Your competitive advantage — four steps to improve your information security
(As originally published in the Financial Post, December 2012)
By Rafael Etges, Leader, Information Security, and Nitin Bedi, Manager, IT Security, Ernst & Young LLP
Organizations have been working hard to keep up with the pace of technology – and the increasing number of information security threats – with varying levels of success.
Those organizations that can minimize the gap between what their information security functions are doing now and what they need to do will secure competitive advantage.
The only way an organization can close the gap is by fundamentally transforming its information security function.
This is a key conclusion of Ernst & Young’s 2012 annual Global Information Security Survey: Fighting to close the gap.
Our survey results suggest that although many organizations are taking steps to enhance their information security capabilities, few are keeping up with the latest threats affecting them. Even fewer are able to get far enough ahead to anticipate not only today’s threats, but also tomorrow’s.
We have looked at the results of our surveys over the past few years and found that in 2009, 41% of business respondents noticed an increase in external security attacks. By 2011, that number had leapt to 72% and this year, the number has risen again, to 77%. Examples of accelerating external threats include “hacktivism”, state-sponsored espionage, organized crime and terrorism.
In this year’s survey, nearly half of respondents (46%) say they have noticed an increase in internal vulnerabilities, with 37% ranking careless or unaware employees as the threat that has increased the most over the last 12 months.
A fundamental transformation
Transformation of the information security program that aims at closing the ever-growing gap between vulnerability and security does not require complex technology solutions. Rather, it requires leadership, as well as the commitment to take action. Obstacles like budget constraints, lack of the right resources and organizational issues prevent companies from closing this critical information security gap.
But how does a company transform its information security function to stay ahead of the accelerating threats? We’ll focus on four key steps business owners can take to fundamentally shift how their information security functions operate.
Link the information security strategy to the business strategy
It is vital that organizations align their information security strategy with their business strategy and objectives by focusing their efforts on:
- Growth — effective information security can protect the whole business, safeguard revenue and free up resources to increase revenue opportunities.
- Innovation — new technology is being used to interact with customers in new ways. The data that is generated needs to be secure, with privacy a critical issue.
- Optimization — well-structured and well-managed information security can help reduce costs across the business.
- Protection — information security needs good governance and transparency to provide stakeholders with confidence.
Optimize the architecture and demonstrate how information security can deliver business results. Instead of reworking the existing landscape, information security management should undertake a fundamental redesign. We must allow for innovation and embrace new and emerging technologies, to achieve the results that promote protection and progress.
Identify the real risks
The security strategy should focus on your business drivers and on methods to protect high-value data. Start by defining your organization’s overall risk appetite and how information risk fits within it. Then identify the most important information and applications, where they reside and who has, or needs, access. Finally, assess the threat landscape and determine the points of exposure.
Protect what matters most
Assume that breaches will occur — the key is to improve processes that plan, protect, detect and respond. Remember to balance the fundamentals to appropriately plan and protect against emerging threats.
Embed in the business
Make security everyone’s responsibility and align all aspects of security with the business. Where possible, selectively consider outsourcing operational security program areas to contain costs. When it comes to investing, spend wisely in controls and technology — invest more in people and processes.
Sustain your security program
Get the governance right and include continuous learning and improvement measures. Security needs to be an executive level priority and should drive compliance, not vice versa. Measure leading indicators to identify problems while they are still small and accept manageable risks that improve performance.
Execute the transformation successfully and sustainably
Fundamental transformation isn’t just about implementing a program and walking away. To make sure the changes stick:
- Make leaders accountable for delivering results and visibility throughout the life of the program.
- Align the entire organization and get them involved in the transformation approach — from planning and delivery of the program to the sustained adoption of the performance objectives.
- Continually predict, monitor and manage risk throughout the execution of the program.
- Identify adoption techniques, communicate wins and be transparent with challenges and fixes.
Take a deep dive into the new technologies
Despite their risks, new technologies are here to stay. Organizations need to use them to their advantage to extend their reach and energize profitable growth.
Any information security framework needs to constantly assess the role of new technologies and how to maximize their potential for the organization while minimizing risks and keeping them safe.
Although individual businesses worry about their own performance, governments also want to ensure that organizations providing key services that support the continued well-being of society can continue to operate with the minimum of disruption.
As threats continue to evolve, we may see new interventions and regulatory pressures in critical areas, such as energy, telecoms, water supply, food production, healthcare and financial services to safeguard against information security incidents that could interrupt or damage operations.
With security threats on the rise, standing still is not an option. Successful organizations will be the ones that evolve their thinking and response. Effective information security transformation does not require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.