Sometimes our annual Strategic Security Survey can be plodding. The responses tend not to vary much year over year, and we've come to know what to expect: Companies have core information security tools, and they know where the threats are coming from, yet they still get hammered. And it's not just small or clueless companies that get breached; attackers took some notable scalps recently. For instance, EMC's RSA unit, which should know a thing or two about protecting its information assets, fell to the one-two punch of a targeted phishing email with a malicious attachment.
But in this year's survey, we were pleasantly surprised to see movement--and in a positive direction. The biggest change in 2011 is in the area of executive involvement in security policy and budgets, indicating that businesses are finally understanding that when it comes to security, everyone needs to pay attention. But this heightened executive involvement also means more scrutiny for security executives and managers. CEOs want to see results.
Our 2011 Strategic Security Survey report also collects new data on mobile devices. Security pros are gauging the threat that smartphones and tablets represent to the business. The top-level takeaway: Few companies are panicking about mobile risks, but few are ignoring them.
You Have Their Attention
A common complaint from security pros is that top executives don't consider security a priority. As one survey respondent comments, "Upper management rarely considers the value of security--until an attack or breach occurs."
But this reactivity may be changing. Our survey results show a tiny increase in security budgets for 2011 vs. 2010: 38% of respondents say their security budget will increase this year, compared with 36% in 2010. This isn't an increase to crow about, but money follows priorities, so it's a sign that more attention is being paid to security.
We're also seeing encouraging movement around management buy-in and adequate funding, long regarded as a problem among security pros. Only 23% of the 1,084 survey respondents list that as a challenge this year, compared with 27% last year.
When asked what might increase their companies' vulnerability to attack, the number of respondents citing "budget constraints" fell by 8 percentage points compared with 2010, from 38% to 30%. And those who cited a lack of senior management attention or interest fell by 3 percentage points, from 28% to 25%.
To read the rest of the article, download the May 2011 issue of InformationWeek.