PricewaterhouseCoopers has released its 2008 Global State of Information Security Study, titled “Safeguarding the new currency of business.” The report called out the UK and its neighbour across the Channel, France, for failing to make meaningful progress in the areas of compliance testing, secure technology disposal, privacy, and identity. The report states that the two countries had a lower response rate than in previous years, indicating a lack of progress in the areas concerned.
Of particular interest was the section regarding “executive misalignment,” which stated:

“CISOs don’t see eye-to-eye with the rest of the executive suite on what single business issue is principally driving information security spending. They are far more likely to cite regulatory compliance than CEOs, CFOs, and even—quite surprisingly—Chief Compliance Officers (75% vs. 27%, 37% and 24%, respectively). And all of these executives—in addition to the CIO, who is the only other business leader who sits on the IT side of the table—unanimously disagree: they cite a completely different principal driver for security investments: business continuity and disaster recovery.”
Figure 4 is quite remarkable, as it shows that even amongst senior leadership, the members of the team simply do not understand why each other's roles exist in the business. At a minimum, an executive team should be able to state from memory the roles and responsibilities of the senior staff.
I always laugh when I read reports like these because IT companies like Microsoft, Symantec, Computer Associates, and IBM, just to name a few, pound away with the message around security and manageability, identity, and compliance, yet so often it feels like these words fall on deaf ears. Apparently the “Old World” is severely falling behind the likes of Asia and North America and, to quote the study, “South America is in the passing lane.”