With a new security survey being released almost daily, usually by a product vendor whose goal is to promote their wares, I thought I would do my own little survey (if you could call it that). Securus Global works with businesses of all sizes and across most industry sectors. We randomly selected a sample of 20 CSOs and IT Security Managers and asked them a few basic questions.

How do you compare? Keen on your comments… Read on…

————————————————

1. Do you measure your enterprise security position now fully? (Note: the objective of this question was to see if IT security practices were deployed from an enterprise view, i.e. looking at the whole business and not just sections of it.)

Results: 75% – No

Some of the “Yes” Comments:

“We have more detailed review against specific contract signings and deliverables but we still have an overall understanding and a general concern for the wider environment that we try to address with our counterparts.”

“We maintain metrics around our SLAs and contractual deliverables to determine how well we’ve met our deliverables, which is a decent and semi-comprehensive indication of how well we are performing security.”

“In depth global assessments for each country are conducted every two years.”

“Quite fully on essential practices using high level qualitative method”

“Various reporting on incidents, outstanding issues, security statistics, etc”

Some of the “No” Comments:

“Not yet.”

“…none of them understand risk, nor have the budget. Best that can be done is minimised exposure.”

“You need to define fully. For example, where do you draw the boundary with an outsourced organisation?”

“No. Wouldn’t know how to benchmark it properly. i.e. would you benchmark it against (i) a standard, (ii) supposed best practice, (iii) other companies, (iv) companies in your same sector (v) companies in your same sector of the same size.”

“Some aspects of the organisation’s security are measured and risk rated. The metrics and risk are regularly reported within the IT department. This rarely feeds into any ERM framework.”

————————————————

2. How do you think you compare to your peers? (Similar companies)

A. Far better
B. Better
C. About the Same
D. Worse

Results:
A – 0%
B – 25%
C – 70%
D – 5%

————————————————

3. Do you think you manage security better now than you did one year ago?

Results:
Yes – 75%
No – 25%
Don’t know – 5%

Comments:

“Yes. Processes have matured, as security is bled and injected more into the business’s understanding of how they should be performing their business.”

“Yes. I believe we are slowly improving but do not have the company ‘buy in’ yet to fully appreciate security.”

“Yes. Places I work in, yes, coz I’ve been there MOFO ;)”

“Yes. Better structure, more involvement with business initiatives (not just IT), more accountabilities.”

“Yes. There are a number of aspects that have been improved across the organisation. Specifically how risk is measured for information systems. There is still a disconnect relating to risk ownership between the information owner and the information custodian.”

“Yes. Improved reporting and task allocation.”

“No. We have 30% less staff doing security now than a year ago.”

“No. Still reactionary and don’t have the right security organisation structure in place as yet.”

————————————————

4. Do you think your security spend is right?

A. We overspend on silver bullets and other useless crap
B. We spend a lot on crap but some of the spend is worth it
C. We are spot on
D. We slightly underspend on security
E. We don’t spend nearly enough

Results:
A – 0%
B – 15%
C – 0%
D – 70%
E – 15%

Comments:

“EEEEEEE is for eeeekkkk when they get hacked!”

“Don’t really know. Just guessing.”

“B. We spend a lot on crap but some of the spend is worth it. Probably not the best choices, but this one seems the closest.”

“E. We don’t spend nearly enough.”

————————————————

5. How would you rate the security of your organisation out of ten (given you are either the head of IT security or part of the team that should know):

1 – 0%
2 – 0%
3 – 15%
4 – 10%
5 – 20%
6 – 20%
7 – 30%
8 – 5%
9 – 0%
10 – 0%

Comments:

“10 being perfect where I can see absolutely zero opportunities to improve and everything is being perfectly managed with full and comprehensive reporting and feedback into the management structure.”

————————————————

6. Do you think the security of your organisation will improve in 2009?

Results:
Yes – 60%
No – 25%
Maybe – 15%

Comments:

“Yes. Continuing improvements in security practices as well as awareness, as well as improvement in visibility of all reporting and standardization of practice.”

“Yes, but only in small degrees.”

“Been giving them sh*t all over the place, potentially :)”

“Yes. We are rationalising security teams and going back to basics to ensure that we are working on the right things.”

“Yes. Via continuous involvement in business initiatives to help raise profile + directing internal audit activities on existing weaknesses.”

“Yes. A number of projects and initiatives have begun or are planned to improve the tactical and strategic security position of the organisation.”

“Yes. Always working on continuous improvement…”

————————————————

  1. D3 says:

    “An October survey by PricewaterhouseCoopers, for example, found that only 59 percent of 7,000 business and technology executives could attest to having an overall security policy.”

    http://www.isalliance.org/images/stories/The_Cyber_Security_Social_Contract_11182008.pdf