In a recent IDC International Survey on security governance, risk, and compliance, IDC Energy Insights found that over 50% of respondents feel optimistic about information security investments. However, only half of the respondents’ organisations have an official strategy in place to overcome potential information security threats.
More insights are revealed in the report, which sheds light on the fundamental issues around core security initiatives within oil and gas companies.
The report provides a combined analysis of two IDC surveys: IDC Energy Insights’ International Survey on Security Governance, Risk, and Compliance and the 2011 North American Vertical IT and Communications Survey. Survey results, along with secondary research and analyst expertise, provide the foundation for analysis and outline recommendations that will help oil and gas companies’ IT executives maximise the benefits of their investments in information security and minimise the risk of security breaches, while embracing new opportunities such as cloud, social networking, and mobile devices.
Historically, oil and gas has been a capital-intensive business, but the industry is fast becoming more information-intensive, with information spanning wide timescales and locations. This transition is further propelled by increasing digital intensity, owing to organisations’ progressive adoption of smart field (or digital oilfield) technologies.
The survey also highlights that of the top three security threats perceived by oil and gas companies, the greatest is state or industrial espionage, followed by employee error or accidental loss of sensitive information and vulnerabilities owing to insecure code.
The survey revealed that companies need to catch up on security policies: oil and gas companies still lag behind the average cross-industry company in formulating, approving, and executing security policies, as well as in getting strong buy-in from senior management.
Security budgets remain flat or below par, the survey reported. 55% of survey respondents indicated an expected increase in IT security budget over the next 12 months. In North America, spending on new solutions is even scantier, and only 29% of the respondents indicated an investment in new solutions.
The survey also found that security investments are not compliance-driven. Only 10% of the respondents indicated that they are using regulatory compliance as a requirement to justify budgets. Respondents also pointed out that tough regulatory compliance and threat sophistication are the biggest barriers to security. Almost 25% of respondents cited the regulatory environment as a barrier to ensuring security. In addition, 20% of respondents acknowledged the increasing threat landscape.
“Information security does matter for business; it is not just an IT operations concern,” said Roberta Bigliani, head of Europe, Middle East, and Africa IDC Energy Insights. “In oil and gas companies, awareness of appropriate security policies and best practices is still not good enough. They need to be better prepared to prevent and manage security breaches. This is not the time to reduce the budget for IT security and compliance.”
The report also includes a section describing results from a second survey of U.S. oil and gas companies, revealing that while interest in security is improving in the U.S., it does not appear to be driving budgets. More than 31% of the respondents stated that security was a top IT initiative at their company in 2011, but only 12% of the respondents indicated that they are actually making investments to improve security and mitigate risk. “Software spending is increasing for client security solutions such as antivirus and antimalware. Investment in security appliance solutions such as firewalls and intrusion prevention remains low this year, as just 10% of the survey respondents indicate investing in them,” said Usman Sindhu, senior research analyst, IDC Energy Insights.