The big question

Senior IT professionals from 1900 organisations in over 60 countries were interviewed for Ernst & Young’s 2009 Global Information Security Survey. Here we report the survey’s main findings and the pressures currently being faced by IT security managers.


How do you protect your organisation's brand and reputation in an environment of change? How do you identify and manage new risks? How do you overcome increasing challenges to deliver an effective information security programme? How do you comply with new regulations and industry requirements? These are just some of the questions that information security leaders are struggling with – and must find answers to – if they are going to outpace change and protect their organisation's most critical information assets. Over the last year, we have witnessed a global economic downturn become a crisis for many countries and many organisations, and we have seen the competitive landscape drastically altered for many industries. Although there are signs of economic recovery, the impact of these difficult times will continue to be felt by many companies as they reshape, restructure and reinvent themselves.

Information security leaders are facing considerable challenges as a result of the current environment. It would be naive to think that information security has not also been impacted by economic pressures; the need to reduce costs and provide more results from investments already made extends to all areas of the enterprise, including the information security function. To support this statement, there is evidence from our survey that many more organisations are struggling with a lack of skilled and trained information security resources. Our survey respondents are also reporting that finding adequate budget for information security is a major challenge for the coming year. These are clear indicators that information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum.

The current environment is also producing a rise in both internal and external threats. Our survey participants reveal a growing concern with reprisals from recently separated employees as well as noting an increase in external attacks on their company websites and networks.

Regulatory compliance is also top of mind for information security leaders, and our survey confirms that it continues to be an important driver of information security improvements. Several industries and countries are moving toward more regulation, primarily related to data protection and privacy. Correspondingly, companies are reporting an increase in the cost of compliance as the complexity and number of regulations also increases. In this 12th annual global information security survey we take a closer look at how organisations are specifically addressing the changing environment, including the risks, challenges, increasing regulatory requirements and new technologies.

Managing risks

In the last several years, we have seen a shift in the way technology is being deployed to support the flow of information. The increasingly mobile and global workforce, coupled with the rapid adoption of broadband and over-the-air technologies, has changed the way many organisations use technology and information. As a result, it has expanded or perhaps even eliminated the traditional borders of the organisation and the conventional digital perimeter paradigm. Organisations must now adjust their information security risk management approach – from "keeping the bad guys out" to protecting information no matter where it resides. We consider this to be a more "information-centric" view of security and a more effective approach. Not surprisingly, improving information security risk management was the top security priority for our survey participants, with 50 percent of respondents indicating that they plan to spend more and 39 percent planning to spend relatively the same amount on this initiative over the next year.

Increased threats

In addition to the technology shift, the current economic environment is fuelling an increase in the number of threats organisations are facing. The increase is driven not only from external sources – our survey found that 41 percent of respondents noted an increase in external attacks – but also from within the organisation: 25 percent of respondents witnessed an increase in internal attacks, and 13 percent reported an increase in internally perpetrated fraud.

Information security management systems

A structured and repeatable risk management approach is the core element of an information security management system (ISMS). It is also the approach chosen by a majority of companies to address their information security risks. Our survey results show that 44 percent of respondents currently have an ISMS in place or are in the process of implementing one, with another 32 percent considering an ISMS solution.

Information security standards are also playing an increasingly important role in shaping the ISMS for many organisations. Although only eight percent of respondents have achieved formal certification, 36 percent of respondents indicated that they are using the ISO/IEC 27001:2005 security standard as the basis for their ISMS. Standards can provide organisations with a set of leading practices related to information security risk management and are a logical starting point in developing an effective and comprehensive ISMS.

Availability of resources

In 2009, the primary challenge to effectively delivering information security was the lack of appropriate resources, with 56 percent of respondents ranking this as a high or significant challenge; this is an increase of eight percentage points compared to our 2008 survey results (48 percent). Somewhat contradictorily, our respondents indicated that the two leading areas for reducing spending over the coming 12 months will be outsourcing services (18 percent) and in-house staffing (16 percent). It appears that although organisations recognise the availability of resources to be their most significant challenge, only 20 percent of respondents plan to hire more in-house resources and only 14 percent plan to spend more on outsourcing to help alleviate this issue.

Adequate budgets

Allocating adequate budgets to information security continues to be a challenge in 2009, with a total of 50 percent of respondents ranking this as a high or significant challenge; this is a very notable increase of 17 percentage points over 2008 (33 percent). This is also particularly interesting in light of the fact that 40 percent of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures, and 52 percent planned on maintaining the same level of spending.

The survey results clearly show that information security budgets are not being significantly reduced, nor is the security function being asked to take on more responsibility than in previous years. So why do organisations continue to struggle to find adequate security budgets? One contributing factor may be that 44 percent of the organisations that participated in the survey still don't have a documented information security strategy. In the absence of a well-thought-out information security strategy, it will continue to be difficult to articulate and build the business case for an appropriate budget allocation, particularly in today's economic climate. The lack of a cohesive strategy also makes it difficult to prioritise spending decisions and to ensure that scarce resources are being allocated to where they will provide the most benefit. It is more important than ever for organisations to develop comprehensive, risk-based security strategies, prioritising spend based on the value of the assets at risk, both in order to justify budget requests and to make sure that they are getting maximum benefit out of those budgets.

Organisational security awareness

It has long been generally accepted that authorised users and employees pose the greatest security threat to an organisation and that raising and maintaining the awareness level of those people is a crucial part of an effective information security strategy. In spite of this knowledge, this remains a significant challenge and a significant issue for many organisations. While most organisations (74 percent) have a security awareness programme, less than half of all respondents indicated that their programme includes such things as:

  • Updates and alerts on current threats (44 percent)
  • Informational updates on new hot topics (42 percent)
  • Specific awareness activities for high-risk groups such as social networking users (35 percent)

Furthermore, only 20 percent of respondents indicated that they measure the effectiveness of their awareness programmes and modify those programmes based on the results.

Given that the challenge associated with organisational security awareness has not been reduced over time, it can be concluded that many current security training and awareness programmes are not working as well as they could be. It should also be noted that 73 percent of respondents have no plans to outsource their security training and awareness programmes. Yet, when we look closer at the 12 percent of respondents who currently outsource this activity, we find that organisational awareness is less likely to be a significant challenge. In fact, it does not make it into the top three challenges for these organisations. This may indicate that more organisations should begin to look for outside help to design, execute, monitor and/or measure the effectiveness of their security training and awareness programmes.

Complying with regulations

Regulatory compliance continues to be one of the top priorities for organisations and an important objective of the information security function. When asked about the importance of specific information security activities, 46 percent of respondents indicated that achieving compliance with regulations was very important with an additional 31 percent considering it important. This is not surprising, given the considerable attention and focus on compliance efforts over the last several years by most organisations.

Cost of compliance

When we asked how much companies were spending on compliance efforts, we found that 55 percent of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. While this number is down from 65 percent for the preceding three years, only five percent of respondents plan on spending less over the next 12 months on regulatory compliance. This may be an indication that organisations are spending too much of their security budgets on demonstrating point-in-time compliance, as opposed to implementing a comprehensive information security programme in which compliance is a by-product and not the primary driver. The point is further supported by the fact that only 36 percent of our survey respondents have deployed a solution for continuous monitoring of security controls. Moving to a more risk-driven security programme and leveraging continuous compliance monitoring technologies may allow organisations to reduce the amount they spend on demonstrating compliance and either reduce their overall security investment or focus it on more value-added information security services.

Privacy laws and regulations

Data protection and privacy are key components of regulatory compliance and are gaining more attention from governments and regulators. The number and complexity of privacy-related regulations is increasing; yet, 68 percent of respondents stated that they have a clear understanding of the privacy laws and regulations that may impact their organisations. In addition, 63 percent of respondents indicated that they include privacy requirements in contracts with external partners, vendors and contractors. Although it is encouraging that companies are recognising their privacy requirements, it is also clear that far too few organisations have taken the necessary steps to protect personal information. Only 32 percent of respondents have produced an inventory of information assets covered by privacy requirements, and even fewer (26 percent) have conducted an assessment of the personal data life cycle (gathering, using, storing and disposing).

Summary

Our 2009 survey shows that companies and information security leaders are facing an environment of change; escalating levels of risk, new challenges and increasing regulatory complexity are now driving information security decisions. Companies are also struggling to leverage new technologies – to get the most benefit and cost savings possible – while understanding the potential security impact to the organisation.

Our survey also revealed that many organisations continue to be challenged by a lack of skilled information security resources and inadequate budgets. These challenges have been identified in our previous surveys, but this year, they have become more significant, driven by heightened economic uncertainty.

To address the risks and challenges of the changing environment, information security leaders are abandoning the old paradigms and taking a more information-centric view of security. It is a more flexible, risk-based approach that is focused on protecting the organisation's critical information, and more suited to supporting a connected business model and today's increasingly mobile and global workforce. By leveraging the information in this survey and taking action on the suggestions for improvement, organisations can achieve more effective information security and continue to outpace change.

Visit www.ey.com/lessons-from-change to learn more about Ernst & Young's recent research and the resulting eight performance goals that companies are, or should be, adopting to prepare for the rebound.

This article was first published in CXO magazine.