Enterprise Security Survey 2011
PricewaterhouseCoopers (PwC), in association with CIO Magazine and CSO Magazine, has released its 2011 Global State of Information Security Survey report.
The report is based on data collected in early Spring 2010 from almost 13,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security in 135 countries. It analyses trends and drivers in strategic security spending.
The data on adoption of certain security and privacy protection capabilities in place is interesting. The capabilities listed include some governance and human-related matters such as checks and training, but apart from "established security baselines for external partners, customers, suppliers and vendors", the remaining capabilities appear to be post-implementation activities such as monitoring, centralised information management and event correlation.
There is no mention of practices meant to build security into business process development and acquisition (e.g. those described in the Software Assurance Maturity Model), or about maintaining and checking the accuracy of information. Perhaps there were not any questions in the survey about these aspects?
However, I am sure the high-level data will be useful for executives developing business cases for investment in security, especially helping judge what their colleagues' interests and concerns might be. The data is also broken down regionally.
Chris Potter, a PwC Partner, is speaking at ISACA London's chapter meeting next week on "Latest Trends in Security Breaches and the Implications for IT Governance and IT Assurance". I expect we will hear more information about this report and have the opportunity to ask further questions.
Posted on: 22 October 2010 at 07:47 hrs
