
www.pwc.com/security

Advisory Services
Security

While tight budgets have forestalled updates to security programs, many businesses are confident they're winning the game. But the rules, and the players, have changed.

Changing the game Key findings from The Global State of Information Security Survey 2013

Methodology
The Global State of Information Security Survey 2013 is a worldwide study by PwC, CIO magazine, and CSO magazine. It was conducted online from February 1, 2012, to April 15, 2012. Readers of CIO and CSO magazines and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in this report are based on the responses of more than 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 128 countries. Forty percent of respondents were from North America, 26% from Europe, 18% from Asia, 14% from South America, and 2% from the Middle East and South Africa. The margin of error is less than 1%. All figures and graphics in this report were sourced from survey results.

Information security has always been a high-stakes game, one that demands a smart strategy, the right technology, and an unblinking focus on adversaries. Today, however, both the game and the opponents have changed. To win, businesses must play by new rules and bring advanced skills and strategy to the table.

Table of contents

The heart of the matter
For many businesses, security has become a game that is almost impossible to win. The rules have changed, and opponents, old and new, are armed with expert technology skills, and the risks are greater than ever.

An in-depth discussion
Attitudes about security often follow no rational game plan. Case in point? The general mood among global executives is optimistic, even though the data do not always support that sentiment.
  I.   A game of confidence: Organizations assess their security practices ........ 5
  II.  A game of risk: The decline of capabilities over time ........ 9
  III. It's how you play the game: Alignment, leadership, and training are key ........ 17
  IV.  The new world order: Asia advances, South America makes its move, and other regions try to maintain ........ 21

What this means for your business ........ 26
Understanding the practices of true information security leaders can help you improve your organization's security game.

The heart of the matter

For many businesses, security has become a game that is almost impossible to win. The rules have changed, and opponents, old and new, are armed with expert technology skills, and the risks are greater than ever.

The uncertain economy of the past four years has made information security an increasingly challenging game whose outcome can have potentially serious consequences for your business. In today's rapidly evolving threat landscape, businesses have fallen behind, their defenses weakened and security practices dulled by a protracted period of tight budgets and truncated projects. At the same time, their adversaries are becoming ever more sophisticated, breaching the defenses of business ecosystems and leaving reputational, financial, and competitive damage in their wake. Those keeping score agree: The bad guys appear to be in the lead. But respondents to The Global State of Information Security Survey 2013 seem to be playing from an entirely different game plan. Among more than 9,300 executives across 128 countries and virtually every industry, confidence in their organizations' information security practices remains high.

Indeed, many believe they are winning. Strategies are deemed to be sound. Budgets are recovering. Nearly half (42%) of respondents see their organization as a front-runner in terms of information security strategy and execution. The odds, however, are not in their favor. Too often, and for too many organizations, diminished budgets have resulted in degraded security programs. Risks are neither well understood nor properly addressed. The number of security incidents is on the rise. Senior executives frequently are seen as part of the problem rather than keys to the solution. Given today's elevated threat environment, businesses can no longer afford to play a game of chance. They must prepare to play a new game, one that requires advanced levels of skill and strategy to win.

An in-depth discussion

Attitudes about security often follow no rational game plan. Case in point? The general mood among global executives is optimistic, even though the data do not always support that sentiment.

I. A game of confidence: Organizations assess their security practices


Finding #1
Good self-assessments continue this year, with a substantial number of respondents saying their organizations exhibit the attributes of information security leaders.

Finding #2
Confidence runs deep. Most respondents believe their organizations have instilled effective information security behaviors into organizational culture.

Finding #3
Good behaviors lead to good outcomes, so it's not surprising that most respondents say their information security activities are effective, although they may not realize that confidence in this area has waned over the years.

Finding #1. Good self-assessments continue this year, with a substantial number of respondents saying their organizations exhibit the attributes of information security leaders. A closer look at the data shows that many of these claims are overly optimistic, however. Our survey includes several questions meant to identify genuine security leadership, along with others that allow organizations to assess their own readiness. The self-assessments tend to be much more positive than our leadership analysis. We've categorized respondents according to the way they describe their approaches to security. Front-runners (42%) say their organization has an effective strategy in place and is proactive in executing the plan. These are key elements of true security leadership. Strategists (25%) say they are better at getting the strategy right than executing the plan, while tacticians (16%) rate themselves better at getting things done than at defining an effective strategy. Firefighters (16%) admit that they do not have an effective strategy in place and are typically in a reactive mode.

But are our front-runners actually leaders? We measured respondents' self-appraisals against four key criteria used to define leadership. Real leaders must:

- Have an overall information security strategy
- Employ a chief information security officer (CISO) or equivalent who reports to the top of the house, e.g., to the chief executive officer (CEO), chief financial officer (CFO), chief operating officer (COO), or legal counsel
- Have measured and reviewed the effectiveness of their security measures within the past year
- Understand exactly what type of security events have occurred in the past year

Based on these qualifications, our analysis reveals that only 8% of respondents rank as true leaders. Compare that elite group to the much larger cohort of self-identified front-runners and it seems clear that many organizations overrate their security practices.

Figure 1: How survey respondents characterize their organizations' approach to information security

                2011   2012
Front-runners    43%    42%   We have an effective strategy in place and are proactive in executing the plan
Strategists      27%    25%   We are better at getting the strategy right than we are at executing the plan
Tacticians       15%    16%   We are better at getting things done than we are at defining an effective strategy
Firefighters     14%    16%   We do not have an effective strategy in place and are typically in a reactive mode

Note: Due to rounding, numbers reported may not reconcile precisely with raw data.

Finding #2. Confidence runs deep. Most respondents believe their organizations have instilled effective information security behaviors into organizational culture. To be effective, security must be integral to the way people think and work, not merely an afterthought or another item to be checked off a list. And most respondents tell us they have achieved that kind of buy-in: 29% are very confident they have instilled effective security behaviors into their organizational culture, and another 39% are somewhat confident. Just 20% are either not very confident or not at all confident on the culture question, while 12% say they do not know. Less clear, however, is whether security really has become second nature. A look at the routines and interactions that make up an average workday reveals gaps between perception and reality. For example, just one-quarter of respondents report that information security becomes involved in major projects at inception, while a slightly smaller group says security is looped in during the analysis and design phases and 12% say it becomes involved during implementation. More than one in five say security gets involved on an as-needed basis, while 18% do not know.

The way people work with others also reflects a general lack of real commitment to security. Most organizations lack an incident-response process to report and handle breaches at third parties that handle data, and fewer than one-third require third parties (including outsourcing vendors) to comply with their privacy policies. Furthermore, fewer than half (44%) of respondents say their firms collect, retain, and access only as much personal customer information as is necessary to conduct their business. The rest, presumably, collect more customer information than they actually use.

Figure 2: Confidence that organizations have instilled effective information security behaviors into their culture

Very confident          29%
Somewhat confident      39%
Total                   68%

Figure 3: When information security becomes involved in major projects

At project inception                     25%
During the analysis and design phases    24%
During the implementation phase          12%
On an as-needed basis                    21%
Do not know                              18%

Finding #3. Good behaviors lead to good outcomes, so it's not surprising that most respondents say their information security activities are effective, although they may not realize that confidence in this area has waned over the years. Strategy and culture only pay off if execution is strong, and most of the people who took our survey have a strong sense that their security is good at a nuts-and-bolts level. More than 70% of respondents are very (32%) or somewhat (39%) confident that their organization's information security activities are effective.

Yet high as those numbers are, a look at past years reveals a dwindling sense of well-being. While this years total is essentially flat compared with 2011, the percentage of respondents indicating confidence in their security activities routinely topped 80% from 2006 to 2009 before dipping to 74% in 2010. A hint of doubt has crept into the security realm. As we will see later, this sense of foreboding is justified.

Figure 4: Confidence that information security activities are effective

Very confident          32%
Somewhat confident      39%
Total                   71%

II. A game of risk: The decline of capabilities over time


Finding #4
Budget growth has slowed, but money is flowing again for security projects as deferrals for capital and operating projects have declined.

Finding #5
While reported security incidents have increased marginally, financial losses due to security breaches have decreased significantly. Yet approaches to measuring these losses are often incomplete.

Finding #6
The economic environment ranks first among the multiple factors shaping security budgets, with information security concerns lying far down the list.

Finding #7
There has been a long-term decline in the use of some basic information security detection technologies. That's like playing a championship game with amateur sports equipment.

Finding #8
Organizations are pruning their rulebooks, with some once-familiar elements of information security policies becoming less common.

Finding #9
Safeguarding information is easier when you know where that information is. But organizations are keeping looser tabs on their data now than they did in years past.

Finding #10
As mobile devices, social media, and the cloud become commonplace both inside the enterprise and out, technology adoption is moving faster than security.

Finding #4. Budget growth has slowed, but money is flowing again for security projects as deferrals for capital and operating projects have declined. The purse strings are looser than they were during the economic recession, yet the trend toward bigger security budgets has leveled off. Fewer than half (45%) of our survey respondents expect an increase in their budgets in the next 12 months, down from 51% last year and 52% in 2010. More than one-quarter of respondents plan to hold steady on security spending and almost one in ten foresee decreases. About 18% say they don't know where security spending is headed. Better news is to be found in declining rates of deferrals for both capital and operating expenditures, both much lower than in preceding years, along with fewer budget cutbacks for security initiatives. Nearly 60% of respondents report that their organization did not defer capital spending for IT security. Another 20% say projects were deferred by less than six months; only 8% saw projects deferred by a year or more. Meanwhile, deferrals on operating expenditures were even less common, by a slight margin.

Project budgets were pretty well protected, with no spending cuts seen by almost two-thirds of respondents, and another 15% reporting cuts of less than 10%. Still, almost one out of nine capital projects saw cost cuts of over 20%. Again, the numbers were similar for IT security operating budgets.

Figure 5: Percentage of respondents who believe that information security spending will increase over the next 12 months, 2007 to 2012 (chart). The 2010, 2011, and 2012 bars read 52%, 51%, and 45%; the three earlier bars read 38%, 44%, and 44%.

Finding #5. While reported security incidents have increased marginally, financial losses due to security breaches have decreased significantly. Yet approaches to measuring these losses are often incomplete. Reported security incidents are on the rise compared with last year, if only marginally. The number of respondents reporting 50 or more incidents hit 13%, up slightly from last year and far above the levels reported in earlier surveys. About one-third of respondents say their organization experienced no incidents, while one in seven say they do not know. Among those that did experience a security incident, 14% of respondents reported financial losses due to breaches, down from 20% the two previous years and 10% in 2008. Just 7% say they experienced a loss in shareholder value this year due to security breaches, down a bit from last year. These numbers seem encouraging, yet there's a catch: Many organizations do not perform a thorough appraisal of the factors that might contribute to such losses. For example, barely one-quarter considered damage to brand and reputation when estimating the full impact of a security breach, and just over half considered loss of customer business. This is significant because protecting data is essential to customer loyalty. In fact, a recent PwC consumer survey found that 61% of respondents would stop using a company's products or services after a breach.[1] Consideration of costs was limited as well: Investigations and forensics were included by just over one-third of respondents, and roughly the same percentage looked at audit and consulting services and legal defense services.

Figure 6: Factors included in calculation of financial losses from security breaches

Loss of customer business                                    52%
Legal defense services                                       35%
Investigations and forensics                                 35%
Audit and consulting services                                34%
Deployment of detection software, services, and policies     31%
Damage to brand/reputation                                   27%
Court settlements                                            26%

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

[1] PwC, Consumer Privacy: What Are Consumers Willing to Share? (July 2012)

Finding #6. The economic environment ranks first among the multiple factors shaping security budgets, with information security concerns lying far down the list. What business issues or factors drive security spending? We saw a wide range of responses on this issue, but the most frequently cited answers did not concern the business value of good information security. In fact, economic conditions are by far the largest driver of security spending, cited by 46% of respondents. That's a lower percentage than in 2011 and 2010.

Of course, all departments feel the pinch in tough times, but crooks don't take holidays. Tying budgets too closely to the economy is a risky way to set security priorities. The security-specific response that drew the largest number of responses was business continuity / disaster recovery, at 31%, a much lower rate than the 40% reported just two years ago. Company reputation is roughly as important to budget-makers as continuity and recovery, at 30%. And a lot of organizations seem to spend on security because they are required to do so by either regulators (29%) or internal policy compliance (28%).

Figure 7: Business issues or factors driving your company's information security spending, 2009 to 2012 (chart). Factors shown: Economic conditions; Business continuity/disaster recovery; Company reputation; Change and business transformation; Internal policy compliance; Regulatory compliance.

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

Finding #7. There has been a long-term decline in the use of some basic information security detection technologies. That's like playing a championship game with amateur sports equipment. A counterintuitive trend during this era of information security confidence has been the decreasing deployment of many basic information security and privacy tools. To some extent, this is probably a consequence of several years of tight budgets. If it also reflects a shift in tactics and strategy, the direction of those changes remains cloudy.

What is clear is the diminution of detection technology arsenals in recent years. Among the categories taking a hit are malicious code detection tools for spyware and adware, down to 71% after topping out at 83%, and intrusion detection tools, once in use by nearly two-thirds of respondents and now used by just over half. Similar slides have occurred with tools for vulnerability scanning, security event correlation, and data loss prevention.

Figure 8: Technology information security safeguards currently in place

                                                       2011   2012
Malicious code detection tools (spyware and adware)     83%    71%
Intrusion detection tools                               62%    53%
Tools to discover unauthorized devices                  57%    47%
Vulnerability scanning tools                            59%    46%
Subscription to vulnerability alerting service(s)       49%    41%
Data loss prevention (DLP) tools                        48%    39%
Security event correlation tools                        47%    36%

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

Finding #8. Organizations are pruning their rulebooks, with some once-familiar elements of information security policies becoming less common. Concurrent with the emptying of information security toolboxes has been a relaxation of the policies that set standards across the enterprise. Many fundamental elements of security policy have dwindled, sometimes sharply, over the past several years. Take, for example, policies defining backup and recovery / business continuity, which only 51% of respondents say remain in place at their organizations. The list goes on: User administration, application security, physical security, and management practices like segregation of duties have all seen declines.

Figure 9: Elements included in security policies

                                           2011   2012
Backup and recovery/business continuity     53%    51%
User administration                         49%    48%
Application security                        38%    35%
Logging and monitoring                      38%    33%
Regular review of users and access          37%    32%
Physical security                           36%    32%
Inventory of assets/asset management        29%    24%
Change management                           26%    22%
Classifying business value of data          22%    16%

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

Finding #9. Safeguarding information is easier when you know where that information is. But organizations are keeping looser tabs on their data now than they did in years past. This is a basic point that survey data suggest has been lost on a growing number of respondents. While more than 80% say protecting customer and employee data is important, far fewer understand what that data entails and where it is stored. This is significant because customers increasingly want to be in control of their personal data and able to turn off the flow of information from companies.[2]

The percentage of respondents reporting an accurate inventory of employee and customer personal data increased from last year, but it remains under 40% and is off earlier highs. Accurate accounting of locations and jurisdictions of stored data followed a similar trajectory, barely topping 30% this year.

Figure 10: Data privacy safeguards in place related to process, 2011 vs. 2012 (chart). Safeguards shown: Privacy policy reviewed at least once a year; A written privacy policy is in place and published on our external website; Accurate inventory of where personal data for employees and customers are collected, transmitted, and stored; Require third parties (including outsourcing vendors) to comply with our privacy policies; Audit privacy standards through third-party assessment; Accurate inventory of locations or jurisdictions where data is stored; Incident response process to report and handle breaches to third parties that handle data; Inventory of all third parties that handle personal data of employees and customers; Conduct compliance audits of third parties that handle personal data of customers and employees.

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

[2] PwC, Consumer Privacy: What Are Consumers Willing to Share? (July 2012)

Finding #10. As mobile devices, social media, and the cloud become commonplace both inside the enterprise and out, technology adoption is moving faster than security. To remark upon the popularity of mobile technology and social media seems almost redundant at a time when the release of the latest iPhone and the offering of shares in Facebook carry the status of pop culture events. The cloud may have less cultural cachet, but it, too, has become part of the infrastructure of everyday life and business. In this context, it comes as no surprise to find an increase in the number of organizations with safeguards in place for mobile, social media, and cloud computing, along with policies covering the use of employee-owned devices. But these numbers remain stubbornly low: Just 44% have a mobile security strategy, while strategies for the cloud and social media clock in at less than 40% and lag the adoption rates of the technologies themselves. Our data show, for example, that 88% of consumers use a personal mobile device for both personal and work purposes,[3] yet just 45% of respondents have a security strategy to address personal devices in the workplace, and only 37% have malware protection for mobile devices.

Figure 11: Information security safeguards currently in place, 2011 vs. 2012 (chart). Safeguards shown: Cloud security strategy; Social media security strategy; Mobile device security strategy; Security strategy for employee use of personal devices on the enterprise.

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

[3] PwC, Consumer Privacy: What Are Consumers Willing to Share? (July 2012)

III. It's how you play the game: Alignment, leadership, and training are key
Finding #11
A focus on business success should inform all aspects of the organization's activities. Most respondents say security strategies and security spending are aligned with business goals.

Finding #12
An effective coach is key to a winning team. Respondents say executives still have work to do in demonstrating their leadership in security strategy. Security leaders, meanwhile, still lack adequate access to the executive suite.

Finding #13
People who don't know how to do things rarely do them well, which makes the lack of staff and resources available for security training a significant problem.

Finding #11. A focus on business success should inform all aspects of an organization's activities. Most respondents say security strategies and security spending are aligned with business goals. The value of even the boldest strategies and plushest budgets should be measured against their alignment with the goals of the larger organization. By that standard, most respondents believe their security efforts are well-targeted, with one-third saying security policies are completely aligned with business goals. Another 46% say they are somewhat aligned. Just over one in five respondents say strategies are poorly aligned or not aligned. Translating those policies into well-targeted spending is the next task, and alignment of security spending with business objectives hits similar marks. Forty-six percent of respondents say they are somewhat aligned. A smaller group (30%) claim to be completely aligned, while 14% claim poor alignment and 10% say they are not aligned.

Figure 12: Alignment of security policies with business objectives

Completely aligned     33%
Somewhat aligned       46%
Poorly aligned         11%
Not aligned            11%

Note: Due to rounding, numbers reported may not reconcile precisely with raw data.

Figure 13: Alignment of security spending with business objectives

Completely aligned     30%
Somewhat aligned       46%
Poorly aligned         14%
Not aligned            10%

Note: Due to rounding, numbers reported may not reconcile precisely with raw data.

Finding #12. An effective coach is key to a winning team. Respondents say executives still have work to do in demonstrating their leadership in security strategy. Security leaders, meanwhile, still lack adequate access to the executive suite. We asked respondents to name the most significant barriers to improving the overall strategic effectiveness of the information security function. Many of the respondents point to the top: More than one in five name the CEO, board, or equivalent, while another 15% single out the CIO and 14% cite senior security officers. Added together, more than half of respondents say top-level leadership is the greatest obstacle to improving information security effectiveness, a larger number than any single category, including insufficient capital and operating funds, lack of strategy, and a shortage of skilled workers.

The data pointing to a lack of C-suite leadership in information security makes sense considering that the security function often lacks a direct channel to the real decision-makers. Reporting to the top of the house is a mark of the true security leader, but only about one-third of senior information security executives report directly to the CEO, a lower rate than in 2009 and 2010. The percentage reporting to the CFO (13%) dipped slightly from last year, but remains in the same range as in recent surveys.

Figure 14: Greatest obstacles to improving the overall strategic effectiveness of the organization's information security function, 2011 vs. 2012 (chart). Obstacles shown: Leadership: CEO, president, board, or equivalent; Leadership: CIO or equivalent; Leadership: CISO, CSO, or equivalent; Lack of an effective information security strategy; Lack of an actionable vision or understanding of how future business needs impact information security; Insufficient capital expenditures; Insufficient operating expenditures; Absence or shortage of in-house technical expertise; Poorly integrated or overly complex information/IT systems.

Note: Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

Finding #13. People who don't know how to do things rarely do them well, which makes the lack of staff and resources available for security training a significant problem. No security program can be effective without adequate training, yet only about half of respondents report that their companies have employee security and privacy awareness training programs. One place where the impact is evident: Lack of training is cited as a top reason why contingency and response plans are not effective.

Security awareness personnel are expensive to employ and training via the Internet is increasingly popular, so constraints on staffing are understandable. Still, the level of personnel deployed on the training front, and the trend in that area, raise serious questions. This year saw a decrease in staff dedicated to employee awareness programs for internal policies, procedures, and technical standards, from 51% to 47%, and also a decline in the employment of information security consultants.

Figure 15: Information security safeguards related to people, 2011 vs. 2012 (chart). Safeguards shown: Conduct personnel background checks; Have people dedicated to employee awareness programs for internal policies, procedures, and technical standards; Have people dedicated to monitoring employee use of Internet/information assets; Link security, either through organizational structure or policy, to privacy and/or regulatory compliance; Employ Chief Information Security Officer (CISO) in charge of the security program; Integrate physical security and information security personnel; Employ information security consultants; Employ dedicated security personnel that support internal business departments; Employ Chief Security Officer (CSO) in charge of the security program; None of the above.

Note: Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

IV. The new world order: Asia advances, South America makes its move, and other regions try to maintain
Finding #14
Years of investment pay off as Asia leads the world in security practices and performance.

Finding #15
Security budgets are almost flat in North America, but certain strategies show gains.

Finding #16
As spending stalls in Europe and safeguards weaken, some security practices are improving.

Finding #17
South America plays catch-up on security investments and emerges as a leader in some important categories.


Finding #14. Years of investment pay off as Asia leads the world in security practices and performance.

Among all regions, Asia has the fewest respondents who expect a decrease in security budgets this year. In fact, roughly 60% of Asian respondents expect to see an increase over the next 12 months. That's down from 74% in 2011, but still among the highest of any region. But Asia's success in creating a culture of security goes beyond spending. The region, in fact, boasts the highest number of self-proclaimed front-runners among our survey respondents. Confidence in information security runs high in Asia, and at least some of this confidence is justified by the extent to which strategy, technology, and processes are in place. For example, senior security executives report directly to the CEO more often in Asia than elsewhere, an important measure of security's place in organizational culture. And it's clear that this culture of security runs deep: Asian organizations are the second most likely to bake security into major projects from the start, and are more likely than their peers in other regions to base security spending on factors like business continuity and disaster recovery, rather than on other external drivers. Asia respondents also put their organizations at or near the top of global averages in terms of security and privacy technology deployment, and also in terms of process. As for keeping up with new challenges, Asia rates highly for mobile security initiatives and cloud security strategy.

Finding #15. Security budgets are almost flat in North America, but certain strategies show gains.

Plan your work and work your plan: That seems to be the motto in North America. At first glance, the budget outlook for the region is uninspiring. Only about one-third of respondents expect to see a bump in their security budgets next year, continuing a modest upward trend but far behind Asia and South America. Almost the same percentage, a larger percentage than in any other region, expects budgets to remain flat, and uncertainty hangs over the discussion of dollars, with almost one-quarter of respondents saying they do not know where spending is headed. But look a little closer and one trend emerges: predictable outcomes. Responses from North American organizations indicate that they are the best in the world at staying on plan when it comes to IT projects. Based on their survey responses, they are the least likely to defer capital or operational projects, and the deferrals that do happen tend to be shorter than those in other regions. And North American firms are the least likely to cut budgets for capital and operational projects. This strength in process and planning extends to other areas. Respondents say that their contingency plans for downtime, for example, are quite effective. Indeed, average downtimes over the past 12 months as a result of security incidents (unavailable services/applications/network) are lower in North America than in other regions. Other areas in which North American respondents indicate superior performance when measured against peers include the vital areas of mobility, social media, and the cloud. While progress in these realms still lags the adoption rates of the technologies, North America ties with Asia for the lead in cloud security strategy and is tops in mobile and social networking security, the latter by a considerable margin. Another distinction: Responses from North American firms indicate that they are far and away the least likely to outsource security functions.

Finding #16. As spending stalls in Europe and safeguards weaken, some security practices are improving.

European respondents claim modest confidence in the effectiveness of their information security policies and activities. The region has a lower percentage of self-proclaimed front-runners than any part of the globe except the Middle East and South Africa. And as Winston Churchill might have put it, these executives have much to be modest about. Spending remains in the doldrums. Expectations for budget growth are higher than in North America, but Europe also leads every region except the Middle East and South Africa in the share of respondents looking at lower budgets (14%). Both security spending and security policies are less well aligned with business goals than in other established regions. Europe does lead the world in the percentage of firms that employ chief privacy officers or the equivalent, and also rates highly in terms of employing CISOs and chief security officers (CSOs). However, these executives report to the top of the house less often than in the three other leading regions. Europe scores poorly in terms of privacy technology and policy, and only the Middle East and South Africa have fewer senior security executives reporting directly to the CEO.

Finding #17. South America plays catch-up on security investments and emerges as a leader in some important categories.

An upbeat mood is evident in South America, where spending has picked up after a fallow spell and confidence is on the rebound. More than 60% of respondents expect to see their security budgets increase in the next 12 months, including the highest proportion in any region expecting very large budget increases of 30% or more. Conversely, deferrals and cuts to project budgets are more frequent than in most other regions. The surge of investment comes as tough economic times were beginning to deplete the region's security arsenal. Now South American respondents are at or near the top of global rankings for confidence in security culture and the effectiveness of security activities. In terms of privacy and security technologies, South America tends to outscore Europe and in some cases has surpassed North America.

Looking to the future, South American respondents indicate the region is doing pretty well in terms of initiatives for mobile security, at least as compared with regions other than Asia. Respondents are also bullish about the cloud's impact on security. South America trails only Asia in the frequency of security policy reviews. Outsourcing of various security functions, however, is more common among South American respondents than among respondents from any other region.

Figure 16: Differences in regional information security practices, Asia vs. North America

Percentage of respondents; each row gives Asia 2009 / 2011 / 2012, then North America 2009 / 2011 / 2012.

Security spending will increase over next 12 months: Asia 53 / 74 / 61; North America 29 / 31 / 34
Don't know number of security incidents in past 12 months: Asia 21 / 3 / 11; North America 41 / 17 / 20
Don't know types of security incidents in past 12 months: Asia 30 / 6 / 9; North America 47 / 20 / 19
Don't know estimated likely source of incidents in past 12 months: Asia 32 / 17 / 14; North America 45 / 37 / 29
Have overall security strategy in place: Asia 66 / 76 / 74; North America 73 / 58 / 75
Use identity management technology: Asia 49 / 62 / 50; North America 47 / 33 / 36
Dedicate security personnel to internal business departments: Asia 48 / 61 / 47; North America 42 / 36 / 35
Have malicious code detection tools: Asia 70 / 81 / 73; North America 78 / 86 / 71
Have tools to discover unauthorized devices: Asia 54 / 65 / 51; North America 57 / 58 / 48
Have vulnerability scanning tools: Asia 55 / 71 / 53; North America 59 / 59 / 48
A written privacy policy is in place and published on our external website: Asia 29 / 34 / 42; North America 40 / 29 / 49
Conduct compliance audits of third parties that handle personal data of customers and employees: Asia 33 / 43 / 29; North America 45 / 27 / 26
Use data loss prevention (DLP) tools: Asia 44 / 57 / 41; North America 49 / 48 / 41
Encrypt databases: Asia 65 / 76 / 59; North America 59 / 50 / 47
Use secure browsers: Asia 63 / 78 / 63; North America 68 / 77 / 57
Have implemented web services security: Asia 57 / 71 / 57; North America 58 / 58 / 46

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

Figure 17: Differences in regional information security practices, Europe vs. South America

Percentage of respondents; each row gives Europe 2009 / 2011 / 2012, then South America 2009 / 2011 / 2012.

Deferred initiatives for security-related capital expenditures: Europe 39 / 56 / 49; South America 49 / 68 / 52
Deferred initiatives for security-related operating expenditures: Europe 35 / 54 / 47; South America 44 / 63 / 48
Reduced budgets for security-related capital expenditures: Europe 43 / 57 / 48; South America 50 / 66 / 47
Reduced budgets for security-related operating expenditures: Europe 41 / 56 / 48; South America 48 / 66 / 47
Have overall security strategy in place: Europe 59 / 59 / 70; South America 56 / 60 / 69
Employ CISO: Europe 45 / 51 / 49; South America 45 / 53 / 50
Implemented a centralized security information management process: Europe 43 / 34 / 43; South America 50 / 38 / 48
Conduct personnel background checks: Europe 44 / 44 / 42; South America 55 / 53 / 50
Have inventory of all third parties handling employee/customer personal data: Europe 20 / 18 / 24; South America 27 / 25 / 27
Require third parties to comply with our privacy policies: Europe 31 / 22 / 30; South America 32 / 28 / 36
Use intrusion detection tools: Europe 50 / 58 / 47; South America 59 / 57 / 56
Have web content filters: Europe 55 / 72 / 55; South America 64 / 72 / 68
Are confident that our organization's information security is effective: Europe 73 / 62 / 66; South America 89 / 71 / 75
Are confident that our partners'/suppliers' information security is effective: Europe 65 / 62 / 64; South America 86 / 70 / 71

Note: Not all factors shown. Totals do not add up to 100%. Respondents were allowed to indicate multiple factors.

What this means for your business

Understanding the practices of true information security leaders can help you improve your organization's security game.

Thousands of executives participated in this survey. These are people who take information security seriously. Indeed, their jobs, and the success of their organizations, depend on getting it right. Yet just 8% responded to our questions in ways that met our criteria for true leaders in the field, an elite group with the vision, determination, skills, and support to create the most effective security organizations. Leaders comprise a higher percentage of respondents from North America and Asia than from either Europe or South America. In general terms, executives who are leaders are more likely to work at a large company than a smaller one, and to command larger IT and security budgets than their peers.

How leaders play the game

Organizations that are true leaders in information security are much more likely than other companies to employ integrated approaches and frameworks that combine compliance, privacy and data usage, security, and identity theft. Leaders are less likely to cut security spending and more likely to increase it, and they score higher than non-leaders on almost every area of security preparedness. They measure financial losses more thoroughly, and are much better aligned with overall business strategy than non-leaders, although there is substantial room for improvement on that front, especially in terms of how they spend their money. Interestingly, leaders are more likely than other survey respondents to blame their companies' most senior executives for security shortcomings.

The distance between leaders and the rest of our respondents is very wide in some key areas. For example, leaders are far less likely to defer projects and suffer cuts to project budgets. They are also much more likely to employ a CISO than the overall survey population (90% vs. 42%) and to employ a CSO (70% vs. 34%). When it comes to securing newer technologies such as mobile devices, social media, and the cloud, leaders are ahead of the pack on strategy, and have a sizable lead in deploying mobile device malware protection and launching mobile security initiatives. Finally, leaders are far more aware of what's going on in their organizations than the average respondent. On question after question, either no leaders or a very small fraction of the group said they did not know the answer, while "do not know" responses among the general respondent population routinely registered 15% or more.

What you can do to improve your performance

Information security today is a rapidly evolving game of advanced skill and strategy. As a result, the security models of the past decade are no longer effective. Today's information security leaders acknowledge that playing the game at a higher level is required to achieve effective security. They know that the very survival of the business demands that they understand security threats, prepare for them, and respond to them quickly.

Businesses seeking to strengthen their security practice must:
- Implement a comprehensive risk-assessment strategy and align security investments with identified risks
- Understand their organization's information, who wants it, and what tactics adversaries might use to get it
- Understand that information security requirements, and indeed overall strategies for doing business, have reached a turning point
- Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value for the business

Ask us, and we can provide you with more details on the way leaders play a better game and how their moves are relevant to your organization.

www.pwc.com/giss2013

For more information, please contact:

Gary Loveland, Products & Services Industries, 949 437 5380, gary.loveland@us.pwc.com
Mark Lobel, Products & Services Industries, 646 471 5731, mark.a.lobel@us.pwc.com
Joe Nocera, Financial Services Industry, 312 298 2745, joseph.nocera@us.pwc.com
Peter Harries, Health Industries, 213 356 6760, peter.harries@us.pwc.com
John Hunt, Public Sector, 703 918 3767, john.d.hunt@us.pwc.com
Dave Burg, Forensic Services, 703 918 1067, david.b.burg@us.pwc.com
Dave Roath, Risk Assurance Services, 646 471 5876, david.roath@us.pwc.com

Or visit: www.pwc.com/giss2013

The Global State of Information Security is a registered trademark of International Data Group, Inc. © 2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. DH-13-0028.th

www.pwc.com/security

Changing the game

While tight budgets have forestalled updates to security programs, many businesses are confident they're winning the game. But the rules, and the players, have changed.

Key findings from The Global State of Information Security Survey 2013
September 2012

"You can't succeed in today's elevated threat environment if you don't know the players and you don't know the rules."
Gary Loveland, Principal, PwC

Information security has always been a high-stakes game. One that demands a smart strategy, the right technology moves, and an unblinking eye on adversaries. For many businesses, however, it has become a pursuit that is almost impossible to win. That's because the rules have changed, and opponents, old and new, are armed with expert technology skills. As a result, the risks are greater than ever.

Businesses are fighting back by adopting new detection and prevention technologies. At the same time, governments around the world are enacting legislation to combat cyber threats. And regulatory bodies are issuing new guidance on disclosure obligations for cyber incidents. Yet risks to data security continue to intensify and show no signs of abating. Those keeping score agree that the bad guys appear to be in the lead.

Nonetheless, many businesses believe they are winning. The Global State of Information Security Survey 2013 shows that most executives across industries are confident in the effectiveness of their information security practices. They believe their strategies are sound and many consider themselves to be leaders in the field. The odds, however, are not in their favor: Diminished budgets have resulted in degraded security programs, reported security incidents are on the rise, and new technologies are being adopted faster than they can be safeguarded. Given today's elevated threat environment, businesses can no longer afford to play a game of chance. They must prepare to play a new game, one that requires advanced levels of skill and strategy to win.

Agenda

Section 1. Methodology
Section 2. A game of confidence
Section 3. Meet the leaders
Section 4. A game of risk
Section 5. It's how you play the game
Section 6. The new world order
Section 7. What this means for your business

Section 1. Methodology

A worldwide study

The Global State of Information Security Survey 2013, a worldwide study by PwC, CIO Magazine, and CSO Magazine, was conducted online from February 1, 2012 to April 15, 2012.
- PwC's 15th year conducting the online survey, 10th with CIO and CSO magazines
- Readers of CIO and CSO magazines and clients of PwC from 128 countries
- More than 9,300 responses from CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security
- More than 40 questions on topics related to privacy and information security safeguards and their alignment with the business
- Thirty-three percent (33%) of respondents from companies with revenue of $500 million+
- Forty percent (40%) of respondents were from North America, 26% from Europe, 18% from Asia, 14% from South America, and 2% from the Middle East and South Africa
- Margin of error less than 1%

A global, cross-industry survey of business and IT executives

Respondents by region of employment: North America 40%; Europe 26%; Asia 18%; South America 14%; Middle East & South Africa 2%

Respondents by title: CEO, CFO, COO 21%; CISO, CSO, CIO, CTO 14%; IT & Security (Mgmt) 21%; IT & Security (Other) 31%; Compliance, Risk, Privacy 13%

Respondents by company revenue size: Small (< $100M US) 33%; Medium ($100M to $1B US) 20%; Large (> $1B US) 25%; Non-profit/Gov/Edu 7%; Do not know 15%

(Numbers reported may not reconcile exactly with raw data due to rounding.)

Survey response levels by industry

Number of responses this year:
Technology 1,469
Financial Services 1,338
Retail & Consumer Products 1,169
Industrial Products 775
Public Sector 730
Telecommunications 511
Healthcare Providers 467
Entertainment & Media 378
Aerospace & Defense 242
Automotive 218
Power & Utilities 201
Energy (Oil & Gas) 136
Pharmaceutical 112

Section 2. A game of confidence: Organizations assess their security practices

Respondents are confident in their security practices.

42% of respondents say their organization has a strategy in place and is proactive in executing it, exhibiting two distinctive attributes of a leader.

Self-characterization of approach to protecting information security, 2011 / 2012:
Front-runners ("We have an effective strategy in place and are proactive in executing the plan"): 43% / 42%
Strategists ("We are better at 'getting the strategy right' than we are at executing the plan"): 27% / 25%
Tacticians ("We are better at 'getting things done' than we are at defining an effective strategy"): 15% / 16%
Firefighters ("We do not have an effective strategy in place and are typically in a reactive mode"): 14% / 16%

Question 28: "Which category below best characterizes your organization's approach to protecting information security?" (Numbers reported may not reconcile exactly with raw data due to rounding.)

Most believe they have instilled effective information security behaviors into organizational culture.

To be effective, security must be integral to the way people think and work, not just another item to be checked off a list. 68% of respondents are either very or somewhat confident they have instilled effective security behaviors into their organizational culture.

Very confident: 29%
Somewhat confident: 39%
Total confident: 68%

Question 35: How confident are you that your organization has instilled effective information security behaviors into the organizational culture? (Not all factors shown. Totals do not add up to 100%.)

A majority of respondents say their information security activities are effective, but this confidence is eroding.

Confidence is a good thing. More than 70% of respondents are very (32%) or somewhat (39%) confident that their organization's information security activities are effective. Yet they may not realize that assurance has dropped since 2008.

Confident (somewhat or very) that information security activities are effective: 2008 83%; 2009 82%; 2010 74%; 2011 72%; 2012 71%

Question 41: How confident are you that your organization's information security activities are effective?

Section 3. Meet the leaders: Measuring self-appraisals against our criteria for leadership

A check-list for defining information security leaders.

Self-appraisals can be misleading. To determine the real leaders in information security, we compared respondents' self-assessments against four key criteria to define leadership. To qualify as a leader, organizations must:
- Have an overall information security strategy
- Employ a CISO or equivalent who reports to the top of the house (i.e., to the CEO, CFO, COO or legal counsel)
- Have measured and reviewed the effectiveness of security within the past year
- Understand exactly what type of security events have occurred in the past year

A reality check on real leaders.

Our analysis reveals that only 8% of respondents rank as real leaders. A comparison of this group with the much larger cohort of self-proclaimed front-runners suggests that many organizations have opportunities to improve their security practices.

Leaders: 8%
Front-runners: 42%

Leaders are identified by responses to Question 13A: "Where / to whom does your CISO, CSO, or equivalent senior information security executive report?"; Question 14: "What process information security safeguards does your organization currently have in place?"; Question 18: "What types of security incidents (breach or downtime) occurred?"; and Question 31: "Over the past year, has your company measured and reviewed the effectiveness of its information security policies and procedures?"

How these leaders play a more competitive game.

Leaders are, by significant margins, more likely than all respondents to have a more mature security practice, implement strategies for newer technologies, and use sophisticated technology tools to safeguard data.

All survey / Leaders:
Expect security spending to increase over the next year: 45% / 74%
Employ a CISO or equivalent: 42% / 90%
Involve information security in major initiatives at project inception: 25% / 45%
Security spending is completely aligned with business goals: 30% / 50%
Confident that effective security behavior is instilled in company culture: 68% / 94%
Have framework integrating compliance, privacy/data use, security, ID theft: 60% / 92%
Have a mobile security strategy: 44% / 57%
Use malicious code detection tools: 71% / 86%
Use intrusion prevention tools: 59% / 78%
Have measured and reviewed security over the past year: 49% / 100%

Section 4. A game of risk: The decline of capabilities over time

Budget increases are slowing after recovery from the global economic crisis.

Purse strings are looser than they were during the recession, but the trend toward bigger security budgets has leveled off. Fewer than half of respondents expect budgets to increase over the next 12 months, while 18% say they don't know where spending is headed.

Respondents expecting security spending to increase over the next 12 months: 2007 44%; 2008 44%; 2009 38%; 2010 52%; 2011 51%; 2012 45%

Question 8: "When compared with last year, security spending over the next 12 months will:" (Respondents who answered "Increase up to 10%," "Increase 11-30%," or "Increase more than 30%")

But there's some good news: Security projects are on track and companies are less likely to cut spending.

Encouragingly, respondents report fewer deferrals and fewer budget cutbacks for security initiatives. Compared with last year, for instance, 24% more respondents say they had not reduced costs of security programs requiring capital expenditures.

2011 / 2012:
My company has not deferred security-related initiatives requiring capital expenditures: 49% / 59%
My company has not reduced the cost of security-related initiatives requiring capital expenditures: 49% / 61%
My company has not deferred security-related initiatives requiring operating expenditures: 52% / 62%
My company has not reduced the cost of security-related initiatives requiring operating expenditures: 50% / 62%

Questions 9A and 10A: Has your company deferred capital and operating security-related initiatives? Questions 9B and 10B: Has your company reduced the capital and operating costs of security-related initiatives?

Reported security incidents inch up, yet financial losses due to breaches decrease significantly.

Respondents reporting 50 or more security incidents per year hit 13%, up slightly from last year and far above the levels of earlier years, yet respondents reporting financial losses dropped to 14% from 20% in 2011. These assessments of financial hits may be inaccurate due to incomplete appraisals of factors that contribute to losses. For instance, only 27% consider damage to brand/reputation and only 35% factor in legal defense costs.

Factors included in the calculation of financial losses:
Loss of customer business 52%
Legal defense services 35%
Investigations and forensics 35%
Audit and consulting services 34%
Deployment of detection software, services, and policies 31%
Damage to brand/reputation 27%
Court settlements 26%

Question 17: Number of security incidents in the past 12 months. Question 21: How was your organization impacted by the security incident? Question 21C: What factors are included in your company's calculation of these financial losses? (Not all factors shown. Totals do not add up to 100%.)

Security budgets are driven by the economy, not security needs.

Almost half (46%) of respondents say economic conditions rank as the top driver of security spending. Business continuity/disaster recovery is the highest security-specific response.

Chart: percentage of respondents citing each driver of security spending, 2009 through 2012, for economic conditions, business continuity/disaster recovery, company reputation, change and business transformation, internal policy compliance, and regulatory compliance; economic conditions led in 2012 at 46%.

Question 37: What business issues or factors are driving your company's information security spending? (Not all factors shown.)

Use of some key technology safeguards resumed a decline after last year's uptick.

The future looked bright last year as many companies stepped up investments in prevention and detection safeguards. This year, however, saw a decrease in deployment of these important tools.

Chart: percentage of respondents deploying each tool, 2009 through 2012, for malicious code detection tools (spyware & adware), intrusion detection tools, tools to discover unauthorized devices, vulnerability scanning tools, data loss prevention (DLP) tools, and security event correlation tools.

Question 15: What technology information security safeguards does your organization currently have in place? (Not all factors shown.)

Security policies have grown less robust and inclusive.

Many organizations are omitting fundamental elements of security from their overall policies.

Chart: percentage of respondents whose security policy includes each element, 2010 through 2012, for backup and recovery / business continuity, user administration, application security, logging and monitoring, regular review of users and access, physical security, inventory of assets / asset management, and classifying business value of data.

Question 32: Which of the following elements, if any, are included in your organization's security policy? (Not all factors shown.)

Respondents know less about their data now than they did three years ago.

While more than 80% of respondents say protecting employee and customer data is important, far fewer understand what that data entails and where it is stored. This is significant because, increasingly, consumers want to be in control of their personal data and turn off the flow of information from companies.[1]

Accurate inventory of locations or jurisdictions where data is stored: 2009 39%; 2010 35%; 2011 29%; 2012 31%
Accurate inventory of where personal data for employees and customers are collected, transmitted, and stored: 2009 40%; 2010 39%; 2011 33%; 2012 34%

Question 38: What level of importance does your company place on protecting the following types of information? Question 11: Which data privacy safeguards does your organization have in place?
[1] PwC, Consumer privacy: What are consumers willing to share? July 2012

Technology adoption is moving faster than security implementation.

Across industries, organizations are struggling to keep pace with the adoption of cloud computing, social networking, mobility, and use of personal devices. Yet these new technologies often are not included in overall security plans even though they are widely used. In a recent survey, for instance, we found that 88% of consumers use a personal mobile device for both personal and work purposes.[2]

Chart: percentage of respondents with a security strategy in place, 2011 vs. 2012, for cloud security, mobile device security, social media security, and employee use of personal devices in the enterprise.

Question 14: What process information security safeguards does your organization currently have in place? (Not all factors shown. Totals do not add up to 100%.)
[2] PwC, Consumer privacy: What are consumers willing to share? July 2012

Section 5. It's how you play the game: Alignment, leadership, and training are key

Respondents report that security strategies and security spending are well-aligned with business goals.

Strategies and budgets should be measured against their alignment with the goals of the larger organization. By that standard, most respondents believe their security efforts and security dollars are well-targeted.

Security spending: completely aligned with business objectives 30%; somewhat aligned 46%; total 76% aligned
Security policies: completely aligned with business objectives 33%; somewhat aligned 46%; total 79% aligned

Question 33: "In your opinion, how well are your company's security policies aligned with your company's business objectives?" Question 34: "In your opinion, how well is your company's security spending aligned with your company's business objectives?" (Not all factors shown. Totals do not add up to 100%.)

What keeps security from being what it should be?

50% of respondents perceive top-level leadership to be an obstacle to improving information security. The most-cited single hindrance is insufficient capital expenditures, followed by lack of actionable vision.

Greatest obstacles, 2011 / 2012:
Leadership: CEO, president, board, or equivalent: 23% / 21%
Leadership: CIO or equivalent: 17% / 15%
Leadership: CISO, CSO, or equivalent: 17% / 14%
Insufficient capital expenditures: 27% / 26%
Lack of actionable vision or understanding: 26% / 24%
Lack of an effective information security strategy: 26% / 22%

Question 29: What are the greatest obstacles to improving the overall strategic effectiveness of your organization's information security function? (Not all factors shown. Totals do not add up to 100%.)

Fewer than half of respondents have security training programs for employees.

No security program can be effective without adequate training, yet only 49% of respondents have an employee security awareness training program in place. Even fewer have staff dedicated to security awareness.

Information security safeguards, 2009 / 2010 / 2011 / 2012:
Have employee security awareness training program: 53% / 49% / 43% / 49%
Have people dedicated to employee awareness programs: 58% / 55% / 51% / 47%

Question 13: What information security safeguards related to people does your organization have in place? Question 14: What process information security safeguards does your organization currently have in place? (Not all factors shown. Totals do not add up to 100%.)

Section 6: The new world order: Asia advances, South America makes its move, and other regions try to maintain

Years of investment pay off as Asia leads the world in security practices and performance.
Despite some degradation over last year and a mixed spending outlook, Asia's overall level of information security technologies, policies, and spending is higher than that of other regions.

Asia                                                                                 2011   2012
Employ a Chief Information Security Officer                                           48%    46%
CISO reports to CEO                                                                   40%    43%
Employ a Chief Privacy Officer                                                        32%    36%
Have reduced budgets for security initiatives requiring capital expenditures          39%    35%
Have reduced budgets for security initiatives requiring operating expenditures        39%    34%
Have business continuity/disaster recovery plan                                       47%    49%
Information security becomes involved in major initiatives at project inception       N/A    28%
No downtime over the past 12 months as a result of security incidents                 13%    17%
Have a mobile device security strategy                                                54%    47%
Have an effective strategy in place and are proactive in executing the plan           55%    46%
Security spending will increase over the next 12 months                               74%    61%
(Not all factors shown.)

Security budgets are almost flat in North America, but certain strategies show gains.
Despite low expectations for security budgets, North America leads in keeping projects on track and makes some gains in practices like training, mobility, and business continuity/disaster recovery.

North America                                                                        2011   2012
Security spending will increase over the next 12 months                               31%    34%
Have reduced budgets for security initiatives requiring capital expenditures          40%    30%
Have deferred security initiatives requiring capital expenditures                     40%    32%
Have an effective strategy in place and are proactive in executing the plan           39%    42%
Have an overall information security strategy                                         58%    75%
Have an effective contingency plan for downtime due to security incidents             69%    73%
Have business continuity/disaster recovery plans                                      46%    56%
Have an accurate inventory of employees' and customers' personal data                 30%    38%
Have employee security awareness training program                                     42%    54%
Have a mobile device security strategy                                                34%    47%
Have security strategy for use of personal devices on the enterprise                  37%    46%
(Not all factors shown.)

As spending stalls in Europe and safeguards weaken, some security practices are improving.
Europe ranks low in the number of self-identified front-runners. But the Continent does lead in the percentage of Chief Privacy Officers on staff, and rates highly at employing CISOs and CSOs. It trails most other regions in security and privacy safeguards, however.

Europe                                                                               2011   2012
Security spending will increase over the next 12 months                               43%    43%
Have reduced budgets for security-related capital expenditures                        57%    48%
Have reduced budgets for security-related operating expenditures                      56%    48%
Have an effective strategy in place and are proactive in executing the plan           41%    40%
Employ a Chief Privacy Officer                                                        31%    44%
Have business continuity/disaster recovery plans                                      32%    43%
Security policies are aligned with business objectives                                70%    74%
Have an accurate inventory of employees' and customers' personal data                 26%    29%
Have an employee security awareness training program                                  33%    42%
Have a mobile device security strategy                                                30%    39%
Have malicious code detection tools                                                   80%    67%
(Not all factors shown.)

South America plays catch-up on security investments and emerges as a leader in some important categories.
Confidence is high in South America, where spending is robust and initiatives for technologies like mobility and business continuity/disaster recovery are advancing.

South America                                                                        2011   2012
Security spending will increase over the next 12 months                               65%    63%
Have reduced budgets for security-related capital expenditures                        66%    47%
Have reduced budgets for security-related operating expenditures                      66%    47%
Have an effective strategy in place and are proactive in executing the plan           42%    42%
Are confident that our information security activities are effective                  71%    75%
Employ a Chief Information Security Officer                                           53%    50%
Have a mobile device security strategy                                                32%    41%
Have an accurate inventory of employees' and customers' personal data                 29%    30%
Require third parties to comply with our data privacy policies                        28%    36%
Cloud computing has improved security                                                 56%    61%
Have business continuity/disaster recovery plan                                       30%    40%
(Not all factors shown.)

Section 7: What this means for your business

What you can do to improve your performance.

Information security today is a rapidly evolving game of advanced skill and strategy. As a result, the security models of the past decade are no longer sufficient. Effective security requires a new way of thinking. The very survival of the business demands that security leaders understand, prepare for, and quickly respond to security threats.

Businesses seeking to strengthen their security practice must:
- Implement a comprehensive risk-assessment strategy and align security investments with identified risks.
- Understand the organization's information, who wants it, and what tactics adversaries might use to get it.
- Understand that information security requirements and, indeed, overall strategies for doing business have reached a turning point.
- Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value for the business.

For more information, please contact:

Gary Loveland, Products & Services Industries, 949.437.5380, gary.loveland@us.pwc.com
Mark Lobel, Products & Services Industries, 646.471.5731, mark.a.lobel@us.pwc.com
Joe Nocera, Financial Services Industry, 312.298.2745, joseph.nocera@us.pwc.com
Peter Harries, Health Industries, 213.356.6760, peter.harries@us.pwc.com
John Hunt, Public Sector, 703.918.3767, john.d.hunt@us.pwc.com
Dave Burg, Forensic Services, 703.918.1067, david.b.burg@us.pwc.com
Dave Roath, Risk Assurance Services, 646.471.5876, david.roath@us.pwc.com

Or visit www.pwc.com/giss2013 to explore the data for your industry and benchmark yourself.
The Global State of Information Security is a registered trademark of International Data Group, Inc. © 2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

www.pwc.com/security

Changing the game

While tight budgets have forestalled updates to security programs, many businesses are confident they're winning the game. But the rules and the players have changed.

Pharmaceuticals

Key findings from The Global State of Information Security Survey 2013
September 2012

"You can't succeed in today's elevated threat environment if you don't know the players and you don't know the rules." Gary Loveland, Principal, PwC

Information security has always been a high-stakes game, one that demands a smart strategy, the right technology moves, and an unblinking eye on adversaries. For many businesses, however, it has become a pursuit that is almost impossible to win. That's because the rules have changed, and opponents, old and new, are armed with expert technology skills. As a result, the risks are greater than ever. Businesses are fighting back by adopting new detection and prevention technologies. At the same time, governments around the world are enacting legislation to combat cyber threats. And regulatory bodies are issuing new guidance on disclosure obligations for cyber incidents. Yet risks to data security continue to intensify and show no signs of abating. Those keeping score agree that the bad guys appear to be in the lead.

Nonetheless, many businesses believe they are winning. The Global State of Information Security Survey 2013 shows that most executives in the global pharmaceuticals industry are confident in the effectiveness of their information security practices. They believe their strategies are sound and many consider themselves to be leaders in the field. The odds, however, are not in their favor: Diminished budgets have resulted in degraded security programs, reported security incidents are on the rise, and new technologies are being adopted faster than they can be safeguarded. Given today's elevated threat environment, businesses can no longer afford to play a game of chance. They must prepare to play a new game, one that requires advanced levels of skill and strategy to win.

Agenda

Section 1. Methodology
Section 2. A game of confidence
Section 3. A game of risk
Section 4. It's how you play the game

Section 1: Methodology

A worldwide study

The Global State of Information Security Survey 2013, a worldwide study by PwC, CIO Magazine, and CSO Magazine, was conducted online from February 1, 2012 to April 15, 2012.
- PwC's 15th year conducting the online survey, 10th with CIO and CSO magazines
- Readers of CIO and CSO magazines and clients of PwC from 128 countries
- More than 9,300 responses from CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security
- More than 40 questions on topics related to privacy and information security safeguards and their alignment with the business
- Thirty-three percent (33%) of respondents from companies with revenue of $500 million+
- Survey included 112 respondents from the pharmaceuticals industry
- Margin of error less than 1%

Demographics

Pharma respondents by region of employment: North America 35%; Europe 32%; Asia 20%; South America 11%; Middle East & South Africa 3%.

Pharma respondents by title: IT & Security (Other) 32%; CISO, CSO, CIO, CTO 25%; IT & Security (Mgmt) 20%; Compliance, Risk, Privacy 13%; CEO, CFO, COO 11%.

Pharma respondents by company revenue size: Large (> $1B US) 37%; Medium ($100M to $1B US) 25%; Small (< $100M US) 13%; Non-profit/Gov/Edu 4%; Do not know 21%.

(Numbers reported may not reconcile exactly with raw data due to rounding)

Section 2: A game of confidence

Pharma respondents are confident in their security practices.

47% of pharma respondents say their organization has a strategy in place and is proactive in executing it, exhibiting two distinctive attributes of a leader.

Approach to protecting information security                                                          2011   2012
Front-runners: We have an effective strategy in place and are proactive in executing the plan         49%    47%
Strategists: We are better at "getting the strategy right" than we are at executing the plan          20%    18%
Tacticians: We are better at "getting things done" than we are at defining an effective strategy      22%    18%
Firefighters: We do not have an effective strategy in place and are typically in a reactive mode      12%    14%

Question 28: "Which category below best characterizes your organization's approach to protecting information security?"

A reality check on real leaders.

But are they really leaders? We measured pharma respondents' self-appraisal against four key criteria to define leadership. To qualify, they must:
- Have an overall information security strategy
- Employ a CISO or equivalent who reports to the top of the house (e.g., to the CEO, CFO, COO, or legal counsel)
- Have measured and reviewed the effectiveness of security within the past year
- Understand exactly what type of security events have occurred in the past year
The result? Our analysis found that 10% of pharma respondents rank as leaders.

Chart: Pharma leaders 10%; All pharma respondents 100%.

Leaders are identified by responses to Question 13A: Where / to whom does your CISO, CSO, or equivalent senior information security executive report? Question 14: What process information security safeguards does your organization currently have in place? Question 18: What types of security incidents (breach or downtime) occurred and Question 31: Over the past year, has your company measured and reviewed the effectiveness of its information security policies and procedures?

Many pharma companies lack incident response processes and compliance policies for third parties.
Data privacy is paramount in the pharmaceuticals industry, yet most respondents say they do not have a process in place to handle third-party breaches. What's more, only 42% require third parties to comply with their privacy policies.

Third-party safeguard                                                                                          2009   2010   2011   2012
My company has an incident response process to report and handle breaches to third parties that handle data    43%    35%    32%    36%
My company requires third parties (including outsourcing vendors) to comply with our policies                  35%    37%    34%    42%

Question 35: How confident are you that your organization has instilled effective information security behaviors into the organizational culture? Question 11: Which data privacy safeguards does your organization have in place?

Most respondents say their information security activities are effective, but this confidence is eroding.
Confidence is a good thing. A strong 76% of pharma respondents say they are confident their company's security activities are effective, but they may not realize that assurance has dropped considerably since 2009.

Chart: Confident (somewhat or very) that information security activities are effective, 2009 through 2012: 88% in 2009, 76% in 2012 (intermediate values shown on the chart: 80% and 67%).

Question 41: How confident are you that your organization's information security activities are effective?

New data regulations and electronic health records are the primary drivers of security spending.
Increased regulation of data, including privacy, security, and breach laws, is the top influence on security spending, followed by implementation of electronic health records and expanding global operations.

Chart: trends driving investment in information security, listed in the order shown (values on the chart, from the top bar down: 43%, 41%, 41%, 36%, 32%, 27%, 25%, 23%):
- New global privacy, security, and breach laws and enforcements creating restrictions on data uses / transfers
- Implementation of electronic health records (EHRs)/public health records (PHRs)
- More global operations, trials, outsourcing, and reliance on third parties
- Increased drive for outcome-based research and health analytics
- Reduced pharmaceutical sales force and electronic detailing tools and databases
- More specialty pharma involving direct contact with patients
- Increased integration of technology and standards related to M&A
- Increased sharing of, access to, and risks to health data via health information exchanges

(Asked only of Pharmaceuticals respondents) Question 1: Which trends are driving your investment in information security?

Many pharma firms may be unprepared to solve their biggest security challenges.
Respondents identified the top five security issues they face this year, but many may not have implemented the strategies necessary to address them.

Top 5 security challenges                              What's holding them back?
1. Meeting regulatory requirements                     Only 38% have a strategy for compliance with regulatory requirements
2. Protecting intellectual property                    Only 24% have implemented procedures dedicated to protecting IP
3. Compliance with document-retention requirements     Only 45% have a security policy for data protection, disclosure, and destruction
4. Securing mobile devices                             Only 58% have a mobile device security strategy
5. Cloud computing                                     Only 31% have a cloud security strategy

(Asked only of Pharmaceutical respondents) Question 2: Please identify your top five security challenges. Question 14: What process information security safeguards does your organization currently have in place? Question 32: Which of the following elements, if any, are included in your organization's security policy?

Among pharma respondents, the outlook for security spending over the next 12 months is mixed.
37% of respondents expect security budgets to increase in the year ahead. More encouragingly, respondents report fewer deferrals and fewer budget cutbacks for security initiatives. Compared with last year, for instance, 31% more respondents say they had not deferred security programs requiring operating expenditures.

Security-related initiatives                                                                          2011   2012
My company has not deferred security-related initiatives requiring capital expenditures                55%    59%
My company has not reduced the cost of security-related initiatives requiring capital expenditures     52%    65%
My company has not deferred security-related initiatives requiring operating expenditures              55%    66%
My company has not reduced the cost of security-related initiatives requiring operating expenditures   54%    71%

Question 8: When compared with last year, security spending over the next 12 months will: Questions 9A and 10A: Has your company deferred capital and operating security-related initiatives? Questions 9B and 10B: Has your company reduced the capital and operating cost of security-related initiatives?

Section 3: A game of risk

Security budgets are not driven by security needs.

Compliance supplanted economic conditions as the top driver of security spending as new regulations governing data movement, global data access, and breach notifications were introduced. Business continuity/disaster recovery was the largest security-specific response, at 33%.

Chart: business issues or factors driving information security spending, 2010 through 2012. Factors shown: Regulatory compliance; Internal policy compliance; Economic conditions; Business continuity / disaster recovery (33% in 2012); Change and business transformation.

Question 37: What business issues or factors are driving your company's information security spending? (Not all factors shown.)

Reported security incidents are on the rise.

11% of pharma respondents report 10-49 security incidents in the last 12 months, up from 8% in 2011. Those reporting the most numerous category of incidents, 50 or more per year, leveled off at 11%, the same as last year but far above rates in previous years. One in four respondents do not know the number of incidents, an uncertainty that suggests ineffective security practices.

Chart: number of security incidents in the past 12 months, 2010 through 2012. Categories shown: None; 10-49; 50 or more; Do not know.

Question 17: Number of security incidents in the past 12 months.

Threats from insiders, particularly current and former employees, are increasing.
Security incidents attributed to current employees are at the highest level in years, as are those blamed on former workers. Threats from other insiders, including providers, consultants, contractors, partners, and suppliers, are also rising.

Chart: estimated likely source of incidents, 2010 through 2012. Categories shown: Current employees; Former employees; Service providers / consultants / contractors; Customers; Partners / suppliers.

Question 20: Estimated likely source of incidents.

Technology adoption is moving faster than security implementation.

As with many industries, pharma is struggling to keep pace with the adoption of cloud computing, social networking, mobility, and use of personal devices. These new technologies often are not included in overall security plans even though they are widely used. In a recent survey, for instance, we found that 88% of consumers use a personal mobile device for both personal and work purposes.1

Chart: security strategies in place, 2011 and 2012. Categories shown: Cloud security strategy; Mobile device security strategy; Social media security strategy; Security strategy for employee use of personal devices on the enterprise.

Question 14: What process information security safeguards does your organization currently have in place? 1 PwC, Consumer privacy: What are consumers willing to share? July 2012

Security policies have grown less robust and inclusive.

Many companies are omitting fundamental elements of security from their overall policies.

Chart: elements included in the organization's security policy, 2010 through 2012. Categories shown: Backup and recovery / business continuity; Physical security; Regular review of users and access; Enforcement mechanism or standards; Use of social networking/Web 2.0 technologies.

Question 32: Which of the following elements, if any, are included in your organization's security policy?

Use of some key technology safeguards resumed a long-term decline after last year's uptick.
The future looked bright last year as many pharma companies stepped up investments in prevention and detection safeguards. This year, however, saw a decrease in deployment of these important tools.

Chart: technology safeguards in place, 2008 through 2012. Categories shown: Malicious code detection tools (spyware & adware); Intrusion prevention tools; Patch management tools; Vulnerability scanning tools.

Question 15: What technology information security safeguards related to detection/prevention does your organization have in place?

Section 4: It's how you play the game

What keeps security from being what it should be?

41% of pharma respondents perceive top-level leadership to be an obstacle to effective security. The most cited single hindrance is lack of an effective security strategy, followed by a shortage of in-house technical expertise.

Greatest obstacles to improving information security                2011   2012
Leadership: CEO, President, Board, or equivalent                     30%    12%
Leadership: CIO or equivalent                                        18%    20%
Leadership: CISO, CSO, or equivalent                                 17%     9%
Lack of an effective information security strategy                   18%    34%
Absence or shortage of in-house technical expertise                  19%    26%
Lack of actionable vision or understanding                           28%    25%
Insufficient capital expenditures                                    27%    22%

Question 29: What are the greatest obstacles to improving the overall strategic effectiveness of your organization's information security function?

Security is not always baked into major projects from the beginning.
Information security sometimes seems like an afterthought, with more than one-third of respondents saying their organization involves security late in the process, during the implementation phase or on an as-needed basis.

Chart: when information security becomes involved in major projects. Categories shown: At project inception; During the analysis and design phases; During the implementation phase; On an as-needed basis; Do not know.

Question 30: When does information security become involved in major projects?

Pharma respondents know less about their data now than they did three years ago.
While at least 84% of respondents say protecting customer and employee data is important, far fewer understand what that data entails and where it is stored. This is significant because, increasingly, understanding data, data flows, and data uses is a prerequisite to new pharmaceutical business models.

Data privacy safeguard                                                      2009   2010   2011   2012
Accurate inventory of locations/jurisdictions of stored data                 47%    31%    36%    37%
Accurate inventory of employees' and customers' personal data                37%    40%    34%    35%

Question 38: What level of importance does your company place on protecting the following types of information? Question 11: Which data privacy safeguards does your organization have in place?

What you can do to improve your performance.

Information security today is a rapidly evolving game of advanced skill and strategy. As a result, the security models of the past decade are no longer effective. Effective security requires a new way of thinking. The very survival of the business demands that security leaders understand, prepare for, and quickly respond to security threats.

Businesses seeking to strengthen their security practice must:
- Implement a comprehensive risk-assessment strategy and align security investments with identified risks.
- Understand their organization's information, who wants it, and what tactics adversaries might use to get it.
- Understand that information security requirements and, indeed, overall strategies for doing business have reached a turning point.
- Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value for the business.

For more information, please contact:

US IT Security, Privacy & Risk Contacts
Gary Loveland, Principal, 949.437.5380, gary.loveland@us.pwc.com
Mark Lobel, Principal, 646.471.5731, mark.a.lobel@us.pwc.com

US Pharmaceuticals Contacts
Daniel Garrett, Principal, 267.330.8202, daniel.garrett@us.pwc.com
Peter Harries, Principal, 602.750.3404, peter.harries@us.pwc.com
Mick Coady, Principal, 713.356.4366, mick.coady@us.pwc.com

Or visit www.pwc.com/giss2013