Right-o. So the initial page trumpets its achievement of having interrogated 600 IT professionals across a wide swath of Canadian industry, promises to "provide clarity on the Canadian security landscape, especially as it relates to emerging trends in breaches, threats and preparedness." At the risk of making readers gag, it proclaims: "It's information that you won't find anywhere else - this is the only Canadian-focused study on IT security."
I tend to agree. We won't find this stuff anywhere else, although the rhetoric seems particularly banal: "insights on breaches in the age of global and personal hacks" <yawn> "IT complexity and what it means for senior executives" <sheesh!> "security concerns around mobile devices in the workplace" <oh boy!>.
TELUS and The Rotman School of Management - whose motto is "a new way to think" - decided that asking a few hundred IT professionals and reporting the straight dope would be the way to go. Fair enough. So overall security breaches are apparently down 50% from last year. But last year they were up 29% over the previous year. Although they acknowledge that the discrepancies are in the reporting of breaches may be due to a variety of factors, it's all about the numbers. But wait, the study is on "IT Security Practices". So why not include some of those promised 'clarity and 'insights' instead of meaningless figures? Ah, is it because you don't want to alienate potential respondents whose participation in future years may continue to facilitate the production of this um.. "study"? No need for cynicism here. By their own admission, over the past 4 studies, some 2000 people have been interviewed, so if this year's number of 600+ is unprecedented, then we're looking at an awful lot of turnover in respondents. Is the spectre of a lack of clear baseline starting to form? The fact that this undermines the very meaning of the numbers perhaps underlined the need for bravely including other factors within those promised deliverables. And so it was.
To be fair, the ever-expanding scope of the report appears to now include every buzzword known to man: social media, mobile security, cloud computing, people process and technology, risk posture, breaches, privacy, internal, external monitoring, etc. are all words lifted from the intro page alone. I copy them here without hesitation because I know as well as they do, that it will endear me to search engines, but the ambitious undertaking is no less daunting because of the ridiculous promotional verbiage.
In the interest of your time and my tireless efforts to combat reverse peristalsis, I'll pluck out a handful of gems from this landmark study to at least see you off on this year 2012 with a smile on your face:
1. Government sector insider breaches are up 28% in one year.
2. The number of security breaches per government organization is down but that only points to faulty approaches to IT security.
3. Over twice as many thefts, losses and other breaches were reported by government organizations than private sector firms.
4. Blocking access to social networking sites like Facebook actually results in more breaches.
5. The cost of resolving breaches "for all types of organizations" has gone from $800,000 to $80,000 in the past 2 years.
Before even bothering to get your head around the astronomical numbers, you should note that the figure was pegged at $400,000 three years ago, making these figures seem random at best.
6. The main expert engaged to decisively drive the point home concluded that "Unfortunately, the government is doing a really, really poor job in raising [security] awareness...This secrecy is not helping us at all. We need more transparency"
Taken out of context, his words are so trivial that I wouldn't blame you if you stopped reading right here. But the inclusion of said context - his point being that unauthorized access to sensitive data is usually the fault of people more so than technology - doesn't improve matters any. "A new way to think" indeed.
If I could stomach it, I'd go on, because many more pearls of wisdom await the determined reader, but I'll stop here. Remember to take security experts - including yours truly - with a grain of salt!
Enjoy 2012 and give common sense a chance! ;)