Organizations need to fundamentally shift their approach to information security in order to meet the threats presented by existing and emerging technologies according to Ernst & Young's Global Information Security Survey 2012 report - "Fighting to Close the Gap" - released October 29. The report, now in its fifteenth year, is one of the most comprehensive surveys in its field and is based on responses from over 1,850 CIOs, CISOs and other information security executives in 64 countries.
Companies are implementing incremental improvements to their information security capabilities to provide short-term solutions - without tackling the issues associated with the overall information security threat. With 31 percent experiencing a higher number of security incidents in the last two years, the need to develop a robust security architecture framework has never been greater. However 63 percent of organizations have no such framework in place and only 16 percent of respondents report that their information security function fully meets the needs of the organization.
Commenting on the findings, Paul van Kessel, Ernst & Young Global IT Risk and Assurance Services Leader says, "The new normal for the CIO is that fast is not fast enough. The velocity and complexity of change is happening at a staggering pace, with emerging markets, continuing economic volatility, off-shoring and increasing regulatory requirements adding to an already complicated information security environment."
Threat level continues to rise
Organizations recognize that the risk environment is changing, as the frequency and nature of information security threats increase and the number of security incidents rises. Over three-quarters (77 percent) of respondents agreed that there is an increasing risk from external attacks, but this is not the only source for concern for global organizations, with 46 percent reporting that internal vulnerabilities are also on the rise.
The unstoppable march of new technology
New technologies are opening up tremendous opportunities for organizations; but also potential threats from previously unknown sources. Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organizations using the cloud almost doubling in the last two years. However, 38 percent of organizations have not taken any measures to mitigate the risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.
Another significant new technology is internet-enabled mobile devices, whose technology advancements - and the associated business benefits - have vastly increased adoption rates.
Van Kessel comments, "With 44 percent of organizations now allowing the use of company or privately-owned tablets - up from 20 percent in 2011 - substantial levels of information are now flowing in and out of the office, making control increasingly difficult."
Organizations recognize that they need to do more on mobile technology. However, in the fast-moving mobile computing market the adoption of security techniques and software is still relatively low, with just 40 percent of organizations using some form of encryption technique on mobile devices.
More money, but is it well spent?
With more risks and more technology to secure, organizations are responding by increasing budgets and adjusting their priorities. Fifty-one percent of organizations reported plans to increase their budget by more than 5 percent in the next 12 months. While 32 percent of respondents spend over $1 million on information security, the level of investment varies globally, with 48 percent of Americas' organizations allocating in excess of $1 million, compared with 35 percent and 26 percent in Asia-Pacific and EMEIA (Europe, Middle East, India, and Africa) respectively. In terms of where the budget is assigned, the top investment priorities are securing new technologies (55 percent) and business continuity (47 percent).
Responsibility shift needed from IT to the risk function
The budget increases planned can only be effective with the right decision makers taking responsibility. Information security continues to be IT-led within many organizations; with 63 percent of respondents indicating that their organizations have placed the responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes, and methods for monitoring threats, gauging performance, and identifying coverage gaps, and a reappraisal of responsibilities is required.
With just 5 percent of chief risk officers currently responsible for information security, many organizations lack the formal risk assessment mechanism provided by the risk function, resulting in 52 percent of organizations having no threat intelligence program in place. The proliferation of threats - and the acceleration of the gap between vulnerability and security - require multiple sources of assessment, such as internal audit, internal self-assessments, and third-party assessments, to monitor and evaluate security incidents.
Van Kessel concludes, "For some organizations, skills resources, security maturity, or budget may be playing a role in their decision making; but these bolt-on or stack work-around solutions being seen today - which fix short-term information security needs - are masking a bigger problem around vulnerability."
When looking to the future, he adds, "Although we've identified some of the current gaps, there are still more on the horizon, in the form of government intervention and new regulatory pressures. If organizations don't take action to develop comprehensive security frameworks today, the combined consequences of the current and future issues will only fuel the information security threat further."
Read the complete survey findings and recommendations for organizations.
Source: Ernst & Young