The report provides a combined analysis of two IDC surveys: IDC Energy Insights' International Survey on Security Governance, Risk, and Compliance and the 2011 North American Vertical IT and Communications Survey. Survey results, along with secondary research and analyst expertise, provide the foundation for the analysis and for recommendations that will help oil and gas companies' IT executives maximize the benefits of their investments in information security and minimize the risk of security breaches while embracing new opportunities such as cloud, social networking, and mobile devices.
Historically, oil and gas companies have been a capital-intensive business, but the industry is fast becoming more information-intensive, with information spanning wide timescales and locations. This transition is further propelled by an increase in the digital intensity owing to a progressive adoption of smart fields (or digital oilfields) technologies by the organizations.
The industry's evolution towards integrated operations and connectivity, an ensuing focus on risk, and the rise in cybercrime and terrorist threats have amplified the boundaries for cybersecurity initiatives in oil and gas companies. It is encouraging to see that oil and gas decision makers believe the role of information technology is changing from being seen as a technology cost center to being part of organizations' strategic functions. The survey also highlights that of the top 3 security threats perceived by oil and gas companies, the greatest is state or industrial espionage, followed by employee error or accidental loss of sensitive information and vulnerabilities owing to insecure code.
Key findings from the survey reveal that:
- Companies need to catch up on security policies. Oil and gas companies are still lagging behind an average cross-industry company in formulating, approving, and executing security policies, as well as in getting strong buy-in from senior management.
- Security budgets remain flat or below par. 55% of survey respondents indicated an expected increase in IT security budget over the next 12 months. In North America, spending on new solutions is even scantier, and only 29% of the respondents indicated an investment in new solutions.
- Security investments are not compliance driven. Only 10% of the respondents indicated that they are using regulatory compliance as a requirement to justify budgets.
- Tough regulatory compliance and threat sophistication are the biggest barriers. Almost 25% of respondents indicated regulatory environment as a barrier to ensuring security. In addition, 20% of respondents acknowledged the increasing threat landscape.
"Information security does matter for business; it is not just an IT operations concern," said Roberta Bigliani, head of Europe, Middle East, and Africa IDC Energy Insights. "In oil and gas companies, awareness of appropriate security policies and best practices is still not good enough. They need to be better prepared to prevent and manage security breaches. This is not the time to reduce the budget for IT security and compliance."
The report also includes a section describing results from a second survey of U.S. oil and gas companies, revealing that while interest in security is improving in the U.S., it does not appear to be driving budgets. More than 31% of the respondents stated that security was a top IT initiative at their company in 2011, but only 12% of the respondents indicated that they are actually making investments to improve security and mitigate risk. "Software spending is increasing for client security solutions such as antivirus and antimalware. Investment in security appliance solutions such as firewalls and intrusion prevention remains low this year, as just 10% of the survey respondents indicate investing in them," said Usman Sindhu, senior research analyst, IDC Energy Insights.