EY's Global Information Security Survey - 2013

Under cyber attack


Awareness of cyber threats propels improvement

EY - 4 questions CEOs should ask their CISOs


Over the past year, organizations have made substantial progress in improving their defenses against cyber attacks. Yet their position remains reactive, addressing the threats they know, but not seeking to understand the threats that may be just around the corner.

For nearly three-quarters of organizations surveyed, information security policies are now owned at the highest organizational level.

In 10% of organizations the information security function reports directly to the CEO. Information security professionals in 35% of the organizations we surveyed present information security to the board and those at the top of the governing structure on a quarterly basis; a little more than 1 in 10 report monthly.

Information security is now seen as vital to the ongoing health and success of the organization. However, despite the efforts organizations have made over the course of the last 12 months to improve, much more still needs to be done.

Only 23% of respondents rated security awareness and training — a key component of continuous improvement activities — as their number one or two priority; 32% ranked it last.

EY chart - threats and vulnerabilities

The only security area rated a lower priority by more respondents was threat and vulnerability management, an activity for which 31% of respondents had no program. This is surprising, as without it organizations have little visibility into where the cyber threats are and where a cyber attack may be coming from.

As the rate and complexity of cyber attacks continue to increase, organizations need to act quickly to avoid leaving themselves exposed to a costly and brand-damaging security incident that shakes the confidence of consumers and shareholders.


The leading practices that expand improvements

EY - 10 leading practices to combat cyber threats


Organizations must signal support from the top to be proactive and ready for the unknown. Those that are satisfied with merely being reactive may not survive the next attack.

For the most part, organizations have improved their information security programs over the last 12 months. However, our findings suggest that leading organizations take improvements one step further.

There are 10 areas where we see leading companies expanding improvement opportunities across their entire organization.

In our survey, we asked respondents to rank the maturity of their information security programs.

Even well-established information security approaches, such as identity and access management programs, are rated less mature than they need to be. More recent approaches, such as threat intelligence and vulnerability identification, are less mature still and need more attention.

EY chart - program maturity scale

Executives at the highest level of an organization need to commit to striving for information security maturity — and be accountable for achieving it. Without that commitment, none of the other improvements the information security function seeks to implement will realize their intended benefits.


To survive, innovation must power transformation

EY - EY Security Program Assessment


Innovative information security solutions can protect organizations against known cyber risks and prepare them for a great unknown: the future.

Innovators must constantly scan the horizon, searching for the vulnerabilities in each opportunity emerging technologies bring.

In our survey, we asked respondents to rank the following 13 emerging technologies and trends by level of importance:

Emerging technologies and trends

EY chart - Emerging technologies and trends

Current technologies

  • Digital devices, which include the security and risk considerations for:
    • Smartphones and tablets
    • Software applications
    • Web-based applications (HTML5) and website design to fit mobile screens
  • Social media in the context of a digital business enabler and network facilitator

Around the corner

  • Big data, which we describe as the exponential volume and complexity of data under management
  • Enterprise application store, which encompasses associated costs versus increased productivity of employee requests for applications
  • Supply chain management, in the context of how external assets (customers, suppliers, vendors, contractors and partners) impact security
  • Cloud service brokerage as it pertains to how brokers manage cloud security, privacy and compliance issues
  • Bring your own cloud, including personal cloud infrastructures that can be owned, managed and operated by an organization, a third party or a combination of both; that may exist on or off the premises; or that concern data and application access managed only by the cloud owners

On the horizon

  • In-memory computing, which involves data storage in the main random access memory instead of complicated databases, allowing real-time analyses of high-volume data
  • Internet of things (for example, embedded sensors and image recognition technologies), which is already used in security programs but will increasingly be applied to our day-to-day lives
  • Digital money and the associated regulations and legislation needed to address fraud and money laundering issues relating to mobile money services
  • Cyber havens, where countries provide data hosting without onerous regulations

If organizations want to get ahead of cyber threats — or at least keep pace — they need to be proactive not only about the known and unknown risks associated with technologies just around the corner, but also about those just beginning to appear on the horizon.