News Release

Security Professionals Taking New Threats in Their Stride

Poll Places Theft of Information and Regulatory Compliance at Top of Chief Security Officers' Agenda, but Board-Level Buy-In Remains Elusive

VoIP Vulnerabilities Not Perceived as Significant
Apr 17, 2007

LONDON, April 17, 2007 - Research published today by Cisco® finds that corporate officers responsible for network security don't worry as much as they used to about computer viruses and unauthorized access. The second annual poll of information technology (IT) security chiefs across large UK enterprises found that 38 per cent of respondents place theft of information as their number one concern, whilst 33 per cent focus on regulatory compliance.

None of the respondents described themselves as "extremely concerned" about the security of voice over Internet Protocol (VoIP) or unified communications systems, although half (49 per cent) agreed that security should be a consideration when implementing IP-based communications.

The survey, conducted by Vanson Bourne, reveals that viruses, the prime concern of 55 per cent of respondents in 2006, were cited by just 27 per cent this year. Fewer than a third of the respondents voiced worries about unauthorised access to data in 2007, compared with more than 50 per cent in 2006.

The poll shows organisations are responding assertively to rapid changes in the security landscape. Almost two-thirds (60 per cent) describe their organisations as "more secure" or "much more secure" compared with a year ago.

The survey also points to increased concern over the risks posed from within the organisation. Forty-three per cent of respondents (compared with 33 per cent in 2006) said they were more concerned with internal threats, such as staff passing on confidential information or stealing intellectual property.

"This survey shows just how far the information security market has progressed over the past year," says Paul King, senior security advisor for Cisco. "In 2006, security concerns were focused on mitigating specific, typically external threats, but our research finds that security professionals are taking a more business-oriented approach in 2007. They are concentrating on safeguarding the information at the heart of the business, regardless of the form the attacks may take or where they may originate. As organisations become more aware of the risk to the business from the theft of corporate information, they are looking at the overall threat and not simply concentrating on the firewall as protection from the outside world."

Despite their widening remit, however, security professionals continue to experience mixed fortunes when it comes to airing their views in the boardroom. As in 2006, only half of respondents (52 per cent, compared with 54 per cent in 2006) said that IT security was a board-level issue at their organisation. In addition, a significant minority - one in 10 - still only takes a reactive approach to security management.

"Outside the government or financial sectors, the imperative to discuss information security at board level simply is not strong enough. Executives themselves may simply expect IT infrastructure to be secure by default, and are often surprised when vulnerabilities emerge. Organisations need to realise that security needs to start at the top of the organisation and it should be seen as everyone's responsibility: giving employees regular training and encouraging a positive security culture across the organisation. From an implementation perspective, this involves defence-in-depth and building security features into every device on the network - from PCs and IP handsets to servers, routers and even applications themselves," King adds.

"Targeted attacks - which use a range of tactics on an organisation to achieve pre-determined objectives - have dominated the headlines recently and have had a devastating impact on the victims' reputations. A 'defence in depth' strategy - coupled with a comprehensive and ongoing awareness effort - is the only approach that can offer real protection."

About the Research

Vanson Bourne conducted a survey of 100 security professionals - IT directors, CIOs or executives with similar responsibility for information security - in companies with more than 1,000 employees during March 2007.