OK, so if you're the kind of person who reads this stuff, CIO magazine just published the findings of its Global State of Security Survey. The article is pretty interesting, but I have to say that the reports, taken as a whole, make my head hurt.
Now, don't get me wrong. I'm glad that they're publishing this information (somebody has to do it). I'm not even going to complain about the questions that they asked or how they asked them (I might have phrased them differently, but then again nobody asked for my opinion).
But I can't help getting fired up when I look, for example, at the conclusions PWC draws from the data. I won't go into all of them, or I'd be writing this for the rest of the day. But let me give you one example so you can see what I mean. PWC draws the conclusion:
"Compliance is still a priority, of course. Yet few companies have a well-rounded view of their compliance activities."
From this data:
"Although confidence that users are complying with internal security policies still runs optimistically high at 73%, most companies aren't checking. Fewer than half of all respondents say their organization audits and monitors user compliance with security policies (43%). And only 44% conduct compliance testing. (Figure 2)"
Is that true? Can you state that "few companies have a well-rounded view..." because only 43% are monitoring and 44% are testing? Well, maybe... depending on what you mean. But could an organization have a well-structured and thorough approach to compliance without doing specific policy checking? They could. What else might they be doing to supplement their view? A GRC system, perhaps? Other types of compliance activities?
My point is that the data doesn't necessarily lead to only one conclusion, and it's important to remember that there is a bit of extrapolation that's done in the analysis of that data.
Posted by Ed at October 21, 2008 01:54 PM