The 2007 Technology, Media and Telecommunications (TMT) Survey indicates that 46 percent of the more than 100 respondents have no formal information security strategy. However, 69 percent of the respondents surveyed said they're "very confident" or "extremely confident" in their abilities to deal with security challenges.
"The key finding, I think, is that companies are still struggling to get ahead of security challenges," Rena Mears, global and national service offering leader of Deloitte's privacy and data protection team, told SCMagazineUS.com. "They're just keeping up or still have a way to go to say they're keeping pace with their security challenges."
Mears added that other findings show respondents seem to be reactive to emerging threats.
"When you look at the survey, 38 percent say they have the skills and capabilities to respond effectively to security challenges -- that's less than 40 percent," she said. "We're talking about a security function that's in reactive mode -- they're not getting ahead of the game."
Almost half of the companies studied -- mostly media, technology and telecommunications organizations -- have between 5,000 and 50,000 employees, and about half reported annual revenue between $1 billion and $10 billion.
The data was compiled through face-to-face interviews with chief security officers, chief information security officers and security management teams, according to Deloitte.
Forty-nine percent of respondents said they're falling behind on security threats. Just seven percent replied that they thought their security situation was improving, and only five percent said they had increased security spending by 15 percent or more.
A major problem, Mears explained, is that many organizations consider security to be an IT initiative only. Thirty-eight percent of respondents said their senior executives do not consider security to be a strategic issue.
"Governance has to be taken seriously by senior management and evangelized," she said. "Companies have to invest and incorporate security into business processes, and only then can security be successfully supported by various components such as IT."