on people (58% in 2009, 57% in 2010) and process (46% in 2009, 46% in 2010). "Chinese enterprises should put more emphasis on educating their people and managing their process better to truly realise the value of the security technology investment that they have put in," adds Gee.
Risks of Social Networking and Collaborative Tools
The survey revealed that Chinese companies are more concerned about the risk associated with the use of social networking and collaborative tools by employees, e.g. leakage of company sensitive data or information to outsiders through the use of social networking tools. The survey shows that 57% of respondents in China said their organisation has implemented security technologies supporting Web 2.0 exchanges (potentially through some form of content monitoring device tracking data traffic across the company's network and perimeter), as compared to 40% globally. And 33% of China respondents have established security policies that address the use of social networks or Web 2.0 technologies as compared to 23% globally.
"Although China is ahead of the curve, the excessive use of content monitoring devices as a security technology mitigating the risk of Web 2.0 exchanges without the appropriate data privacy policies in place can raise data privacy concerns among employees," says Charlie Fu, a Partner at PwC China's Risk and Controls Solutions (RCS) practice based in Shanghai.
In China, visibility over security incidents has seen a significant improvement, with the number of respondents reporting that they could not identify the types of security incidents affecting them dropping 19% from the previous year to just 15%. This is well ahead of the curve, with the global figure at 34% and the Asia region at 26%.
The study also finds that as companies gain a much clearer perspective on the actual extent of security incidents, they're discovering that the greatest compromises are to data. In fact, the number of respondents in China reporting data loss or leakage has increased from 40% in 2009 to 45% in 2010, which is substantially higher than the global survey figure (27%).
The impact of security breaches or data loss incidents on business has risen to significant levels. Hackers were among the fastest-growing category of suspects. This was true globally and in China. Not surprisingly, hackers and former employees are more likely to be suspected in China than globally, which explains why Chinese or multi-national companies operating in China have become increasingly concerned about leakage of confidential company data through former employees (or current employees who may become former employees in the near future) working in collaboration with external hackers.
Not much has changed from last year when we asked respondents if their business partners, suppliers or service providers have been affected by weakened economic conditions. The study reveals that Chinese respondents are still concerned that their suppliers (65% in 2009, 68% in 2010) and business partners (73% in 2009, 70% in 2010) have been weakened by economic conditions.
The survey further says that around 85% of the respondents in China have a contingency plan for security incidents, a figure much higher than the global one (58%). However, only about half of these respondents (52%) think that the plans are effective, a satisfaction rate lower than the global result (63%). According to the survey results, the main reasons are incomplete plans (58%), lack of training (53%), and lack of management support (54%).