Security still not a priority

Communications News, March, 2008

Companies in the technology, media and entertainment, and telecommunications industries are overconfident and under-prepared to prevent security breaches, according to a study by consulting firm Deloitte. In a global security survey of more than 100 such organizations, 46 percent do not have a formal information-security strategy in place. Despite this lack of a formal security strategy, 69 percent report they are "very confident" or "extremely confident" about their organization's effectiveness at tackling external security challenges.

With more people working outside the office, businesses should adopt an end-to-end security strategy that spans the extended enterprise, according to Rena Mears, Deloitte's global and U.S. privacy and data protection leader. This model requires that enterprises pay close attention to the security of their mobile workers, as well as the security capabilities of their business partners.

The study also revealed a concern among respondents in the area of insider threats, with only 56 percent displaying confidence in addressing employee misconduct, whether it is deliberate or accidental. In addition, the convergence of physical and information security is another area most of the polled companies have not yet addressed, with 64 percent of respondents indicating they have done little or nothing to integrate the two.

The number of chief information security officers (CISOs) appointed in the companies surveyed increased from 57 percent to 65 percent in the past year. The survey revealed that only 13 percent of CISOs have tenure of more than 10 years, with 39 percent having held a CISO position for just three to five years.

"In order to get ahead of the problem, businesses must increase their security efforts and investments and think more strategically than simply reacting to emerging threats," says Mears.