PwC 2008 infosec survey

A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance:

"One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them."

Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training.

"What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-day operational needs of the business or incurring the exorbitantly high price tags associated with a reactive response to an unexpected (but foreseeable) crisis. And that requires getting key information about the risks to an organization’s data and systems very quickly from the front row to everyone else in the house. Expanding security awareness at every level of the enterprise is essential."