Information security poses significant challenges for Canadian businesses
(As originally published in the Financial Post, December 2012)
By Nitin Bedi, Manager, IT Security, Ernst & Young LLP
According to Ernst & Young’s annual global information security survey, Fighting to close the gap, 21% of Canadian businesses surveyed reported seeing more IT security incidents in the last year. The study also finds that Canadian companies are lagging behind most other countries in security innovation, with little more than 5% of spending invested in new technologies and management processes targeting information security over the last 12 months.
Businesses have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration. But with smarter attacks occurring in greater numbers, short-term solutions and incremental changes are not enough. Canadian information security functions are fixing problems that are three to five years old, and the gap between what they are doing and should be doing has widened. What we need now is a fundamental business transformation to close the gap.
So what’s causing this gap and what does this mean for business owners in Canada?
- Lack of alignment with the business beyond the IT function: The information security agenda continues to be IT-led rather than focused on the overall business strategy. In Canada, 42% of businesses do not have an information security strategy. Only 29% align their information security strategy to their organization’s risk appetite and risk tolerance and 7% have given responsibility for information security to the chief risk officer.
An effective information security strategy needs to stretch across the business and work in tandem with many different functional areas.
- Insufficient resources with the right skills and training: When asked what the main barriers and obstacles businesses see as challenging the ability of their information security function to deliver, 43% of respondents cite a lack of skilled resources. While budgets remain tight for many organizations, almost 40% of respondents expect an information security funding increase in the next 12 months and more than half cite business continuity management and disaster recovery as the highest priority areas for the next year.
Given the acceleration of external threats, coupled with the use of emerging technologies such as mobile and cloud, businesses also need to devote resources and budget to train employees outside of the information security function about the role they must play in keeping the organization’s information safe.
- Insufficient process rigor: Despite a reported increase in IT security incidents in the last year, 63% of respondents indicated that their organizations have no formal security architecture framework in place, nor are they necessarily planning on using one.
In responding to short-term information security needs, organizations seem increasingly inclined to bolt on or stack work-around solutions, creating significant gaps in security. The work-around solution approach isn’t easy to understand, use or update. Nearly a third of organizations rate their architecture as the threat or vulnerability that has increased the most over the last 12 months, largely because controls are outdated and can’t easily be fixed or replaced.
- New and evolving technology: New technologies like cloud computing, social media, and mobile devices open up tremendous opportunities and cost savings for companies; however, the information security function needs to pay particular attention to, and manage, the associated risks.
Speed of change, increasing threats, looming gaps
The speed of change in information security can be dizzying if we think about how quickly and how far technology has evolved in such a short period of time. The rise of emerging markets, the financial crisis and offshoring only add to the complexity of ever-evolving information security issues — and the urgency to address them.
So how can Canadian companies keep up?
Later this week, we’ll go in-depth and look more specifically at emerging technology trends including cloud computing, social media and bring your own device (or BYOD) and offer practical steps your organization can carry out as part of your due diligence.
To read the complete survey findings and recommendations for organizations, visit ey.com/GISS.