Outpacing change Ã¢Â€Â“ EY's 12th annual global information security ...

Outpacing change 

Ernst & Young’s 12th annual 

global information security survey

Foreword......................................................................... 1 

Introduction: outpacing change....................................... 3 

Managing risks................................................................ 4 

Addressing challenges..................................................... 8 

Complying with regulations............................................ 12 

Leveraging technology.................................................. 16 

Summary...................................................................... 20 

Survey approach........................................................... 22 

About Ernst & Young..................................................... 24 

iv 

Outpacing change: Ernst & Young’s 12 th annual global information security survey

Foreword 

Over the last year, we have witnessed unprecedented changes in the global 

economic environment. Increased pressure to reduce costs, coupled with 

increased government and industry regulations, has presented new risks and 

challenges — challenges that many organizations are now struggling to address 

and which can significantly affect their information security postures. We have 

also witnessed new technologies introduced and adopted, some that helped 

improve information security and some that brought new risks and concerns. 

The survey results are encouraging in that many organizations are now taking a more 

holistic view of security and focusing on the overall health of their information 

security programs. However, our survey also reveals that the lack of adequate 

budget and resources continues to be a significant challenge for many organizations. 

The Ernst & Young global information security survey is one of the longest-running 

and most recognized annual surveys of its kind. We are very proud that for 12 

years, our survey has helped our clients focus on the right risks and priorities, 

identify their strengths and weaknesses, and improve their information security. 

We are also impressed that this year’s survey received the highest levels of 

participation since its inception more than a decade ago, demonstrating that 

information security continues to be an important issue for our clients. 

I would like to extend my warmest thanks to all of our nearly 1,900 survey 

participants for taking the time to share their views on information security. My 

colleagues and I are confident you will find this survey report useful, informative 

and insightful. We welcome the opportunity to speak with you personally about 

your specific information security risks and challenges. We are certain such 

discussions will position you to stay ahead of change and allow you and your 

organization to achieve your full potential. 

Paul van Kessel 

Global Leader, 

IT Risk and Assurance Services 

Outpacing change: Ernst & Young’s 12 th annual global information security survey 

1

2 Outpacing change: Ernst & Young’s 12 th annual global information security survey

Introduction: outpacing change 

Information security 

is not immune to 

external economic 

forces and must find 

ways to improve 

efficiency and 

effectiveness while 

keeping spending to 

a minimum. 

How do you protect your organization’s brand and reputation in an 

environment of change How do you identify and manage new risks How 

do you overcome increasing challenges to deliver an effective information 

security program How do you comply with new regulations and industry 

requirements How do you leverage technology to not only meet business 

objectives but also improve security 

These are just some of the questions that information security leaders are struggling 

with — and must find answers to — if they are going to outpace change and protect their 

organization’s most critical information assets. 

Over the last year, we have witnessed a global economic downturn become a crisis 

for many countries and many organizations. We have seen the competitive landscape 

drastically altered for many industries. Although there are signs of economic recovery, the 

impact of these difficult times will continue to be felt by many companies as they reshape, 

restructure and reinvent themselves. 

Information security leaders are facing considerable challenges as a result of the current 

environment. It would be naive to think that information security has not also been 

impacted by economic pressures; the need to reduce costs and provide more results from 

investments already made extends to all areas of the enterprise, including the information 

security function. To support this statement, there is evidence from our survey that many 

more organizations are struggling with a lack of skilled and trained information security 

resources. Our survey respondents are also reporting that finding adequate budget for 

information security is a major challenge for the coming year. These are clear indicators 

that information security is not immune to external economic forces and must find ways to 

improve efficiency and effectiveness while keeping spending to a minimum. 

The current environment is also producing a rise in both internal and external threats. Our 

survey participants reveal a growing concern with reprisals from recently separated employees 

as well as noting an increase in external attacks on their company websites and networks. 

Regulatory compliance is also top of mind for information security leaders, and our survey 

confirms that it continues to be an important driver of information security improvements. 

Several industries and countries are moving toward more regulation, primarily related to 

data protection and privacy. Correspondingly, companies are reporting an increase in the 

cost of compliance as the complexity and number of regulations also increases. 

In this 12 th annual global information security survey we take a closer look at how 

organizations are specifically addressing the changing environment, including the risks, 

challenges, increasing regulatory requirements and new technologies. We also identify and 

examine potential opportunities for improvement and important short-term and long-term 

trends that will shape information security in the coming years. 


3

Managing risks 

Improving 

information security 

risk management 

is the top security 

priority over the 

next year. 

In the last several years, we have seen a shift in the way technology is being deployed to 

support the flow of information. The increasingly mobile and global workforce, coupled with 

the rapid adoption of broadband and over-the-air technologies, has changed the way many 

organizations use technology and information. As a result, it has expanded or perhaps even 

eliminated the traditional borders of the organization and the conventional digital perimeter 

paradigm. Organizations must now adjust their information security risk management 

approach — from “keeping the bad guys out” to protecting information no matter where it 

resides. We consider this to be a more “information-centric” view of security and a more 

effective approach. Not surprisingly, improving information security risk management was 

the top security priority for our survey participants, with 50% of respondents indicating 

that they plan to spend more and 39% planning to spend relatively the same amount on this 

initiative over the next year. 

Compared to the previous year, does your organization plan to spend more, less or 

relatively the same amount over the next year for the following activities 

Improving information security risk management 

50% 

39% 

5% 6% 

Implementing or improving DLP technologies and processes 

43% 

47% 

5% 5% 

Implementing virtualization technologies 

41% 

42% 

9% 

8% 

Internal security awareness and training 

39% 

49% 

7% 

5% 

Risk management 

36% 

54% 

4% 6% 

Performing security testing 

32% 

55% 

8% 

5% 

Implementing or improving secure development processes 

30% 

56% 

6% 

8% 

Implementing or improving IAM technologies and processes 

28% 

57% 

7% 

8% 

Regulatory compliance 

28% 

60% 

6% 

6% 

Implementing standards 

24% 

59% 

9% 

8% 

Staffing 

20% 

58% 

16% 

6% 

Implementing other technologies 

17% 

39% 

5% 

39% 

Forensics/fraud support 

14% 

67% 

9% 

10% 

Outsourcing of security functions 

14% 

59% 

18% 

9% 

Spend 

more 

Same or 

constant 

Spend 

less 

Not 

answered 

Shown: percentage of respondents 

The role of regulators in promoting an information-centric security approach 

In Singapore, the Monetary Authority of Singapore (MAS) has recently released a set of guidelines requiring 

financial service institutions to evaluate the risks of information being compromised through endpoints. 

This approach places the emphasis on establishing controls that follow the flow of information, as well as 

the organization’s understanding of risk and the controls they have in place to protect the data. 


Increased threats 

In addition to the technology shift, the current economic environment is fueling an increase 

in the number of threats organizations are facing. The increase is driven not only from 

external sources — our survey found that 41% of respondents noted an increase in external 

attacks — but also from within the organization: 25% of respondents witnessed an increase 

in internal attacks, and 13% reported an increase in internally perpetrated fraud. 

Given the current economic environment, have you seen or perceived a change in the 

threats facing your organization 

No perceived changes noted 

Increase in external attacks (e.g., phishing, website attacks) 

Increase in internal attacks (e.g., abuse of employee 

privileges, theft of information) 

25% 

41% 

44% 

41% of respondents 

noted an increase 

in external 

attacks and 25% 

of respondents 

witnessed an 

increase in 

internal attacks. 

Increase in externally perpetrated fraud 

19% 

Increase in internally perpetrated fraud 

13% 


Information security risk 

management defined 

Information security risk management is 

the ongoing process of (1) identifying and 

understanding the potential threats and 

risks; (2) assessing to determine the extent 

of the risk; (3) remediating the risks; and (4) 

continuing these activities over time. It also 

includes the necessary communication and 

risk reporting within the organization. 


5

Managing risks (continued) 


revealed that 

they are concerned 

with the possible 

reprisal from 

employees recently 

separated from their 

organization. 

More interesting than the rise in internal and external attacks is the fact that a full 75% of 

respondents revealed that they are concerned (33% are very concerned) with the possible 

reprisal from employees recently separated from their organizations. Survey results also 

show that 42% of respondents are trying to understand the potential risks related to this 

issue and 26% are already taking steps to help mitigate the risks. 

Given the current economic environment, how concerned is your organization with the 

possible reprisal from employees recently separated from your organization 

Somewhat concerned, and we are trying 

to understand the potential risks 

Very concerned, and we are taking 

steps to help mitigate the risks 

Not a concern 

Very concerned, but we haven’t 

addressed the potential risks 

7% 

26% 

25% 

42% 


Information security management system 

A structured and repeatable risk management approach is the core element of an 

information security management system (ISMS). It is also the approach chosen by a 

majority of companies to address their information security risks. Our survey results 

show that 44% of respondents currently have an ISMS in place or are in the process of 

implementing one, with another 32% considering an ISMS solution. 

Information security standards are also playing an increasingly important role in shaping 

the ISMS for many organizations. Although only 8% of respondents have achieved formal 

certification, 36% of respondents indicated that they are using the ISO/IEC 27001:2005 

security standard as the basis for their ISMS. Standards can provide organizations with a 

set of leading practices related to information security risk management and are a logical 

starting point in developing an effective and comprehensive ISMS. 


Has your organization implemented an information security management system (ISMS) 

that covers the overall management of information security 

Yes, implemented and formally certified 

Yes, without certification objective 

Yes, currently in the process of implementing 


Our perspective 

No, but considering it 

No, and not considering it 

Our survey shows that the levels of internal and external risk continue to increase. To 

manage the increased risks, companies should develop a formal response aimed at dealing 

with employees likely to leave the organization as a result of workforce reductions or job 

elimination. Companies should also undertake a specific risk assessment exercise to identify 

their potential exposure within this sphere and put in place appropriate risk-based responses. 

8% 

17% 

19% 

24% 

32% 

Security standards defined 

ISO/IEC 27001:2005 — This standard provides 

a model for establishing, implementing, 

operating, monitoring, reviewing, maintaining 

and improving an ISMS. 

ISO/IEC 27002:2005 — This standard 

outlines the potential controls and control 

mechanisms which may be implemented 

based on the guidance provided within 

ISO/IEC 27001:2005. It established guidelines 

and general principles for establishing, 

implementing, operating, monitoring, 

reviewing, maintaining and improving 

information security management within 

an organization. 

Information Security Forum (ISF): The 

Standard of Good Practice for Information 

Security — This standard addresses 

information security from a business 

perspective, providing a practical basis for 

implementing and assessing an organization’s 

information security arrangements. 

Managing information security risks can be difficult — made more so in a changing 

environment — and requires an approach that is flexible and focused on what matters most 

to the organization: protecting critical information. Companies need to take an informationcentric 

view of security to ensure better alignment with their information flows. Only by 

understanding the use of information within critical business processes can an organization, 

and in particular its information security function, truly begin to manage its security needs. 

Information-centric security moves far beyond the boundaries of information technology 

(IT), and to deliver such an approach successfully, information security functions need to 

be more closely integrated with the business. This will help change how security should be 

viewed within the organization — as a flexible, responsible corporate citizen rather than an 

“obstacle” to achieving business objectives. 


7

Addressing challenges 

In 2009, the 

primary challenge to 

effectively delivering 

information 

security was the 

lack of appropriate 

resources. 

Overall, the challenges impacting the ability of an organization to effectively deliver its 

information security initiatives have not changed much over the last several years. The 

availability of resources, budget and organizational awareness continue to dominate 

this category. However, this year’s survey results show an increase in the number 

of organizations struggling with both resources and budget. This confirms that the 

information security function is not immune to the pressures of the current 

economic environment, and like any other organizational function, it is competing 

for scarce resources. 

Availability of resources 

In 2009, the primary challenge to effectively delivering information security was the lack 

of appropriate resources, with 56% of respondents ranking this as a high (4) or significant 

(5) challenge (on a 1 to 5 scale); this is an increase of eight percentage points compared 

to our 2008 survey results (48%). In somewhat of a contradiction, our respondents 

indicated that the two leading areas for reducing spending over the coming 12 months will 

be for outsourcing services (18%) and in-house staffing (16%). It appears that although 

organizations recognize the availability of resources to be their most significant challenge, 

only 20% of respondents plan to hire more in-house resources and only 14% plan to spend 

more on outsourcing to help alleviate this issue. 

What is the level of challenge related to effectively delivering your organization’s 

information security initiatives for each of the following 

Availability of resources 

20% 

36% 

28% 

11% 

5% 

Adequate budget 

19% 

31% 

29% 

14% 

7% 

Organizational awareness 

13% 

35% 

33% 

14% 

5% 

Assessing new threats and vulnerabilities 

9% 

29% 

36% 

19% 

7% 

Organizational change 

11% 

23% 

23% 

20% 

23% 

Business uncertainty 

12% 

21% 

27% 

20% 

20% 

Regulatory change or uncertainty 

8% 

22% 

31% 

23% 

16% 

Understanding emerging technologies 

5% 

22% 

35% 

25% 

13% 

Management sponsorship 

8% 

19% 

29% 

25% 

19% 

Significant challenge 4 3 2 Not a challenge 



In addition, our survey revealed that there is a definite unwillingness for many organizations 

to outsource their security functions. With the exception of attack and penetration testing 

(55%) and security assessments/audits (44%), the majority of respondents indicated that 

they had no plans to outsource most of their security-specific activities. 

Given this aversion to outsourcing and the fact that organizations continue to struggle to 

find and maintain adequate resources, it is clear that they need to look to other solutions to 

alleviate their resource challenges. 

Which of the following security-specific activities have been outsourced or considered 

for outsourcing 

Allocating 

adequate budget to 

information security 

continues to 

be a challenge. 

Attack and penetration testing 

55% 

18% 

27% 

Security assessments/audits 

44% 

16% 

40% 

Firewall or other device management 

30% 

9% 

61% 

Application testing 

21% 

12% 

67% 

Help desk 

23% 

7% 

70% 

Forensics/fraud support 

14% 

13% 

73% 

Disaster recovery/business continuity 

15% 

12% 

73% 

Security training and awareness 

12% 

15% 

73% 

Vulnerability/patch management 

17% 

8% 

75% 

Incident response 

10% 

6% 

84% 


Currently 

outsourced 

Under evaluation/ 

planned for outsourcing 

No plans 

to outsource 

While adoption of new technologies to automate and sustain controls can help offset the 

challenge of finding adequate human resources, organizations should be careful of becoming 

too reliant on technology at the expense of people and processes. Therefore, organizations 

should consider adopting co-sourced security models, wherein they can access appropriately 

skilled resources from their co-sourcing partners without relinquishing control over their 

security function to the degree associated with outsourcing. 

Adequate budget 

Allocating adequate budget to information security continues to be a challenge in 2009, 

with a total of 50% of respondents ranking this as a high (4) or significant (5) challenge; this 

is a very notable increase of 17 percentage points over 2008 (33%). This is also particularly 

interesting in light of the fact that 40% of respondents indicated that they planned to increase 

their annual investment in information security as a percentage of total expenditures, and 

52% planned on maintaining the same level of spending. 


9

Addressing challenges (continued) 

The survey results clearly show that information security budgets are not being significantly 

reduced, nor is the security function being asked to take on more responsibility than in previous 

years. So why do organizations continue to struggle to find adequate security budgets 

One contributing factor may be that 44% of the organizations that participated in the survey 

still don’t have a documented information security strategy. In the absence of a well-thoughtout 

information security strategy, it will continue to be difficult to articulate and build the 

business case for an appropriate budget allocation, particularly in today’s economic climate. 

The lack of a cohesive strategy also makes it difficult to prioritize spending decisions and to 

ensure that scarce resources are being allocated to where they will provide the most benefit. 

It is more important than ever for organizations to develop comprehensive, risk-based 

security strategies, prioritizing spend based on the value of the assets at risk, both in order to 

justify budget requests and to make sure that they are getting maximum benefit out of those 

budgets. 

Does your organization have a documented information security strategy for the next 

one to three years 

44% 

Yes 

56% 

No 


Social networking defined 

Social networking is the interaction between 

people over the internet on websites 

that attempt to mimic real-life encounters 

(e.g., Facebook.com, LinkedIn.com). 

Social networking sites present many 

potential risks, including: identity theft, 

legal or libel issues, viruses, malicious 

code, as well as disclosure of sensitive 

company information. Organizations 

should take steps to inform and educate 

their people about the issues related to 

social networking as an important part 

of their of security awareness programs. 

Organizational security awareness 

It has long been generally accepted that authorized users and employees pose the greatest 

security threat to an organization and that raising and maintaining the awareness level of 

those people is a crucial part of an effective information security strategy. In spite of this 

knowledge, this remains a significant challenge and a significant issue for many 

organizations. While most organizations (74%) have a security awareness program, less 

than half of all respondents indicated that their program includes such things as: 

• Updates and alerts on current threats (44%) 

• Informational updates on new hot topics (42%) 

• Specific awareness activities for high-risk groups such as social networking users (35%) 

Furthermore, only 20% of respondents indicated that they measure the effectiveness of 

their awareness programs and modify those programs based on the results. 


What elements are currently covered in your organization’s security awareness program 

General awareness of security topics in general 

Review and agreement of compliance with current 

security policies and standards 

Direct and frequent updates/alerts on current 

threats to the organization 

Informational updates on new hot topics 

44% 

42% 

61% 

74% 

Security training and 

awareness programs 

are not working as 

well as they could be. 

Specific awareness activities or training sessions 

for high-risk user groups 

35% 

Measuring the effectiveness of awareness activities and 

improving the program based on these measurements 

20% 


Given that the challenge associated with organizational security awareness has not been 

reduced over time, it can be concluded that many current security training and awareness 

programs are not working as well as they could be. It should also be noted that 73% 

of respondents have no plans to outsource their security training and awareness programs. 

Yet, when we look closer at the 12% of respondents who currently outsource this activity, 

we find that organizational awareness is less likely to be a significant challenge. In fact, it 

does not make it into the top three challenges for these organizations. This may illustrate the 

fact that more organizations should begin to look for outside help to design, execute, monitor 

and (or) measure the effectiveness of their security training and awareness programs. 


Our survey shows that organizations continue to be impacted by a lack of information security 

resources and inadequate budgets. They are also struggling to make improvements in the 

area of organizational security awareness. These challenges are not new, but they are 

increasing under the pressure of the current economic climate; information security leaders 

must explore new and more creative solutions, and improved operational efficiency should 

be considered a fundamental aspect of all new security initiatives. 

Companies need to adopt a risk-based security strategy to help prioritize initiatives, justify 

new investments and maximize the benefits from those investments which have already been 

committed. Organizations should also investigate potential co-sourced security alternatives, 

which may help provide much-needed access to skilled resources, without turning over 

control to others. However, such steps should be taken with care, as the operation of 

security by third parties requires different management competencies from those used to 

manage and deliver security to an organization using internal resources only. 


11

Complying with regulations 

Regulatory 

compliance 

continues to be 

one of the top 

priorities for 

organizations and an 

important objective 

of the information 

security function. 

Regulatory compliance continues to be one of the top priorities for organizations and 

an important objective of the information security function. When asked about the 

importance of specific information security activities, 46% of respondents indicated that 

achieving compliance with regulations was very important (5) with an additional 31% 

considering it important (4). This is not surprising, given the considerable attention and 

focus on compliance efforts over the last several years by most organizations. 

How important is information security in supporting the following activities in your 

organization 

Protecting reputation and brand 

Managing privacy and the protection of personal information 

Achieving compliance with regulations 

Achieving compliance with corporate policies 

Supporting operational and (or) enterprise risk management 

Protecting intellectual property 

Improving IT and operational efficiencies 

Improving stakeholder and investor confidence 

27% 

26% 

30% 

38% 

40% 

46% 

53% 

61% 

39% 

37% 

30% 

25% 

36% 

31% 

27% 

20% 

24% 

20% 

25% 

26% 

10% 

14% 

19% 

15% 

10% 

10% 

7% 

9% 

4% 1% 

6% 3% 

5% 

7% 

5% 

6% 

2% 

2% 

2% 

2% 

Managing external vendors 

15% 

33% 

32% 

14% 

6% 

Enhancing new service or product launches 

18% 

26% 

31% 

15% 

10% 

Examining new and emerging technologies 

11% 

28% 

38% 

17% 

6% 

Facilitating mergers, acquisitions and divestitures 

13% 

20% 

26% 

18% 

23% 

Very important 

4 

3 

2 

Not important 


Cost of compliance 

When we asked how much companies were spending on compliance efforts, we found that 

55% of respondents indicated that regulatory compliance costs were accounting for moderate 

to significant increases in their overall information security costs. While this number is down 

from 65% for the preceding three years, only 5% of respondents plan on spending less over 

the next 12 months on regulatory compliance. This may be an indication that organizations 

are spending too much of their security budgets on demonstrating point-in-time compliance 

as opposed to implementing a comprehensive information security program where compliance 

is a by-product and not the primary driver. 

The point is further supported by the fact that only 36% of our survey respondents have 

deployed a solution for continuous monitoring of security controls. Moving to a more 

risk-driven security program and leveraging continuous compliance monitoring technologies 

may allow organizations to reduce the amount they spend on demonstrating compliance 

and either reduce their overall security investment or focus it on more value-added 

information security services. 


What impact has regulatory compliance had on the annual cost of information security 

for your organization 

Significant increase in cost of information security 


Moderate increase in cost 

No change in cost 

Cost was reduced 

Compliance-driven improvements 

When we look at the impact of regulatory compliance on the effectiveness of information 

security, we discover that 64% of respondents believe it has increased effectiveness, with 

21% indicating a significant increase in effectiveness. For regulatory compliance to have 

this dramatic an effect on information security performance, we believe that for many 

organizations compliance is still the primary driver of information security improvements. 

What impact has regulatory compliance had on the annual cost of information security 

for your organization 

5% 

16% 

39% 

40% 


indicated that 

regulatory 

compliance costs 

were accounting 

for moderate to 

significant increases 

in their overall 

information 

security costs. 

Significant increase in the effectiveness 

21% 

Moderate increase in the effectiveness 

43% 

No change 

34% 

Reduced the effectiveness 

2% 



13

Complying with regulations (continued) 

Too few 

organizations have 

taken the necessary 

steps to protect 

personal information. 

Privacy laws and regulations 

Data protection and privacy are key components of regulatory compliance and are gaining 

more attention from governments and regulators. The number and complexity of privacyrelated 

regulations is increasing; yet, 68% of respondents stated that they have a clear 

understanding of the privacy laws and regulations that may impact their organizations. In 

addition, 63% of respondents indicated that they include privacy requirements in contracts 

with external partners, vendors and contractors. Although it is encouraging that companies 

are recognizing their privacy requirements, it is also clear that far too few organizations 

have taken the necessary steps to protect personal information. Only 32% of respondents 

have produced an inventory of information assets covered by privacy requirements, and 

an even fewer number (26%) have conducted an assessment of the personal data life cycle 

(gathering, using, storing and disposing). 

Which of the following statements can be made by your organization regarding privacy 

We have a clear understanding of the privacy laws 

and regulations that may impact the organization 

68% 

We have included privacy requirements in contracts 

with external partners, vendors and contractors 

We have implemented specific controls to 

protect personal information 

59% 

63% 

We have established a response and management 

process specific to privacy-related incidents 

We have produced an inventory of information 

assets covered by privacy requirements 

We have implemented a process to monitor 

and maintain privacy-related controls 

We have conducted an assessment 

of the personal data life cycle 

34% 

32% 

29% 

26% 



EuroPriSe 

The EuroPriSe certification program offers a voluntary product audit. The procedure consists of an 

evaluation of the IT product or IT service by accredited legal and IT experts and a validation of the 

evaluation report by an independent certification body. The European Privacy Seal (EuroPriSe) visualizes 

that a product has been checked and approved by an independent privacy organization and indicates a 

trustworthy product that can be used in compliance with European data protection laws. 

Privacy and protection of personal data will become an even greater challenge for 

organizations as new technologies and services, such as social networking, virtualization, 

cloud computing and radio-frequency identification (RFID) gain more widespread use. 

Privacy and data protection will also likely gain increased focus of governments and 

regulators as they attempt to keep privacy regulations out in front of the potential risks 

associated with these new technologies. The combination of increased regulations and 

technologies that facilitate a more open flow of personal information will present a 

significant challenge for even the most “privacy savvy” organizations. 


Regulatory compliance has been a significant driver of information security for several 

years, and our survey confirms that it continues to significantly influence the information 

security agenda. Most organizations still spend a considerable amount of their information 

security budgets on compliance and plan to continue doing so in the coming year. 

Organizations must formally detail all the regulations they are required to meet in the 

various geographies and validate this position with appropriate legal and operational 

groups across the enterprise. They also need to build an understanding of how their 

compliance efforts can be integrated into wider change programs, delivering greater 

business benefit. As part of these efforts, companies need to implement a comprehensive 

information security program where regulatory compliance is considered a by-product 

rather than the primary driver. 

We also found compliance with privacy regulations to be a growing area of focus for many 

organizations, but with limited progress or improvement shown in the last year. Companies 

need to understand the scope of privacy within their operations and identify effective 

business champions who they can work with, to ensure that normal business processes and 

practices do not contribute to potential privacy violations. Consistent privacy policies and 

procedures are becoming the norm across globally distributed enterprises and something 

that all organizations should strive for. 


15

Leveraging technology 

Implementing or 

improving Data 

Leakage Prevention 

(DLP) technologies is 

the second-highest 

security priority 

in the coming 

12 months. 

When considering how organizations are leveraging new technologies, there are two distinct 

aspects related to information security that should be examined: 

1. Which technologies are organizations implementing to improve their information 

security programs 

2. What are organizations doing to address the risks that are inherent with the 

introduction of new technologies 

Our survey results provide an insight into how technology can have both a positive and 

negative effect on information security. 

Data leakage protection 

Due to increasing and new risks organizations are facing, data protection is now top of mind 

for many information security leaders. Implementing or improving data leakage prevention 

(DLP) technologies is the second-highest security priority in the coming 12 months, identified 

by 40% of respondents as one of their top three priorities. Implementing DLP technologies is 

now a higher priority for many organizations than both security awareness training (39%) and 

regulatory compliance (27%). Improving information security risk management (47%) was the 

only priority that topped DLP technologies from an overall perspective, but more respondents 

(19%) selected DLP as their first priority for the next year. It is also worth noting that 90% of 

respondents plan on spending relatively the same (47%) or more (43%) over the next year on 

implementing or improving DLP technologies and processes. 

Please indicate your top three security priorities for the coming 12 months 

Improving information security risk management 

16% 

17% 

14% 

Implementing/improving DLP technologies and processes 

19% 

12% 

9% 

Internal security awareness and training 

11% 

14% 

14% 

Regulatory compliance 

11% 

9% 

7% 

Performing security testing 

4% 

8% 

12% 

Risk management 

6% 

8% 

8% 

Implementing/improving IAM technologies and processes 

8% 

6% 

6% 

Implementing standards 

7% 

7% 

6% 

Implementing virtualization technologies 

8% 

5% 

6% 

Implementing/improving secure development processes 

2% 

5% 

7% 

Staffing 

2% 2% 3% 

1st priority 2nd priority 3rd priority 



DLP tools will be the leading security technology implemented over the next year. 

According to our survey results, 50% of respondents are at some stage of the evaluation 

and implementation process; 22% have planned an implementation within 12 months; and 

another 28% are currently evaluating the technology. 

However, it isn’t just DLP technology being implemented to protect data. Of the top 

information security technologies planned for implementation in the coming 12 months, 

most are also related to this objective, including: encryption of portable media (19%), 

laptop encryption (17%) and email encryption (15%) and identity and access management 

(IAM) products (15%). When we look at the information security technologies that are 

currently in use by our survey respondents, we find that three of the top five are also aimed 

at protecting sensitive data: content monitoring and filtering tools (69%), laptop encryption 

(41%), and email encryption (35%). 

Which of the following security technologies are used or have been identified for use by 

your organization 

Data leakage prevention tools 

25% 

22% 

28% 

25% 

Few companies are 

encrypting their 

laptops. Only 41% 

of respondents are 

encrypting them 

today, with 17% 

planning to do so in 

the next year. 

Encryption of portable media 

25% 

19% 

29% 

27% 

Laptop encryption 

41% 

17% 

23% 

19% 

Governance, risk and compliance tools 

36% 

17% 

24% 

23% 

Email encryption 

35% 

15% 

25% 

25% 

Data leakage prevention (DLP) defined 

IAM products 

Enhanced authentication (802.1x, tokens) 

Desktop encryption 

Digital rights management 

Content monitoring and filtering tools 

Physical and logical security convergence 


15% 

14% 

24% 

31% 

Currently 

using 

12% 

10% 

49% 

9% 

69% 

15% 

31% 

34% 

26% 

Planned within 

12 months 

12% 

25% 

18% 

9% 

45% 

Under 

evaluation 

39% 

41% 

10% 

29% 

21% 

12% 

Not 

using 

Data leakage prevention (also known as 

data loss prevention or information leak 

prevention) is the combination of tools and 

processes for identifying, monitoring and 

protecting sensitive data or information 

according to an organization’s policies or 

government and industry regulations. DLP 

solutions typically focus on preventing 

certain data or information from leaking 

out of the organization and detecting any 

unauthorized access or transmission of 

sensitive data. 

One of the most noteworthy survey findings is how few companies are encrypting their 

laptops. Only 41% of respondents are encrypting them today, with 17% planning to do so in 

the next year. This is notable for a number of reasons: many breaches have occurred and 

continue to occur due to loss or theft of laptops; the technology is readily available and 

affordable to implement; and the impact to users during deployment is relatively low and 

should no longer be a barrier. 


17

Leveraging technology (continued) 


will have 

implemented 

virtualization before 

the end of the next 

year. However, 

only 19% of the 

same respondents 

indicated that 

virtualization was a 

security priority. 

Cloud computing defined 

Cloud computing essentially involves the 

outsourcing of computing capacity through 

third-party services over the internet, on 

an as-needed, “pay-as-you-go” basis. It can 

potentially help cut your power, storage, 

hardware, personnel and real estate-related 

costs. In addition, some companies are also 

employing a version of cloud computing — 

known as “Software-as-a-Service” (SaaS) — 

to help reduce daily technical operations and 

support business and consumer software. 

Virtualization and cloud computing 

New technologies are making an impact in the corporate enterprise, particularly 

virtualization and cloud computing. Both are unquestionably receiving a lot of media 

attention, and given the current economic environment, virtualization offers some 

attractive options for business leaders looking to cut costs, increase manageability and 

improve overall IT efficiency. The potential cost savings from virtualization — essentially, 

a more efficient pooling of IT resources, including networks, servers and storage — can be 

significant. However, there are security-related concerns. 

Virtualization is one of the highest-ranking technologies for adoption, with 78% of 

respondents indicating that they will have implemented virtualization before the end of 

the next year. However, only 19% of the same respondents indicated that virtualization 

was a security priority. Clearly, our survey respondents do not recognize the same level of 

risk with virtualization as would be expected with such a significant and extensive change 

effort. More alarming is the fact that virtualization security should be a concern, but the 

majority of organizations and security leaders are ignoring its implications. 

Cloud computing is another technology that has been very visible recently in industry 

publications, with some analysts predicting the cloud computing services market to reach 

as high as US$42 billion by 2012 1 . Yet, we are seeing adoption rates for cloud computing 

to be much slower compared to virtualization. Only 17% of respondents indicated that they 

are using the technology or planning to use it in the next year, and 47% stated they have no 

plans for using the technology. However, a significant percentage (36%) of respondents are 

currently evaluating its use. 

Which of the following technologies are used or have been identified for use by your 

organization 

Grid computing 

Cloud computing 

Radio frequency identifiers 

Voice over IP 

Virtualization 

Wireless 

7% 

9% 

15% 

5% 

8% 

4% 

31% 

63% 

36% 

29% 

67% 

69% 

9% 

57% 

52% 

11% 

6% 

47% 

15% 

10% 

12% 

13% 

15% 

10% 

Storage area networks 

80% 

5% 

6% 

9% 

Currently using 

Planned within 

12 months 

Under evaluation 

Not using 

1 Source: IDC survey of 244 IT leaders released 

October 2008 



Key information security risks and considerations for virtualization 

• Spread the risk — Companies should spread out the critical application instances across physical machines as much 

as possible. This can be accomplished by combining them with different types of applications while maintaining 

an appropriate ratio between physical and virtual machines. This helps achieve higher application availability and 

reduce security risks. 

• Limit access — Inappropriate access to server administrative interfaces can expose numerous production 

applications at once in virtualized environments. Develop a checklist in accordance with leading practices for 

securing administrative interfaces, including strict password policies and file permissions. 

• Use secure networks — Secure networks should be utilized for data migrations involving virtualization software, 

since data is not typically encrypted in these migrations. 

• Monitor threats — Properly functioning applications on virtual machines can hide latent security vulnerabilities. 

Thus, it is critical to continuously monitor both the virtual machines and the underlying virtual machine monitor, for 

potential threats. 

Cloud computing has its own potential data privacy and security issues. The companies 

that provide cloud computing services may provide those services in different data systems 

in various data centers in cities around the world. Unlike a more traditional IT outsourcing 

arrangement, cloud computing clients do not have dedicated servers or dedicated lines. This 

raises issues about exactly where clients’ data exists, and under whose jurisdiction it resides 

at any one given point in time. In addition, the possible need to recode data may increase the 

exposure to errors and security risks. 


Technology can play a major role in helping a company meet its information security and 

larger business objectives. However, technology can also expose an organization to 

additional risks. Our survey suggests that some organizations may be more focused on the 

benefits and cost savings than on any possible security issues related to the new technologies. 

Organizations must assess the potential impact of any new technology that is being 

considered, looking beyond any promised benefits to the evaluation of the potential impact 

upon the organization’s ability to protect its assets. 

New evolving security technologies can potentially deliver substantial benefits to the overall 

management of information security across an enterprise. However, the deployment of 

such technologies must continue to be investigated to further ensure that they are fit for 

purpose and will deliver the benefits required. 

Each organization need to define its position on new IT delivery models, including 

virtualization and cloud computing, to ensure that any decisions made are consistent with 

the overall business strategy, as well as the information technology strategy and direction 

of the organization. 


19

Summary 

Our 2009 survey shows that companies and information security leaders are facing an 

environment of change; escalating levels of risk, new challenges and increasing regulatory 

complexity are now driving information security decisions. Companies are also struggling 

to leverage new technologies — to get the most benefit and cost savings possible — while 

understanding the potential security impact to the organization. 

Our survey also revealed that many organizations continue to be challenged by a lack of 

skilled information security resources and inadequate budget. These challenges have been 

identified in our previous surveys, but this year, they have become more significant, driven 

by heightened economic uncertainty. 

To address the risks and challenges of the changing environment, information security 

leaders are abandoning the old paradigms and taking a more information-centric view 

of security. It is a more flexible, risk-based approach that is focused on protecting the 

organization’s critical information, and more suited to supporting a connected business 

model and today’s increasingly mobile and global workforce. 

By leveraging the information in this survey and taking action on the suggestions for 

improvement, organizations can achieve more effective information security and continue 

to outpace change. 

Key survey findings 


• Improving information security risk management is a top security priority for the next year. 

• ►External and internal attacks are increasing. 

• ►Reprisals from recently separated employees have become a major concern. 


• Availability of skilled information security resources is the greatest challenge to effectively delivering information 

security initiatives. 

• ►Despite most organizations maintaining current spending on information security, adequate budget is still a significant 

challenge to delivering security initiatives. 

• ►Security training and awareness programs are falling short of expectations. 


• ►Regulatory compliance continues to be an important driver for information security. 

• ►Cost of compliance remains high, with few companies planning to spend less in the next 12 months. 

• Too few organizations have taken the necessary steps to protect personal information. 

Leveraging technology 

• ►Implementing DLP technologies is the top security priority for many organizations. 

• The lack of endpoint encryption remains a key risk with few companies encrypting laptops or desktop computers. 

• ►Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information 

security implications. 




• Develop a formal response aimed at dealing with employees likely to leave the organization as a 

result of workforce reductions or job elimination. 

• Undertake a risk assessment exercise to identify potential exposure and put in place appropriate 

risk-based responses. 

• ►Take an information-centric view of security, better aligned with the organization’s information flows. 

• ►Continue to integrate information security with the business — becoming a flexible, responsible 

corporate citizen, rather than an “obstacle” to achieving business objectives. 


• Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize 

the benefits from those investments which have already been committed. 

• ►Investigate potential co-sourced security alternatives, which may help provide much-needed access to 

skilled resources, without turning over control to others. 


• Formally detail the regulations an organization is required to meet in the various geographies and 

validate this position with appropriate legal and operational groups across the enterprise. 

• Build an understanding of how compliance efforts can be integrated into wider change programs, 

delivering greater business benefit. 

• Implement a comprehensive information security program where regulatory compliance is considered 

a by-product rather than the primary driver. 

• Gain an understanding of the scope of privacy within operations and identify effective business 

champions to help ensure that normal business processes and practices do not contribute to potential 

privacy violations. 

Leveraging new technology 

• ►Assess the potential impact of any new technology that is being considered, looking beyond any 

promised benefits to the evaluation of the potential impact upon the organization’s ability to protect 

its assets. 

• Investigate the deployment of new security technologies to ensure that they are fit for purpose and 

will deliver the benefits required. 

• ►Define a position on new IT delivery models, such as virtualization and cloud computing, to ensure 

alignment with the overall business strategy and information technology strategy. 

Outpacing change: Ernst & Young’s 12 th annual global information security survey 21

Survey approach 

Ernst & Young’s 12th annual global information security survey was developed with the 

help of our assurance and advisory clients in more than 60 countries. 

This year’s survey was conducted between June 2009 and August 2009. Nearly 1,900 

organizations across all major industries participated. 

Methodology 

The questionnaire was distributed to designated Ernst & Young professionals in each country 

practice, along with instructions for consistent administration of the survey process. 

Most of the survey responses were collected during face-to-face interviews with individuals 

responsible for information security at the participating organizations. When this was not 

possible, the questionnaire was administered electronically via the Internet. 

If you wish to participate in Ernst & Young’s 13th annual global information security survey, 

you can do so by contacting your local Ernst & Young office or visiting www.ey.com and 

completing a brief request form. 

Profile of 2009 survey participants 

Survey participants by region 

9% 

29% 

Americas 

33% 

Asia/Pacific 

Europe 

Middle East/Africa 

29% 



Survey participants by major industry group 

Financial services 

30% 

Manufacturing 

16% 

Retail, wholesale & distribution 

10% 

Technology 

Energy & utilities 

7% 

7% 

Health services 

Government & public sector 

6% 

6% 

Other 

19% 


Survey participants by annual revenue (US$) 

$10 billion or more 

12% 

$1 billion–$9 billion 

23% 

$500 million–$999 million 

9% 

$100 million–$499 million 

22% 

Less than $100 million 

28% 

Not applicable 

6% 


Survey participants by job title 

Chief Information Officer 

19% 

Information Technology Executive 

16% 

Information Security Executive 

Chief Information Security Officer 

13% 

12% 

Chief Security Officer 

5% 

Chief Technology Officer 

3% 

Other 

34% 



23

About Ernst & Young 

At Ernst & Young, our services focus on our individual clients’ specific business needs and 

issues because we recognize that every need and issue is unique to that business. 

Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity 

to get closer, more focused and faster in responding to customers, and can redefine both the effectiveness 

and efficiency of operations. But as opportunity grows, so does risk. Effective information technology risk 

management helps you to improve the competitive advantage of your information technology operations, to make 

these operations more cost efficient and to manage down the risks related to running your systems. Our 6,000 

information technology risk professionals draw on extensive personal experience to give you fresh perspectives 

and open, objective advice — wherever you are in the world. We work with you to develop an integrated, holistic 

approach to your information technology risk or to deal with a specific risk and information security issue. We 

understand that to achieve your potential you need a tailored service as much as consistent methodologies. We 

work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest 

insights from our work worldwide. It’s how Ernst & Young makes a difference. 

For more information on how we can make a difference in your organization, contact your local Ernst & Young 

professional or any of the people listed in the table below. 

Contacts 

Global 

Norman Lonergan 

(Advisory Services Leader, London) 


(IT Risk and Assurance Services Leader, Amsterdam) 

Advisory Services 

Robert Patton 

(Americas Leader, Atlanta) 

Norman Lonergan 

(Europe, Middle East, India and Africa Leader, London) 

Nigel Knight 

(Far East Leader, Shanghai) 

Isao Onda 

(Japan Leader, Chiba-shi) 

Doug Simpson 

(Oceania Leader, Sydney) 

IT Risk and Assurance Services 

Bernie Wedge 

(Americas Leader, Atlanta) 


(Europe, Middle East, India and Africa Leader, Amsterdam) 

Troy Kelly 

(Far East Leader, Hong Kong) 

Giovanni Stagno 

(Japan Leader, Chiyoda-ku) 

Iain Burnet 

(Oceania Leader, Perth) 

+44 (0) 20 7980 0596 norman.lonergan@uk.ey.com 

+31 88 40 71271 paul.van.kessel@nl.ey.com 

+1 404 817 5579 robert.patton@ey.com 

+44 (0) 20 7980 0596 norman.lonergan@uk.ey.com 

+86 21 2228 8888 nigel.knight@cn.ey.com 

+81 4 3238 7011 onda-s@shinnihon.or.jp 

+61 2 9248 4923 doug.simpson@au.ey.com 

+1 404 817 5120 bernard.wedge@ey.com 

+31 88 40 71271 paul.van.kessel@nl.ey.com 

+81 2 2629 3238 troy.kelly@hk.ey.com 

+81 3 3503 1100 stagno-gvnn@shinnihon.or.jp 

+61 8 9429 2486 iain.burnet@au.ey.com 


Ernst & Young 

Assurance | Tax | Transactions | Advisory 

About Ernst & Young 

Ernst & Young is a global leader in assurance, tax, 

transaction and advisory services. Worldwide, our 

144,000 people are united by our shared values and 

an unwavering commitment to quality. We make a 

difference by helping our people, our clients and our 

wider communities achieve their potential. 

For more information, please visit www.ey.com. 

Ernst & Young refers to the global organization of 

member firms of Ernst & Young Global Limited, each 

of which is a separate legal entity. Ernst & Young 

Global Limited, a UK company limited by guarantee, 

does not provide services to clients. 

The Ernst & Young organization is divided into five 

geographic areas and firms may be members of 

the following entities: Ernst & Young Americas LLC, 

Ernst & Young EMEIA Limited, Ernst & Young Far East 

Area Limited and Ernst & Young Oceania Limited. 

These entities do not provide services to clients. 

About Ernst & Young’s Advisory Services 

The relationship between risk and performance 

improvement is an increasingly complex and central 

business challenge, with business performance 

directly connected to the recognition and effective 

management of risk. Whether your focus is on 

business transformation or sustaining achievement, 

having the right advisors on your side can make all 

the difference. Our 18,000 advisory professionals 

form one of the broadest global advisory networks of 

any professional organization, delivering seasoned 

multidisciplinary teams that work with our clients to 

deliver a powerful and superior client experience. 

We use proven, integrated methodologies to help 

you achieve your strategic priorities and make 

improvements that are sustainable for the longer 

term. We understand that to achieve your potential 

as an organization, you require services that 

respond to your specific issues, so we bring our 

broad sector experience and deep subject matter 

knowledge to bear in a proactive and objective way. 

Above all, we are committed to measuring the gains 

and identifying where the strategy is delivering the 

value your business needs. It’s how 

Ernst & Young makes a difference. 

© 2009 EYGM Limited. 

All Rights Reserved. 

EYG no. AU0383 

In line with Ernst & Young’s commitment to minimize its 

impact on the environment, this document has been printed 

on paper with a high recycled content. 

This publication contains information in summary form and is therefore 

intended for general guidance only. It is not intended to be a substitute 

for detailed research or the exercise of professional judgment. Neither 

EYGM Limited nor any other member of the global Ernst & Young 

organization can accept any responsibility for loss occasioned to any 

person acting or refraining from action as a result of any material in 

this publication. On any specific matter, reference should be made to 

the appropriate advisor. 

www.ey.com

Outpacing change Ã¢Â€Â“ EY's 12th annual global information security ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?