Abstract:
As new technologies emerge, namely cloud computing, social media and mobile computing, new threats and risks continuously evolve as well. These threats and risks add to the already complex environment in organizations. Although organizations have increased their budgets for information security management, these budgets continue to fall short because security incidents are on the rise as well. Many factors contribute to current information security management practices in organizations.
This study aims to assess the current posture of InfoSec Management in Pakistan and how it differs from the state of practice around the globe. This is the first study of its kind in Pakistan, where a structured survey was conducted between January 2014 and June 2014. A total of 551 respondents from all major sectors participated in this survey. The results depict a surprising situation of InfoSec Management in Pakistan.
The main focus of the organizations is on risk management and the implementation of an external standard, i.e. ISO 27001. Although the budget has been increased, the top priorities of local organizations for risk mitigation are inconsistent with the global study. Compared to other threats, web defacement, malware and unauthorized access frequently exposed organizations in the last 12 months. Financial frauds and attempts to steal financial information (involving credit card numbers) are ranked high as well. The lack of an experienced, qualified and certified information security workforce was ranked as one of the top challenges for organizations. The capacity building of human resources, especially security awareness, is not on the agenda of C-level executives. Alarmingly, 1/3 of the organizations do not assess the effectiveness and efficiency of their information security functions. In most cases, the controls against risks of emerging technologies like cloud computing, social media and mobile computing are either inadequate or absent.
Only a handful of respondents from local organizations ranked their processes as mature.