Journal Online

rafael etges is the national practice manager of the governance, risk and compliance group at TELUS Security Solutions. Etges brings 14 years of consulting experience at major consulting groups in South and North America. Etges has extensive experience in corporate and IT governance, information security policy development, information security program management, and auditing. Walid hejazi is a professor of business economics at the Rotman School of Management at the University of Toronto (Ontario, Canada). He has published extensively in more than 40 business journals and publications. In keeping with the spirit of Rotman, Walid balances his research activities by helping many of Canadas leading organizations leverage research to decide new strategies and initiatives. alan lefort is the director of product management at TELUS Security Solutions. Lefort is responsible for the development and marketing of all managed security services, professional services and technology integration services. Additionally, Lefort has taught several courses on security at the University of Toronto.

A Study on Canadian IT Security Practices

Increasingly, information is the source of competitiveness for businesses and organizations of all kinds. This involves collecting, managing and analyzing information both to execute transactions as well as to develop strategies to engage customers either in a business-to-consumer or a business-tobusiness environment. Simply put, not having the ability to collect and store information safely will severely limit the success and growth potential of any business or organization. Given the strategic importance of information and IT systems, IT security is an integral part of the competitive strategy of any business. IT security gives customers confidence to provide information. Conversely, a lack of IT security can undermine the success of business, as customers shy away from any IT system that is not perceived to be secure. IT security breaches come with significant direct and indirect costs. The direct costs involve those related to notifying relevant parties of the compromised information, actions that must be taken to avoid financial losses that may stem from the security breach, and deploying a solution to avoid a similar security breach in the future. Indirect costs are far more difficult to calculate, and include the loss in business as customers move to businesses or organizations that have a more secure, either actual or perceived, IT system. Such breaches have been linked also to reductions in brand values. There are many studies available that document the state of IT security, but these are either global or US centric, or specific to certain industries. To better understand the nature of IT security in Canada, TELUS Corporation and the Rotman School of Management (a department within the University of Toronto) have partnered in the preparation of a survey that provides clarity on the state of IT security in Canada. This article provides the results of that survey and also undertakes an extensive analysis of the responses. Three hundred IT security specialists were surveyed on several aspects of IT security in their businesses or organizations. The survey collected information in the following areas: Respondent information Organization information Overall IT security posture (satisfaction) IT security governance IT security budgets IT security breaches IT security initiatives The extent to which organizations outsource IT security Concerns around the US Patriot Act State of It SecurIty In canada compareS Well agaInSt uS counterpartS Canada has caught up with the US in terms of security investment, and this has been driven by requirements to comply with Canadian regulations such as Payment Card Industry (PCI) Data Security Standards (DSS) and Canadas Personal Information Protection and Electronic Documents Act (PIPEDA). This catching up has come at a cost: organizations have not developed the skill sets and organizational maturity required to fully leverage their investment. For example, there is significantly less accountability in organizations where security policy is determined in Canada, relative to organizations where security policy is determined in the US, Europe or Asia. There are also dramatic differences in the extent to which security is linked to personal performance evaluation. In particular, in Canada, about 40 percent of respondents indicate that security is part of their personal performance evaluation, whereas this number is 50 percent in the US and 85 percent in Europe and Asia. Generally speaking, the maturity of compliance programs in Canada lags that of the US, and this is reflected in lower tendencies to measure security performance, communications related to risk and security, and attitudes toward accountability. technology adoptIon IS up, But SatISfactIon IS loW When contrasting investments by organizations that are very satisfied with their security posture relative to those that are not, the most pronounced differences in technology adoption was the extent of usage of encryption, notably storage encryption, followed by e-mail encryption and finally database encryption. 1

ISACA JOURNAL VOLUME 2, 2009

Technologies mandated as part of compliance, such as log management, are being implemented, but maturity and satisfaction levels are very low. The low satisfaction indicates that Canadian companies are still not deriving full utility from their investments. outSIder BreacheS SlIghtly hIgher, InSIder BreacheS loWer When compared to their US counterparts from the 2007 Computer Security Institute (CSI) Survey, Canadian respondents on the whole indicated they have experienced fewer breaches. Regarding breaches that are more associated with outsiders, such as phishing, misuse of public web applications, or viruses and malware, Canadian organizations reported in at slightly higher. For breaches relating to insider activity, results were much different. Regarding breaches related to abuse by employees or insiders, about one in six Canadian respondents reported a breach, whereas the number was closer to three out of five in the CSI survey, suggesting that an insider-related breach was slightly more than three times as likely to occur in a US organization. Breach coStS rISIng: canada reportS hIgher Breach coStS compared to uS In 2007 The annual losses associated with breaches according to all respondents were calculated at CAD $423,469. For Canadian-owned companies, the average annual loss was CAD $397,887; for US-owned companies doing business in Canada, the average annual loss was CAD $499,859. For organizations doing business in Canada with headquarters in Europe, South America or Asia, the average annual loss due to breaches was CAD $449,950. The average annual loss for a private company was CAD $293,750, for publicly traded companies CAD $637,500 and for government CAD $321,429. These figures compare to the average loss per respondent in the US CSI survey at US $345,000 in 2007, up substantially from US $167,713 in 2006. hoW an organIzatIon SpendS on SecurIty JuSt aS Important aS hoW much Not every type of organization fared the same in terms of satisfaction with security posture. Government respondents were least satisfied with their security posture, with only 3 percent of respondents indicating they were very satisfied. This contrasts with 23 percent of respondents in publicly held companies and 20 percent in privately held companies. When the satisfaction threshold is lowered from very satisfied 2
ISACA JOURNAL VOLUME 2, 2009

to satisfied, government respondents fared somewhat better, with 70 percent satisfaction compared to 75 percent in publicly traded companies and 73 percent in privately held companies. Overall, IT security satisfaction does not necessarily increase with spend. Based on the investment strategies reported by respondents, there is dissatisfaction for budgets below 5 percent. However, as budgets rise above 5 percent, there is a significant increase in satisfaction (satisfaction almost doubles), suggesting that a security investment threshold must be met for IT security to be effective. However, after that threshold of 5 percent is met, there is very little increase in satisfaction resulting from further budget increases. Nevertheless, there seems to be a second threshold at 10 percent, but even here, the doubling in the budget on IT security yields only a 10 percent increase in satisfaction. The data indicate that increased funding is spread fairly equally across all technologies, preserving biases toward traditional network security and the continued underfunding of application security. As budgets for IT security increase, reported breaches decreased considerably, declining by one-fifth for unauthorized access to one-half for botnets and abuse of wireless security. Breaches relating to misuse of a public web application fell by 60 percent. However, there are several breaches that did not fall significantly, such as financial fraud. So, even though breaches are falling, the annual cost associated with these breaches continues to rise, thus not yielding increases in satisfaction. hIgh-performIng SecurIty profeSSIonalS are more BuSIneSS-mInded Salaries for respondents to the survey averaged CAD $90,410. The average for those in positions of director and above was CAD $106,863, and it was CAD $84,127 for those in positions lower than that of director. That is, there was a premium of CAD $22,736 for being in a higher position in IT security. Talent matters. In particular, high earners, defined as those earning more than CAD $100,000, were much more likely to have a university degree and twice as likely to have a business degree. They were also nearly twice as likely to have a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), or SANS (SysAdmin, Audit, Network, Security) Institute Certificate, but less likely to have a certificate for IT infrastructure, networking or a security vendor. Furthermore, 81 percent of high earners worked in the Canadian headquarters of the organization surveyed.

The survey found a wide variation in compensation across organizational types. Forty-seven percent of respondents from privately held organizations were high earners as compared to 32 percent in publicly traded companies and 18 percent in government organizations. This suggests that for areas of security that are in high demand and short supply, such as application security and identity management, government organizations struggle to attract and retain staff. SecurIty outSourcIng a VIaBle Strategy Although 40 percent of respondents indicated that their organization does not allow outsourcing of security, twothirds of respondents from publicly traded and government organizations indicated they are open to it. Privately held companies, however, appeared less likely to outsource, although those that do are more likely to make a decision based on value (19 percent). Government entities (32 percent) were twice as likely as publicly traded companies (16 percent) in Canada to require Canadian service providers. Privately held firms were less likely to prefer Canadian organizations (9 percent). Organizations that outsource their IT security are less likely to experience breaches that can be prevented through network security technologies. For breaches that are likely to require application security measures, outsourcers generally underperformed compared to those who did not outsource. Notwithstanding those divergent results, those that outsource are more likely (75 percent) to be satisfied with their security posture as compared to those that do not outsource (69 percent). uS patrIot act aS much a concern aS canadIan regulatIonS Chief executive officers (CEOs) were less concerned with the Patriot Act (31 percent) compared to security managers and individual contributors (43 percent). More important though, when compared to other regulatory acts, is the fact that the

CEOs concern with the Patriot Act was quite significant as it is more top of mind than regulations such as PCI DSS (20 percent) or Bill C-198 (Canadas Sarbanes-Oxley Act) (25 percent) and almost as important as the US Sarbanes-Oxley Act (40 percent). Also, the high concern with PIPEDA demonstrated by CEOs compared with the concern for the US Patriot Act suggests CEOs are not aware that storing data in a location that requires compliance with the US Patriot Act can undermine PIPEDA compliance. concluSIon Organizations looking to increase satisfaction in their security posture should consider the best practices of the most satisfied organizations: Focus on performance measurementTop performers were much more likely to have reporting and metrics in place. Balance investmentTo ensure that technology benefits are fully realized in terms of a decrease in breaches and an increase in technology satisfaction, staffing investments must be made in proportion to the growth in technology footprints. Invest in application securityHighly satisfied organizations invested much more in application security and in technologies, such as encryption, that aided in maintaining confidentiality of customer data. Invest adequatelyOrganizations investing less than 5 percent of their IT budget in security are almost twice as likely to be dissatisfied with their security posture. authorS note The full 65-page report containing all questions, aggregated answers and in-depth analysis can be downloaded from www.telus.com/securitystudy and www.rotman.utoronto.ca/ securitystudy.

ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content. 2009 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

ISACA JOURNAL VOLUME 2, 2009