Are your IT vendors protecting your customer data? A new survey from Deloitte raises plenty of stomach-churning questions. Almost half--49 percent--of the over 100 companies surveyed in their 2007 Technology, Media & Telecommunications Security Survey say they are "falling behind or catching up to security threats." Just 7 percent believe they are ahead of them.

Among the other findings in the 40 page report:

• 36 percent of companies do not track losses of customer data; only 53 percent publicly disclose the loss of customer data. (However, 33 percent have dedicated an executive for privacy issues, and 72 percent have either launched a privacy program or established one already.)
• 38 percent say their organization "has all the skills and capabilities they need to respond effectively and efficiently to security challenges."
• 69 percent are "very confident" or "extremely confident" about their organization's effectiveness in dealing with external security challenges, while only 56 percent are confident about facing internal threats.
• 54 percent have a formal information security strategy; 20 percent intend to have one in place within two years. Seventeen percent of the surveyed companies see the lack of such a strategy as one of their biggest barriers to achieving information security.
• 65 percent have a chief information security officer.
• 62 percent of respondents believe security is a "key imperative at the board or executive level."
• 45 percent say top management is "informed about security issues only on an ad hoc basis or not at all."

Deloitte's takeaway is that the industry is just treading water. But it appears that at some vendors, the swimmer has drowned.