InformationWeek Reports' 2012 Strategic Security Survey examines the challenges of protecting corporate information and managing the risks of doing business in the Internet age. 946 security professionals from companies with 100 or more employees responded to our survey. Our 2012 report, written by security expert Michael Davis, addresses risks in three key areas: mobile devices, cloud services, and software development. An executive overview of this year’s report will be featured in our 5/7 digital issue of InformationWeek Magazine.
On the mobile device front, a full quarter of respondents say smartphones and tablets represent a significant threat to security. Loss or theft is IT's greatest concern when it comes to mobile devices, a result unchanged from 2011. And for good reason: end users are more likely to leave a tablet in a cab or have a smartphone snatched than they are to download a malicious app. That's why we recommend having the right tools in place. For instance, mobile device management software can remotely wipe data, protecting the organization from a potentially messy information leak.
It's clear from our survey that organizations today take cloud security much more seriously than in the past. The number of respondents that conduct their own risk assessments of cloud providers jumped to 29% this year, from 18% in 2011. Even better news is that the number of companies that don't bother with a risk assessment dropped by almost half compared to 2011. Another 9% of respondents want to conduct risk assessments but are stymied by uncooperative providers. If IT pros are shopping for a cloud service, pushback on a risk assessment may be a red flag. What hasn't changed among our respondents is perceived cloud risks. Top worries include leaks of customer data from a cloud, and security defects in the providers' systems. These were also the top two concerns last year.
Finally, our report drills into data on secure software development. This is an important component of an overall risk management practice because flaws and defects in software can be exploited by attackers for malicious purposes. One recommendation is for organizations to invest in a secure software development lifecycle (SDLC). Only a third of our 946 respondents have formal secure SDLC processes in place. That's a number that needs to grow. For those that do use a secure SDLC, 33% rate it as very effective.
This year's report also introduced new questions to the survey, including whether organizations have purchased insurance policies against security breaches. Almost a fifth of respondents have done so. Unfortunately, this may not be money well spent. It's difficult for anyone to accurately estimate the costs of a breach, including cleanup and remediation, so your policy may not cover the true extent of the damage. If IT pros really want good insurance, they need to focus their efforts around sound risk management practices and leave the actuarial tables to hurricanes and car crashes.
We’ll be sure to post the full results of this year’s survey when they become available. Stay tuned.