Are CIOs Too Cocky About Security?

28.09.2011
There's been no shortage of high-profile and damaging data breaches in the past year. And the targets are widely varied; they include security firms RSA Security and HBGary Federal, defense contractors Lockheed Martin and Northrop Grumman, entertainment giant Sony, major retailers, healthcare companies and marketing firms.

Despite these attacks, the ninth annual Global Information Security Survey conducted by CIO's sister publication CSO magazine and PricewaterhouseCoopers indicates that of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.

"Clearly, something unusual is happening, with so many organizations viewing themselves as security leaders," says Mark Lobel, a principal in the advisory services division of PwC. In reality, "nowhere near 43 percent [are] leaders."

Pete Lindstrom, research director at Spire Security, has another take. "Either 43 percent are fooling themselves, or they are reaching a good level of success in setting their strategy and hitting it."

To better understand the actual security-management capabilities of the respondents who said they were leaders, PwC filtered the results according to factors it thinks are markers of real leadership. To meet the criteria, a company had to have a security strategy in place, IT security had to report to senior business leadership, the company had to have reviewed its IT security policy in the past year, and if the business had suffered a breach, it had to understand the cause. "When we finished that analysis, the amount of frontrunners fell from 43 percent to 13 percent," Lobel says.

Where does this unwarranted confidence come from? "Perhaps they didn't have bad things happen, or they're not aware that bad things have happened," says Lobel. "That can definitely create a false sense of security."