Regulatory Compliance Drives Security Investments

Only 11% of CSOs reported risk of theft of intellectual property or proprietary information as the primary factor driving security investments, according to CSO magazine’s new Security Sensor survey. The majority of security investment decisions are driven by issues related to regulatory compliance (49%).

Interestingly, maintaining customer confidence (15%) and risk of financial loss (8%) rank lower than regulatory demands on the list of investment priorities for these security executives.

On average, the security professionals polled have an annual security budget of $16.6 million. Over the past nine months, this number has remained consistent with previous survey findings. Budgets include both IT security and corporate/physical security.

Protecting IP

Despite indicating that the theft of intellectual property or proprietary information is not a key driver for investing in security, CSOs find it to be a major area of concern.

Fifty-six percent (56%) of CSOs believe managing access to critical documents and corporate information within their organizations is important, yet 27% said it is they will implement an enterprise-wide solution to mitigate the risk. Fifteen percent (15%) of respondents report a loss or unauthorized duplication of critical documents or corporate information in the past 12 months, while 24% were unsure.

Ex-Employee Access

CSOs also report taking great measures to safeguard the critical data in their networks. For example, when employees leave their organizations, most CSOs (74%) report they block access to the network and all of its critical documents and proprietary information within the same business day; 39% do so within one hour or less.

Similarly, 81% block physical access to the organization within the same business day, with 47% locking the doors within one hour or less.

Other questions and top five results:

Who, outside your security department, has the greatest influence over security investment in your organization?

  • 19% – Office of the CEO
  • 17% – IT department
  • 17% – Executive committee
  • 8% – Audit
  • 7% – Finance department

Please estimate your organization’s total annual IT budget in 2004.

  • 3% – $1.5 billion or more
  • 1% – $1 billion to $1.49 billion
  • 3% – $500 million to $999.9 million
  • 2% – $250 million to $499.9 million
  • 6% – $100 million to $249.9 million

How confident are you that your organization’s information security activities are effective?

  • 10% – Extremely confident
  • 38% – Very confident
  • 41% – Somewhat confident
  • 8% – Not very confident
  • 2% – Not at all confident

How confident are you in the ability of your organization to continue operating despite an electronic or physical event or disaster?

  • 10% – Extremely confident
  • 40% – Very confident
  • 34% – Somewhat confident
  • 10% – Not very confident
  • 5% – Not at all confident

When disposing of IT assets, does your organization do anything to ensure that critical information is removed from these?

  • 89% – Yes
  • 5% – No
  • 7% – Not sure
  • 100% – Total Responding

When disposing of IT assets like those mentioned above, does your organization do anything to ensure that computer waste is handled and disposed of properly, that is, according to environmental regulations?

  • 81% – Yes
  • 8% – No
  • 10% – Not sure
  • 100% – Total Responding

For which of the following types of incidents does your organization have contingency plans in place?

  • 94% – Natural disasters
  • 86% – Cyber attacks
  • 80% – Employee/former employee violence
  • 63% – Conventional attacks, terrorist or otherwise
  • 39% – Unconventional attacks, terrorist or otherwise

Methodology

CSO magazine conducted this online survey between April 27, 2004 and May 18, 2004 among 476 chief security officers and other security executives who subscribe to CSO magazine. An email invitation containing a link to the survey was sent to 20,000 CSO subscribers, receiving 476 completed surveys. Respondents have average company revenues of $7.0 billion, average security budgets of $16.6 million and an average number of employees of 20,030. Results have a 4.5% margin of error.

This article was compiled and edited by CIO Update staff. Please direct any questions regarding its content to Allen Bernard, Managing Editor.