While the efforts of technology and security executives to better align a company's security with the business are beginning to show results, the economic downturn and the uncertainties brought by cost-cutting, layoffs and new business models have clearly "raised the bar" on security. The risks related to online social networks are also being tackled.

These are the major findings of the 7th annual Global State of Information Security Survey 2010, titled Trial by Fire, a worldwide study by PricewaterhouseCoopers (PwC), CIO magazine and CSO magazine.

The results discussed in the report are based on the responses of more than 7,200 senior executives, vice presidents and directors of IT and information security from 130 countries. Thirty-one per cent of respondents were from North America, 27 per cent from Asia, 26 per cent from Europe, 14 per cent from South America, and two per cent from the Middle East and South Africa.

Two findings, in particular, stand out in the 2009 survey. On the one hand, there's compelling evidence that, in some respects, the security function appears to be "under protection" - as if the efforts of technology and security executives to better align security with the business were, in fact, beginning to show results.

On the other hand, the economic downturn has clearly "raised the bar" on security. In addition to helping the business mitigate risks associated with factors such as globalisation, outsourcing and third-party compliance with the company's policies, the information security function is now also charged with new challenges - and for some companies, with more urgency than ever before. The function and its leaders are now also tasked with helping the company address an acute set of crisis-related risks and opportunities such as those associated with new business models, successive waves of layoffs, cost-cutting drives in other parts of the enterprise, and major shifts in a key competitor's strategy.

The economic downturn has shaken up the normal roster of leading drivers of information security spending - and very nearly jumped to the top of the list. The shift in pattern isn't even subtle, the report notes.

Not surprisingly, security spending is under pressure. Most executives are eyeing strategies to cancel, defer or downsize security-related initiatives. When the global economic floor drops suddenly, it's natural for executives to flinch. And so they have this year.

Yet what the survey finds most interesting is that nearly two out of every three respondents (63 per cent) expect spending to either increase or stay the same - in spite of the worst economic downturn in decades. Or, perhaps because of it, the report implies.

So what exactly has been the impact of the economic downturn on the information security function?

Not surprisingly, this year's pool of survey respondents are most concerned about the regulatory environment - and the fact that it has become more complex and burdensome. They're also concerned about cost reduction efforts that make adequate security more difficult to achieve. They believe that the threats to the security of their business assets have increased - due to employee layoffs and risks associated with business partners and suppliers weakened by the downturn.

Taken either individually or in combination, these factors - and addressing them - represent challenges that sit squarely on the security leader's desk. In fact, respondents report that the second greatest impact of the economic downturn is an increase in the role and importance of the information security function.

Another finding of the survey is that after years of "thinking differently", business and IT leaders may be starting to think like each other.

After years in the limelight, protecting data elements is now a top priority at, arguably, the most critical time.

The number of respondents, for example, who say that their organisation has a data loss prevention capability in place has leapt this year - from 29 per cent in 2008 to 44 per cent this year. More now report that their organisation continuously prioritises data and information security assets according to their risk level.

Yet, fewer than half of this year's respondents (45 per cent) report that their organisation's security policies address the protection, disclosure and destruction of data. Six out of ten respondents report that their organisation still does not have an accurate inventory of locations or jurisdictions where personal data for employees and customers is collected, transmitted and stored.

The survey also assesses perceptions of risk associated with online social networking, and it seems companies are beginning to focus on these risks. Today, a new generation of employees worldwide is accessing social networks such as Facebook and Twitter from work in great numbers, often without the knowledge of the IT department - and in circumvention of the traditional countermeasures employed by many.

Some companies have moved quickly to close this gap - but most need to do more, the survey report argues. Approximately a third (36 per cent) audit and monitor postings to external blogs or social networking sites and even fewer (23 per cent) have security policies that address access and postings to social networking sites.

In conclusion, the survey results reveal that companies are looking hardest - and placing their highest expectations on - initiatives that address the "big risks" first, improve data protection, invest in disciplined alignment with the security strategy, and increase efficiency and reduce cost.

"If this year, moving from 2009 to 2010, proves to be a trial by fire, these strategies will be enormously valuable - not just in limiting damages to assets and reputations and mitigating risks but also in positioning companies for the recovery period and stronger business performance in the years ahead," the PwC survey concluded.
