Ad-hoc information security solutions no longer an option, as companies struggle to keep pace with today's threats
London, 29 October 2012 – Organizations need to fundamentally shift their approach to information security in order to meet the threats presented by existing and emerging technologies according to EY’s Global Information Security Survey 2012 report released today. The report, now in its fifteenth year, is one of the most comprehensive surveys in its field and is based on responses from over 1,850 CIOs, CISOs and other information security executives in 64 countries.
Organizations are implementing incremental improvements to their information security capabilities to provide short-term solutions — without tackling the issues associated with the overall information security threat. With 31% experiencing a higher number of security incidents in the last two years, the need to develop a robust security architecture framework has never been greater. However 63% of organizations have no such framework in place and only 16% of respondents report that their information security function fully meets the needs of the organization.
Commenting on the findings, Paul van Kessel, EY Global IT Risk and Assurance Services Leader says, “The new normal for the CIO is that fast is not fast enough. The velocity and complexity of change is happening at a staggering pace, with emerging markets, continuing economic volatility, off-shoring and increasing regulatory requirements adding to an already complicated information security environment.”
Threat level continues to rise
Organizations recognize that the risk environment is changing, as the frequency and nature of information security threats increase and the number of security incidents rises. Over three-quarters (77%) of respondents agreed that there is an increasing risk from external attacks, but this is not the only source for concern for global organizations, with 46% reporting that internal vulnerabilities are also on the rise.
The unstoppable march of new technology
New technologies are opening up tremendous opportunities for organizations; but also potential threats from previously unknown sources. Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organizations using the cloud almost doubling in the last two years. However, 38% of organizations have not taken any measures to mitigate the risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.
Another significant new technology is internet-enabled mobile devices, whose technology advancements — and the associated business benefits — have vastly increased adoption rates.
Van Kessel comments, “With 44% of organizations now allowing the use of company or privately-owned tablets — up from 20% in 2011 — substantial levels of information are now flowing in and out of the office, making control increasingly difficult.”
Organizations recognize that they need to do more on mobile technology. However, in the fast-moving mobile computing market the adoption of security techniques and software is still relatively low, with just 40% of organizations using some form of encryption technique on mobile devices.
More money, but is it well spent?
With more risks and more technology to secure, organizations are responding by increasing budgets and adjusting their priorities. Fifty-one percent of organizations reported plans to increase their budget by more than 5% in the next 12 months. While 32% of respondents spend over US$1m on information security, the level of investment varies globally, with 48% of Americas’ organizations allocating in excess of US$1m, compared with 35% and 26% in Asia-Pacific and EMEIA (Europe, Middle East, India and Africa) respectively. In terms of where the budget is assigned, the top investment priorities are securing new technologies (55%) and business continuity (47%).
Responsibility shift needed from IT to the risk function
The budget increases planned can only be effective with the right decision-makers taking responsibility. Information security continues to be IT-led within many organizations; with 63% of respondents indicating that their organizations have placed the responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps, and a reappraisal of responsibilities is required.
With just 5% of chief risk officers currently responsible for information security, many organizations lack the formal risk assessment mechanism provided by the risk function, resulting in 52% of organizations having no threat intelligence program in place. The proliferation of threats — and the acceleration of the gap between vulnerability and security — requires multiple sources of assessment, such as internal audit, internal self assessments and third-party assessments, to monitor and evaluate security incidents.
Van Kessel concludes, “For some organizations, skills resources, security maturity or budget may be playing a role in their decision-making; but these bolt-on or stack work-around solutions being seen today — which fix short-term information security needs — are masking a bigger problem around vulnerability.”
When looking to the future, he adds, “Although we’ve identified some of the current gaps, there are still more on the horizon, in the form of government intervention and new regulatory pressures. If organizations don’t take action to develop comprehensive security frameworks today, the combined consequences of the current and future issues will only fuel the information security threat further.”
To read the complete survey findings and recommendations for organizations, visit www.ey.com/GISS2012.
Notes to Editors
About EY's Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how EY makes a difference.
EY is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
EY refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.