The results of the study, which surveyed 7 548 information security professionals globally, were presented at the Infosecurity Europe show in London, 22 April.
The study, which shows that information security has become more of a business imperative than ever before, demonstrates that corporate reputation, amongst other things, is motivating information security governance. The public disclosure of data breaches have earned plentiful news coverage over the last six months, but the UK is yet to implement the California breach disclosure law, which is now active in 40 other US states. John Colley has mixed feelings about the possible adoption of such law.
| "From a security point of view, disclosing a breach could actually make the situation worse" |
| John Colley |
“Personally, I’d want to know if my data has been compromised. But from a security point of view, disclosing a breach could actually make the situation worse. For example, in the case of the HMRC data breach, the media coverage and disclosure made that laptop and data a target”.
“Having said that, some legislation if definitely needed”, he continues, “but with that, a proper investigation needs to take place before a disclosure to mitigate loss. At the moment there is reluctance from the House of Lords for more legislation”.
Colley believes that people within the industry still have great difficulty articulating damage from infosecurity breaches. “Technology deployment still lags behind fear”, he says, “First comes fear, then the idea for a solution, and finally the technology”.
Information security awareness is half the battle says Colley. “In that respect, the HMRC breach had a positive impact on information security awareness, especially in terms of educating the general public and small and medium businesses. The breach has lead to companies reviewing their own procedures, and was in itself, an example of lack of awareness”.
Despite media speculation to the contrary, Colley is adamant that financial institutions do take data protection very seriously. “Having worked for three large financial institutions, I know that customer information is actually taken very seriously, which is why I was so surprised to hear about the HSBC breach. Respectable organisations do make the effort”.
According to the survey, 60% of respondents argued that breach of laws and regulations are motivating information security governance. But a significant number of companies still aren’t PCI compliant. Are current penalties for non-compliance not strict enough? Colley argues that the credit card companies are in a difficult position.
“What can Visa actually do? All deadlines from the payment card industry have passed, and status at present is that companies must become compliant. Visa need the business to impose fines for non-compliance – if it started cutting companies who aren’t PCI compliant off, they’d lose a lot of business”.
“PCI compliance is very basic; it’s the encryption and storage elements of the standard that are more important. If everyone conformed to these standards, it should be very straightforward”.
Smaller organisations (up to 500 employees) accounted for nearly 60% of respondents, presenting a move from security as a priority for large organisations to organisations of all sizes. This could be due to business requirements and compliance, and the introduction of PCI-DSS. But do smaller companies find it harder to cover the cost of compliance?
“It’s true that small and medium businesses have less budget to spend on infosecurity – but they are still accepting debit cards, so they must comply, otherwise their online presence could be compromised”, says Colley. “Cost justification might be hard because every penny counts, but the cost of a data breach is much harder to imagine.”
Results of the survey indicate that information security awareness is appreciated as a significant factor in information security management. Well-informed media articles are good at raising awareness, according to Colley, who argues that “only through the media, will the public become more aware”.
| "National press tend to only report bad things that have happened. Trade press on the other hand offer more balanced coverage, reporting the good as well as the bad" |
| John Colley |
“But sensationalised reporting is very bad; it’s like ‘crying wolf’. It’s difficult to get the national press to pay attention, and they rarely report advice on how to prevent such infosecurity issues. National press tend to only report bad things that have happened. Trade press on the other hand offer more balanced coverage, reporting the good as well as the bad”.
The information security profession is maturing globally, and according to the ISC2 report, average experience levels are 8.3 years in EMEA, which in theory makes information security a difficult industry for graduates to break into. Is this the case?
“Information security is a hard market to crack as a graduate – getting the first job is very difficult. We’re getting to a point however, due to market growth, where demand is outstripping supply”, says Colley. “This will force companies to give graduates a chance, and to train and develop staff in-house. We’re still in the first generation of graduates, remember”.
“Infosecurity is somewhat of a closed club to get into. Networking is very important, which is why ISC2 hold career evenings. Basic technical knowledge is important, as much as management and communication skills”, Colley advises.
And finally, the report reveals that spending across the board in infosecurity is on the rise, with 27% in EMEA reporting an increase since the previous study. But is the money being spent in the right areas?
“Spending in education, development and technology is sensible, but what is needed is less hype around ‘infosecurity solutions’. Product hype needs to be dropped” Colley remarks. And it seems that information security professionals across the globe are starting to come around to this way of thinking, as evident in the survey, which lists technology and software solutions as number five on the list of factors affecting an infosecurity professional’s ability to protect and secure its resources from breaches, abuse and misuse.