Canadian companies are more concerned with protecting their reputations than their global competitors are when they spend on information security. This is one of the findings in the latest 2006 Global State of Information Security (GSIS) Survey, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers (PwC). Fifty-three per cent of Canadian companies surveyed said their reputation was driving their information security spending, much higher than the global average of 41%.
The GSIS survey is the largest of its kind and includes the responses of almost 7,800 senior executives at companies in more than 50 countries across all industries. 250 Canadian organizations of various sizes participated, representing a wide range of sectors.
The study found that 67% of Canadian organizations actively engage both business and IT decision-makers in addressing information security issues, compared to 52% worldwide. This is a very positive finding, and suggests that Canadian companies are increasingly aware that information security is a key business issue today.
A surprise finding was that 61% of Canadian respondents surveyed have limited or no security training for the end-users of their technology: their employees. “Over the long term, organizations need to create a culture of security in the workplace, where employees recognize the threats to their organization’s information security and how they can combat them,” said Greg Murray, PwC security and privacy leader in the GTA. “This can take time but is one of the most solid defences a business can build.”
He added that Canadian organizations are still relying too much on funding from their IT budgets to pay for their security. 87% of companies in Canada said their information security budgets are part of their IT budget. This compares to 79% globally.
Almost half (48%) of companies said their information security budgets will increase in 2006 and 42% said they will stay the same. Respondents indicated that the top two barriers to better security were limited budgets and a limited number of staff dedicated to security.
When it came to staffing, 64% of Canadian organizations were found to be dedicating two or fewer full-time employees or equivalents to information security. This is above the global average of 55%. Twenty-one per cent of the companies surveyed employ a Chief Information Security Officer (CISO). Under a third of Canadian respondents said that their physical and IT security functions report to the same executive leader. This compares to 40% globally.
The 2006 GSIS survey also looked at information security and outsourcing, and found that confidence in the security of outsource vendors is not high. Forty-three per cent of respondents were not at all or only somewhat confident in their outsourcers’ security and just 20% were very confident.