Rafael Etges is the national practice manager of the governance, risk and compliance group at TELUS Security Solutions. Etges brings 14 years of consulting experience at major consulting groups in South and North America. Etges has extensive experience in corporate and IT governance, information security policy development, information security program management, and auditing. Walid Hejazi is a professor of business economics at the Rotman School of Management at the University of Toronto (Ontario, Canada). He has published extensively in more than 40 business journals and publications. In keeping with the spirit of Rotman, Walid balances his research activities by helping many of Canada's leading organizations leverage research to decide on new strategies and initiatives. Alan Lefort is the director of product management at TELUS Security Solutions. Lefort is responsible for the development and marketing of all managed security services, professional services and technology integration services. Additionally, Lefort has taught several courses on security at the University of Toronto.
Technologies mandated as part of compliance, such as log management, are being implemented, but maturity and satisfaction levels are very low. The low satisfaction indicates that Canadian companies are still not deriving full utility from their investments.

Outsider Breaches Slightly Higher, Insider Breaches Lower

When compared to their US counterparts from the 2007 Computer Security Institute (CSI) Survey, Canadian respondents on the whole indicated they have experienced fewer breaches. For breaches more associated with outsiders, such as phishing, misuse of public web applications, or viruses and malware, Canadian organizations reported slightly higher rates. For breaches relating to insider activity, the results were much different. About one in six Canadian respondents reported a breach involving abuse by employees or insiders, whereas the number was closer to three out of five in the CSI survey, suggesting that an insider-related breach was slightly more than three times as likely to occur in a US organization.

Breach Costs Rising: Canada Reports Higher Breach Costs Compared to US in 2007

The annual losses associated with breaches across all respondents averaged CAD $423,469. For Canadian-owned companies, the average annual loss was CAD $397,887; for US-owned companies doing business in Canada, the average annual loss was CAD $499,859. For organizations doing business in Canada with headquarters in Europe, South America or Asia, the average annual loss due to breaches was CAD $449,950. The average annual loss for a private company was CAD $293,750, for publicly traded companies CAD $637,500 and for government CAD $321,429. These figures compare to the average loss per respondent in the US CSI survey of US $345,000 in 2007, up substantially from US $167,713 in 2006.
ISACA Journal, Volume 2, 2009

How an Organization Spends on Security Just as Important as How Much

Not every type of organization fared the same in terms of satisfaction with security posture. Government respondents were least satisfied with their security posture, with only 3 percent of respondents indicating they were very satisfied. This contrasts with 23 percent of respondents in publicly held companies and 20 percent in privately held companies. When the satisfaction threshold is lowered from very satisfied to satisfied, government respondents fared somewhat better, with 70 percent satisfaction compared to 75 percent in publicly traded companies and 73 percent in privately held companies.

Overall, IT security satisfaction does not necessarily increase with spend. Based on the investment strategies reported by respondents, there is dissatisfaction where security budgets are below 5 percent of the IT budget. As budgets rise above 5 percent, there is a significant increase in satisfaction (satisfaction almost doubles), suggesting that a security investment threshold must be met for IT security to be effective. Once that 5 percent threshold is met, however, further budget increases yield very little additional satisfaction. There appears to be a second threshold at 10 percent, but even here, doubling the IT security budget yields only a 10 percent increase in satisfaction. The data indicate that increased funding is spread fairly equally across all technologies, preserving biases toward traditional network security and the continued underfunding of application security.

As budgets for IT security increase, reported breaches decreased considerably, declining by one-fifth for unauthorized access and by one-half for botnets and abuse of wireless security. Breaches relating to misuse of a public web application fell by 60 percent. However, several breach categories did not fall significantly, such as financial fraud. So, even though the number of breaches is falling, the annual cost associated with these breaches continues to rise, and satisfaction does not increase as a result.

High-Performing Security Professionals Are More Business-Minded

Salaries for respondents to the survey averaged CAD $90,410. The average for those in positions of director and above was CAD $106,863, and it was CAD $84,127 for those in positions below director. That is, there was a premium of CAD $22,736 for holding a higher position in IT security. Talent matters.
In particular, high earners, defined as those earning more than CAD $100,000, were much more likely to have a university degree and twice as likely to have a business degree. They were also nearly twice as likely to have a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), or SANS (SysAdmin, Audit, Network, Security) Institute Certificate, but less likely to have a certificate for IT infrastructure, networking or a security vendor. Furthermore, 81 percent of high earners worked in the Canadian headquarters of the organization surveyed.
The survey found a wide variation in compensation across organizational types. Forty-seven percent of respondents from privately held organizations were high earners, as compared to 32 percent in publicly traded companies and 18 percent in government organizations. This suggests that for areas of security that are in high demand and short supply, such as application security and identity management, government organizations struggle to attract and retain staff.

Security Outsourcing a Viable Strategy

Although 40 percent of respondents indicated that their organization does not allow outsourcing of security, two-thirds of respondents from publicly traded and government organizations indicated they are open to it. Privately held companies, however, appeared less likely to outsource, although those that do are more likely to make the decision based on value (19 percent). Government entities (32 percent) were twice as likely as publicly traded companies (16 percent) in Canada to require Canadian service providers. Privately held firms were less likely to prefer Canadian providers (9 percent).

Organizations that outsource their IT security are less likely to experience breaches that can be prevented through network security technologies. For breaches that are likely to require application security measures, outsourcers generally underperformed compared to those who did not outsource. Notwithstanding those divergent results, those that outsource are more likely (75 percent) to be satisfied with their security posture than those that do not outsource (69 percent).

US Patriot Act as Much a Concern as Canadian Regulations

Chief executive officers (CEOs) were less concerned with the Patriot Act (31 percent) than security managers and individual contributors (43 percent). More important, though, is how the Patriot Act compares with other regulatory acts: CEOs' concern with it was quite significant, as it is more top of mind than regulations such as PCI DSS (20 percent) or Bill C-198 (Canada's Sarbanes-Oxley Act) (25 percent), and almost as important as the US Sarbanes-Oxley Act (40 percent). Also, the high concern with PIPEDA demonstrated by CEOs, compared with their concern for the US Patriot Act, suggests CEOs are not aware that storing data in a location that requires compliance with the US Patriot Act can undermine PIPEDA compliance.

Conclusion

Organizations looking to increase satisfaction with their security posture should consider the best practices of the most satisfied organizations:

- Focus on performance measurement: Top performers were much more likely to have reporting and metrics in place.
- Balance investment: To ensure that technology benefits are fully realized in terms of a decrease in breaches and an increase in technology satisfaction, staffing investments must be made in proportion to the growth in technology footprints.
- Invest in application security: Highly satisfied organizations invested much more in application security and in technologies, such as encryption, that aided in maintaining the confidentiality of customer data.
- Invest adequately: Organizations investing less than 5 percent of their IT budget in security are almost twice as likely to be dissatisfied with their security posture.

Authors' Note

The full 65-page report containing all questions, aggregated answers and in-depth analysis can be downloaded from www.telus.com/securitystudy and www.rotman.utoronto.ca/securitystudy.