GLOBAL AIRLINE IT SECURITY SURVEY 2009
Short version
Specialists in air transport communications and IT solutions
Contents
Executive summary 4
Best practice 5
Judging security threats 6
Budget stability 7
Compliance barriers 8
Upgrade status 10
In summary 11
Recommendations 12
  Improve security threat evaluation 12
  Ensure best practice delivers 12
  Monitor software 'sell-by' dates 12
  Establish compliance connections 12
  Maximise secure spending value 12
Notes and references 13
© SITA 2009
Executive summary
Best practice
The SITA Global IT Security Survey 2009 shows a step change, relative to previous years, in the way that airlines and air freight organisations deal with security management. Best practice measures are improving in general, and the need for better security management information is also being acted upon.

Investments
Regarding IT security investment, the economic downturn appears to have had only a nominal influence on security budget increases and decreases against last year (2007/8). However, the proportion of businesses citing cost cutting as a primary driver for outsourcing has increased considerably, from 36% in 2007/8 to 58% in 2008/9. Despite budget stability, cost efficiency is clearly playing a major role in decision making.

Compliance
With key compliance initiatives in the pipeline for 2009/10, IT security professionals assign a notable level of importance to compliance as an issue. This is combined with a healthy acknowledgement of the challenges that lie ahead in meeting compliance standards over the coming years.

Key findings
■ Presence of best practice measures increases by an average of 14 percentage points from 2007/8
■ Trend towards improved provision of security management information
■ Cost efficiency demands increase as security budgets remain fixed for 2009
■ 73% of businesses see airline industry compliance as important in 2009

Reflecting the airline industry as a whole, the IT security function shows gains in key areas of strategy that should yield positive performance in operational areas. As long as there is sufficient cohesion between strategic intentions and 'on the ground' activity, the strategic best practice improvement shown in the survey should deliver value over time. There are obviously hurdles to overcome in meeting the organisational needs of air industry businesses, but measures are in place to do so. The key point is to ensure that the good work undertaken in creating transparent, measurable frameworks and practices is not undone by day-to-day security events or by the increased pressure that compliance places on security across the wider organisation.
Best practice
An improvement is shown across all the areas of best practice covered by the SITA Global IT Security Survey [Figure 1]. Respondents stated their level of agreement with statements of best practice in the following areas:
■ Policy processes
■ Quality of tracking and processes
■ Level of security governance
■ Measurement
■ Business objective / IT security alignment

Policy (71%) now attracts the highest level of agreement, and Measurement (67%, up from 46%) shows the largest gain over the past 12 months; confidence in citing agreement with these practices is evidently growing amongst airline security professionals. These are encouraging signs for the industry. With a greater focus on best practice, benefits appear to be felt in other areas of IT security management too, for example in the improved provision of security management information.
Figure 1. Best practice in security (% shows level of agreement with the statements provided; agree / strongly agree combined; 2008/9 against 2007/8)

Policy: 71% (2008/9), 59% (2007/8)
  "Our organisation undertakes processes that support security policies, system-specific management practices and security standards"
Quality: 61% (2008/9), 48% (2007/8)
  "We have dedicated security project management processes that are tracked and verified for quality"
Governance: 59% (2008/9), 48% (2007/8)
  "Our organisation has overarching security governance that is evaluated to substantiate processes such as quality documentation, communications and deliverables"
Measurement: 67% (2008/9), 46% (2007/8)
  "Our security strategy is specifically tied to and measured in context of the business goals of the organization"
Business objective: 64% (2008/9), 49% (2007/8)
  "We are able to provide clear evidence / facts that demonstrate how security strategy supports business objectives"
Judging security threats
Figure 2 shows that 66% of respondents worldwide believe they need to improve management information on security threats in order to refine their security strategy. At first glance, two thirds of the sample seeing room for improvement in assembling robust management data may seem high. However, in 2006/7 and 2007/8 the worldwide figure was 85% and 76% respectively, so Figure 2 shows a marked improvement on previous years. The sector is heading in the right direction. Regionally, there is an obvious distinction between Middle East / Africa (71%) and AsiaPac (84%) and the other territories, suggesting that more work is needed in these two important regions to bring them to the global average.
Figure 2. Percentage of respondents who agree / strongly agree with the statement "We need to improve management information on the level of security threats posed to our organization in order to refine our approach"

All: 66%
N. Europe: 57%
S. Europe: 63%
Americas: 63%
AsiaPac: 84%
Middle East / Africa: 71%
Budget stability
Figure 3 should be seen as a positive trend for security budgets, especially in light of the operational challenges experienced in the airline industry as a whole. With the pressure of highly competitive markets, fluctuating fuel costs and the wider global downturn, IT security budgets appear somewhat insulated from significant cuts. Though there is a slight increase in static budgets, with 34% of respondents seeing budgets fixed in 2008/9 against 30% in the previous year, the picture year-on-year is consistent overall. In times of hardship, there seems to be an encouraging respect for maintaining security spending. However, there is still the need for businesses to innovate against a dynamic range of network threats, which may present challenges for the 45% of businesses that experienced no budget growth over 2008.
Figure 3. What best reflects the level of IT security budget increase/decrease from last year (2007/8) to this year (2008/9)? [bar chart, two series: 2007-2008 and 2008-2009; categories: Decrease 10%+, Decrease between 6-10%, Decrease between 1-5%, Static, Increase between 1-5%, Increase between 6-10%, Increase 10%+, Don't know / refused. Static budgets: 34% in 2008/9 against 30% in 2007/8.]
Compliance barriers
Compliance formed a major area of focus for SITA in the 2009 Global IT Security Research, as it is increasingly part of the IT and security professional's remit. In fact, 42% of respondents overall stated that they had input into IT compliance for their organisations. Figure 4 shows that the majority of respondents with a compliance remit place a high level of importance on a wide range of compliance issues. In particular, industry compliance (73%) and customer information compliance (68%) are considered important to the business. This is again encouraging, as key compliance initiatives such as PCI DSS [1] and ISO 27001 [2] are becoming increasingly relevant and time-sensitive for the industry in meeting standards for customer data and billing compliance. For example, Visa has issued compliance deadlines for PCI DSS regarding data storage and validation procedures for September 2009 and 2010, respectively.
Figure 4. Compliance priorities (% rating each area very important / important) [chart; areas: Airline / industry compliance, Financial sector, Customer information, Online payment compliance, Employee IT compliance. Very important and important combined: airline / industry compliance 73%, customer information 68%.]
Figure 5 sheds some light on the challenges faced in the field of compliance within the sector. Evidently, resources, skills and budget are the top-priority challenges for IT professionals supporting compliance. With IT security and compliance becoming increasingly interdependent in the industry, there is a clear call to action to ensure that compliance initiatives are not compromised by skills and resource shortages. With key issues such as data protection and credit / debit card transaction assurance becoming more open to compliance regulation, there is a risk that improved best practice in general security strategy is undermined by compliance shortfalls. Compliance professionals may take a different, and perhaps more positive, view of competency and resources than their IT counterparts in delivering compliance projects. However, at the point where compliance and technology meet, the challenges stated in Figure 5 need to be addressed.
Figure 5. Barriers to meeting compliance needs within the business (% of respondents citing each barrier)

Insufficient resources: 54%
Insufficient budget: 49%
Lack of knowledge around compliance: 47%
Insufficient planning: 42%
Skills shortage in implementing measures: 41%
Lack of internal comms / project mgt: 41%
Lack of clarity / info from regulatory body: 38%
Upgrade status
It is enlightening to observe the level of upgrade activity that takes place across a portfolio of security applications, as shown in Figure 6. The observation provides a snapshot of security 'sell-by' dates for a raft of security functions. Real-time updates are the most desirable option for keeping both data and security perimeters current, and there are many instances where this level of vigilance has been achieved. Clearly, all businesses seek to improve the processes behind security and virus upgrades, as they are a drain on resources and, if not adhered to, can also increase security risk. It is notable that upgrade frequency falls away on some very important elements of defence, such as mobile device management and intrusion detection, suggesting that more emphasis is needed in these areas over the next 12 months. Other parts of the security portfolio, such as PKI and security event management software, are upgraded on understandably longer lead times.
Figure 6. Time since the last upgrade of each security function [chart; functions: Security event management, Public Key Infrastructure (PKI), Policy management / reporting, Intrusion detection systems, Virus upgrades / patches, Email, Data encryption, IP gateway / firewall, VPN, Mobile device management, Desktop management. Response options: Realtime / ongoing, Less than 2 months ago, 3-6 months ago, 7-18 months ago, Do not have this function.]
In summary
In 2009, a combination of economic pressures, perennial threats to the IT network and infrastructure changes will dictate the success or failure of IT security strategy in the air transport industry. The SITA Global IT Security Survey provides useful insights for airlines and air freight businesses in dealing with the major issues surrounding security planning and delivery. The survey shows encouraging signs of improvement in how security threats are evaluated and measured within the sector. It also provides a benchmark of current levels of automation surrounding IT security, giving airline organisations a view of how the industry as a whole is maintaining network vigilance. Whilst better security information appears to be providing greater visibility for security strategy, the call to action is that of ensuring strategic measures translate into reduced security threats and improved operational efficiencies. Respondents in the survey estimated that airline and air freight businesses are exposed to 28 incidents of network slowdown as a result of malware presence on the network each year. This suggests that, although improvements abound, there is still work to do in reinforcing defences against the ongoing battle of security threats and malware.
Recommendations
Expanding on the findings in the executive summary, a wider report looking at regional differences across the globe and at key areas of the data in more detail follows. In response to the findings of the 2009 research, five key considerations are provided below:
Improve security threat evaluation
Many businesses (66%) still struggle with security management information. In its absence, strategic decisions may fall short of meeting business objectives and carry more risk for the organisation. Businesses without sufficient security information should prioritise this issue in 2009.

Ensure best practice delivers
With more best practice frameworks in place, the important point is to ensure that security operations are delivering within these frameworks, as practical shortfalls in security strategy still seem to be evident.

Monitor software 'sell-by' dates
Constant scrutiny of suitable upgrade agreements and implementations, along with a vigilant approach to virus and security upgrade scheduling, is imperative.

Establish compliance connections
The integration of compliance and security functions in achieving key transactional and security standards should be part of strategic objectives for 2009. Greater cohesion should reduce some of the compliance challenges experienced by the IT professionals in the survey.

Maximise secure spending value
As 2010 budgets remain uncertain, 2009 may be a window for completing or accelerating key security implementations for specific businesses and for the industry as a whole.
Methodology
The SITA Global IT Security Survey 2009 interviewed 183 director-level technology professionals across five global regions: USA, Northern Europe, Southern Europe, Middle East and AsiaPac. Interviews were conducted during December 2008 by Loudhouse research, an international research agency headquartered in the UK. 45-minute interviews were undertaken via telephone using a Computer Assisted Telephone Interview (CATI) system.

Sample distribution by region: N. Europe 34%, Americas 20%, AsiaPac 17%, S. Europe 15%, Middle East / Africa 13%.
Notes and references
[1] PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing or transmitting payment card data must be PCI DSS compliant. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.

[2] ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, is the standard in the ISO/IEC 27000 series against which an organisation's information security management system (ISMS) is certified. Its companion code of practice, ISO/IEC 27002, was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management, and is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard BS 7799-1:1999.
For further information, please contact SITA by telephone or e-mail: Africa +27 11 5177000 info.africa@sita.aero
Middle East & Turkey +961 (1) 657200 info.middle.east.turkey@sita.aero
North Europe +44 (0)20 8756 8000 info.northeurope@sita.aero
East & Central Europe +41 22 747 6000 info.east.central.europe@sita.aero
North America +1 770 850 4500 info.northamerica@sita.aero
South Asia & India +65 6545 3711 info.south.asia.india@sita.aero
Latin America & Caribbean +55 21 2111 5800 info.latin.america.and.caribbean@sita.aero
North Asia & Pacific +65 6545 3711 info.north.asiapacific@sita.aero
South Europe +39 06 965111 info.southeurope@sita.aero
© SITA 09-THW-032-1. All trademarks acknowledged. Specifications subject to change without prior notice. This literature provides outline information only and (unless specifically agreed to the contrary by SITA in writing) is not part of any order or contract.