GLOBAL AIRLINE IT SECURITY SURVEY 2009

Short version

Specialists in air transport communications and IT solutions

Contents

Executive summary
Best practice
Judging security threats
Budget stability
Compliance barriers
Upgrade status
In summary
Recommendations
  Improve security threat evaluation
  Ensure best practice delivers
  Monitor software ‘sell-by’ dates
  Establish compliance connections
  Maximise secure spending value
Notes and references

© SITA 2009

Executive summary

Best practice
The SITA Global IT Security Survey 2009 shows a step change in the way that airlines and air freight organisations are dealing with security management in relation to previous years. In general, best practice measures are improving, and the need for improved security management information is also being responded to.

Investments
Regarding IT security investment, the economic downturn appears to have had only a nominal influence on security budget increases / decreases against last year (2007/8). However, the number of businesses seeing cost cutting as a primary driver for outsourcing has increased considerably, from 36% in 2007/8 to 58% in 2008/9. Despite budget stability, cost efficiency is clearly playing a major role in decision making.

Compliance
With key compliance initiatives in the pipeline for 2009/10, there is a notable level of importance assigned to compliance as an issue for IT security professionals. This is combined with a healthy acknowledgement of the challenges that lie ahead in meeting compliance standards over the coming years.

• Presence of best practice measures increases by an average of 14% from 2007/8
• Trend towards improved provision of security management information
• Cost efficiency demands increase as security budgets remain fixed for 2009
• 73% of businesses see airline industry compliance as important in 2009

Reflecting the airline industry as a whole, the IT security function is making gains in key areas of strategy that should yield positive performance in operational areas. As long as there is sufficient cohesion between strategic intentions and ‘on the ground’ activity, the strategic best practice improvement shown in the survey should deliver value over time.

There are obviously hurdles to overcome in meeting the organisational needs of air industry businesses, but there are measures in place to do so. The key point is to ensure that the good work undertaken in creating transparent, measurable frameworks and practices is not undone by day-to-day security events or by the increased pressures on security created by compliance in the wider organisation.

Best practice

An improvement is shown across the areas of best practice stipulated in the SITA Global IT Security Survey [Figure 1]. Respondents state levels of agreement with statements of best practice surrounding the following areas:

• Policy processes
• Quality of tracking and processes
• Level of security governance
• Measurement
• Business objective / IT security alignment

With the areas of Policy (71%) and Measurement (67%) showing the most significant levels of improvement over the past 12 months, it is evident that confidence in citing agreement with these practices is growing amongst airline security professionals.

These are encouraging signs for the industry. With a greater focus on best practice, it appears that benefits are being experienced in other areas of IT security management, for example, improved provision of security management information.

Figure 1. Best practice in security (% shows level of agreement with the statements provided; agree / strongly agree is shown)

Policy (“Our organisation undertakes processes that support security policies, system-specific management practices and security standards”): 2007/8 48%, 2008/9 71%
Quality (“We have dedicated security project management processes that are tracked and verified for quality”): 2007/8 49%, 2008/9 61%
Governance (“Our organisation has overarching security governance that is evaluated to substantiate processes such as quality documentation, communications and deliverables”): 2007/8 46%, 2008/9 59%
Measurement (“Our security strategy is specifically tied to and measured in context of the business goals of the organization”): 2007/8 48%, 2008/9 67%
Business objective (“We are able to provide clear evidence / facts that demonstrate how security strategy supports business objectives”): 2007/8 59%, 2008/9 64%

Judging security threats

Figure 2 shows that 66% of respondents worldwide believe there is a need to improve management information surrounding security threats in order to refine security strategy. At first glance, two thirds of the sample finding themselves in this position may seem high, and it clearly shows room for improvement in assembling more robust management data. However, it is notable that in 2006/7 and 2007/8 the worldwide figure for security management improvement need was 85% and 76% respectively. Therefore, Figure 2 shows a marked improvement on previous years. The sector is heading in the right direction.

Looking at the data from a regional perspective, there is an obvious distinction between the Middle East (71%) and AsiaPac (84%) regions and the other regional territories, suggesting more work is needed across these two important regions to meet the global average.

Figure 2. Percentage of respondents who agree / strongly agree with the statement “We need to improve management information on the level of security threats posed to our organization in order to refine our approach”

All: 66%
AsiaPac: 84%
Middle East / Africa: 71%
N. Europe, S. Europe and Americas: between 57% and 63%

Budget stability

Figure 3 should be seen as a positive trend for security budgets, especially in light of the operational challenges experienced in the airline industry as a whole. With the pressure of highly competitive markets, fluctuating fuel costs and the wider global downturn, IT security budgets appear somewhat insulated from significant cuts.

Though there is a slight increase in static budgets, with 34% of respondents seeing budgets fixed in 2008/9 against 30% in the previous year, the picture year-on-year is consistent overall. In times of hardship, there seems to be an encouraging respect for maintaining security spending. However, there is still the need for businesses to innovate against a dynamic range of network threats, which may present challenges for the 45% of businesses that experienced no budget growth over 2008.

Figure 3. What best reflects the level of IT security budget increase/decrease from last year (2007/8) to this year (2008/9)

Bar chart with two series (2007-2008 and 2008-2009) across the categories: Decrease 10%+; Decrease between 6-10%; Decrease between 1-5%; Static; Increase between 1-5%; Increase between 6-10%; Increase 10%+; Don't know / refused. Static budgets: 30% in 2007/8, 34% in 2008/9.

Compliance barriers

Compliance formed a major area of focus for SITA in the 2009 Global IT Security Research, as it is increasingly a part of the IT and security professional’s remit. In fact, 42% of respondents overall stated that they had input into IT compliance for their respective organisations.

Figure 4 shows that the majority of respondents with a compliance remit place a high level of importance on a wide range of compliance issues. In particular, industry compliance (73%) and customer information compliance (68%) are considered important to the business.

This is again encouraging, as key compliance initiatives such as PCI DSS [1] and ISO 27001 [2] are both becoming increasingly relevant and time-sensitive to the industry in order to meet standards for customer data and billing compliance. For example, Visa has issued compliance deadlines for PCI DSS regarding data storage and validation procedures for September 2009 and 2010, respectively.

Figure 4. Compliance priorities (very important / important)

Customer information: very important 39%, important 29%
Employee IT compliance: very important 22%, important 35%
Online payment compliance: very important 34%, important 25%
Financial sector: very important 23%, important 33%
Airline / industry compliance: very important 38%, important 35%

Figure 5 sheds some light on the challenges faced in the field of compliance within the sector. Evidently, resources, skills and budget are the top priority challenges for IT professionals supporting compliance issues.

With IT security and compliance becoming increasingly interdependent in the industry, there is clearly a call to action to ensure that compliance initiatives are not compromised by skills and resource shortages. With key issues such as data protection and credit / debit card transaction assurance becoming more open to compliance regulation, there is a risk that increased best practice in general security strategy is compromised by compliance shortfalls.

It is noted that compliance professionals may take a different and perhaps more positive view of competency and resources than their IT counterparts in delivering compliance projects. However, at the point where compliance and technology meet, the challenges stated in Figure 5 need to be addressed.

Figure 5. Barriers to meeting compliance needs within the business

Insufficient resources: 54%
Insufficient budget: 49%
Lack of knowledge around compliance: 47%
Insufficient planning: 42%
Skills shortage in implementing measures: 41%
Lack of internal comms / project mgt: 41%
Lack of clarity / info from regulatory body: 38%

Upgrade status

It is enlightening to observe the level of upgrade activity that takes place across a portfolio of security applications, as shown in Figure 6. The observation provides an interesting snapshot of security ‘sell-by’ dates for a raft of security functions.

With real-time updates being the most desirable option in order to keep both data and security perimeters up to date, there are many instances where this level of security vigilance has been achieved. Clearly, all businesses seek to improve the processes behind security and virus upgrades, as they are a drain on resources and, if not adhered to, can also increase security risk.

It is interesting to note that the frequency of upgrade decreases on some very important elements of defence, such as mobile device management and intrusion detection, suggesting more emphasis is needed in these areas over the next 12 months. Other areas of the security portfolio, such as PKI and event management software, operate upgrades on understandably longer lead times.

Figure 6. Upgrade status across the security portfolio

Functions shown: Security event management; Public Key Infrastructure (PKI); Policy management / reporting; Intrusion detection systems; Virus upgrades / patches; Email; Data encryption; IP gateway / firewall; VPN; Mobile device management; Desktop management. Response categories: Realtime / ongoing; Less than 2 months ago; 3-6 months ago; 7-18 months ago; Do not have this function.

In summary

In 2009, a combination of economic pressures, perennial threats to the IT network and infrastructure changes will dictate the success or failure of IT security strategy in the air transport industry. The SITA Global IT Security Survey provides useful insights for airlines and air freight businesses in dealing with the major issues surrounding security planning and delivery.

The survey shows encouraging signs of improvement in how security threats are evaluated and measured within the sector. It also provides a benchmark of current levels of automation surrounding IT security, giving airline organisations a view of how the industry as a whole is maintaining network vigilance. Whilst better security information appears to be providing greater visibility for security strategy, the call to action is that of ensuring strategic measures translate into reduced security threats and improved operational efficiencies.

Respondents in the survey estimated that airline and air freight businesses are exposed to 28 incidents of network slowdown as a result of malware presence on the network each year. This suggests that, although improvements abound, there is still work to do in reinforcing defences against the ongoing battle of security threats and malware.

Recommendations

Expanding on the findings in this executive summary, a wider report looking at regional differences across the globe and key areas of the data in more detail follows. In response to the findings of the 2009 research, five key considerations are provided below:

Improve security threat evaluation
Many businesses (66%) still struggle with security management information. In its absence, strategic decisions may fall short of meeting business objectives and carry more risk for the organisation. Businesses without sufficient security information should prioritise this issue in 2009.

Ensure best practice delivers
With the increase of best practice frameworks in place, the important point is to ensure that security operations are delivering within these frameworks, as practical shortfalls in security strategy still seem to be evident.

Monitor software ‘sell-by’ dates
Constant scrutiny of suitable upgrade agreements and implementations, along with a vigilant approach to virus and security upgrade scheduling, is imperative.

Establish compliance connections
The integration of compliance and security functions in achieving key transactional and security standards should be a part of strategic objectives for 2009. A greater level of cohesion should reduce some of the compliance challenges experienced by IT professionals in the survey.

Maximise secure spending value
As 2010 budgets remain uncertain, 2009 may be a window for completion or acceleration of key security implementations for specific businesses and the industry as a whole.

Methodology
The SITA Global IT Security Survey 2009 interviewed 183 director-level technology professionals across five global regions: USA, Northern Europe, Southern Europe, Middle East and AsiaPac.

Interviews were conducted during December 2008 by Loudhouse Research, an international research agency headquartered in the UK. 45-minute interviews were undertaken via telephone using a Computer Assisted Telephone Interview (CATI) system.

Respondents by region: N. Europe 34%; Americas 20%; AsiaPac 17%; S. Europe 15%; Middle East / Africa 13%.

Notes and references

1 PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.

2 ISO/IEC 27002, part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’, is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 27001:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

© SITA 09-THW-032-1. All trademarks acknowledged. Specifications subject to change without prior notice. This literature provides outline information only and (unless specifically agreed to the contrary by SITA in writing) is not part of any order or contract.

For further information, please contact SITA by telephone or e-mail.