<strong>Outpacing</strong> <strong>change</strong><br />
Ernst & Young’s <strong>12th</strong> <strong>annual</strong><br />
<strong>global</strong> <strong>information</strong> <strong>security</strong> survey
Foreword......................................................................... 1<br />
Introduction: outpacing <strong>change</strong>....................................... 3<br />
Managing risks................................................................ 4<br />
Addressing challenges..................................................... 8<br />
Complying with regulations............................................ 12<br />
Leveraging technology.................................................. 16<br />
Summary...................................................................... 20<br />
Survey approach........................................................... 22<br />
About Ernst & Young..................................................... 24<br />
Foreword<br />
Over the last year, we have witnessed unprecedented <strong>change</strong>s in the <strong>global</strong><br />
economic environment. Increased pressure to reduce costs, coupled with<br />
increased government and industry regulations, has presented new risks and<br />
challenges — challenges that many organizations are now struggling to address<br />
and which can significantly affect their <strong>information</strong> <strong>security</strong> postures. We have<br />
also witnessed new technologies introduced and adopted, some that helped<br />
improve <strong>information</strong> <strong>security</strong> and some that brought new risks and concerns.<br />
The survey results are encouraging in that many organizations are now taking a more<br />
holistic view of <strong>security</strong> and focusing on the overall health of their <strong>information</strong><br />
<strong>security</strong> programs. However, our survey also reveals that the lack of adequate<br />
budget and resources continues to be a significant challenge for many organizations.<br />
The Ernst & Young <strong>global</strong> <strong>information</strong> <strong>security</strong> survey is one of the longest-running<br />
and most recognized <strong>annual</strong> surveys of its kind. We are very proud that for 12<br />
years, our survey has helped our clients focus on the right risks and priorities,<br />
identify their strengths and weaknesses, and improve their <strong>information</strong> <strong>security</strong>.<br />
We are also impressed that this year’s survey received the highest levels of<br />
participation since its inception more than a decade ago, demonstrating that<br />
<strong>information</strong> <strong>security</strong> continues to be an important issue for our clients.<br />
I would like to extend my warmest thanks to all of our nearly 1,900 survey<br />
participants for taking the time to share their views on <strong>information</strong> <strong>security</strong>. My<br />
colleagues and I are confident you will find this survey report useful, informative<br />
and insightful. We welcome the opportunity to speak with you personally about<br />
your specific <strong>information</strong> <strong>security</strong> risks and challenges. We are certain such<br />
discussions will position you to stay ahead of <strong>change</strong> and allow you and your<br />
organization to achieve your full potential.<br />
Paul van Kessel<br />
Global Leader,<br />
IT Risk and Assurance Services<br />
Introduction: outpacing <strong>change</strong><br />
Information <strong>security</strong> is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum.<br />
How do you protect your organization’s brand and reputation in an environment of <strong>change</strong>? How do you identify and manage new risks? How do you overcome increasing challenges to deliver an effective <strong>information</strong> <strong>security</strong> program? How do you comply with new regulations and industry requirements? How do you leverage technology to not only meet business objectives but also improve <strong>security</strong>?<br />
These are just some of the questions that <strong>information</strong> <strong>security</strong> leaders are struggling<br />
with — and must find answers to — if they are going to outpace <strong>change</strong> and protect their<br />
organization’s most critical <strong>information</strong> assets.<br />
Over the last year, we have witnessed a <strong>global</strong> economic downturn become a crisis<br />
for many countries and many organizations. We have seen the competitive landscape<br />
drastically altered for many industries. Although there are signs of economic recovery, the<br />
impact of these difficult times will continue to be felt by many companies as they reshape,<br />
restructure and reinvent themselves.<br />
Information <strong>security</strong> leaders are facing considerable challenges as a result of the current<br />
environment. It would be naive to think that <strong>information</strong> <strong>security</strong> has not also been<br />
impacted by economic pressures; the need to reduce costs and provide more results from<br />
investments already made extends to all areas of the enterprise, including the <strong>information</strong><br />
<strong>security</strong> function. To support this statement, there is evidence from our survey that many<br />
more organizations are struggling with a lack of skilled and trained <strong>information</strong> <strong>security</strong><br />
resources. Our survey respondents are also reporting that finding adequate budget for<br />
<strong>information</strong> <strong>security</strong> is a major challenge for the coming year. These are clear indicators<br />
that <strong>information</strong> <strong>security</strong> is not immune to external economic forces and must find ways to<br />
improve efficiency and effectiveness while keeping spending to a minimum.<br />
The current environment is also producing a rise in both internal and external threats. Our<br />
survey participants reveal a growing concern with reprisals from recently separated employees<br />
as well as noting an increase in external attacks on their company websites and networks.<br />
Regulatory compliance is also top of mind for <strong>information</strong> <strong>security</strong> leaders, and our survey<br />
confirms that it continues to be an important driver of <strong>information</strong> <strong>security</strong> improvements.<br />
Several industries and countries are moving toward more regulation, primarily related to<br />
data protection and privacy. Correspondingly, companies are reporting an increase in the<br />
cost of compliance as the complexity and number of regulations also increases.<br />
In this 12th <strong>annual</strong> <strong>global</strong> <strong>information</strong> <strong>security</strong> survey we take a closer look at how<br />
organizations are specifically addressing the changing environment, including the risks,<br />
challenges, increasing regulatory requirements and new technologies. We also identify and<br />
examine potential opportunities for improvement and important short-term and long-term<br />
trends that will shape <strong>information</strong> <strong>security</strong> in the coming years.<br />
Managing risks<br />
Improving <strong>information</strong> <strong>security</strong> risk management is the top <strong>security</strong> priority over the next year.<br />
In the last several years, we have seen a shift in the way technology is being deployed to<br />
support the flow of <strong>information</strong>. The increasingly mobile and <strong>global</strong> workforce, coupled with<br />
the rapid adoption of broadband and over-the-air technologies, has <strong>change</strong>d the way many<br />
organizations use technology and <strong>information</strong>. As a result, it has expanded or perhaps even<br />
eliminated the traditional borders of the organization and the conventional digital perimeter<br />
paradigm. Organizations must now adjust their <strong>information</strong> <strong>security</strong> risk management<br />
approach — from “keeping the bad guys out” to protecting <strong>information</strong> no matter where it<br />
resides. We consider this to be a more “<strong>information</strong>-centric” view of <strong>security</strong> and a more<br />
effective approach. Not surprisingly, improving <strong>information</strong> <strong>security</strong> risk management was<br />
the top <strong>security</strong> priority for our survey participants, with 50% of respondents indicating<br />
that they plan to spend more and 39% planning to spend relatively the same amount on this<br />
initiative over the next year.<br />
Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities?<br />
Shown: percentage of respondents (spend more / same or constant / spend less / not answered)<br />
Improving <strong>information</strong> <strong>security</strong> risk management: 50% / 39% / 5% / 6%<br />
Implementing or improving DLP technologies and processes: 43% / 47% / 5% / 5%<br />
Implementing virtualization technologies: 41% / 42% / 9% / 8%<br />
Internal <strong>security</strong> awareness and training: 39% / 49% / 7% / 5%<br />
Risk management: 36% / 54% / 4% / 6%<br />
Performing <strong>security</strong> testing: 32% / 55% / 8% / 5%<br />
Implementing or improving secure development processes: 30% / 56% / 6% / 8%<br />
Implementing or improving IAM technologies and processes: 28% / 57% / 7% / 8%<br />
Regulatory compliance: 28% / 60% / 6% / 6%<br />
Implementing standards: 24% / 59% / 9% / 8%<br />
Staffing: 20% / 58% / 16% / 6%<br />
Implementing other technologies: 17% / 39% / 5% / 39%<br />
Forensics/fraud support: 14% / 67% / 9% / 10%<br />
Outsourcing of <strong>security</strong> functions: 14% / 59% / 18% / 9%<br />
The role of regulators in promoting an <strong>information</strong>-centric <strong>security</strong> approach<br />
In Singapore, the Monetary Authority of Singapore (MAS) has recently released a set of guidelines requiring<br />
financial service institutions to evaluate the risks of <strong>information</strong> being compromised through endpoints.<br />
This approach places the emphasis on establishing controls that follow the flow of <strong>information</strong>, as well as<br />
the organization’s understanding of risk and the controls they have in place to protect the data.<br />
Increased threats<br />
In addition to the technology shift, the current economic environment is fueling an increase<br />
in the number of threats organizations are facing. The increase is driven not only from<br />
external sources — our survey found that 41% of respondents noted an increase in external<br />
attacks — but also from within the organization: 25% of respondents witnessed an increase<br />
in internal attacks, and 13% reported an increase in internally perpetrated fraud.<br />
Given the current economic environment, have you seen or perceived a <strong>change</strong> in the threats facing your organization?<br />
Shown: percentage of respondents<br />
No perceived <strong>change</strong>s noted: 44%<br />
Increase in external attacks (e.g., phishing, website attacks): 41%<br />
Increase in internal attacks (e.g., abuse of employee privileges, theft of <strong>information</strong>): 25%<br />
Increase in externally perpetrated fraud: 19%<br />
Increase in internally perpetrated fraud: 13%<br />
41% of respondents noted an increase in external attacks and 25% of respondents witnessed an increase in internal attacks.<br />
Information <strong>security</strong> risk management defined<br />
Information <strong>security</strong> risk management is the ongoing process of (1) identifying and understanding the potential threats and risks; (2) assessing to determine the extent of the risk; (3) remediating the risks; and (4) continuing these activities over time. It also includes the necessary communication and risk reporting within the organization.<br />
Managing risks (continued)<br />
75% of respondents revealed that they are concerned with the possible reprisal from employees recently separated from their organization.<br />
More interesting than the rise in internal and external attacks is the fact that a full 75% of<br />
respondents revealed that they are concerned (33% are very concerned) with the possible<br />
reprisal from employees recently separated from their organizations. Survey results also<br />
show that 42% of respondents are trying to understand the potential risks related to this<br />
issue and 26% are already taking steps to help mitigate the risks.<br />
Given the current economic environment, how concerned is your organization with the possible reprisal from employees recently separated from your organization?<br />
Shown: percentage of respondents<br />
Somewhat concerned, and we are trying to understand the potential risks: 42%<br />
Very concerned, and we are taking steps to help mitigate the risks: 26%<br />
Very concerned, but we haven’t addressed the potential risks: 7%<br />
Not a concern: 25%<br />
Information <strong>security</strong> management system<br />
A structured and repeatable risk management approach is the core element of an<br />
<strong>information</strong> <strong>security</strong> management system (ISMS). It is also the approach chosen by a<br />
majority of companies to address their <strong>information</strong> <strong>security</strong> risks. Our survey results<br />
show that 44% of respondents currently have an ISMS in place or are in the process of<br />
implementing one, with another 32% considering an ISMS solution.<br />
Information <strong>security</strong> standards are also playing an increasingly important role in shaping<br />
the ISMS for many organizations. Although only 8% of respondents have achieved formal<br />
certification, 36% of respondents indicated that they are using the ISO/IEC 27001:2005<br />
<strong>security</strong> standard as the basis for their ISMS. Standards can provide organizations with a<br />
set of leading practices related to <strong>information</strong> <strong>security</strong> risk management and are a logical<br />
starting point in developing an effective and comprehensive ISMS.<br />
Has your organization implemented an <strong>information</strong> <strong>security</strong> management system (ISMS) that covers the overall management of <strong>information</strong> <strong>security</strong>?<br />
Shown: percentage of respondents<br />
Yes, implemented and formally certified: 8%<br />
Yes, without certification objective / Yes, currently in the process of implementing: 17% and 19% (these two answers cannot be told apart in the chart; together with the 8% certified they make up the 44% cited above)<br />
No, but considering it: 32%<br />
No, and not considering it: 24%<br />
Our perspective<br />
Our survey shows that the levels of internal and external risk continue to increase. To manage the increased risks, companies should develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination. Companies should also undertake a specific risk assessment exercise to identify their potential exposure within this sphere and put in place appropriate risk-based responses.<br />
Managing <strong>information</strong> <strong>security</strong> risks can be difficult — made more so in a changing environment — and requires an approach that is flexible and focused on what matters most to the organization: protecting critical <strong>information</strong>. Companies need to take an <strong>information</strong>-centric view of <strong>security</strong> to ensure better alignment with their <strong>information</strong> flows. Only by understanding the use of <strong>information</strong> within critical business processes can an organization, and in particular its <strong>information</strong> <strong>security</strong> function, truly begin to manage its <strong>security</strong> needs. Information-centric <strong>security</strong> moves far beyond the boundaries of <strong>information</strong> technology (IT), and to deliver such an approach successfully, <strong>information</strong> <strong>security</strong> functions need to be more closely integrated with the business. This will help <strong>change</strong> how <strong>security</strong> should be viewed within the organization — as a flexible, responsible corporate citizen rather than an “obstacle” to achieving business objectives.<br />
Security standards defined<br />
ISO/IEC 27001:2005 — This standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.<br />
ISO/IEC 27002:2005 — This standard outlines the potential controls and control mechanisms which may be implemented based on the guidance provided within ISO/IEC 27001:2005. It establishes guidelines and general principles for establishing, implementing, operating, monitoring, reviewing, maintaining and improving <strong>information</strong> <strong>security</strong> management within an organization.<br />
Information Security Forum (ISF): The Standard of Good Practice for Information Security — This standard addresses <strong>information</strong> <strong>security</strong> from a business perspective, providing a practical basis for implementing and assessing an organization’s <strong>information</strong> <strong>security</strong> arrangements.<br />
Addressing challenges<br />
In 2009, the primary challenge to effectively delivering <strong>information</strong> <strong>security</strong> was the lack of appropriate resources.<br />
Overall, the challenges impacting the ability of an organization to effectively deliver its<br />
<strong>information</strong> <strong>security</strong> initiatives have not <strong>change</strong>d much over the last several years. The<br />
availability of resources, budget and organizational awareness continue to dominate<br />
this category. However, this year’s survey results show an increase in the number<br />
of organizations struggling with both resources and budget. This confirms that the<br />
<strong>information</strong> <strong>security</strong> function is not immune to the pressures of the current<br />
economic environment, and like any other organizational function, it is competing<br />
for scarce resources.<br />
Availability of resources<br />
In 2009, the primary challenge to effectively delivering <strong>information</strong> <strong>security</strong> was the lack<br />
of appropriate resources, with 56% of respondents ranking this as a high (4) or significant<br />
(5) challenge (on a 1 to 5 scale); this is an increase of eight percentage points compared<br />
to our 2008 survey results (48%). In somewhat of a contradiction, our respondents<br />
indicated that the two leading areas for reducing spending over the coming 12 months will<br />
be for outsourcing services (18%) and in-house staffing (16%). It appears that although<br />
organizations recognize the availability of resources to be their most significant challenge,<br />
only 20% of respondents plan to hire more in-house resources and only 14% plan to spend<br />
more on outsourcing to help alleviate this issue.<br />
What is the level of challenge related to effectively delivering your organization’s <strong>information</strong> <strong>security</strong> initiatives for each of the following?<br />
Shown: percentage of respondents (significant challenge (5) / 4 / 3 / 2 / not a challenge (1))<br />
Availability of resources: 20% / 36% / 28% / 11% / 5%<br />
Adequate budget: 19% / 31% / 29% / 14% / 7%<br />
Organizational awareness: 13% / 35% / 33% / 14% / 5%<br />
Assessing new threats and vulnerabilities: 9% / 29% / 36% / 19% / 7%<br />
Organizational <strong>change</strong>: 11% / 23% / 23% / 20% / 23%<br />
Business uncertainty: 12% / 21% / 27% / 20% / 20%<br />
Regulatory <strong>change</strong> or uncertainty: 8% / 22% / 31% / 23% / 16%<br />
Understanding emerging technologies: 5% / 22% / 35% / 25% / 13%<br />
Management sponsorship: 8% / 19% / 29% / 25% / 19%<br />
In addition, our survey revealed that there is a definite unwillingness for many organizations<br />
to outsource their <strong>security</strong> functions. With the exception of attack and penetration testing<br />
(55%) and <strong>security</strong> assessments/audits (44%), the majority of respondents indicated that<br />
they had no plans to outsource most of their <strong>security</strong>-specific activities.<br />
Given this aversion to outsourcing and the fact that organizations continue to struggle to<br />
find and maintain adequate resources, it is clear that they need to look to other solutions to<br />
alleviate their resource challenges.<br />
Which of the following <strong>security</strong>-specific activities have been outsourced or considered for outsourcing?<br />
Shown: percentage of respondents (currently outsourced / under evaluation or planned for outsourcing / no plans to outsource)<br />
Attack and penetration testing: 55% / 18% / 27%<br />
Security assessments/audits: 44% / 16% / 40%<br />
Firewall or other device management: 30% / 9% / 61%<br />
Application testing: 21% / 12% / 67%<br />
Help desk: 23% / 7% / 70%<br />
Forensics/fraud support: 14% / 13% / 73%<br />
Disaster recovery/business continuity: 15% / 12% / 73%<br />
Security training and awareness: 12% / 15% / 73%<br />
Vulnerability/patch management: 17% / 8% / 75%<br />
Incident response: 10% / 6% / 84%<br />
Allocating adequate budget to <strong>information</strong> <strong>security</strong> continues to be a challenge.<br />
While adoption of new technologies to automate and sustain controls can help offset the<br />
challenge of finding adequate human resources, organizations should be careful of becoming<br />
too reliant on technology at the expense of people and processes. Therefore, organizations<br />
should consider adopting co-sourced <strong>security</strong> models, wherein they can access appropriately<br />
skilled resources from their co-sourcing partners without relinquishing control over their<br />
<strong>security</strong> function to the degree associated with outsourcing.<br />
Adequate budget<br />
Allocating adequate budget to <strong>information</strong> <strong>security</strong> continues to be a challenge in 2009,<br />
with a total of 50% of respondents ranking this as a high (4) or significant (5) challenge; this<br />
is a very notable increase of 17 percentage points over 2008 (33%). This is also particularly<br />
interesting in light of the fact that 40% of respondents indicated that they planned to increase<br />
their <strong>annual</strong> investment in <strong>information</strong> <strong>security</strong> as a percentage of total expenditures, and<br />
52% planned on maintaining the same level of spending.<br />
Addressing challenges (continued)<br />
The survey results clearly show that <strong>information</strong> <strong>security</strong> budgets are not being significantly<br />
reduced, nor is the <strong>security</strong> function being asked to take on more responsibility than in previous<br />
years. So why do organizations continue to struggle to find adequate <strong>security</strong> budgets?<br />
One contributing factor may be that 44% of the organizations that participated in the survey<br />
still don’t have a documented <strong>information</strong> <strong>security</strong> strategy. In the absence of a well-thought-out<br />
<strong>information</strong> <strong>security</strong> strategy, it will continue to be difficult to articulate and build the<br />
business case for an appropriate budget allocation, particularly in today’s economic climate.<br />
The lack of a cohesive strategy also makes it difficult to prioritize spending decisions and to<br />
ensure that scarce resources are being allocated to where they will provide the most benefit.<br />
It is more important than ever for organizations to develop comprehensive, risk-based<br />
<strong>security</strong> strategies, prioritizing spend based on the value of the assets at risk, both in order to<br />
justify budget requests and to make sure that they are getting maximum benefit out of those<br />
budgets.<br />
Does your organization have a documented <strong>information</strong> <strong>security</strong> strategy for the next one to three years?<br />
Shown: percentage of respondents<br />
Yes: 56%<br />
No: 44%<br />
Social networking defined<br />
Social networking is the interaction between people over the internet on websites that attempt to mimic real-life encounters (e.g., Facebook.com, LinkedIn.com). Social networking sites present many potential risks, including identity theft, legal or libel issues, viruses, malicious code, as well as disclosure of sensitive company <strong>information</strong>. Organizations should take steps to inform and educate their people about the issues related to social networking as an important part of their <strong>security</strong> awareness programs.<br />
Organizational <strong>security</strong> awareness<br />
It has long been generally accepted that authorized users and employees pose the greatest<br />
<strong>security</strong> threat to an organization and that raising and maintaining the awareness level of<br />
those people is a crucial part of an effective <strong>information</strong> <strong>security</strong> strategy. In spite of this<br />
knowledge, this remains a significant challenge and a significant issue for many<br />
organizations. While most organizations (74%) have a <strong>security</strong> awareness program, less<br />
than half of all respondents indicated that their program includes such things as:<br />
• Updates and alerts on current threats (44%)<br />
• Informational updates on new hot topics (42%)<br />
• Specific awareness activities for high-risk groups such as social networking users (35%)<br />
Furthermore, only 20% of respondents indicated that they measure the effectiveness of<br />
their awareness programs and modify those programs based on the results.<br />
What elements are currently covered in your organization’s <strong>security</strong> awareness program?<br />
Shown: percentage of respondents<br />
General awareness of <strong>security</strong> topics: 74%<br />
Review and agreement of compliance with current <strong>security</strong> policies and standards: 61%<br />
Direct and frequent updates/alerts on current threats to the organization: 44%<br />
Informational updates on new hot topics: 42%<br />
Specific awareness activities or training sessions for high-risk user groups: 35%<br />
Measuring the effectiveness of awareness activities and improving the program based on these measurements: 20%<br />
Security training and awareness programs are not working as well as they could be.<br />
Given that the challenge associated with organizational <strong>security</strong> awareness has not been<br />
reduced over time, it can be concluded that many current <strong>security</strong> training and awareness<br />
programs are not working as well as they could be. It should also be noted that 73%<br />
of respondents have no plans to outsource their <strong>security</strong> training and awareness programs.<br />
Yet, when we look closer at the 12% of respondents who currently outsource this activity,<br />
we find that organizational awareness is less likely to be a significant challenge. In fact, it<br />
does not make it into the top three challenges for these organizations. This may illustrate the<br />
fact that more organizations should begin to look for outside help to design, execute, monitor<br />
and (or) measure the effectiveness of their <strong>security</strong> training and awareness programs.<br />
Our perspective

Our survey shows that organizations continue to be affected by a lack of information security resources and inadequate budgets. They are also struggling to make improvements in the area of organizational security awareness. These challenges are not new, but they are increasing under the pressure of the current economic climate; information security leaders must explore new and more creative solutions, and improved operational efficiency should be considered a fundamental aspect of all new security initiatives.

Companies need to adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed. Organizations should also investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources without turning over control to others. However, such steps should be taken with care, as the operation of security by third parties requires different management competencies from those used to manage and deliver security to an organization using internal resources only.
Complying with regulations
Regulatory compliance continues to be one of the top priorities for organizations and an important objective of the information security function. When asked about the importance of specific information security activities, 46% of respondents indicated that achieving compliance with regulations was very important (5), with an additional 31% considering it important (4). This is not surprising, given the considerable attention and focus on compliance efforts over the last several years by most organizations.
How important is information security in supporting the following activities in your organization? (Shown: percentage of respondents; five-point scale from 5, "Very important", to 1, "Not important")

Protecting reputation and brand: 61% (5), 20% (4)
Managing privacy and the protection of personal information: 53% (5), 27% (4)
Achieving compliance with regulations: 46% (5), 31% (4)
Achieving compliance with corporate policies: 40% (5), 36% (4)
Supporting operational and/or enterprise risk management: 38% (5), 25% (4)
Protecting intellectual property: 30% (5), 30% (4)
Improving IT and operational efficiencies; improving stakeholder and investor confidence: 26–27% (5), 37–39% (4)
(The values for scale points 3, 2 and 1 on the eight items above are not legibly recoverable from the extracted chart.)
Managing external vendors: 15% (5), 33% (4), 32% (3), 14% (2), 6% (1)
Enhancing new service or product launches: 18% (5), 26% (4), 31% (3), 15% (2), 10% (1)
Examining new and emerging technologies: 11% (5), 28% (4), 38% (3), 17% (2), 6% (1)
Facilitating mergers, acquisitions and divestitures: 13% (5), 20% (4), 26% (3), 18% (2), 23% (1)
Cost of compliance

When we asked how much companies were spending on compliance efforts, we found that 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. While this number is down from 65% for the preceding three years, only 5% of respondents plan on spending less over the next 12 months on regulatory compliance. This may be an indication that organizations are spending too much of their security budgets on demonstrating point-in-time compliance as opposed to implementing a comprehensive information security program where compliance is a by-product and not the primary driver.

The point is further supported by the fact that only 36% of our survey respondents have deployed a solution for continuous monitoring of security controls. Moving to a more risk-driven security program and leveraging continuous compliance monitoring technologies may allow organizations to reduce the amount they spend on demonstrating compliance and either reduce their overall security investment or focus it on more value-added information security services.
What impact has regulatory compliance had on the annual cost of information security for your organization? (Shown: percentage of respondents)

Significant increase in cost of information security: 16%
Moderate increase in cost: 39%
No change in cost: 40%
Cost was reduced: 5%

Compliance-driven improvements

When we look at the impact of regulatory compliance on the effectiveness of information security, we discover that 64% of respondents believe it has increased effectiveness, with 21% indicating a significant increase in effectiveness. For regulatory compliance to have this dramatic an effect on information security performance, we believe that for many organizations compliance is still the primary driver of information security improvements.

What impact has regulatory compliance had on the effectiveness of information security for your organization? (Shown: percentage of respondents)

Significant increase in the effectiveness: 21%
Moderate increase in the effectiveness: 43%
No change: 34%
Reduced the effectiveness: 2%
Privacy laws and regulations

Data protection and privacy are key components of regulatory compliance and are gaining more attention from governments and regulators. The number and complexity of privacy-related regulations is increasing; yet, 68% of respondents stated that they have a clear understanding of the privacy laws and regulations that may impact their organizations. In addition, 63% of respondents indicated that they include privacy requirements in contracts with external partners, vendors and contractors. Although it is encouraging that companies are recognizing their privacy requirements, it is also clear that far too few organizations have taken the necessary steps to protect personal information. Only 32% of respondents have produced an inventory of information assets covered by privacy requirements, and even fewer (26%) have conducted an assessment of the personal data life cycle (gathering, using, storing and disposing).
Which of the following statements can be made by your organization regarding privacy? (Shown: percentage of respondents)

We have a clear understanding of the privacy laws and regulations that may impact the organization: 68%
We have included privacy requirements in contracts with external partners, vendors and contractors: 63%
We have implemented specific controls to protect personal information: 59%
We have established a response and management process specific to privacy-related incidents: 34%
We have produced an inventory of information assets covered by privacy requirements: 32%
We have implemented a process to monitor and maintain privacy-related controls: 29%
We have conducted an assessment of the personal data life cycle: 26%
EuroPriSe

The EuroPriSe certification program offers a voluntary product audit. The procedure consists of an evaluation of the IT product or IT service by accredited legal and IT experts and a validation of the evaluation report by an independent certification body. The European Privacy Seal (EuroPriSe) shows that a product has been checked and approved by an independent privacy organization and indicates a trustworthy product that can be used in compliance with European data protection laws.

Privacy and protection of personal data will become an even greater challenge for organizations as new technologies and services, such as social networking, virtualization, cloud computing and radio-frequency identification (RFID), gain more widespread use. Privacy and data protection will also likely receive increased focus from governments and regulators as they attempt to keep privacy regulations out in front of the potential risks associated with these new technologies. The combination of increased regulations and technologies that facilitate a more open flow of personal information will present a significant challenge for even the most “privacy savvy” organizations.
Our perspective

Regulatory compliance has been a significant driver of information security for several years, and our survey confirms that it continues to significantly influence the information security agenda. Most organizations still spend a considerable amount of their information security budgets on compliance and plan to continue doing so in the coming year. Organizations must formally detail all the regulations they are required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise. They also need to build an understanding of how their compliance efforts can be integrated into wider change programs, delivering greater business benefit. As part of these efforts, companies need to implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.

We also found compliance with privacy regulations to be a growing area of focus for many organizations, but with limited progress or improvement shown in the last year. Companies need to understand the scope of privacy within their operations and identify effective business champions who they can work with, to ensure that normal business processes and practices do not contribute to potential privacy violations. Consistent privacy policies and procedures are becoming the norm across globally distributed enterprises and something that all organizations should strive for.
Leveraging technology

When considering how organizations are leveraging new technologies, there are two distinct aspects related to information security that should be examined:

1. Which technologies are organizations implementing to improve their information security programs?
2. What are organizations doing to address the risks that are inherent in the introduction of new technologies?

Our survey results provide an insight into how technology can have both a positive and a negative effect on information security.
Data leakage protection

Due to the increasing and new risks organizations are facing, data protection is now top of mind for many information security leaders. Implementing or improving data leakage prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Implementing DLP technologies is now a higher priority for many organizations than both security awareness training (39%) and regulatory compliance (27%). Improving information security risk management (47%) was the only priority that topped DLP technologies from an overall perspective, but more respondents (19%) selected DLP as their first priority for the next year. It is also worth noting that 90% of respondents plan on spending relatively the same (47%) or more (43%) over the next year on implementing or improving DLP technologies and processes.
Please indicate your top three security priorities for the coming 12 months (Shown: percentage of respondents naming the item as 1st priority / 2nd priority / 3rd priority)

Improving information security risk management: 16% / 17% / 14%
Implementing/improving DLP technologies and processes: 19% / 12% / 9%
Internal security awareness and training: 11% / 14% / 14%
Regulatory compliance: 11% / 9% / 7%
Performing security testing: 4% / 8% / 12%
Risk management: 6% / 8% / 8%
Implementing/improving IAM technologies and processes: 8% / 6% / 6%
Implementing standards: 7% / 7% / 6%
Implementing virtualization technologies: 8% / 5% / 6%
Implementing/improving secure development processes: 2% / 5% / 7%
Staffing: 2% / 2% / 3%
DLP tools will be the leading security technology implemented over the next year. According to our survey results, 50% of respondents are at some stage of the evaluation and implementation process: 22% have planned an implementation within 12 months, and another 28% are currently evaluating the technology.

However, it isn’t just DLP technology being implemented to protect data. Of the top information security technologies planned for implementation in the coming 12 months, most are also related to this objective, including encryption of portable media (19%), laptop encryption (17%), email encryption (15%) and identity and access management (IAM) products (15%). When we look at the information security technologies currently in use by our survey respondents, we find that three of the top five are also aimed at protecting sensitive data: content monitoring and filtering tools (69%), laptop encryption (41%) and email encryption (35%).
Which of the following security technologies are used or have been identified for use by your organization? (Shown: percentage of respondents; currently using / planned within 12 months / under evaluation / not using)

Data leakage prevention tools: 25% / 22% / 28% / 25%
Encryption of portable media: 25% / 19% / 29% / 27%
Laptop encryption: 41% / 17% / 23% / 19%
Governance, risk and compliance tools: 36% / 17% / 24% / 23%
Email encryption: 35% / 15% / 25% / 25%
IAM products: 31% / 15% / 25% / 29%
Enhanced authentication (802.1x, tokens): 49% / 12% / 18% / 21%
Desktop encryption: 15% / 34% / 12% / 39%
Content monitoring and filtering tools: 69% / 9% / 10% / 12%
Digital rights management; physical and logical security convergence: 14% / 31% / 10% / 45% for one of these two items and 24% / 26% / 9% / 41% for the other (which row is which is not recoverable from the extracted chart)

Data leakage prevention (DLP) defined

Data leakage prevention (also known as data loss prevention or information leak prevention) is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information according to an organization’s policies or government and industry regulations. DLP solutions typically focus on preventing certain data or information from leaking out of the organization and on detecting any unauthorized access to or transmission of sensitive data.
One of the most noteworthy survey findings is how few companies are encrypting their laptops. Only 41% of respondents are encrypting them today, with 17% planning to do so in the next year. This is notable for a number of reasons: many breaches have occurred and continue to occur due to loss or theft of laptops; the technology is readily available and affordable to implement; and the impact to users during deployment is relatively low and should no longer be a barrier.
Cloud computing defined

Cloud computing essentially involves the outsourcing of computing capacity through third-party services over the internet, on an as-needed, “pay-as-you-go” basis. It can potentially help cut your power, storage, hardware, personnel and real estate-related costs. In addition, some companies are also employing a version of cloud computing — known as “Software-as-a-Service” (SaaS) — to help reduce daily technical operations and support business and consumer software.
Virtualization and cloud computing

New technologies are making an impact in the corporate enterprise, particularly virtualization and cloud computing. Both are unquestionably receiving a lot of media attention, and given the current economic environment, virtualization offers some attractive options for business leaders looking to cut costs, increase manageability and improve overall IT efficiency. The potential cost savings from virtualization — essentially, a more efficient pooling of IT resources, including networks, servers and storage — can be significant. However, there are security-related concerns.

Virtualization is one of the highest-ranking technologies for adoption, with 78% of respondents indicating that they will have implemented virtualization before the end of the next year. However, only 19% of the same respondents indicated that virtualization was a security priority. Clearly, our survey respondents do not recognize the same level of risk with virtualization as would be expected with such a significant and extensive change effort. More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications.

Cloud computing is another technology that has been very visible recently in industry publications, with some analysts predicting the cloud computing services market to reach as high as US$42 billion by 2012 [1]. Yet adoption rates for cloud computing are much slower than for virtualization. Only 17% of respondents indicated that they are using the technology or planning to use it in the next year, and 47% stated they have no plans for using the technology. However, a significant percentage (36%) of respondents are currently evaluating its use.
Which of the following technologies are used or have been identified for use by your organization? (Shown: percentage of respondents; currently using / planned within 12 months / under evaluation / not using)

Grid computing: 7% / 5% / 31% / 57%
Cloud computing: 9% / 8% / 36% / 47%
Radio frequency identifiers: 15% / 4% / 29% / 52%
Voice over IP: 63% / 9% / 15% / 13%
Virtualization: 67% / 11% / 12% / 10%
Wireless: 69% / 6% / 10% / 15%
Storage area networks: 80% / 5% / 6% / 9%

[1] Source: IDC survey of 244 IT leaders released October 2008
Key information security risks and considerations for virtualization

• Spread the risk — Companies should spread out the critical application instances across physical machines as much as possible. This can be accomplished by combining them with different types of applications while maintaining an appropriate ratio between physical and virtual machines. This helps achieve higher application availability and reduce security risks.
• Limit access — Inappropriate access to server administrative interfaces can expose numerous production applications at once in virtualized environments. Develop a checklist in accordance with leading practices for securing administrative interfaces, including strict password policies and file permissions.
• Use secure networks — Secure networks should be utilized for data migrations involving virtualization software, since data is not typically encrypted in these migrations.
• Monitor threats — Properly functioning applications on virtual machines can hide latent security vulnerabilities. Thus, it is critical to continuously monitor both the virtual machines and the underlying virtual machine monitor for potential threats.
Cloud computing has its own potential data privacy and security issues. The companies that provide cloud computing services may provide those services from different data systems in various data centers in cities around the world. Unlike a more traditional IT outsourcing arrangement, cloud computing clients do not have dedicated servers or dedicated lines. This raises issues about exactly where clients’ data exists, and under whose jurisdiction it resides, at any given point in time. In addition, the possible need to recode data may increase the exposure to errors and security risks.
Our perspective

Technology can play a major role in helping a company meet its information security and larger business objectives. However, technology can also expose an organization to additional risks. Our survey suggests that some organizations may be more focused on the benefits and cost savings than on any possible security issues related to the new technologies. Organizations must assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization’s ability to protect its assets.

New and evolving security technologies can potentially deliver substantial benefits to the overall management of information security across an enterprise. However, the deployment of such technologies must continue to be investigated to further ensure that they are fit for purpose and will deliver the benefits required.

Each organization needs to define its position on new IT delivery models, including virtualization and cloud computing, to ensure that any decisions made are consistent with the overall business strategy, as well as the information technology strategy and direction of the organization.
Summary

Our 2009 survey shows that companies and information security leaders are facing an environment of change; escalating levels of risk, new challenges and increasing regulatory complexity are now driving information security decisions. Companies are also struggling to leverage new technologies — to get the most benefit and cost savings possible — while understanding the potential security impact to the organization.

Our survey also revealed that many organizations continue to be challenged by a lack of skilled information security resources and inadequate budget. These challenges have been identified in our previous surveys, but this year they have become more significant, driven by heightened economic uncertainty.

To address the risks and challenges of the changing environment, information security leaders are abandoning the old paradigms and taking a more information-centric view of security. It is a more flexible, risk-based approach that is focused on protecting the organization’s critical information, and more suited to supporting a connected business model and today’s increasingly mobile and global workforce.

By leveraging the information in this survey and taking action on the suggestions for improvement, organizations can achieve more effective information security and continue to outpace change.
Key survey findings

Managing risks
• Improving information security risk management is a top security priority for the next year.
• External and internal attacks are increasing.
• Reprisals from recently separated employees have become a major concern.

Addressing challenges
• Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
• Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
• Security training and awareness programs are falling short of expectations.

Complying with regulations
• Regulatory compliance continues to be an important driver for information security.
• Cost of compliance remains high, with few companies planning to spend less in the next 12 months.
• Too few organizations have taken the necessary steps to protect personal information.

Leveraging technology
• Implementing DLP technologies is the top security priority for many organizations.
• The lack of endpoint encryption remains a key risk, with few companies encrypting laptops or desktop computers.
• Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.
Our perspective<br />
Managing risks<br />
• Develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.<br />
• Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.<br />
• Take an information-centric view of security, better aligned with the organization’s information flows.<br />
• Continue to integrate information security with the business — becoming a flexible, responsible corporate citizen, rather than an “obstacle” to achieving business objectives.<br />
Addressing challenges<br />
• Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.<br />
• Investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources without turning over control to others.<br />
Complying with regulations<br />
• Formally detail the regulations an organization is required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.<br />
• Build an understanding of how compliance efforts can be integrated into wider change programs, delivering greater business benefit.<br />
• Implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.<br />
• Gain an understanding of the scope of privacy within operations and identify effective business champions to help ensure that normal business processes and practices do not contribute to potential privacy violations.<br />
Leveraging new technology<br />
• Assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization’s ability to protect its assets.<br />
• Investigate the deployment of new security technologies to ensure that they are fit for purpose and will deliver the benefits required.<br />
• Define a position on new IT delivery models, such as virtualization and cloud computing, to ensure alignment with the overall business strategy and information technology strategy.<br />
Survey approach<br />
Ernst & Young’s 12th annual global information security survey was developed with the help of our assurance and advisory clients in more than 60 countries.<br />
This year’s survey was conducted between June 2009 and August 2009. Nearly 1,900 organizations across all major industries participated.<br />
Methodology<br />
The questionnaire was distributed to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process.<br />
Most of the survey responses were collected during face-to-face interviews with individuals responsible for information security at the participating organizations. When this was not possible, the questionnaire was administered electronically via the Internet.<br />
If you wish to participate in Ernst & Young’s 13th annual global information security survey, you can do so by contacting your local Ernst & Young office or visiting www.ey.com and completing a brief request form.<br />
Profile of 2009 survey participants<br />
Survey participants by region<br />
[Pie chart: Americas, Asia/Pacific, Europe and Middle East/Africa, with shares of 33%, 29%, 29% and 9% of respondents; the region-to-percentage assignment is not recoverable from the extracted text.]<br />
Shown: percentage of respondents<br />
Survey participants by major industry group<br />
Financial services: 30%<br />
Manufacturing: 16%<br />
Retail, wholesale & distribution: 10%<br />
Technology: 7%<br />
Energy & utilities: 7%<br />
Health services: 6%<br />
Government & public sector: 6%<br />
Other: 19%<br />
Shown: percentage of respondents<br />
Survey participants by annual revenue (US$)<br />
$10 billion or more: 12%<br />
$1 billion–$9 billion: 23%<br />
$500 million–$999 million: 9%<br />
$100 million–$499 million: 22%<br />
Less than $100 million: 28%<br />
Not applicable: 6%<br />
Shown: percentage of respondents<br />
Survey participants by job title<br />
Chief Information Officer: 19%<br />
Information Technology Executive: 16%<br />
Information Security Executive: 13%<br />
Chief Information Security Officer: 12%<br />
Chief Security Officer: 5%<br />
Chief Technology Officer: 3%<br />
Other: 34%<br />
Shown: percentage of respondents<br />
About Ernst & Young<br />
At Ernst & Young, our services focus on our individual clients’ specific business needs and issues because we recognize that every need and issue is unique to that business.<br />
Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity to get closer, more focused and faster in responding to customers, and can redefine both the effectiveness and efficiency of operations. But as opportunity grows, so does risk. Effective information technology risk management helps you to improve the competitive advantage of your information technology operations, to make these operations more cost efficient and to manage down the risks related to running your systems. Our 6,000 information technology risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective advice — wherever you are in the world. We work with you to develop an integrated, holistic approach to your information technology risk or to deal with a specific risk and information security issue. We understand that to achieve your potential you need a tailored service as much as consistent methodologies. We work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference.<br />
For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or any of the people listed in the table below.<br />
Contacts<br />
Global<br />
Norman Lonergan (Advisory Services Leader, London): +44 (0) 20 7980 0596, norman.lonergan@uk.ey.com<br />
Paul van Kessel (IT Risk and Assurance Services Leader, Amsterdam): +31 88 40 71271, paul.van.kessel@nl.ey.com<br />
Advisory Services<br />
Robert Patton (Americas Leader, Atlanta): +1 404 817 5579, robert.patton@ey.com<br />
Norman Lonergan (Europe, Middle East, India and Africa Leader, London): +44 (0) 20 7980 0596, norman.lonergan@uk.ey.com<br />
Nigel Knight (Far East Leader, Shanghai): +86 21 2228 8888, nigel.knight@cn.ey.com<br />
Isao Onda (Japan Leader, Chiba-shi): +81 4 3238 7011, onda-s@shinnihon.or.jp<br />
Doug Simpson (Oceania Leader, Sydney): +61 2 9248 4923, doug.simpson@au.ey.com<br />
IT Risk and Assurance Services<br />
Bernie Wedge (Americas Leader, Atlanta): +1 404 817 5120, bernard.wedge@ey.com<br />
Paul van Kessel (Europe, Middle East, India and Africa Leader, Amsterdam): +31 88 40 71271, paul.van.kessel@nl.ey.com<br />
Troy Kelly (Far East Leader, Hong Kong): +81 2 2629 3238, troy.kelly@hk.ey.com<br />
Giovanni Stagno (Japan Leader, Chiyoda-ku): +81 3 3503 1100, stagno-gvnn@shinnihon.or.jp<br />
Iain Burnet (Oceania Leader, Perth): +61 8 9429 2486, iain.burnet@au.ey.com<br />
Ernst & Young<br />
Assurance | Tax | Transactions | Advisory<br />
About Ernst & Young<br />
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.<br />
For more information, please visit www.ey.com.<br />
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.<br />
The Ernst & Young organization is divided into five geographic areas and firms may be members of the following entities: Ernst & Young Americas LLC, Ernst & Young EMEIA Limited, Ernst & Young Far East Area Limited and Ernst & Young Oceania Limited. These entities do not provide services to clients.<br />
About Ernst & Young’s Advisory Services<br />
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 18,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience.<br />
We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization, you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.<br />
© 2009 EYGM Limited. All Rights Reserved.<br />
EYG no. AU0383<br />
In line with Ernst & Young’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.<br />
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.<br />
www.ey.com