Largest Security Study Ever Conducted Finds Asia and South America Trail North America and Europe In Security Development and Best Practice Implementation

64 Percent Plan to Increase in Security Spending According To International Survey by PricewaterhouseCoopers and CIO Magazine

NEW YORK and FRAMINGHAM, Mass � 10 SEP 2004 � Asia and South America trailed North America and Europe in security and best practice implementation according to the 2004 State of Information Security study from PricewaterhouseCoopers and CIO magazine. The second annual study also finds external factors, including regulations and potential liability, are the primary forces driving security initiatives. The research identifies best practices to combat security threats and the degree to which they have been accepted and implemented by participating organizations. The global security study of more than 8,000 senior information technology (IT) executives representing 62 countries across all industries is the largest ever conducted.

While security spending budgets are flat, the study finds 64% of companies say spending will increase this year. Interestingly, best practice organizations allocate a higher portion of their budget to information security (14% compared to 11% for other respondents) and focus more than their counterparts on developing strategies for information security (69% vs. 56%), security architecture (66% vs. 50%), identity management (47% vs. 31%), threat and vulnerability management (62% vs. 44%), and security crisis and incident response (55% vs. 38%).

“Governance and compliance issues are still driving the need for information security, with some of the budget coming from ‘compliance’ initiatives related to Sarbanes-Oxley,” says Joe Duffy, PricewaterhouseCoopers partner and global leader of its Technology and Data Services practice. “Even though we’re seeing best-practice companies begin to take a more strategic look at information security, with the organizations that are most confident in their security efforts taking the time to align security with business strategy, compliance and risk management programs, there’s still a lot of room for improvement.”

The greatest barrier to effective security is an inadequate budget. Little or no time to focus on security, as well as limited staff dedicated to security, were also significant barriers, according to the research. The study also determines the most frequent impact of cyber attacks is slowed/down networks, unavailable email and applications and unauthorized spam. Total downtime as a result of these events fell from 26% reporting a total downtime of eight hours or more in 2003 to 21% in 2004 with an increased percentage of organizations (26% in 2003 and 33% in 2004) reporting no downtime.

Global Highlights

Study results also shine a spotlight on advances in organizational security programs that the United States and North America have made in comparison to the rest of the world. Some of those findings include:

  • North American organizations (58%) are more likely to have established appropriate use of the Internet as part of their security policy than organizations in Asia (41%), South America (37%) and Europe (36%).

  • Data protection, disclosure and destruction are reported as part of organizations’ security policies at (51%) of the organizations in North America versus (44%) in Asia, (40%) in Europe and (24%) South America.

  • Inventory of assets and assets management were integral parts of organizations’ security policies at (42%) of the organizations in North America, (35%) in Asia, (27%) in South America and (25%) Europe.

“This study shows some improvement in information security during the past year. However, these improvements are not evenly distributed,” says Scott Berinato, Senior Editor, CIO and CSO magazines. “There is still great weakness in Asia and South America who trail North America, the world leader, in the development and implementation of best practices. This is primarily due to the wealth and resources of corporations in North America, as well as the litigious nature of American society.”

Examples of Best Practices

  • More frequently reported increased integration of organizations’ corporate and information security personnel (38%) compared to (26%) of the overall survey respondents

  • Had top management’s support (51%) more so than the overall respondents (37%)

  • More frequently reviewed policies and procedures (62%) in the past 12 months than the overall respondents (37%)


The State of Information Security 2004, a worldwide study by CIO magazine and PricewaterhouseCoopers, was conducted online from March 22 through April 30, 2004. Readers of CIO magazine, CSO magazine and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results shown in this report are based on the responses of over 8,000 CEOs, CFOs, CIOs, vice presidents and directors of IT and information security from 62 countries. The margin of error for this study is 1%.

For more information, go to:

About PricewaterhouseCoopers

PricewaterhouseCoopers ( provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.

“PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

About CIO Magazine

CIO magazine (launched in 1987) is published by CXO Media, Inc. In addition to CIO magazine, CXO Media publishes CSO magazine,, The CIO Insider,, CMO magazine and CXO Media serves CIOs, CSOs, CEOs, CFOs, COOs and other corporate officers who use technology to thrive and prosper in this new era of business. The company strives to enhance partnerships among C-level executives, as well as create opportunities for information technology (IT) and consumer marketers to reach them. In addition to magazines and websites, CXO Media produces Executive Programs, a series of conferences that provide educational and networking opportunities for corporate and government leaders.

About CXO Media

CXO Media is a subsidiary of International Data Group (IDG), the world’s leading technology media, research and conference company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World, and PC World. The company features the largest network of technology-specific Web sites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo(R), Macworld Conference & Expo(R), DEMO(R), and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at