2010/2011 Computer CrIme and SeCurIty Survey - Gatton College ...
have posited that the breadth of the titles, some clearly outside the realm of information technology entirely, might be evidence that the security function continues to expand into more business segments. And this may well be true. But it also seems plausible that this reflects the lack of consensus within the business world on the organizational locus of the security function.

“Others” aside, it is clear that at least 51 percent of respondents (C-level and security officers combined) have full-time security responsibilities. Additionally, as noted earlier, the survey pool is drawn from the CSI community, and thus respondents are assumed to be more “security savvy” than would be a survey pool of randomly selected information technology professionals.

Beginning last year, we asked respondents to tell us which laws and industry regulations applied to their respective organizations (Figure 5). The numbers are fairly similar to last year’s, which again suggests a certain year-over-year continuity in the respondent group. This is particularly interesting when you consider that some of these answers suggest that respondents may not realize (or perhaps simply don’t acknowledge) that they are beholden to certain laws. Given that the survey applies exclusively to the United States and that there are (at time of writing) 46 states with breach notification requirements, it’s hard to imagine that most businesses don’t fall within the scope of these laws. Yet only 47.4 percent of respondents claim they are affected.

How can that be? Well, one thing to consider is that many of these laws are, arguably, a bit sloppy in what they define as a breach that requires notification. The original California law, on which many other state laws are based, referred to customer records. Thus, some non-profits, educational institutions, and health care facilities may not feel that they have “customers” per se. Government organizations may also believe themselves outside the scope of these laws. Exactly why the number isn’t higher is impossible to say with certainty, but it’s fairly remarkable that less than half of respondents say that breach notification laws apply to them.

Equally remarkable—and it was striking last year as well—is the percentage of respondents who say that the Health Insurance Portability and Accountability Act (HIPAA) applies to their organization. This even though only 6.6 percent of respondents identified their organizations as being in the health care sector. As most readers will already know, HIPAA applies to any organization that interacts with data that has been previously identified as HIPAA-protected data. So an insurance company storing information about medical policy claims would fall under HIPAA, as would the accounting company to which they outsource customer billing data. The tendrils of HIPAA, alongside all the other legislative acts in the security world, spread farthest.

We leave for consideration later in the survey whether the pressure asserted by these various laws and regulations has had either a positive or a desultory effect on the actual security.