Security practices in Asia now on par with North America while Europe stalls and South America surges

According to PricewaterhouseCoopers / CIO / CSO Magazines' Global State of Information Security Study 2008

Asian companies have made dramatic gains in upgrading their information security efforts, according to the 6 th annual Global State of Information Security Survey 2008. The study - the largest of its kind - was conducted by PricewaterhouseCoopers LLP (PwC) in conjunction with CIO and CSO magazines and polled over 7,000 IT, security and business executives across all industries from 119 countries on the challenges of protecting corporate information assets.

One of the most compelling facts emerging from a regional comparison of the survey's results is that Asian companies no longer lag behind North American ones in establishing leading practices in security. Boosted by the widespread advances made by companies principally in India, Asian companies are now on par and many surpass North American companies in establishing leading practices in security. Overall, 74% of respondents reported that their information security spending will either increase or stay the same over the next 12 months, the study found.

The survey revealed that Asian respondents are now more likely than their regional counterparts around the world to employ either a CISO (C hief Information Security Officer) o r CSO (C hief Security Officer) (63% vs. 52% in North America, 58% in Europe and 56% in South America), and conduct an enterprise risk assessment at least once a year (71% vs. 59% in North America, 57% in Europe and 64% in South America).

When it comes to protecting privacy, however, Asian companies sometimes lag behind those in other parts of the world (for example 18% of Asian respondents employ a Chief Privacy Officer vs. 24% in Europe and 21% in North and South America). In terms of other privacy capabilities, Asia is a few steps ahead of Europe and South America—but trails behind North America. For example, 41% of Asian respondents say their companies require employees to complete training in privacy practices, as compared to their colleagues in North America (54%), South America (30%) and Europe (28%).

According to the survey, 58% of respondents in Asia say that Data Leakage Prevention (DLP) tools will be brought into effective action over the next 12 months. Moreover, the percentage of respondents in Asia towards the business value of data classified in the security policies is also higher than global results at 8% (Asia 32% and Global 24%).

Although organisations in Asia continue to heavily invest in security tools such as software for intrusion detection, encryption and identity management, they are still struggling with their security and safeguard processes. There appears to be an overall misalignment with executive management's view of security, causing many organisations to not capture the full value of their spending.

Vilaiporn Taweelappontong, partner in the PricewaterhouseCoopers Mekong, which comprises Cambodia, Laos, Thailand and Vietnam who heads the Information Technology Services unit said, "Based on our experience, most companies in Asia, particularly in the Mekong region still believe that data leakage protection are "gifts from God". Their perception is that if they implement the tools, they will be able to fully resolve any privacy issues and achieve their privacy protection goals. In fact, without a clear understanding of either business or regulatory requirements on privacy, a proper privacy framework, efficient privacy strategy, or applicable privacy policy and procedures, those companies will not be able to handle privacy requirements and will also not be able to appropriately manage privacy risks. Business and IT executives should consider people, processes and technology which are the 3 keys to success when implementing a security system."  

"Companies must decide on the right strategy, engage the right people, target the right data, and employ the right technology effectively. Those that are ready for the surprises will be the ones that succeed," Vilaiporn added.

When asked to identify the most critical business issues or factors driving information security spending, 57% of respondents still point first to "business continuity/disaster recovery."  Further, this year, 40% of respondents cited "change" almost as often as they did "compliance with regulations or internal policies" (44% and 46% respectively) as a critical factor driving security spending.

In spite of the rapidly evolving maturity of security capabilities, a surprisingly large percentage of respondents "don't know what they don't know." Many respondents could not answer basic questions about the risks to their company's key information. 35% of respondents weren't sure how many security incidents their organisations have had in the past 12 months. This number is higher in North America (40%) and Europe (36%) than it is in South America (28%) and Asia (25%). As a result, security remains largely a reactive function of the organisation.