Investment on information security is increasing -- but so is the speed and variety of threat vectors in the enterprise -- and these include determined attackers deploying the latest technologies.
The arms race scenario emerges from the results of the latest Global Information Security Survey conducted by CIO and CSO magazines in conjunction with PwC (PricewaterhouseCoopers).
"New models of information security strategies and practices are needed to be better prepared," says Colin Slater, security and technology partner at PwC New Zealand.
This also means realising that safeguarding everything to the same threat level is no longer possible, he says. "Businesses need to identify and prioritise what's most important to them and focus their resources on protecting that."
The survey, now on its 11th year, interviewed more than 9600 business, security and IT executives -- with 49 respondents from New Zealand.
The latest survey found the number of security incidents detected in the past 12 months has increased by 25 per cent over last year, while the average financial costs of incidents are up 18 per cent.
Security investment is strong - average security budgets have increased 85 per cent over last year, and at 4.3 per cent. Asia Pacific reports the highest IS budget as a per cent of overall IT spending.
Respondents are optimistic on future information security spend, with 60 per cent stating their security budget will increase over the next 12 months. However, average financial losses due to security incidents are up 28 per cent over last year. Insiders, particularly current or former employees, are still the top source of security incidents. While many believe nation-states cause the most threats, only 4 per cent of respondents cited them, whereas 32 per cent pinpoint hackers as a source of outsider security incidents.
The top three obstacles to improving security are insufficient funding, business strategy alignment with security, and lack of leadership from the CEO or board.
"New Zealand businesses should pay heed to these global findings. We may be geographically isolated, but in this online and digitally connected world we're just as vulnerable to threats as businesses in the US, UK, Australia or China," says Slater.
"We can't afford to be naive to the risks we face as the costs and complexities of responding to attacks continue to rise."
It is not all bad news, says Slater. "It's great that there is a focus on security and privacy, which has been pushed by the public sector."
Slater says the Government CIO has been instrumental in raising awareness of information security issues, following a raft of privacy and security breaches in government agencies. "You talk to anyone who's running mobile or online services, they're getting asked different questions by their users now than they used to."
What is key, however, is "actually putting in place putting long term remedies".
"Technology and how we use it is constantly evolving. We need to find the optimal point between being afraid to adopt new technologies that will increase our competitive positions, and seriously addressing security implications," says Slater.
Slater says security awareness training should not be seen as a "bit of a nice to have".
"Your people are your most effective deterrent and your most effective control," he says. "I actually think it's the most important thing that you can do."
He says enterprises can tailor the training to meet their business culture. When this is done, he says, "You have just multiplied your change agents and your security agents out in your workforce. And that is a really effective strategy."
"It's a concept that's really, really such a basic thing to do, but the ROI on it is so high," says Richard Tims, director, risk and control solutions at PwC NZ.
So how can CIOs get the executive management buy in for information security?
Getting executive support and endorsement is about context and consistency, says Slater. For CIOs he works with, "their biggest challenge is filtering their security privacy risks into a consistent view that's digestible by senior management and the execs.
"So how do you dashboard your risk and threat profile? The really successful ones are the ones that articulate risks really clearly and have a plan to manage them," says Slater.
The missing security piece
Slater and Tims point to the security implications for organisations deploying customer facing mobile applications.
They cite a "staggering" 55 per cent of respondents either did not know or did nothing in relation to the launch of customer facing mobile application. Only 15 per cent performed security testing or had secure development standards in place.
"If you are going to launch something mobile, have a conversation with somebody that understands the risks," says Slater. Following this, "You can put a plan in place to give you the comfort that you need and make sure it is safe and doesn't expose your business to undue risk.
"Often, when people get into that 'we've got to do it' mode, they get tunnel vision, they put the blinkers on and they just crack on and try and do it. Sometimes it works, but it's a big risk.
"You can rebrand it as much as you like but people won't go back," he says, citing the experience of online auction site Wheedle, which had to close down for six months following revelation of serious security flaws. "If something goes wrong with your mobile site, however simple the functionality might be, people are going to not want to go back there again."
Opportunities to collaborate
Security is an issue that transcends boundaries, and both Tims and Slater raise then the need for enterprises today to work with other organisations in the area.
Security should not be seen as competitive, they note. "Most organisations believe they are better off than their competitors, [and] opportunities to collaborate may be missed."
Tims likens the need to creating partnership with professional services. "You've got different angles on the problems, why don't you share that knowledge, leverage that experience for the greater good?"
Slater says these conversations can be off the record, applying the Chatham House Rule. "You're a CIO, you're an executive level person," says Slater. "You know inherently what is competitive and what isn't competitive. You can make that decision.
"Do seek advice, counsel and conversation with your peers, your peer CIOs... even competitors.
"Don't be an island."
Asset rich, security challenged
The main steps companies can take is understanding their data and which of these attackers might find useful or gain something from , says Graeme Neilson, chief information security officer at Aura. "If you have data that is sensitive, where is that kept?"
As for lack of executive support for having a comprehensive security program, Neilson points out some businesses are purely driven by ROI for projects.
Neilson approaches this discussion by pointing to the concept of something familiar to executives: The physical security for corporate headquarters, with some areas requiring different security mechanisms. "Pretty much every company understands that if they don't have those controls, people will come in and bad things will happen."
Information security should be viewed in the same mode, he says. "If you don't secure your website, people will break into it and vandalise it or steal information from you. You have to assume that will happen if you don't secure it."
Yet, he states, a lot of business are not approaching information security this way. "It goes back to identifying your assets," he says, and which are "business critical". "What would happen if these were stolen, modified or deleted? If that ends your business, you need to spend money on security. That is not a difficult argument."
Send news tips and comments to [email protected]
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz