PwC U.S. has released the “2013 Global State of Information Security Survey” with key findings on information security issues facing the power and utilities industry. The report, including responses from 201 senior utility industry executives, finds that most executives are confident in the effectiveness of their information security practices and believe their strategies are sound, but they are still dealing with challenges related to keeping their data and assets secure.
Industry executives are confident in their security practices. Thirty-eight percent of utility respondents said their organizations have strategies and are proactive in executing them — exhibiting two distinctive attributes of a leader. Sixty percent of respondents, however, are confident they have instilled effective security behaviors into their organizations’ cultures, yet most do not have processes to handle third-party breaches.
Utilities are trying to catch up to known cybersecurity problems. Forty-two percent of utility respondents invest in cybersecurity primarily to address known weaknesses and incidents; 40 percent address cybersecurity on an enterprise level and only 35 percent have programs to combat advanced persistent threats (APTs).
Utility respondents are optimistic about security spending during the next 12 months. Fifty-two percent of utility respondents expect security budgets to increase in the year ahead. Respondents reported fewer deferrals and budget cutbacks for security initiatives.
Fewer than half of respondents have employee security training programs. Forty-eight percent of utility respondents have employee security awareness training programs, and only half have staff dedicated to security awareness.
What keeps security from being what it should be?
- Fifty-two percent of utility respondents continue to perceive top leadership as an obstacle to more effective security, although fewer identify CEOs as stumbling blocks this year.
- More chief security officers and equivalent senior information security executives report directly to CEOs, although that number remains below 20 percent. The percentage of chief privacy officers who report to CEOs increased to 27 percent.
- Eighty-five percent of respondents said protecting customer and employee data is important, but fewer understand what that data entails and where it is stored.
Where can it improve?
- Implement a comprehensive risk-assessment strategy and align security investments with identified risks.
- Understand the organization’s information, who wants it and what tactics adversaries might use to get it.
- Understand that information security requirements — and overall strategies for doing business — have reached a turning point.
- Embrace a new way of thinking in which information security is a means to protect data and an opportunity to create value for the business.