Secure Information – Safe Future

Key observations from the results of “The Global State of Information Security Survey 2014”

www.pwc.pl/cyber-security

First time results for Poland!

December 2013


Dear Sirs,

Security of information and IT systems – nowadays referred to as “cyber security” – is becoming an increasingly important element of business. Cloud computing, mobility, the “Internet of Things” and social networks are more and more prevalent in our lives, as well.

We have decided to take a look at such trends in our annual survey on the security of information worldwide, conducted by PwC along with CIO and CSO magazines. This year, for the first time we present the results of the survey of the Polish market against the results worldwide.

It gives us great pleasure to present our report to you. Feel free to read it and contact our experts in case of any questions.

Piotr Urban, Partner, PwC Risk Assurance Leader

Rafał Jaczyński, PwC Cyber Security Leader


Contents

The heart of the matter 6

An in-depth discussion 7

Today’s incidents, yesterday’s strategies 11

Weak defence 14

Preparing for the threats of tomorrow 17

Greatest obstacles 20

Security practices – Europe and Poland 21

Summary 22

Methodology of the survey 23


The heart of the matter

While information security risks have evolved and intensified, security strategies – historically compliance-based and perimeter-oriented – have not kept pace. In this situation, an approach to security whose main purpose has traditionally been to meet regulatory requirements is no longer sufficient.

The result? Today, organizations often rely on yesterday’s security strategies to fight a largely ineffectual battle against highly skilled adversaries who leverage the technologies of tomorrow. These sophisticated intruders are bypassing outdated perimeter defences to perpetrate dynamic attacks that are highly targeted and difficult to detect. Many use well-researched phishing exploits that target top executives. Compounding matters, the attack surface – partners, suppliers, customers, and others – has expanded as an ever-greater volume of data flows through interconnected digital channels.

These factors have combined to make information security progressively more complex and challenging. It has become a discipline that demands pioneering technologies and processes, a skill set based on counterintelligence techniques, and the unwavering support of top executives. A key tenet of this new approach is an understanding that an attack is all but inevitable, and safeguarding all data at an equally high level is no longer practical.

The Global State of Information Security Survey® 2014 aims to measure and interpret how global organizations implement practices to combat today’s highly skilled adversaries. This year’s survey indicates that executives are elevating the importance of security. They are heeding the need to fund enhanced security activities and believe that they have substantially improved technology safeguards, processes, and strategies. But while organizations have raised the bar on security, their adversaries have done even more. This year’s survey shows that detected security incidents have increased 25% over the previous year, while the average financial costs of incidents are up 18%.

The survey also reveals that many organizations have not deployed technologies that can provide insight into threats, identify and protect key assets, and evaluate threats within the context of business objectives. For many companies, security is not yet a foundational component of the business strategy, one that is championed by the CEO and board, and adequately funded.

Put simply, few organizations have kept pace with today’s escalating risks – and fewer still are prepared to manage future threats.

In this new model of information security, knowledge is power. Seize it.

Comments to the results of the Polish survey

The global survey was supplemented with the Polish part – the invitation directed to the clients of PwC Poland and readers of the THINKTANK magazine was answered by more than 70 companies and organizations in Poland. Due to the limited number of responses, the observations from the Polish part are more of a qualitative nature. Main areas represented by the Polish respondents were finance (banking and insurance), telecommunications, consulting services, software development and industry.

“Our survey was taken by Polish companies which are leaders of their respective sectors. Compared to similar businesses worldwide, Polish companies are exceptionally good in those areas which require compliance with restrictive law – in particular the law on personal data protection and intellectual property. However, the indicators of strategic importance of cyber security – for instance, its place in the structure of the company or its budget level – are significantly worse than the best practices.”

Piotr Urban, Partner, PwC Risk Assurance Leader


An in-depth discussion

As digital technologies become universal, they have transformed the business environment. Today, organizations are increasingly interconnected, integrated, and interdependent. They employ technology and ubiquitous connectivity to share an unprecedented volume of information assets with customers, service providers, suppliers, partners, and employees. These sophisticated technologies enable organizations to perform business tasks with a velocity and degree of efficiency that are unprecedented.

However, this evolved business ecosystem also imperils organizations by putting them at the mercy of adversaries who would exploit these technologies and processes to disrupt operations and even destroy businesses. As a result, security threats have become a critical business risk to global organizations.

The traditional reactive approach to information security strategy, which typically relegates security to an IT challenge, remains commonplace. It is, however, no longer effective, nor is it defensible. Today’s new world of security risks demands that organizations treat information security threats as enterprise risk-management issues that can critically threaten business objectives.

We asked our respondents to tell us how they are addressing information security imperatives, and how well their privacy and information security safeguards are aligned with business objectives. The results of the Polish survey show that most people are confident in their organization’s information security practices.

Strong confidence in today’s security practices

It is striking that, even in a climate of escalating and evolving risks, executives remain highly confident in their organization’s security capabilities and activities. In total, more than 80% of the respondents say their security activities are effective. This optimism is strongest at the top of the organisational chart, where executives rate security effectiveness very highly. Lower-grade personnel directly involved in project work are significantly more distanced from this view and less convinced of the effectiveness of the activities undertaken.

More than 80% of the respondents from Poland claim that the activities of their organizations in the area of information security are effective.


This conviction on the validity of the security strategies adopted by companies is confirmed by the evaluation of the effectiveness of security expenditures. However, it is noticeable that this way of evaluating strategies slightly dampens the general optimism in Polish organizations. More than 64% of the Polish respondents say security spending is aligned with business objectives. Some executives are sceptical, which suggests that the policy of budgeting initiatives related to information security is not always followed.

However, as in other countries, the conviction of the Polish respondents as to the effectiveness of their security measures suggests that such measures are – at least in theory – an integral part of the business strategy. Optimism is also prevalent in the approach to information security.

More than 64% of the Polish respondents claim that security spending at their company is aligned with business objectives.

Figure 1: Which of the following categories describes best the approach of your business to the protection of information security? Front-runners (“We have an effective strategy in place and are proactive in executing the plan”): 42%; Strategists (“We are better at getting the strategy right than we are at executing the plan”): 23%; Tacticians (“We are better at getting things done than we are at defining an effective strategy”): 19%; Firefighters (“We do not have an effective strategy in place and are typically in a reactive mode”): 15%.

Most of the respondents are willing to be proactive in tackling new challenges.

We label those who report they have an effective strategy in place and are proactive in executing the plan front-runners, since they exhibit two key attributes of leaders. Among this year’s respondents, 40% say they have the attributes of a front-runner. It is only slightly less than indicated in the global version of the report (where such an approach was declared by 50% of respondents). About one in four say they get strategy right but may not successfully execute the plan, a category we call strategists. Those who consider themselves better at “getting things done” than defining effective strategy – tacticians – account for 20% of respondents. The group that we call firefighters, who do not have a strategy in place and are typically in a reactive mode, comprise 15% of respondents.


Are front-runners really leaders?

Self-assessments are, by their very nature, biased. So we took a closer look at the data and created a series of requirements that define “true” leaders on the basis of reported capabilities and undertaken activities rather than self-perception.

To qualify as leaders, respondents must:

• Have an overall information security strategy,

• Employ a chief information security officer (CISO) or equivalent who reports to at least a Board member or top leadership,

• Measure and review the effectiveness of security measures within their organization,

• Understand exactly what type of security events have occurred in the past year.

Filtering for these qualities shows that only 26% of all the Polish respondents rank as true leaders. They usually work for large companies, with revenues of more than PLN 5 billion, in the following sectors:

• retail banking or financial consulting,

• telecommunications,

• mining industry.

Figure 2: Front-runners vs. leaders: Front-runners 40%; Leaders 26%.

Global figures indicate that real leaders detect more security incidents, have a better understanding of what types of security incidents occur and the source of those incidents, and report lower average financial losses as a result of security incidents.


Cause for concern: too low investments

Although the majority of respondents declared a great commitment and expressed huge optimism, the budgets for activities related to information security still remain at a very low level. Our results indicate that on average they represent only 2.7% of the entire IT budget. Therefore, we can state that the will to act and the increasing commitment to information security are drastically limited by insufficient funding. For comparison – globally, the security budget constitutes on average 3.8% of the IT budget, and the level of spending on IT technologies is much bigger worldwide.

But what about the future? Most respondents do not expect any significant improvement in the current situation. Only 33% of the Polish respondents claim that their budget for information security will increase within the next 12 months. In this category, we are lagging way behind other markets, where spending on information security is in general expected to grow (51% of responses in the global survey).

Only 33% claim that their budget for information security will increase.


Today’s incidents, yesterday’s strategies

It has been all but impossible to ignore the barrage of news reports about increasingly sophisticated – and often successful – security breaches over the past year. Given the sometimes sensational, and often click-driven, nature of news reporting, it’s only natural to question the accuracy of reports concerning cyber intrusions.

Global survey respondents report a 25% jump in detected incidents over the last year.

This would seem to validate the headlines trumpeting elevated security threats – unfortunately, Polish companies do not seem to be concerned about it. Considering that, according to independent research, 75% of attacks happen simply because a gap in security measures exists, not because the target is attractive, the discrepancies in this area may indicate a lower effectiveness of the processes and solutions used to detect security incidents.

“Right now it is only a matter of time before a given company becomes a target. It is best to assume that our security has already been breached, but we have not detected it yet. This means that crisis management and security start to intertwine and must be considered jointly.”

Rafał Jaczyński, PwC Cyber Security Leader

Figure 3: Average number of security incidents in past 12 months (in the global survey): 2011: 2,562; 2012: 2,989; 2013: 3,741.


“The increase in the number of detected IT security incidents does not indicate the ineffectiveness of the implemented security strategies. On the contrary – thanks to new technologies and monitoring processes companies may detect threats and hacking attempts much earlier.”

Patryk Gęborys, PwC Cyber Security Manager

The concern that Polish companies are not sufficiently prepared to detect and handle security incidents is confirmed by the figures indicating how many respondents do not know the number of security incidents at their organization. In Poland, it is 22%, 4 percentage points more than the global level.

The increase in the number of incidents combined with a concurrent rise in the volume of business data being shared digitally means that the most frequent result of potential security incidents is the loss or theft of data. In Poland, almost half of all attacks lead to a leakage or unavailability of certain information. The global survey also suggests that the above risk becomes more and more serious – this year, 24% of respondents reported loss of data as a result of security incidents, a hike of 16% over 2012.

Upon analysing detailed results of security incidents in Poland, we can arrive at new conclusions. In almost half of all cases, such incidents involve brand or reputation loss. This is related to the type of information disclosed. Usually such information concerns intellectual property or the identity of a client or an employee. Almost all our respondents told us that this is exactly the kind of data which is considered the most important in their companies. Therefore, it seems natural to focus protection on such data, which often becomes targeted in the first place. Nevertheless, the results of the survey indicate that the security measures currently in use do not allow companies to fight effectively the risk of data or intellectual property theft.

Figure 4: Impact of security incidents in Poland: Threat to brand/reputation: 40%; Theft of “soft” intellectual property (e.g. processes, institutional knowledge, etc.): 30%; Identity theft (client or employee data stolen): 20%; Theft of “hard” intellectual property (e.g. company’s strategic plans, documents on transactions, etc.): 15%; Exposure to legal risk/suit: 15%; Loss or damage of internal records: 15%.

Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.


The costs and complexity of responding to incidents are increasing. This includes the cost to investigate, the cost to understand business risks and contain incidents, the cost to manage notification to regulators, customers, and consumers, and the cost of litigation. Also, the cost of remediation is rising because more records across more jurisdictions are being impacted, and security controls have not kept pace with the ever-changing threat landscape.

Insiders, outsiders, and hackers

As every year, we asked our respondents about the possible sources of security incidents. More than half of the respondents from Poland indicated insiders – either employees or suppliers. The participants of the global survey also indicate that the main source of incidents are insiders and trusted partners.

The results of the global GISS survey can be compared with independent reports prepared on the basis of actual data from analysed security incidents: according to the Verizon 2013 Data Breach Investigations Report, the source of a vast majority (92%) of incidents were outsiders, and most of them (52%) involved intrusions into IT systems. This comparison calls for some comment.

So far, the prevailing dogma of security management has been the statement that most incidents are caused by employees. We believe this claim is now glaringly obsolete and the truth is that company employees and partners are less and less frequently initiators of abuse – however, they become either willing or unwilling abettors. This change of approach certainly does not mean the return to the concept of a “wall” at the contact point with the external world; it just means that employees and the IT resources used by them directly (computers, office systems and networks, online services) are in fact yet another perimeter to be considered by the company defence forces.

Figure 5: Estimated likely source of incidents (grouped into insiders, trusted partners and outsiders): current employees, former employees, current service providers/consultants/contractors, clients, former service providers/consultants/contractors, information brokers, hackers, competitors, organized crime, activists/activist groups/hacktivists.

Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.


One reason why organizations do not have effective plans in place for internal threats is that many classes of insiders, such as partners and suppliers, are invited within network perimeters and a certain level of trust is assumed. Businesses should understand that trust in advisors should not be implicit.

Weak defences

To combat today’s risks, organizations should be able to achieve ongoing insight and intelligence on ecosystem vulnerabilities and dynamic threats. Activities and investments should be driven by the best available knowledge and evaluated within the context of business activity.

For many, this represents a significant shift in thinking and planning. So it’s not entirely surprising that many survey respondents report they have not implemented technologies and processes that provide insight into current risks and threats. For instance, 55% of the respondents in Poland have not deployed behavioural profiling and monitoring tools, and a smaller share (42%) do not employ security information and event-management technologies. Asset-management tools are critical to safeguarding data assets, yet are not in place for 41% of the respondents we surveyed. On the other hand, it is worth mentioning that the respondents in Poland use data loss prevention (DLP) tools and intrusion prevention systems (IPS) rather often – as indicated by 57% and 60% respectively.

As data proliferates and is shared among more partners, suppliers, contractors and customers, it is increasingly critical that businesses understand the risks associated with sharing data with third parties. What’s more, organizations should ensure that third parties meet or beat their requirements for data security. Respondents in Poland declare that in most cases (74%) they require that external entities (including providers of outsourced services) follow the corporate security policy. Although more than half (54%) maintain a list of all external entities which handle personal data of employees and clients, only 34% declared that they hold periodic audits to make sure that third parties are able to ensure protection of such data.

As noted, today’s elevated and evolving threat environment requires that organizations understand that it is no longer practical – or, indeed, possible – to protect all information with equal priority. In a new model of security, businesses should identify and prioritize the information that really matters.


In Poland, companies are more eager to use protection mechanisms for mobile devices. However, still less than half of them have implemented mechanisms which allow for remote management of mobile devices (MDM), which are a key tool for the automated management of sets of company smartphones.

Figure 6: Initiatives launched to address mobile security risks (Poland vs. World): strong authentication on devices; ban of user-owned devices in the workplace/network access; mobile device-management software (MDM); protection of corporate e-mail and calendaring on employee- and user-owned devices; mobile security strategy; use of geolocation controls.

Mobile devices are more and more common in company networks and users demand easy access to company resources. IT and information security departments must find the balance between business expectations, regulatory requirements and information protection requirements.

Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.

A major risk to data security is the surge in the use of mobile devices such as smartphones and tablets, as well as the “bring your own device” (BYOD) trend in organizations. While the use of mobile devices to share and transmit data continues to increase, deployment of mobile security policies lags behind, as is apparent particularly from the global survey results.


APT (Advanced Persistent Threats) is becoming a heavily discussed topic in the media. The general trend indicates that in the future they can constitute a large part of all computer security threats. Since hackers are more and more often indicated as a potential source of attacks, it is worrying that only 30% of respondents in Poland have implemented anti-hacking measures. For comparison – more than half of the respondents worldwide claim to use proper measures.

Cloud computing has been around for more than a decade and is commonplace – if not quite mainstream – in the corporate ecosystem. Almost half (48%) of the respondents in Poland said their companies use cloud computing. Of those, 33% reported that their security posture has improved thanks to this model of service delivery. But there were also doubts – 25% of respondents are worried about the reliability of the data recovery process in the context of applications deployed in the cloud. A similar number of respondents express doubts as to the control of authenticated access at the website of a service provider.

So it is a bit surprising to learn that many organizations have not seriously addressed the security implications of cloud services – only 17% of the respondents who utilize cloud services declare that they have.

Only 17% of respondents say they have policies governing cloud services.


Preparing for the threats of tomorrow

Today, adversaries are constantly sharpening and evolving their capabilities to exploit new vulnerabilities. Addressing these threats will require that organizations approach activities and investments with the best available knowledge about information assets, ecosystem threats, and vulnerabilities.

This year’s survey indicates that those we define as leaders more often enhance their capabilities by implementing policies that elevate security as a top business imperative – not just an IT challenge.

Leaders are aligning security with business needs, setting standards for external partners, and, in general, rethinking the fundamentals of security. For instance, as many as 83% of leader organizations in Poland have a senior executive who communicates the importance of information security across the enterprise. More than 67% declared that they designate a cross-functional team that regularly meets in order to coordinate and communicate security issues.

Policy and executive support are just a start, however. A measure of real intent can be gauged by whether companies have also deployed technologies to execute these policies.

Involvement of senior management and the board allows for implementation of a consistent information security program.

Figure 7: Security policies and safeguards currently in place (all respondents vs. leaders): cross-functional team coordinates/communicates security issues; centralized security information management processes; security strategy aligned with business needs; minimum security requirements/standards for external partners/customers/suppliers and vendors; a senior executive who communicates the importance of security.

Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.


Leaders are more likely to have deployed tools that provide real-time analysis of suspicious activity. For instance, 83% of leaders say they have implemented security information and event management (SIEM) technologies. Similarly, a majority of leaders say they have deployed event correlation tools, which aggregate and correlate information from disparate tools like vulnerability and intrusion monitoring systems. Tools for scanning systems for security weaknesses and vulnerabilities are quite often used by respondents – 67% in total claim they have such software.

While our focus is on leaders who have implemented the technologies above, it’s just as important to stress that, given today’s elevated threat landscape, all organizations should strongly consider implementation of these safeguards when applicable.

Another example can be found in the employee security awareness program. More than 56% of respondents say they have such a safeguard in place. Because adversaries often target employees with social engineering schemes, all organizations should implement an effective employee-training program.

To gauge Polish respondents’ priorities in preparing for the threats of tomorrow, we looked at priorities for implementation of process and technology safeguards over the next 12 months.

Security measures which are high priority for the next 12 months:

• monitoring of unauthorized access or use,
• encryption of smartphones (e.g. iPhone, BlackBerry, Android-based devices),
• security strategy on the use of employees’ own devices at the company premises,
• security strategy for social media,
• incident response procedure, covering the reporting of breach events to external entities which deal with the data and the handling of such reports,
• profiling and monitoring of behaviours,
• security awareness training program,
• conducting risk assessments in relation to internal and external threats to the privacy, security, confidentiality and integrity of hard-copy and digital records which include personal data (e.g. through internal audits),
• standards/procedures for the security of mobile devices,
• security strategy for cloud computing,
• intrusion prevention systems (IPS),
• detecting malware on mobile devices.

A part of the preparations involves mobile devices, in particular encrypting their content and implementing proper security procedures and standards. The companies also plan to introduce regulations on social media and on the use of employees’ own devices at their premises. The implementation of new strategies for monitoring and detecting security incidents also remains a priority.

In the face of new dangers, we consider it good practice to introduce a series of security awareness trainings and risk assessments of threats to personal data. Our analyses indicate that those areas may currently constitute an important weakness in corporate security strategies, which is why relevant initiatives may reduce the risk level and increase awareness of the existence of potential threats.


In the past year, sharing information about security threats – even among competitors – has emerged as a powerful offensive tool. We believe that collaboration can enable a business to adapt more quickly to market changes. In PwC’s 5th Annual Digital IQ Survey we found that firms with collaborative C-suites intertwine business strategy and IT, which often improves the performance of a business.

So we were curious how Polish respondents, many of whom operate in an increasingly competitive environment, would view collaboration with others to improve security and share knowledge of threats. Many organizations see the merits of collaboration: 52% of respondents said they officially collaborate with others (including the competition) in order to improve security and mitigate risk in the future; among leaders, that number rises to 83%.

In this regard, the figures in Poland are almost identical to the global ones. Of course, we should bear in mind that those results concern companies which decided to take part in the survey – after taking into account the much lower popularity of such surveys among Polish companies, it is reasonable to claim that the tendency to collaborate and share information on threats is much lower in Poland than the best global practice.

Among the 36% of respondents that do not collaborate with other entities, the primary reason for not sharing information is the lack of confidence that such collaboration could bring direct benefits.

Companies often believe that their competitors are not more advanced in the area of security (33% of respondents). However, it should be remembered that even slight experience with various forms of threats is a good basis for sharing experience. Other reasons indicate frank distrust of competitors and fear that the acquired information could be used against those who proposed such an exchange.

Figure 8: Why companies don’t collaborate with competitors on information security

No one competitor is considerably more advanced than others                                     33%
Do not want to draw attention to potential weaknesses                                           22%
Are concerned that a competitor would use such information to market against us                 22%
Larger organizations with more financial resources would use collaboration to their advantage   11%

Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.


Greatest obstacles

Most people who deal with security in their companies agree that new actions to improve information security are needed. However, there are many obstacles which reduce the effectiveness of the implementation of new security measures. We asked the Polish respondents which obstacles are the worst, and it turned out that potential problems come from many different areas of the company’s operations.

Many respondents believe that in-house staff do not have sufficient specialist know-how to implement new security practices. For comparison – in the global survey this obstacle is mentioned only in fifth place. This suggests that Polish companies may lack effective training or certification programs. The problem with acquiring funds for security-related initiatives is equally serious. This confirms our earlier conclusion that the budget for security is too small compared to general IT expenditures in Polish companies. Other respondents also indicate the lack of a proper vision, which could be used to determine the impact of future business needs on the strategy of promoting information security, or even the lack of the strategy itself.

Another interesting fact is that some respondents indicated the attitude of higher officials as a potential obstacle in implementing an effective security strategy. In the global report we see an interesting trend in the correlation between the answers of respondents and their respective job positions. CEOs overwhelmingly named themselves as obstacle No. 1 in following an effective plan to improve the strategic effectiveness of the security area. CFOs, meanwhile, point to CEOs as the leading hindrance. Ask CISOs, the executives directly responsible for information security, and they’ll put insufficient funding (both capital and operating) at the top of the list, followed by a lack of in-house technical expertise. CIOs flag a lack of strategy and vision, along with the leadership of CEOs and security executives.

This lack of clarity on obstacles to effective security shows, in part, that businesses have not engaged in sufficient dialogue around security. Building and sustaining a culture of security awareness will also require the full support of top executives, including the CEO and board. This must be an ongoing discussion.

Figure 9: Greatest obstacles to improving the overall strategic effectiveness of security in the organisation

Lack or shortage of in-house technical expertise                                                          42%
Insufficient capital expenditures                                                                         42%
Lack of an actionable vision or understanding of how future business needs impact information security    38%
Insufficient operating expenditures                                                                       35%
Poorly integrated or overly complex information and IT systems                                            27%
Lack of an effective information security strategy                                                        23%
Leadership: CIO or equivalent; Leadership: CEO, President, Board, or equivalent;
Leadership: CISO, CSO, or equivalent (the three leadership items)                                         15%, 12% and 8%

Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.


Security practices – Europe and Poland

The results of the global survey indicate that investment in information security is down slightly (3%) over last year in Europe, and the continent continues to lag in adoption of key security safeguards. In Poland, only 33% of respondents believe that security spending will increase over the next 12 months, compared to 46% of respondents from the whole of Europe. This indicates a significant deterioration of the prospects for the development of security divisions in Polish companies, and hence – an increased risk of more numerous attacks.

Poland also lags behind Europe in organizational structure. Only 36% of respondents indicated that their organization employs a Chief Information Security Officer. For comparison, in Europe such a solution is used almost twice as often.

On the other hand, Polish companies care more about defining a relevant policy for backup and recovery/business continuity. Such an approach was indicated by 74% of respondents, which significantly exceeds the average figures for Europe (55%). Similar relations may be noticed in the procedures for protection of intellectual property. Although such elements of the security policy are not yet widespread in all European countries, the results of the survey in Poland indicate better readiness to adopt such good practice.

Table 1. Security practices – Europe and Poland

                                                                                          Europe   Poland
Will security spending increase over the next 12 months?                                    46%      33%
Have an overall security strategy                                                           77%      75%
Employ a Chief Information Security Officer                                                 68%      36%
Have a senior executive who communicates the importance of security                         51%      57%
Have a policy for backup and recovery/business continuity                                   45%      75%
Require third parties to comply with privacy policies                                       55%      74%
Employee security awareness training program                                                55%      56%
Have procedures dedicated to protecting intellectual property (IP)                          17%      35%
Have intrusion-detection technologies in place (IPS)                                        63%      60%
Inventory of where personal data are collected, transmitted, and stored                     52%      77%
Is the organisation officially collaborating with others (including competitors)
to improve security and reduce risks?                                                       45%      52%

“If you spend more on coffee than on security, you will get hacked. More – you deserve to get hacked.”

Richard Clarke, Cyber Security Advisor, White House


Summary

One thing is certain: the current approach is no longer sufficient in the face of ever-changing threats.

Unfortunately, the results of the survey this year suggest that the previous tendency only gets stronger. On the one hand, our respondents declare progress by implementing new security measures; on the other, they do not pay sufficient attention to key aspects like determination of the business value of information. They declare the need for bigger investments in security, but they still do not have a strategy for solutions like cloud processing.

Taking into account the dynamically changing threats and environment, we are not surprised that the choice of the proper direction is by no means simple or obvious. One thing is certain: the current approach is no longer sufficient. New risks will require a completely new approach to information security.

In order to effectively respond to the threats of the future, in our opinion, the approach to information security must be based on thorough knowledge of the opponent, threats and environment. We must accept that security incidents will happen and must be taken into account as one of the business risks – unavoidable, but possible to mitigate down to an acceptable level.

Our approach comprises four key precepts:

• Strategy
An integrated security strategy should be a pivotal part of your business model; security is no longer simply an IT challenge. The understanding of the role and complexity of cyber security-related issues should be reflected in the organizational structure and the budget for security.

• Awareness
Effective security requires that you understand the exposure and potential business impact associated with operating in an interconnected global business ecosystem. Company awareness of cyber security also means the ability to acquire and analyse information on both external and internal threats. Collaboration with other entities on the exchange of such information is also important – only in this way can companies together face ever more determined opponents.

• Selectivity
Effective security requires that you understand and adapt to changes in the threat environment by identifying your most valuable information and prioritizing your organization’s resources to protect it. This will help you reduce expenses and ensure the proper level of monitoring and response to incidents.

• Responsiveness
Preventive measures do not give a sufficient guarantee that information and the processing power of systems will not fall prey to criminals. The ability of the company to notice the moment of breach and launch an adequate response to the incident is currently one of the most important indicators of the maturity of the company when it comes to cyber security. Quick detection and response – in the same way as the quality of preventive measures – in real life determine the ability of the company to protect critical resources.


Methodology of the survey

The Global State of Information Security 2014 survey is a world-wide undertaking of PwC, CIO Magazine and CSO Magazine. It was conducted online between 1 February and 1 April 2013. Readers of CIO and CSO magazines and clients of PwC were asked by e-mail to take part in the survey. The global results in this report are based on responses from more than 9 600 respondents, including presidents and members of management boards of companies and organizations, CEOs and people responsible for finance, IT, security or privacy, from 115 countries. Thirty-six per cent (36%) of respondents were from North America, 26% from Europe, 21% from Asia and the Pacific, 16% from South America and 2% from the Middle East and Africa. The margin of error was less than 1%.

In this report, figures from the global survey were compared with the Polish survey – the invitation, directed to the clients of PwC Poland and the readers of the THINKTANK magazine, was answered by more than 70 companies and organizations in Poland. The main areas represented by the Polish respondents were finance (banking and insurance), telecommunications, consulting services, software development and industry.


Our experts are at your disposal, both in all matters related to this report and any other questions you may have about the security of information and IT systems.

Contact persons – PwC Cyber Security

Piotr Urban, Partner, PwC Risk Assurance Leader, +48 502 184 [email protected]
Rafał Jaczyński, PwC Cyber Security Leader, +48 519 507 [email protected]
Patryk Gęborys, +48 519 506 [email protected]
Rafał Skoczylas, +48 519 506 [email protected]

This presentation has been prepared for general information purposes only; it does not constitute advice within the meaning of Polish law. You are discouraged from basing your actions/decisions on the information provided in this presentation without obtaining prior professional advice. We do not guarantee (neither explicitly nor implicitly) that the information provided in this presentation is accurate or precise. Furthermore, within the scope laid down in Polish law, PricewaterhouseCoopers Sp. z o.o., its partners, employees and representatives do not undertake any obligations nor accept any liability – neither contractual nor on any other account – for any losses, damage or expenses which may directly or indirectly result from actions undertaken based on the information provided herein or decisions made based on this presentation.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

© 2013 PricewaterhouseCoopers Sp. z o.o. All rights reserved. The name “PwC” refers to companies that are parts of the network PricewaterhouseCoopers International Limited, and each of them is an autonomous and independent entity.