Managing Complexity Still Top Security Challenge, Prompting Increase in Security Spend, According to Security Survey

U.S. companies plan to spend 12 percent of their IT budgets on security, Chinese companies expect to spend 19 percent

PRNewswire
NEW YORK
(:UBM.L)
Jul 16, 2007

NEW YORK, July 16 /PRNewswire/ -- Managing the complexity of security continues to be the number one challenge for organizations around the globe, followed closely by preventing security breaches, enforcing security policies and spreading user awareness. These challenges have prompted plans for a significant increase in security spending in the coming year, according to a 2007 survey by Accenture (NYSE: ACN) and CMP Technology's InformationWeek.

The tenth annual survey of nearly 3,000 IT professionals from the U.S. and China also revealed that the security challenges, plans and priorities of Chinese companies are aligning more closely with U.S. organizations. Chinese companies are taking a more sophisticated approach to their security posture - - in fact, they expect to spend an average of 19 percent of their IT budgets on security, compared to 12 percent for U.S. organizations.

"Business Technology executives and security professionals still do not have their arms around the security issues despite current and planned increases in spending," said Rob Preston, Editor-in-Chief of InformationWeek. "The challenge is extremely complex and the need for information security literally everywhere, from computing devices to networks to applications, is only accelerating the challenge."

  Survey highlights and trends include:
  -- Security spending is expected to grow significantly this year. Thirty-
     nine percent of the respondents in the U.S. and 55 percent of the
     respondents in China expect security spending to increase this year
     compared with 2006.

  -- IT professionals in China perceive themselves to be more vulnerable
     than their counterparts in the U.S. Fifty-eight percent of respondents
     in China feel their organization is more vulnerable to malicious code
     attacks and security breaches than a year ago, versus 16 percent of
     respondents in the U.S. Vulnerability is attributed to increased
     sophistication of such threats as SQL injection, more ways to attack
     corporate networks, including wireless, and an increased volume of
     attacks.

  -- Assessing security risk and then modifying plans and budgets
     accordingly is problematic across the board. More than 20 percent of
     U.S. companies and nearly a quarter of Chinese companies do not
     regularly assess security risk and threats. Of those who do regularly
     assess risk, only 34 percent of U.S. companies and 39 percent of
     Chinese companies use the information strategically to drive budgets
     and planning.

  -- Measuring the value of security is difficult. Forty-three percent of
     U.S. companies measure value in terms of fewer worker hours spent on
     security-related issues. Twenty-four percent of respondents do not even
     attempt to measure the value of security investments.

"Organizations in the U.S. and China are spending more on information security yet it seems they are uncertain why," said Dr. Alastair MacWillson, managing director of Accenture's Security Practice. "Without fully understanding risk and its strategic impact and without systematically measuring value it is difficult to recognize how security can enable high performance."

  Threat Response and Risk Management
  -- Top ranking tactical security priorities for both the U.S. and China in
     the coming year include installing better access controls, securing
     remote access and installing monitoring software.

  -- Consistent across geographies, viruses and worms pose the biggest
     security threat. Over the past year, 68 percent of Chinese companies
     and 49 percent of U.S. companies suffered from computer viruses,
     followed by 55 percent and 35 percent, respectively, from worms. As a
     result, 65 percent of U.S. respondents and 75 percent of Chinese
     respondents said dealing with viruses and worms are a top priority,
     followed by spyware or malware and then spam.

  -- The primary methods of attack differ across geographies. Over the past
     year, U.S. and Chinese companies both suffered when known operating-
     system vulnerabilities (43 percent and 66 percent, respectively) and
     known application vulnerabilities (24 percent and 41 percent,
     respectively) were exploited. In China, however, companies also
     suffered from exploited access control (38 percent) and database
     vulnerabilities (30 percent), attacks that were not as prevalent for
     U.S. organizations (18 percent and 7 percent, respectively).

  -- In both regions, companies suspected computer hackers, malicious coders
     and unauthorized users to be responsible for breaches or espionage in
     the past year.

  -- Chinese companies have fallen victim to public data breaches five times
     more often than U.S. companies. Thirty-two percent of Chinese companies
     suffered from a publicized data breach or data loss over the past year,
     compared with only six percent of U.S. companies.

  Compliance and Data Privacy
  -- Over the past 12 months, respondents in both the U.S. and China said
     improved storage management and improved document management have been
     beneficial to achieving regulatory compliance. In the U.S., improved
     infrastructure security was also considered helpful, and in China,
     classified e-mail content has been beneficial.

  -- The U.S. more aggressively monitors employee activities, with more than
     half monitoring e-mail use, compared with 34 percent of Chinese
     companies. In the U.S., 40 percent of respondents monitor web-site use,
     compared with a quarter of their Chinese counterparts. Thirty-five
     percent of U.S. companies monitor phone usage versus 22 percent of
     Chinese respondents. Instant message monitoring is nearly even across
     the U.S. and Chinese with 29 percent and 30 percent, respectively.

  Security Responsibility
  -- C-level responsibility for security budget and policy differ across
     regions. CEOs and presidents hold the purse strings for security
     spending for 53 percent of U.S. companies, while the majority of
     security policies are made by CIOs and directors of information
     services/IT. In China, the majority of security spending is determined
     by CFOs and finance directors, with policies set by CEOs and
     presidents. In both regions, the majority of Chief Information Security
     Officers or equivalent, report directly to the CEO.

  -- Sixty-two percent of companies in China are attempting to integrate
     physical and IT security, compared to 36 percent of companies in the
     U.S.

  Security Vendors and Outsourcing
  -- Price is the dominant factor in security product or service selection
     in both the U.S. and China. Sixty-four percent of U.S. respondents and
     48 percent of Chinese respondents said price was the most important
     determinant in selecting security products and services, followed
     closely by the overall technical strength of the product.

  -- Chinese companies are more likely to use a managed security provider
     for security functions, with 36 percent currently using managed
     security providers and 31 percent planning to, versus only 13 percent
     and seven percent, respectively, of U.S. companies.

  -- The majority of companies in the U.S. expect to spend the same amount
     on security outsourcing this year compared with 2006, while the
     majority of companies in China expect to increase spending on security
     outsourcing. Sixty-six percent of U.S. companies expect security
     outsourcing to remain the same this year compared to last year and 27
     percent plan to spend more. In China, 51 percent of companies plan to
     spend more and 45 percent expect to spend the same amount on security
     outsourcing in 2007.

  Methodology

The Information Security Survey, an editorial research product of InformationWeek magazine and Accenture conducted online during May and June 2007, examined responses from 1,101 business technology and security professionals in the U.S. and 1,991 in China.

The U.S. sample is from the subscriber base of InformationWeek Magazine and its affiliates. The sample for China was supplied from the subscriber base of InformationWeek China.

For additional information on InformationWeek, go to http://www.informationweek.com/ and http://www.informationweek.com.cn/

About Accenture

Accenture is a global management consulting, technology services and outsourcing company. Committed to delivering innovation, Accenture collaborates with its clients to help them become high-performance businesses and governments. With deep industry and business process expertise, broad global resources and a proven track record, Accenture can mobilize the right people, skills and technologies to help clients improve their performance. With more than 158,000 people in 49 countries, the company generated net revenues of US$16.65 billion for the fiscal year ended Aug. 31, 2006. Its home page is http://www.accenture.com/.

About InformationWeek

InformationWeek is the leading multimedia Business Technology brand -- online sites, magazine, events and research - providing CIOs and IT decision makers with unique perspective and tools that work in lock step with their decision making process -- from the setting of business strategies to the evaluation and recommendation of technology solutions. Through its cross-media platform, InformationWeek provides editorial content developed by both journalists and CIO and IT peers delivered when and how they want it, 24/7. For Technology Marketers, InformationWeek offers a dynamic portfolio of products to engage and align with the largest, most influential buying audience in the market. This means marketing solutions that target broad audiences (reach), as well as media programs organized by content themes and specific audience segments (composition). The InformationWeek audience of 3 million buyers, includes CIOs, IT executives and business managers who cut across industries, job titles, company sizes and global borders.

About CMP Technology (http://www.cmp.com/)

CMP Technology is a marketing solutions company serving the technology industry. Through its market-leading portfolio of trusted information brands, CMP has earned the confidence of more technology professionals than any other media company. As a result, CMP is the premier provider of access, insight and actionable programs designed to connect sellers and buyers in ways that yield superior return on investment. CMP Technology is a subsidiary of United Business Media (http://www.unitedbusinessmedia.com/), a global provider of news distribution and specialist information services with a market capitalization of more than $3 billion.

  Contact: Lisa Smith
           Managing Editor/Research, InformationWeek
           516.562.5043
           lcsmith@cmp.com

SOURCE: CMP Technology

CONTACT: Lisa Smith, Managing Editor-Research, InformationWeek,
+1-516-562-5043, lcsmith@cmp.com

Company News On-Call: http://www.prnewswire.com/comp/141739.html