50% spend too much time on security tactics, not enough on security strategy.
In past security surveys, IT executives expressed strong confidence in their information security. This year, that confidence slipped a little: Just 83 percent of IT executives believe their company’s security is adequate, compared with 90 percent in 2003. Yet respondents report fewer breaches and losses, and say they’re doing a better job of enforcing their security policies and have deployed more security technologies. Why the worries? CIOs are especially anxious about outside threats, in particular e-mail-borne viruses and worms, hackers and cyberterrorism. But our survey of 469 IT executives also found many companies are giving short shrift to developing a security strategy, monitoring compliance with security policies, and coming up with security policies for contractors, wireless LANs and instant messaging. And while nearly every company has a privacy policy in place, many are overlooking an important one: At least 29 percent do not inform customers or employees immediately when they discover private data has been stolen. IT executives need to go beyond patches and passwords, and think harder about their security and privacy policies.
To download the survey results, click here.