Only one-third of firms can quantify the financial impact of a data breach

In addition, only 45% of companies are strongly (that is, extremely or very) confident in identifying their most critical security threats, and only 47% are strongly confident that they have appropriate controls in place to protect their crucial data, according to McAfee’s State of Security 2012 report.

The survey was conducted by Evalueserve for McAfee and included responses from 495 organizations with at least 1,000 employees in the United States, Canada, United Kingdom, Germany, France, Brazil, Australia, Singapore, and New Zealand.

“We are still struggling in industry with making security an integral part of the business operation”, said Jill Kyte, vice president of marketing at McAfee. “This is what I see as a big gap”, she told Infosecurity.

One-third of organizations have either not purchased or not yet implemented next-generation security technologies designed to address current threats. These security technologies include gateway URL filtering, embedded security products, virtualized environment security, data leakage prevention, vulnerability assessment, mobile security, application whitelisting, and next-generation firewall.

Despite having formal strategic plans in place, 34% of the companies believe they are not adequately protected against information security risks that could impact their business.

Kyte noted that 24% of companies never rehearse a security incident scenario or they only do so after a breach. “That’s a little scary in light of folks just waiting around for something to happen versus having some confidence that what they put in the plan is not just sitting on a shelf”, she added.

A majority of the respondents said that they included consideration of potential threats and the associated risk to business and financial analysis in their strategic security plan. Two out of every five organizations have either an informal or ad hoc plan or no strategic security plan in place. Six of every 10 large enterprises have a formal plan, two out of every three mid-size enterprises have a formal plan, while this ratio dips to only one in two small enterprises.

Organizations in North America and Germany are more likely to have a formal strategic security plan than those organizations in other regions of the world. This may be attributed to the regulatory environments in those countries, McAfee observed.

Top security priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure.

To assist businesses in developing a strategic security plan, McAfee has put together a book called the Security Battleground: An Executive Field Manual. “What we did with the development of the Security Battleground book was try to put together the highlights of how a security-obligated executive can guide their organization and understand what the issues are in developing a security plan”, Kyte said.
 
