Ernst & Young: Information Security Improves Amid Challenges and Change
December 2007 by Emmanuelle Lamandé
The 10th Annual Ernst & Young Global Information Security Survey shows that a growing number of organizations recognize that information security can provide more than just protection of corporate assets. Delivering information technology (IT) and operational efficiencies and improving overall business performance are emerging as critical objectives. Although compliance-based initiatives continue to be the primary driver of information security, nearly half (45%) of the survey respondents ranked meeting business objectives among the top three drivers of information security.
Many information security functions are struggling to balance their traditional risk management roles with the growing focus on performance improvement, a struggle that is exacerbated when information security is not closely connected to executive management and the strategic decision-making process. Scarcity of experienced resources is another contributing factor.
Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services, comments, “Over the past 10 years, we have seen a positive evolution in the role of information security. Many organizations now view information security as a critical factor in meeting business objectives and significant performance improvements are resulting from this increased interaction with corporate leadership and other key stakeholders. This alignment is having a positive impact on the bottom line and elevating information security from a technology deployment function to a strategic imperative. Organizations that aren’t fostering these relationships are missing a key opportunity to move their businesses forward.”
The survey canvassed nearly 1,300 senior executives in more than 50 countries to explore the information security issues faced by businesses today. Among the key findings:
Information security is better aligned with organizational risk initiatives. In addition to the growing focus on business objectives, information security is more integrated into overall risk management with four out of five (82%) respondents reporting at least some levels of integration. Organizations that have fully integrated information security with risk management have nearly doubled since last year (from 15% to 29%).
Information security is now credited with improving IT and operational efficiency. More than two-thirds (69%) of respondents feel that information security improves IT and operational efficiencies. This is in sharp contrast to previous years, when information security was viewed as a barrier to IT and operational efficiency.
Compliance continues to be the primary driver of information security improvements and a top-ranked influencer in risk management integration. For the third year in succession, respondents (64% in 2007) ranked compliance as the principal information security driver. A positive outcome is that 82% believe that information security has improved due to its role in supporting compliance initiatives.
Privacy and data protection increased significantly as drivers of information security. Media stories surrounding identity theft and loss of personal information have heightened consumer awareness and, along with it, corporate leadership’s sense of accountability for data protection. Fifty-eight percent of this year’s respondents placed privacy and data protection in the top three drivers, up from 41% in 2006.
Information security is too isolated from executive management and the strategic decision-making process. A worrying separation persists between the information security function and the strategic decision-making process, with nearly one-third (32%) never meeting with their board or audit committee. While involvement with corporate officers and business unit leaders continues to increase, it does so at a slow pace with the majority meeting less than once a quarter.
The greatest challenge to delivering information security projects is the availability of experienced and trained resources. More than half of our respondents indicated that as the role of information security expands within organizations, the lack of experienced and skilled resources is the number one challenge to delivering information security projects. Correspondingly, more than 60% of respondents say they are outsourcing certain elements of information security.
Van Kessel adds, “Our survey confirms that many organizations still struggle to find the right people to deliver their information security initiatives. We don’t believe this issue will go away anytime soon, and management needs to be creative and investigate alternative staffing options. This means looking to other parts of the organization, such as internal audit, to fill gaps in their resource needs and using third parties in the most cost-effective and productive ways possible.”
About the Global Information Security Survey
The 10th annual Ernst & Young Information Security Survey was developed with help from Ernst & Young’s assurance and advisory clients in more than 50 countries. The fieldwork was conducted between May and August 2007. The results were primarily collected through interviews held with executives from approximately 1,300 organizations across all major industries.