The survey focuses on an important problem, and provides insight into the state of the industry, no question.

However, as is classically the case, Web surveys are not random samples of the business universe. In fact, the folks who have time to sit at the desk answering these surveys are not the ones aggressively trying to solve their security problems. The picture drawn by the survey is likely a bit worse than the reality actually is.

Not is it statistically correct to say that the survey has a +/-1% sampling error or precision. Those percentages are appropriate only for random samples, and a Web sampling frame does not qualify. Properly, you cannot calculate sampling errors like this for Web surveys (any, business or consumer), and it can be argued that you should use nonparametric statistics to assess significance of findings.

These are factors undoubtly underlining the New York Time's refusal to public Web survey results, and the recent announcemnt by the Advertising Research Foundation that it is trying to develop professional standards for Web surveys.

Where is the DOJ data breach information published that was mentioned in the podcast? I googled but had no luck.
It would add value if the state laws required why the data was lost (barring laptops being lost)....to fix the problem.
Just a comment too, I went to Defcon 15 and the big news was Russian's selling malware subscriptions, no one ever mentioned out sourcing to South America for the coding of the subscriptions...according to the podcast. It makes sense.

(http://video.google.com/videoplay?docid=710124790709298362)

How about India? Then again, they have no privacy laws according to a talk a saw at CERT.org.
I expect a virus written to exploit MPACK soon.

As the technology arm for our company, how come we're not invited to give a presentation on something that will bring a new dimension in the cyber security domain? We definitely like to show the world that a new security model is needed to put an end to cyber diseases around the world. We call it Cyber Immunity. The world is filled with impotent firewalls and stealth backdoors, and false traps. Is this another gala for PWC to talk about security. Hey the big five used to be accounting firms. All of sudden they mutated to become security experts. Next time, I need to install a septic tank, I will call on PCW. They claim they are the best in septic engineering.

The results of the survey indicated 60% of companies have a CISO or CSO. That doesn't seem to be reflected by any of the conferences I attend, job postings I see, or discussions I have with infosec professionals across verticals. Most top infosec roles are still middle management, not at the executive level. The results of the survey may be skewed by how the question was asked or who the respondents were.

More technology. Better technology. All-in-one technology. Yet, everybody is still just as insecure? I guess the technology arms race, unlike the cold war, isn't going to be won by outspending the bad guys. Frankly, if all you're doing is outfitting yourself with all the open source tools, the best you'll ever achieve is parity. Everybody has access to the same tools, so at an IT manager you're at no advantage. The only thing you have going for you over all the potential problem-makers is information. If you don't understand HOW the technology is being used you can NEVER take a proactive approach and ensure secure, compliant operations. Sadly, in our VC-infected technology world, everybody's baseline costs are so high and the investments so great, nobody can afford to create an easy-to-use and affordable security solution. THE VCs WON'T STAND FOR IT. They need 10X returns and liquidity events, which continues to propagate the spiraling technology costs and complexity. This won't solve the security challenge. Good old fashioned information will do quite nicely, thank you. Now, if only the IT market knew where they could find such an easy-to-use and affordable tool....hmmmm?

No matter how much people spend on security technology, this won't keep systems and data safe. All the automation and controls cannot provide coverage against a constant torrent of dynamic usage conditions and content. The only way to ensure secure operation is to proactively monitor and view actual use. When you understand how the technology is how and performs under actual conditions, you can make any necessary changes to policies, procedures and controls where warranted. Simply throwing more money and equipment only complicates matters and clouds the real issues.