Ad-hoc information security solutions no longer an option, as companies struggle to keep pace with today’s threats
Organisations need to fundamentally shift their approach to information security in order to meet the threats presented by existing and emerging technologies according to Ernst & Young’s Global Information Security Survey 2012 report. The report, now in its fifteenth year, is one of the most comprehensive surveys in its field and is based on responses from over 1,850 CIOs, CISOs and other information security executives in 64 countries.
Damon Greber, Ernst & Young Channel Islands IT Risk and Assurance Services Leader said: “This report is of direct relevance to the Channel Islands, with many local organisations implementing online access for their clients and also considering the usage of cloud services. Those responsible for information security need to ensure that they work closely together with the risk function of their organisation.”
Organisations are implementing incremental improvements to their information security capabilities to provide short-term solutions — without tackling the issues associated with the overall information security threat. With 31% experiencing a higher number of security incidents in the last two years, the need to develop a robust security architecture framework has never been greater. However, 63% of organisations have no such framework in place and only 16% of respondents report that their information security function fully meets the needs of the organisation.
Commenting on the findings, Paul van Kessel, Ernst & Young Global IT Risk and Assurance Services Leader said: “The new normal for the CIO is that fast is not fast enough. The velocity and complexity of change is happening at a staggering pace, with emerging markets, continuing economic volatility, off-shoring and increasing regulatory requirements adding to an already complicated information security environment.”
Threat level continues to rise
Organisations recognise that the risk environment is changing, as the frequency and nature of information security threats increase and the number of security incidents rises. Over three-quarters (77%) of respondents agreed that there is an increasing risk from external attacks, but this is not the only source for concern for global organisations, with 46% reporting that internal vulnerabilities are also on the rise.
The unstoppable march of new technology
New technologies are opening up tremendous opportunities for organisations; but also potential threats from previously unknown sources. Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organisations using the cloud almost doubling in the last two years. However, 38% of organisations have not taken any measures to mitigate the associated risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.
Another significant new technology is internet-enabled mobile devices, whose technology advancements — and the associated business benefits — have vastly increased adoption rates.
Van Kessel commented: “With 44% of organisations now allowing the use of company or privately-owned tablets — up from 20% in 2011 — substantial levels of information are now flowing in and out of the office, making control increasingly difficult.”
Organisations recognise that they need to do more on mobile technology. However, in the fast-moving mobile computing market the adoption of security techniques and software is still relatively low, with just 40% of organisations using some form of encryption technique on mobile devices.
More money, but is it well spent?
With more risks and more technology to secure, organisations are responding by increasing budgets and adjusting their priorities. Fifty-one percent of organisations reported plans to increase their budget by more than 5% in the next 12 months. While 32% of respondents spend over US$1m on information security, the level of investment varies globally, with 48% of Americas’ organisations allocating in excess of US$1m, compared with 35% and 26% in Asia-Pacific and EMEIA (Europe, Middle East, India and Africa) respectively. In terms of where the budget is assigned, the top investment priorities are securing new technologies (55%) and business continuity (47%).
Responsibility shift needed from IT to the risk function
The budget increases planned can only be effective with the right decision-makers taking responsibility. Information security continues to be IT-led within many organisations, with 63% of respondents indicating that their organisations have placed the responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps, and a reappraisal of responsibilities is required.
With just 5% of chief risk officers currently responsible for information security, many organisations lack the formal risk assessment mechanism provided by the risk function, resulting in 52% of organisations having no threat intelligence programme in place. The proliferation of threats — and the widening gap between vulnerability and security — requires multiple sources of assessment, such as internal audit, internal self-assessments and third-party assessments, to monitor and evaluate security incidents.
Van Kessel concluded: “For some organisations, skills resources, security maturity or budget may be playing a role in their decision-making; but these bolt-on or stack work-around solutions being seen today — which fix short-term information security needs — are masking a bigger problem around vulnerability.”
When looking to the future, he added: “Although we’ve identified some of the current gaps, there are still more on the horizon, in the form of government intervention and new regulatory pressures. If organisations don’t take action to develop comprehensive security frameworks today, the combined consequences of the current and future issues will only fuel the information security threat further.”
To read the complete survey findings and recommendations for organisations, visit www.ey.com/GISS.