Page 1

GLOBAL AIRLINE IT SECURITY SURVEY 2009

Short version

Specialists in air transport communications and IT solutions


Contents

Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Best practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Judging security threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Budget stability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Compliance barriers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Upgrade status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 In summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Improve security threat evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Ensure best practice delivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Monitor software ‘sell-by’ dates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Establish compliance connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Maximise secure spending value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Notes and references. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

© SITA 2009

GLOBAL AIRLINE IT SECURITY SURVEY 2009 3


Executive summary

Best practice The SITA Global IT Security Survey 2009 shows a step change in the way that airlines and air freight organisations are dealing with security management in relation to previous years. In general best practice measures are improving and the need for improved security management information is also being responded to.

Investments Regarding IT security investment, the economic downturn appears to have only a nominal influence on security budget increases / decreases against last year (2007/8). However, the number of businesses seeing cost cutting as a primary driver for outsourcing has increased considerably from 36% in 2007/8 to 58% in 2008/9. Despite budget stability, cost efficiency is clearly playing a major role in decision making.

Compliance With key compliance initiatives in the pipeline for 2009/10, there is a notable level of importance assigned compliance as an issue for IT security professionals. This is combined with a healthy acknowledgement of the challenges that lay ahead in meeting compliance standards over coming years. Presence of best practice measures increases by an average of 14% from 2007/8 Trend towards improved provision of security management information Cost efficiency demands increase as security budgets remain fixed for 2009 73% of businesses see airline industry compliance as important in 2009 Reflecting the airline industry as a whole, the IT security function finds gains in key areas of strategy that should yield positive performances in operational areas. As long as there is sufficient cohesion between strategic intentions and ‘on the ground’ activity, strategic best practice improvement shown in the survey should deliver value over time. There are obviously hurdles to overcome in meeting organisational needs for air industry businesses, but there are measures in place to do so. The key point is to ensure that the good work undertaken in creating transparent, measurable frameworks and practices is not undone by day-to-day security events or the increased pressures on security created by compliance in the wider organisation.

4 SURVEY

Š SITA 2009


Best practice

An improvement is shown across the areas of best practice stipulated in the SITA Global IT Security Survey [Figure 1]. Respondents state levels of agreement with statements of best practice surrounding the following areas: ■

Policy processes

Quality of tracking and processes

Level of security governance

Measurement

Business objective / IT security alignment

With the areas of Policy (71%) and Measurement (67%) showing the most significant levels of improvement over the past 12 months, it is evident that confidence in citing agreement with these practices is growing amongst airline security professionals. These are encouraging signs for the industry. With a greater focus on best practice it appears that benefits are being experienced in other areas of IT security management, for example, improvement provision of security management information.

Our organisation undertakes processes that support security policies, system-specific management practices and security standards

71%

PO LI C Y

59%

We have dedicated security project management processes that are tracked and verified for quality

61%

QUALITY

48%

Our organisation has overarching security governance that is evaluated to substantiate processes such as quality documentation, communications and deliverables Our security strategy is specifically tied to and measured in context of the business goals of the organization We are able to provide clear evidence / facts that demonstrate how security strategy supports business objectives

59%

G OVERNANCE

48%

67%

ME ASUREMENT 46%

BUSINESS OBJE CTIVE

64% 49%

2008/9 2007/8

Figure 1. Best practice in security (% shows level of agreement with statements provided – agree / strongly agree is shown)

© SITA 2009

GLOBAL AIRLINE IT SECURITY SURVEY 2009 5


Judging security threats

Figure 2 shows that 66% of respondents worldwide believe there is a need to improve management information surrounding security threats in order to refine security strategy. At first glance, two thirds of the sample finding themselves in this position clearly shows room for improvement in assembling more robust management data may seem high. However, it is notable that in 2006/7 and 2007/8 the worldwide figure for security management improvement need was 85% and 76% respectively. Therefore, Figure 2 shows a marked improvement on previous years. The sector is heading in the right direction. Looking at the data from a regional perspective, there is an obvious distinction between Middle East (71%) and AsiaPac (84%) regions against the other regional territories, suggesting more work is needed across these two important local regions to meet the global average.

66%

All N. Europe

57%

S. Europe

63%

Americas

63%

84%

AsiaPac Middle East/ Africa

71%

Figure 2. Percentage of respondents who agree / strongly agree with the statement “We need to improve management information on the level of security threats posed to our organization in order to refine our approach�

6 SURVEY

Š SITA 2009


Budget stability

Figure 3 should be seen as a positive trend for security budgets, especially in light of the operational challenges experienced in the airline industry as a whole. With the pressure of highly competitive markets, fluctuating fuel costs and the wider global downturn, IT security budgets appear somewhat insulated from significant cuts. Though there is a slight increase in static budgets, with 34% of respondents seeing budgets fixed in 2008/9 against 30% in the previous year, the picture year-on-year is consistent overall. In times of hardship, there seems to be an encouraging respect for maintaining security spending. However, there is still the need for businesses to innovate against a dynamic range of network threats, which may present challenges for the 45% of businesses that experienced no budget growth over 2008.

40% 2007-2008 34%

35% 30%

2008-2009 31%

30% 25%

25% 20%

21%

20% 15% 10% 7%

6% 4%

5%

5%

4%

3%

4%

3%

3%

Increase between 6-10%

Increase 10%+

0%

0% Decrease 10%+

Decrease between 6-10%

Decrease between 1-5%

Static

Increase between 1-5%

Don't know / refused

Figure 3. What best reflects the level of IT security budget increase/decrease from last year (2007/8) to this year (2008/9)

Š SITA 2009

GLOBAL AIRLINE IT SECURITY SURVEY 2009 7


Compliance barriers

Compliance formed a major area of focus for SITA in the 2009 Global IT Security Research, as it is increasingly a part of the IT and security professional’s remit. In fact, 42% of respondents overall stated that they had input into IT compliance for their respective organisations. Figure 4 shows that the majority of respondents with a compliance remit place a high level of importance on a wide range of compliance issues. In particular, industry compliance (73%) and customer information compliance (68%) are considered important to the business. This is again encouraging as key compliance initiatives such as PCI DSS1 and ISO270012 are both becoming increasingly relevant and time-sensitive to the industry in order to meet standards for customer data and billing compliance. For example, Visa has issued compliance deadlines for PCI DSS regarding data storage and validation procedures for September 2009 and 2010, respectively.

Very important Airline / industry compliance

Financial sector

Customer information

35%

38%

33%

23%

Online payment compliance Employee IT compliance

Important

25%

34%

35%

22%

39%

29%

Figure 4. Compliance priorities

8 SURVEY

Š SITA 2009


Figure 5 brings some light to the challenges faced in the field of compliance within the sector. Evidently, resources, skills and budget play a fundamental role are top priority challenges for IT professionals supporting compliance issues. With IT security and compliance becoming increasingly interdependent in the industry, there is clearly a call to action to ensure that compliance initiatives are not compromised by skills and resource shortages. With key issues such as data protection and credit / debit card transaction assurance becoming more open to compliance regulation, there is a risk that increased best practice in general security strategy is compromised by compliance shortfalls. It is noted that compliance professionals may take a different and perhaps more positive view of competency and resources than their IT counterparts in delivering compliance projects. However, at the point that compliance and technology meet, the challenges stated in Figure 4 need to be addressed.

Insufficient resources

54%

Insufficient budget

49%

Lack of knowledge around compliance

Insufficient planning

47%

42%

Skills shortage in implementing measures

41%

Lack of internal comms / project mgt

41%

Lack of clarity / info from regulatory body

38%

Figure 5. Barriers to meeting compliance needs with in business

Š SITA 2009

GLOBAL AIRLINE IT SECURITY SURVEY 2009 9


Upgrade status

It is enlightening to observe the level of upgrade activity that takes place across a portfolio of security applications, as shown in Figure 6. The observation provides an interesting snapshot of security ‘sell-by’ dates for a raft of security functions. With real-time updates being the most desirable option in order to keep both data and security perimeters up to date, there are many instances where this level of security vigilance has been achieved. Clearly, all businesses seek to improve the processes behind security and virus upgrades as they are a drain on resources and, if not adhered to, can also increase security risk. It is interesting to note that frequency of upgrade decreases on some very important elements of defence, such as mobile device management and intrusion detection, suggesting more emphasis is needed in these areas over the next 12 months. Other areas of the security portfolio, such as PKI and event management software, operate upgrades on understandably longer lead times.

Security event mgt Public Key Infrastructure (PKI) Policy mgt / reporting Intrusion detection systems Virus upgrades / patches Email Data encryption IP gateway / firewall VPN Mobile device mgt Desktop mgt

11%

22%

9%

19%

20%

14%

15%

51%

13% 22%

22%

31%

22%

28% 26% 21%

13%

15%

24%

4% 2 %

15% 17%

4%

22% 19%

25%

11% 11%

27%

26%

26% 27%

18% 14%

18%

30%

26%

15%

20%

26%

18%

29% 34%

25%

36%

11%

18% 22%

23%

18%

3-6 months ago

Less than 2 months ago Do not have this function

Realtime /ongoing 7-18 months ago

9% 23%

23%

10%

Figure 6. Security event management Policy management/ reporting Mobile device management Desktop management

10 SURVEY

© SITA 2009


In summary

In 2009, a combination of economic pressures, perennial threats to the IT network and infrastructure changes will dictate the success or failure of IT security strategy in the air transport industry. The SITA Global IT Security Survey provides useful insights for airlines and air freight businesses in dealing with the major issues surrounding security planning and delivery. The survey shows encouraging signs of improvement in how security threats are evaluated and measured within the sector. It also provides a benchmark of current levels of automation surrounding IT security, giving airline organisations a view of how the industry as a whole is maintaining network vigilance. Whilst better security information appears to be providing greater visibility for security strategy, the call to action is that of ensuring strategic measures translate into reduced security threats and improved operational efficiencies. Respondents in the survey estimated that airline and air freight businesses are exposed to 28 incidents of network slowdown as a result of malware presence on the network each year. This suggests that, although improvements abound, there is still work to do in reinforcing defences against the ongoing battle of security threats and malware.

Š SITA 2009

GLOBAL AIRLINE IT SECURITY SURVEY 2009 11


Recommendations

Expanding on the findings in the executive summary, a wider report looking at regional differences across the globe and key areas of the data in more detail follows. In response the findings in the 2009 research, five key considerations are provided below:

Improve security threat evaluation Many businesses (66%) still struggle with security management information. In its absence, strategic decisions may fall short of meeting business objectives and carry more risk for the organisation. Businesses without sufficient security information should prioritise this issue in 2009.

Ensure best practice delivers With the increase of best practice frameworks in place, the important point is to ensure that security operations are delivering within these frameworks as practical shortfalls in security strategy still seem to be evident.

Monitor software ‘sell-by’ dates The need for constant scrutiny of suitable upgrade agreements and implementations along with a vigilant approach to virus and security upgrade scheduling is imperative.

Establish compliance connections The integration of compliance and security functions in achieving key transactional and security standards should be a part of strategic objectives for 2009. A greater level of cohesion should reduce some of the compliance challenges experienced by IT professionals in the survey.

Maximise secure spending value As 2010 budgets remain uncertain, 2009 may be a window for completion or acceleration of key security implementations for specific businesses and the industry as a whole.

Americas, 20%

N. Europe, 34%

Middle East / Africa, 13%

AsiaPac, 17%

S. Europe, 15%

Methodology The SITA Global IT Security Survey 2009 interviewed 183 director-level technology professionals across five global regions: USA, Northern Europe, Southern Europe, Middle East and AsiaPac. Interviews were conducted during December 2008 by Loudhouse research, an international research agency headquartered in the UK. 45-minute interviews were undertaken via telephone using a Computer Assisted Telephone Interview (CATI) system.

12 SURVEY

Š SITA 2009


Notes and references

1 PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined. 2 ISO/IEC 27002 part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series' is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 27001:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999

Š SITA 2009

GLOBAL AIRLINE IT SECURITY SURVEY 2009 13


Notes

14 SURVEY

© SITA 2009


For further information, please contact SITA by telephone or e-mail: Africa +27 11 5177000 info.africa@sita.aero

Middle East & Turkey +961 (1) 657200 info.middle.east.turkey@sita.aero

North Europe +44 (0)20 8756 8000 info.northeurope@sita.aero

East & Central Europe +41 22 747 6000 info.east.central.europe@sita.aero

North America +1 770 850 4500 info.northamerica@sita.aero

South Asia & India +65 6545 3711 info.south.asia.india@sita.aero

Latin America & Caribbean +55 21 2111 5800 info.latin.america.and.caribbean@sita.aero

North Asia & Pacific +65 6545 3711 info.north.asiapacific@sita.aero

South Europe +39 06 965111 info.southeurope@sita.aero

Specialists in air transport communications and IT solutions

Š SITA 09-THW-032-1. All trademarks acknowledged. Specifications subject to change without prior notice. This literature provides outline information only and (unless specifically agreed to the contrary by SITA in writing) is not part of any order or contract.

Global_Airline_IT_Security_Survey_2009_exec_summ  

Short version SpecialistsinairtransportcommunicationsandITsolutions GLOBAL AIRLINE IT SECURITY SURVEY 2009 3 ©SITA 2009

Read more
Read more
Similar to
Popular now
Just for you