Reed Exhibitions conducted the survey with Network Intelligence Corp. at the InfoSecurity 2003 event in New York City Dec. 10-11. The survey was answered by 87 of the 2,000 security executives and professionals who attended the event. Some of the highlights:
The network will never be 100% secure, 66% of the respondents answered. At the other extreme, 27% responded that the network will be 100% secure within one to five years.
The most feared potential source of corporate security breaches was "unknown hackers," cited by 40%, followed by current employees, feared by 32%. On security compliance, given the growing number of regulations such as the Sarbanes-Oxley Act, the greatest concern was the threat from current employees, cited by 47%, followed by unknown hackers, cited by 30%.
Most of the respondents, 65%, knew of between 10 and 25 security breaches in the past year. Some 18% reported experiencing fewer than 10 security breaches; and 5% reported knowing of between 75 and 150 breaches in the past year.
Half the respondents, 52%, reported the number of breaches experienced in the past year had stayed the same as the year before. Some 20% said the number is increasing, and 29% reported the number of incidents in the past year decreased.
Nearly 50% of respondents expect the number of security breaches in 2004 to be greater than in 2003; 22% expect fewer; and 13% anticipate the same level.
Over 56% of the respondents are increasing security budgets in 2004; 1% will decrease spending; 42% will keep spending at the same level.
Firewalls ranked as the number one priority for spending. Security event management and intrusion detection/intrusion prevention were tied for second.
The California Database Security Breach Notification Act (SB 1386) requires that customers be alerted to a breach. Fewer than 7% of respondents knew of having to report a security breach to a customer as required by SB 1386.
Characterizing the focus of their IT organizations, 34% responded that their company was investing in IT to improve technology infrastructure; 34% responded that their company was investing in IT to help the company grow; and 27% responded that their company is focused on cost-cutting in IT.
Positioned within overall IT priorities, 60% of respondents reported that security is a mid-level corporate concern; and 15% reported that security is either a top or low-level IT priority.