Global state of information security 2006


How entertainment and media companies are addressing the security and privacy implications of an open business model: The global state of information security 2006

Results from the world's largest information security study are in. This year, responses to PricewaterhouseCoopers' and CIO magazine's Global State of Information Security study reveal that entertainment and media (E&M) companies are spending 15.8% of their IT budget on security and privacy, and 54% expect to increase spending during the next 12 months. But survey responses also reveal that security funding this year is far less likely to come from IT (37% vs. 59% in 2005). Instead, it's increasingly apt to be provided by areas of the organization that have a rapidly growing stake in security's effectiveness - such as the marketing function (16% vs. 11%) and individual lines of business (25% vs. 16%).

These are just a few of the signs that the convergence of voice, video, and data that promises potentially enormous gains in shareholder value requires more than competing in new markets, deploying unfamiliar technologies, and assuming the expanded portfolio of risks associated with a new and open business model. This convergence also requires a more strategic approach to security. Apart from a few areas of improvement, however, E&M security practices do not yet appear to reflect this emerging imperative.

Securing systems and infrastructure: E&M companies are more likely this year than last to conduct periodic risk assessments (44% vs. 38%), employ a chief information security officer or chief security officer (41% vs. 26%), and deploy vulnerability scanning tools (30% vs. 26%). But 70% of E&M companies still don't have an overall security strategy - virtually the same rate as last year - and 85% have not yet defined spending procedures to protect intellectual property.

Establishing ground rules: The brightest light of improvement this year is in security policies. E&M companies are significantly more likely to ensure their policies address key areas, such as application security segregation-of-duties (35% vs. 30%), classification of data according to its value (28% vs. 19%), and a policy enforcement mechanism (19% vs. 15%). Respondents estimate, however, that 32% of their users don't comply with these policies, and 72% of E&M companies do not conduct training programs to improve employee security awareness.

Measuring impact: Security incidents are happening more often. Only 32% of E&M respondents reported encountering none this year - down from 36% in 2005. And when events did occur, they took a toll. Four in 10 organizations suffered loss or damage to internal records. Other impacts included financial losses (22%), intellectual property theft (11%), and impacts to the organization's brand or reputation (16%).

Critical areas needing improvement
As E&M companies work to extend advanced services successfully and sustainably to customers through new content-delivery technologies and new models of value creation, executives need to focus particularly on the following critical areas:

Improving data protection
A top priority is the need to protect data - whether private employee and customer information or digitized content. Yet 71% of E&M companies do not maintain an accurate inventory of user data and only 54% secure web transactions. Most E&M companies do not encrypt stored data (64%) or data in transmission (56%). In addition, while the number of incidents involving the loss or theft of laptops and their stored data continues to rise, 80% of E&M companies do not have security standards or procedures in place for handheld and portable devices.

Strengthening access control
One of the most effective ways of managing risk to information is controlling access to structured applications. When asked the likely source of attack this year, 38% of E&M respondents pointed to either current or former employees. Despite this, 82% of E&M companies do not yet have an identity-management solution in place. In addition, only 26% use tiered authentication levels based on user risk classification.

Extending security protocols to third parties
Engaging in an open business model means that E&M company operations will be increasingly dependent upon collaboration and partnership with third-party companies that require access to shared information systems. Most E&M companies (77%), however, have not yet established security baselines for external suppliers and vendors, and only 20% keep an accurate inventory of all third parties using customer data.

To learn more about the survey, or about the Security and Privacy practice at PwC, visit:

Survey Methodology: The State of Information Security 2006, a worldwide security survey by PricewaterhouseCoopers and CIO magazine, was conducted online from April 5 to May 22, 2006. Readers of CIO magazine and CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on 7,791 responses from IT and security professionals in 50 countries. Respondent titles included CEO, CFO, CIO, CSO, and vice president, director, and manager of IT and information security. The margin of error is plus or minus 1%. Of the 161 respondents from entertainment and media industries (2% of survey), 31% were from North America, 29% from Europe, 19% from South America, and 18% from Asia.

The full article published in CIO magazine's September 15th, 2006, edition can be viewed at