2010/2011 Computer CrIme and SeCurIty Survey - Gatton College ...

More documents

Recommendations

Info

2010 / 2011 CSI Computer Crime and Security SurveyDoes Your Organization Use a SecureSoftware Development Process?Organization does not developsoftware internally26.9%Informal process21.2%Formal process being developed13.2%Formal policy is established30.7%Don’t know/Other8.0%0 5 10 15 20 25 30 352010 CSI Computer Crime and Security Survey 2010 Respondents: 212Figure 16One area we’ve examined is the status of security policies within organization (Figure 15). We’vebeen interested in whether organizations have formal policies to describe what should be happening(and not happening) in terms of security. Curiously, the number of respondents saying theirorganizations had a formal security policy in place dropped to 60.4 percent from last year’s 68.8.The difference was made up in “no policy” and in “other,” which makes it possible that there is perhapssome slight shift in the makeup of the respondent pool. It may also be that the bar for whatcounts as “formal” may have shifted slightly upward. What is meant by “other” is something thatmay be worth examining in subsequent editions of the survey. In any case, the primary takeawayis that the vast majority of organizations have something in the way of a security policy in place.An important school of thought within security argues that software development is the primaryculprit in breaches, insofar as the development process seems almost helpless to prevent thecreation and deployment of software that has significant vulnerabilities. One important elementin reducing the number of software vulnerabilities may well be the use of disciplined softwaredevelopment processes within organization. Accordingly, the survey asks whether respondentorganizations use such a process. In large measure, they do, but have not changed significantlyin the extent to which they do over last year. To put it another way, if you’re banking on broaderadoption of such processes to improve the security situation, you’re still waiting. As figure 16shows, roughly 31 percent of respondents reported having a formal development process in place,approximately the same as last year’s 31.7 percent.26
2010 / 2011 CSI Computer Crime and Security SurveyPercentage of IT Budget Spent on Security2010 Figures on Outside, 2009 Figures on InsideUnknown16.0%Less than 1%10.1%1-2%(15.6%)More than 10%(18.6%)3-5%(17.7%)8-10%(16.5%)6-7%(5.5%)2010 CSI Computer Crime and Security Survey 2010 Respondents: 237Figure 17One could furthermore argue that these numbers, viewed in broad strokes, aren’t really very goodnews. While roughly a quarter of respondents don’t work at organizations that develop their ownsoftware, three-quarters of them do. Since only two-thirds of them have a formal policy, approximatelyhalf of organizations responding to the survey have formalized their secure developmentprocess. And while an informal policy is likely to be better than a complete disregard for security, itwould seem reasonable to assert that it’s precisely the formality of the process that yields applicationsthat don’t leave loose ends trailing where vulnerabilities are concerned.Budget and StrategyA critical element of having a security program is being able to pay for it, so we have for manyyears asked about much budget they have available. We ask survey respondents how much of theoverall IT budget is allocated to security (Figure 17). Since budget for security operations can comefrom sources outside of the IT department (coming, for example, from legal or physical securitydepartments), we tried to clarify the question this year by asking that respondents consider theirbudget as a percentage of the IT budget, even if that’s not actually where the money comes from.As the figure shows, there is a continued shift toward more funding of security, relative to IT overall.Respondents saying that their security programs receive more than ten percent of the budget27
Page 1: 2010 / 2011 CSI Computer Crime and
Page 5 and 6: 2010 / 2011 CSI Computer Crime and

2010/2011 Computer CrIme and SeCurIty Survey - Gatton College ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?