25% CXOs Admit to System Compromise

by Kunal Rupera & Abhinna Shreshtha    Apr 20, 2009

The results of the CXOtoday Information Security Survey 2009 are in. The comprehensive survey queried organizations of all sizes and across verticals (BFSI, manufacturing, ITeS, retail, government, etc.) to paint a truer picture of how companies perceive information security. The organizations surveyed included HDFC Standard Life Insurance Company, Honda Motorcycle & Scooter India, Ashok Leyland, Maharashtra State Electricity Distribution, etc. from

Contrary to popular belief, the size of an organization does not determine how important information security is considered within it. Barring a few exceptions (7%), most of the organizations rated information security as a ‘High’ to ‘Top’ priority, showing that the importance of security is not lost on Indian enterprises.

Around 38% of those polled said they had a Chief Information Security Officer. Unsurprisingly, the general trend was that the bigger the company, the greater the chance of it having a designated officer to manage information security.

About a quarter (25.06%) of those surveyed admitted that their system had been compromised at some point or the other. The most common means were virus attacks, through the Internet and through USB drives. Companies having a CISO did not report major system threats in the recent past.

92% of the interviewees said they regularly follow news related to security. When asked about the Conficker worm, only 11% admitted to having taken preventive measures to counter the threat.

As expected, most businesses still want to keep all their information under tight control. 64.5% of the CXOs surveyed preferred to keep security issues in-house instead of outsourcing. This is still not a significant percentage. We had anticipated this to be much higher, but lately CXOs have come to realize that even security comes at a cost. Sometimes it is cheaper to outsource security than to develop in-house expertise. They attempt to solve this by outsourcing their security needs and safeguarding them through stringent SLAs.

Our survey also covered how frequently organizations updated their applications. A majority of users (30.9%) updated their software on a daily basis. This shows that most Indian CXOs are well aware that software can have bugs and require updates and patches. An interesting finding of the analysis was that the percentage of users who updated once every three months and the percentage who updated once every week were the same, at 20%. Users who updated on an annual or monthly basis were at 9%, which is shocking.

The most recent security activity shown by a majority of the respondents focused on installing new firewalls and anti-virus or updating existing ones and ISO compliance.