The 2007 global security survey of more than 100 organizations reveals that 46 percent of companies surveyed do not have a formal information security strategy in place. Despite this lack of a formal security strategy for nearly half the respondents, 69 percent report they are “very confident” or “extremely confident” about their organization’s effectiveness at tackling external security challenges.

“The technology, media & entertainment and telecommunications (TMT) industries are still in a reactive mode when it comes to their approach to security,” said Rena Mears, Deloitte global and U.S. privacy and data protection leader. “A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company’s overall business strategy, business requirements, and key business drivers.”

Additional findings include:

Just 7 percent of TMT companies believe they are prepared for future security threats. In the past year, only 5 percent of companies increased their security investment by 15 percent or more. And half allocated less than 3 percent of their IT budget to security.

Need More Resources

Only 38 percent of companies believe their organization has all the skills and capabilities they need to respond effectively and efficiently to security challenges.

Only 62 percent of respondents believe that security is a key imperative at the board or executive level.

With more and more people working outside the office – whether it is at home, in the car, or in a local coffeehouse – businesses must adopt an end-to-end security strategy that spans the extended enterprise. This model requires that enterprises pay close attention to the security of their mobile workers as well as the security capabilities of their business partners.

The study also revealed a concern amongst respondents in the area of insider threats, with only 56 percent displaying confidence in addressing employee misconduct, whether it is deliberate or accidental. 

The convergence of physical and information security is something most TMT companies have not yet addressed, with 64 percent of respondents indicating they have done little or nothing to integrate the two.  TMT companies could be missing out on opportunities to improve both information security and physical security by thinking about their strategy holistically.

For example, an access card or wireless chip normally used to control physical access could also be used to help prevent unauthorized information access. When someone tries to log on to an information system, the system could connect with the company’s physical security systems to make sure the person associated with that user ID is actually present in the building. If not, it could deny access and trigger a silent alarm.
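The presence check described above, sketched as an added example (not code from the survey or from Deloitte). The badge-event format, the user IDs and the 16-hour staleness limit are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
MAX_PRESENCE = timedelta(hours=16)  # assumed policy: an older "in" event is stale

# Constructed sample badge-reader events: (timestamp, user_id, direction).
BADGE_EVENTS = [
    ("2008-01-14 08:02", "asmith", "in"),
    ("2008-01-14 12:10", "asmith", "out"),
    ("2008-01-14 12:55", "asmith", "in"),
    ("2008-01-14 08:30", "bjones", "in"),
    ("2008-01-14 17:45", "bjones", "out"),
    ("2008-01-13 09:00", "cwong", "in"),  # never badged out the day before
]

def last_event(user_id, at):
    """Return (time, direction) of the user's latest badge event at or before `at`."""
    seen = [(datetime.strptime(ts, FMT), d)
            for ts, u, d in BADGE_EVENTS if u == user_id]
    seen = [e for e in seen if e[0] <= at]
    # On identical timestamps "out" sorts after "in", so ties fail closed.
    return max(seen) if seen else None

def check_logon(user_id, at_str, alarms):
    """Allow an on-premises logon only if the badge system shows the user inside."""
    at = datetime.strptime(at_str, FMT)
    event = last_event(user_id, at)
    if event is None:
        reason = "no badge record"
    elif event[1] != "in":
        reason = "badged out"
    elif at - event[0] > MAX_PRESENCE:
        reason = "stale badge-in"
    else:
        return "allow"
    # Silent alarm: recorded for the security team; the caller only sees "deny".
    alarms.append((at_str, user_id, reason))
    return "deny"

if __name__ == "__main__":
    alarms = []
    for user, when in [("asmith", "2008-01-14 13:30"), ("bjones", "2008-01-14 18:00"),
                       ("cwong", "2008-01-14 10:00"), ("dlee", "2008-01-14 09:00")]:
        print(user, when, check_logon(user, when, alarms))
    print(alarms)
```

A check like this only fits logons made from inside the building; the mobile workers discussed earlier would need a separate policy path rather than a blanket denial.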

Maturity Will Help

There are signs that smarter security strategies will emerge in 2008 as the number of Chief Information Security Officers (CISOs) appointed in the companies surveyed increased from 57 percent to 65 percent in the past year. CISOs are still not industry standard among corporate officers, yet they are one of the keys to effective information governance. The survey revealed that only 13 percent of CISOs have a tenure of over 10 years, whereas the highest percentage, 39 percent, reported having held a CISO position for just three to five years, indicating that there is still an upward trend toward governance frameworks overall.

“In order to get ahead of the problem, businesses must increase their security efforts and investments and think more strategically than simply reacting to emerging threats,” said Mears. “The bottom line, there is a lot of work to be done.”

For the second year, Deloitte conducted an in-depth survey of security practices at more than 100 organizations around the world. Respondents included companies from across all three sectors, 44 percent of which employ between 5,000 and 50,000 employees and 47 percent of which report revenue between $1 billion and $10 billion.