2012 Global Information Security Survey - Fighting to close the gap
Information security needs to become a board-level priority and its executives need to have a seat at the boardroom table.
Information security executives have made great strides in achieving this level of visibility, accountability and value. But in recent years, as threats accelerate and economic volatility, emerging markets, off shoring and new technologies add complexity to the role, information security is competing with other board-level priorities.
As a result, information security may not be getting the attention it needs to keep pace with the velocity of change.
Broader alignment needed
An effective information security strategy needs to stretch across the entire enterprise and work in tandem with many different functional areas. That's why it is so important that information security's goals are aligned not only with the overall enterprise-wide business goals, but also with the various departmental and functional goals.
Admirably, the number of respondents who indicate that their information security strategy is aligned to their IT strategy has risen from 33% in 2008 to 56% in 2012. Similarly, the number of respondents suggesting that their information security strategy is aligned to their business strategy has risen from 18% in 2008 to 42% in 2012.
And yet, in 2012:
- Only 38% align their information security strategy to their organization's risk appetite and risk tolerance.
- Only 54% discuss information security topics in the boardroom on a quarterly basis or more frequently. The remaining 46% almost never — or never — discuss the topic with the top governing structure of their organization.
Governance and monitoring responsibilities
Given that information security continues to be IT-led within so many organizations, it’s not surprising that 63% respondents indicate that their organizations have placed the responsibility for information security with the IT function.
Information security needs to be more strategically positioned beyond the IT function.
However, blending IT expertise with a non-IT perspective, organizations can enhance overall information security effectiveness by:
- Helping to create and maintain accurate measurement that aligns with business goals
- Ensuring objective assessment around information security effectiveness
- Resolving decision-making issues, pre-empting potential conflicts of interest and helping to facilitate priority-related discussions which might otherwise be difficult if attempted in an IT-only environment
Notably, 26% of organizations have given responsibility for information security to the CEO, CFO or COO — elevating it to a C-suite topic. But only 5% have information security reporting to the chief risk officer — the person most responsible for managing the organization's risk profile.
Changing risk landscape
Organizations recognize that the risk environment is changing. Nearly 80% agree that there is an increasing level of risk from increased external threats, and nearly half agree that internal vulnerabilities are on the rise.
Additionally, 31% of respondents have seen increases in the number of security incidents compared to last year, while only 10% saw a corresponding decrease. 59% indicate that the number of incidents have stayed the same.
As the frequency and nature of information security threats increase and the number of security incidents rises, so too does the potential impact of security lapses.
Spending more, adjusting priorities
As organizations around the world are seeing the rise in the threat levels, some are responding by spending more and adjusting their priorities:
- 44% of respondents will be keeping their budgets the same over the next 12 months
- 30% expect an information security funding increase of 5% to 15%
- 9% expect to see an information security budget increase of 25% or more
The highest priority area (51% of respondents) for investment in the next 12 months is business continuity management and disaster recovery, up from 36% in 2011.
Interestingly, the second-highest ranked spending priority for respondents was a fundamental redesign of their information security program. These organizations understand that adding point solutions or working on incremental improvements is no longer sufficient.
An information security transformation (or fundamental shift) is necessary to face today’s issues.