The report makes some rather pessimistic findings:
1. Organizations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. Contrary to this assertion, most companies are not confident about quantifying the potential financial impact of a breach, should one occur.
2. Organizational awareness and protection against information security risks are very important. However, one-third of the "Optimized" companies are uncertain about their IT security posture in terms of awareness and protection. Despite having formal strategic plans, many companies believe they are not adequately protected against information security risks.
However, there are some upsides:
3. A majority of the respondents tell us that as they develop Strategic Security Plans, they include consideration of potential threats and the associated risk to business and financial analysis.
4. Almost a third of organizations surveyed have either not purchased or not yet implemented many of the next generation security technologies that are designed to address current-day threats.
5. Most organizations identify malware, spyware and viruses as major security threats. This indicator suggests that organizations recognize the pervasiveness of cyber criminals' attempts to compromise their environments.
6. Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure.
How did the surveyed companies self-assess their security readiness? Read on.
According to data from Evalueserve (the research company commissioned to perform the survey), the surveyed organisations self-assessed their overall security maturity as 'Reactive' (9%), 'Compliant' (32%), 'Proactive' (43%) or 'Optimised' (16%).
Beyond these assessments, the report contains some interesting quotes. For instance, "Despite stating that they are "Compliant," 29% of the surveyed organizations either do not rehearse incident response scenarios after occurrence of a breach or never undertook the exercise of testing their incident response plans. Moreover, organizations with a formal security plan display greater prudence in both rehearsing and preparing themselves against any likely breach that may occur."
In addition, "this survey shows as many as 79% of the organizations experienced security incidents in the past twelve months."
Read on for the report's major recommendations.
This extensive report (we have brushed only the surface of it) makes six key recommendations in conclusion. All of these ought to be incredibly obvious to every organisation; it is a pity they (yet again) have to be restated.
1. Step up to a higher security maturity level. Only 16% claim to be at the 'optimised' level, and judging by other responses, even this figure is doubtful. Of course the 9% at the 'reactive' level have a lot of work to do.
2. Executive involvement is crucial. Too many organisations have no IT security reporting path to the board or to the CxO level. In addition, while a Strategic Security Plan is generally in place, it frequently comes under the exclusive ownership of the IT team and has neither involvement nor buy-in from the various lines of business.
3. Test early, test often, and make adjustments as needed. You *do* test your security plans, don't you? The survey showed that 29% of 'compliant' organisations have never tested their response to a security incident.
4. Use budget allocations wisely. The survey discovered there was little (if any) difference in the security expenditure between the 'optimised' and the 'reactive' groups. The only difference was that the reactive organisations were spending the majority of the money *after* an event, not to prevent security incidents.
5. Use the right tools for the current threats. There is little point buying yesterday's tools for today's threats, but too many companies are a long way behind the curve in this regard.
6. Focus on protecting the lifeblood of the company: the sensitive corporate data. Most companies (fortunately) see this as their highest priority. McAfee (and iTWire) couldn't agree more.
We commend the report to all readers.