Chief Security Officers Reveal Business Continuity, Resiliency and Disaster Recovery the Top Security Business Concern in 2006

CSOs on Information Security Confidence
Only 7% of senior security executives are extremely confident that their organizations’ information security activities are effective with 43% very confident and another 42% reporting they are somewhat confident. A small minority of respondents (7%) are not very confident in their organizations’ security effectiveness with one percent stating they are not at all confident.

CSOs on Corporate Security
Leading the list of corporate security (e.g., physical security, facilities security, and investigations) initiatives in 2006 is the education of senior management regarding physical security (35%) with 34% reporting the education of all employees about physical security practices a top priority. Twenty-five percent (25%) consider participation in exercises that simulate security crisis responses a top priority while 22% name the evaluation and deployment of access control a priority (down from 33% in 2005).

CSOs on Risk
When it comes to spending time and resources on risks and risk-related activities, 27% of respondents will spend the most time on information security (e.g., cyber crime, data security) with 16% focusing on business continuity management and 14% on business ethics compliance. Only 4% plan to spend the majority of time and resources managing threats of terrorism.

CSOs on Responsibility
Additional findings reveal that once an IT security system is in place, the majority of respondents (66%) say the information technology (IT) department is responsible for managing the solution with only 23% reporting management is the responsibility of the security department.

CSOs on Vendor Cycles
Almost one-third of respondents (31%) report the average purchase cycle is three months to less than six months when considering major enterprise security purchases with a known vendor. Twenty-seven percent (27%) report the process takes less than three months with 16% reporting the process will exceed nine months. When the same purchase decisions are made with an unfamiliar vendor, 22% report an average purchase cycle of three months to less than six months and only 7% report a purchase cycle of less than three months.

CSOs on 2006 Goals
The majority of respondents (54%) plan to investigate data protection in 2006, with 43% researching business continuity planning and another 32% looking into privacy maters. Very few CSOs plan to investigate the growing health crisis surrounding avian flu (15%) and even fewer plan to research employee violence mitigation (10%).

Complete Results:

1. What are your organization’s top security business priorities for 2006? (Check all that apply.) (Base: 420)
Assuring business continuity, business resiliency, & disaster recovery 50%
Enforcing security policy 47%
Aligning security strategy with business goals 43%
Improving or enhancing the effectiveness of security 43%
Training & educating employees about security policies and procedures 43%
Enforcing compliance to security policy & government regulations (e.g., SOX, GLBA, EU Data
Protection Directive, C-TPAT) 39%
Validating risk assessment process and identifying new risks 31%
Defining, measuring, communicating, & justifying effectiveness of security programs 30%
Improving alignment between IT & corporate security (e.g., physical security, facilities security, investigations) 28%
Putting security policies in place 27%
Security staff development, training, & retaining 27%
Controlling security costs 20%
Securing the physical workplace/enhancing employee safety 18%
Measuring return on security investment 17%
Increasing security spending/budgets 15%
Fostering realistic executive expectations for compliance success 14%
Identifying commonality among regulation requirements & implementing security solutions holistically to address common requirements 13%
Security staff recruitment & selection 11%
Assuring acceptable levels & standards for security among supply chain partners 8%
Other 4%
Not sure 1%

2. Which of the following information security initiatives will be a priority for your organization in 2006? (Check all that apply) (Base: 420)
Conduct security risk assessment 53%
Conduct security audits 51%
Enhance network security 46%
Block unauthorized access 43%
Detect malicious programs (virus threats/hostile code) 37%
Enhance application security 34%
Monitor system activity 32%
Monitor user compliance with security policy 31%
Conduct penetration testing 30%
Identify intrusion attempts 28%
Discover unauthorized devices 27%
Define role based access control strategy 24%
Evaluate/deploy encryption technology 24%
Evaluate/deploy intrusion detection tools 24%
Enhance telecommunication security 21%
Evaluate/deploy identity provisioning solution 20%
Evaluate/deploy reduced or single sign-on 20%
Integrate security systems 20%
Evaluate/deploy secure remote access 18%
Evaluate/deploy data encryption technologies 17%
Evaluate/deploy enhanced operating system security 15%
Evaluate/deploy network firewalls 14%
Evaluate/deploy personal or end-user firewalls 14%
Evaluate/deploy application firewalls 13%
Obtain staff certifications 13%
Evaluate/deploy secure data backup solutions 13%
Evaluate/hire information security staff 12%
Evaluate/deploy a public key infrastructure (PKI) 11%
Evaluate/deploy biometric solution 11%
Evaluate/deploy smart card solution 11%
Set technical and control objectives 11%
Evaluate outsourcing certain aspects of information security organization 8%
Other 6%
Not sure 5%

3. Which of the following corporate security (e.g., physical security, facilities security, and investigations) initiatives will be a priority for your organization in 2006? (Check all that apply.) (Base: 420)
Educate senior management about physical security 35%
Educate all employees (except senior management) about physical security 34%
Participate in tabletop exercises to simulate various responses to security threats 25%
Evaluate/deploy access control solution 22%
Evaluate/deploy employee identification badging 18%
Harden access at remote facilities 18%
Strengthen/create relationship(s) with law enforcement 18%
Deploy CCTV surveillance system 17%
Evaluate/deploy loss prevention solutions 12%
Reduce inventory loss/theft/shrinkage 11%
Conduct a red team penetration test of physical facilities 10%
Evaluate/deploy visitor or employee screening solution(s) to prevent the introduction of unauthorized materials (i.e. weapons, explosives, narcotics, etc.) into the workplace 10%
Manage protection of employees traveling abroad 9%
Contract with a background examination firm 8%
Evaluate/deploy a document destruction service or device(s) 8%
Evaluate/deploy automated surveillance system 8%
Restrict the presence of camera-enabled cell phones in the workplace 7%
Evaluate/hire physical security staff 6%
Contract with a guard service 5%
Evaluate outsourcing certain aspects of physical security organization 5%
Evaluate/deploy hazardous chemical detectors and/or biological agent detectors 4%
Evaluate/hire a risk management consultancy 4%
Outsource some aspect of operation (i.e. guard service, monitoring, background exams, etc.) 4%
Initiate an employee substance abuse screening policy/program 2%
Evaluate/hire an executive recruiter 1%
Other 5%
Not sure 15%

4. Which of the following risks or risk-related activities will your organization spend the most time and resources managing in 2006? (select only one) (Base: 415)
Information security (e.g., cyber crime, data security) 27%
Business continuity management 16%
Business ethics compliance (e.g., Sarbanes/Oxley) 14%
Privacy/data protection 13%
Corporate security (e.g., access control, cameras/surveillance, security officers, etc.) 13%
Terrorism (e.g., WMD, chemical, biological, etc.) 4%
Intellectual property loss 3%
Investigations 3%
Security program management (e.g., C-TPAT, RFID, etc.) 3%
Workplace violence 1%
Other 1%
Not sure 2%

5. What is the #1 factor driving security investment in your organization? (select one only) (Base: 417)
Regulation and compliance (from govt., industry, or internal mandates) 43%
Self-directed decisions by CSO or senior security executive based on needs assessments 17%
Requirements from board of directors, corporate management, business units, and/or customers 9%
Maintaining existing programs 5%
Industry-specific risks and/or threats 5%
Corporate image/legal liability 5%
Risk of financial loss 5%
Risk of theft of intellectual property or proprietary information 5%
Current terrorist threat and/or war environment 3%
Other 3%
Not sure 1%

6. How critical of a priority is monitoring and preventing confidential data leakage over HTTP/s? For example, an employee sending confidential customer data or intellectual property to a personal email account? (Base: 414)
Critical priority 27%
High priority 44%
Low priority 18%
Not a priority 4%
Not sure 8%

7. How high of a priority is securing FTP transitions to prevent transmission of confidential data to unauthorized parties? For example, customer data or source code being transmitted via FTP to an unauthorized vendor or partner. (Base: 416)
Critical priority 32%
High priority 42%
Low priority 15%
Not a priority 5%
Not sure 7%

8. Once an IT security system or solution is in place, which department is responsible for managing/overseeing it? (Base: 417)
IT department 66%
Security department 23%
Other 9%
Not sure 2%

9. Considering major enterprise security purchases, what is the average purchase cycle for a vendor you are already familiar with or have experience with? (Base: 418)
Under one month ...4%
One month to less than 3 months 23%
3 months to less than 6 months 31%
6 months to less than 9 months 13%
9 months to one year 7%
One year or longer 9%
Not sure 13%

10. Considering major enterprise security purchases, what is the average purchase cycle for a vendor you are NOT familiar with or DO NOT have experience with? (Base: 415) Under one month 1%
One month to less than 3 months 6%
3 months to less than 6 months 22%
6 months to less than 9 months 24%
9 months to one year 14%
One year or longer 15%
Not sure 17%

11. How confident are you that your organization's information security activities are effective? (Base: 420)
Extremely confident 7%
Very confident 43%
Somewhat confident 42%
Not very confident 7%
Not at all confident 1%
Not sure 1%

12. What is your primary job title? (Check one only) (Base: 418)
CSO (Chief Security Officer) 7%
CISO (Chief Information Security Officer) 13%
Chief Risk/Privacy/Compliance Officer 1%
CIO/CTO 4%
CEO, President, Owner, Partner 2%
CFO, Treasurer, Controller 1%
COO, Gen. Mgr., Exec. Dir., Managing Dir. 1%
EVP, Sr. VP, VP of Security 3%
EVP, Sr. VP, VP of Operations 1%
EVP, Sr. VP, VP of IS/IT/Communications/Networking 3%
Director/Manager of Security 27%
Director/Manager of Finance/Accounting 1%
Director/Manager of Operations 2%
Director/Manager of IS/IT/Communications/Networking 13%
Director/Manager of Risk/Privacy/Compliance 2%
Government/Military Titled Personnel 5%
Consultant 4%
Staff 5%
Other 5%

13. To whom do you report? (Base: 413)
Chairman or CEO 13%
President 4%
COO 6%
CFO 4%
VP Finance/Administration 5%
Other non-IT officer or assistant officer 10%
CSO/CISO or top security executive 7%
Director of Security 9%
Other security manager 3%
CIO/CTO or top IS executive 24%
IS/IT Director 11%
Other IS/IT manager 4%

14. Which of the following describes your level of responsibility with regards to your organization's security? (Check all that apply.) (Base: 420)
Responsible for IT security 66%
Responsible for compliance and business conduct 47%
Responsible for corporate security (e.g., physical security, facilities security, and investigations) 42%

15. Please estimate what your organization's formal budget for all SECURITY products, systems, services and/or staff will be in 2005. Please include budget for hardware, software, services, and staff for both IT security and corporate security (e.g., physical security, facilities security, and investigations). (Base: 413)
$250 million or more 3%
$100 million to $249.9 million 1%
$50 million to $99.9 million 1%
$25 million to $49.9 million 2%
$10 million to $24.9 million 4%
$5 million to $9.9 million 10%
$1 million to $4.9 million 22%
$500,000 to $999,999 7%
$250,000 to $499,999 9%
$100,000 to $249,999 7%
$50,000 to $99,999 6%
Less than $50,000 4%
Average $16.7 million

Not sure/not applicable 10%
Decline to answer 14%

16. Including expenditures made through your organization's formal security budget as well as those charged back to other departments and/or business units, please estimate what your organization's total expenditures on SECURITY products, systems, services and/or staff will be in 2005. Please include expenditures for both IT security and corporate security (e.g., physical security, facilities security, and investigations). (Base: 414)
$250 million or more 4%
$100 million to $249.9 million 1%
$50 million to $99.9 million 2%
$25 million to $49.9 million 3%
$10 million to $24.9 million 8%
$5 million to $9.9 million 9%
$1 million to $4.9 million 20%
$500,000 to $999,999 7%
$250,000 to $499,999 8%
$100,000 to $249,999 4%
$50,000 to $99,999 5%
Less than $50,000 4%
Average $22.5 million

Not sure/not applicable 12%
Decline to answer 15%

17. Approximately how many people are employed by your entire organization or enterprise? (Please include all plants, divisions, branches, parents, and subsidiaries worldwide.) (Base: 415)

100,000 or more 8%
50,000 to 99,999 7%
30,000 to 49,999 7%
20,000 to 29,999 6%
10,000 to 19,999 8%
7,500 to 9,999 5%
5,000 to 7,499 7%
2,500 to 4,999 15%
1,000 to 2,499 12%
500 to 999 14%
Less than 500 12%
Average 20,497

Not sure 2%

18. Please select the dollar amount that best represents the annual gross sales or revenues for your organization or enterprise (include all plants, divisions, branches, parents, and subsidiaries worldwide). (Base: 410)
$40 billion or more 7%
$30 billion to $39.9 billion 3%
$15 billion to $29.9 billion 4%
$10 billion to $14.9 billion 5%
$5 billion to $9.9 billion 8%
$2 billion to $4.9 billion 6%
$1 billion to $1.9 billion 7%
$500 million to $999.9 million 9%
$300 million to $499.9 million 4%
$100 million to $299.9 million 8%
$50 million to $99.9 million 3%
Less than $50 million 9%
Average (excludes n/a, unsure) $8.6 billion

Not applicable (e.g., non-profit, government, union) 17%
Unsure 9%

19. What is your organization's primary business? (Base: 417)
Finance/Banking/Accounting 14%
Government: State or Local 11%
Government: Federal (including Military) 10%
Health Care/Pharmaceuticals/Medical Services 8%
Manufacturer of Other Products (non-computer related) 7%
Education 6%
Telecommunication, Electric, Gas 6%
Computer and Data Processing Services/Consulting 5%
Insurance 5%
Wholesale or Retail Trade (non-computer related) 4%
Aerospace/Defense Contractor 3%
Business Services (other than computer) 3%
Law Enforcement 2%
Manufacturer of Computers, Communication or Peripheral Equipment 2%
Real Estate/Legal Services 2%
Transportation: Land, Sea or Air 2%
VAR, VAD, Systems or Network Integrator 2%
Communications Carriers 1%
Computer Related Retailer/Wholesaler/Distributor 1%
Internet Service Provider 1%
Mining/Construction/Petroleum/Refining/Agriculture 1%
Publishing, Broadcast, Advertising, Public Relations 1%
Research and Development 1%
Other 7%

20. Which of the following topics are you planning to investigate/learn more about, and/or address in 2006? (Base: 420)
Data protection 54%
Business continuity planning 43%
Privacy 32%
Document retention issues 29%
Electronic crime prevention 26%
Legal issues 25%
Corporate integrity (ethics compliance, governance, etc.) 25%
Avian flu pandemic 15%
Employee violence mitigation 10%
Other 8%
None of the above 3%
Not sure 3%

Methodology
CSO magazine conducted this online survey between January 25 and February 10, 2006 among chief security officers and other security executives who subscribe to CSO magazine. An email invitation containing a link to the survey was sent to 15,000 CSO subscribers, receiving 420 completed surveys. Respondents have average company revenues of $8.6 billion, control average security budgets of $16.7 million and an average number of 20,497 employees. CSO subscribers are pre-qualified security executives with security purchasing authority at their organizations. The sample was chosen using an nth select across the CSO magazine subscriber circulation. Results have a +/- 4.8% margin of error.

About CSO Magazine
Launched in 2002, CSO magazine, its companion website (www.CSOonline.com) and the CSO Perspectives™ conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets—from people to information and financial value to physical infrastructure. The magazine is read by 27,000 security leaders from the private and public sectors. The U.S. edition of the magazine and website are the recipients of 50 awards to date, including the American Society of Business Publication Editor’s Magazine of the Year award as well as five Jesse H. Neal National Business Journalism Awards and Grand Neal runner-up honors two years in a row. Licensed editions of CSO magazine are published in Australia, France and Sweden. The CSO Perspectives™ conference, the first face-to-face conference designed for CSOs and featuring speakers from the national stage and the CSO community, offers educational and networking opportunities for pre-qualified corporate and government security executives. CSO magazine, CSOonline.com and the CSO Perspectives conference are produced by International Data Group’s award-winning business unit: CXO Media Inc.

About CXO Media, Inc.
CXO Media Inc. produces award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business, including CIO, CSO magazines and websites, Darwinmag.com and the CIO Executive Council. CXO Media is a subsidiary of International Data Group (IDG), the world's leading technology media, research and event company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World, and PC World. The company features the largest network of technology-specific websites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo®, Macworld Conference & Expo®, DEMO®, and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at http://www.idg.com.