2012 Global Information Security Survey - Fighting to close the gap
Insufficient process rigor
Surprisingly, 63% of respondents in this year's survey indicated that their organizations have no formal security architecture framework in place, nor are they necessarily planning on using one.
These findings could explain why 56% of organizations conduct only between 1 and 10 attack and penetration tests annually, and why 19% don’t conduct any tests at all.
For some organizations, skills, resources, security maturity or budget may be playing a role in their decision-making. Other organizations may simply be hoping that the issue will go away on its own.
A patchwork of non-integrated, complex and frequently fragile defenses creates significant gaps in security.
In responding to short-term information security needs, organizations seem increasingly inclined to bolt on or stack work-around solutions, creating significant gaps in security.
The work-around solution approach isn’t easy to understand, use or update. Nearly a third of organizations rate their architecture as the threat or vulnerability that has increased the most over the last 12 months, largely because controls are outdated and can’t easily be fixed or replaced.
However, it is encouraging to see that 37% use one or more formal security frameworks, with The Open Group Architecture Framework being the most popular.