New Developments

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

Report Sheds Light on Data Security Efforts

Many organizations are making progress in mitigating risks and improving their information security efforts as a result of regulatory pressures and management's awareness of information security (IS), says the 10th Annual Ernst & Young Global Information Security Survey. The purpose of the study, which represents nearly 1,300 organizations in 50 countries, is to provide insight into how the challenges facing the IS function have evolved and how companies have reacted in addressing their security needs. Participants in the 2007 survey include chief information officers (CIOs), IT executives, chief information security officers, chief technology officers, and chief executive officers (CEOs), among other senior-level managers.

The report divides survey results into four categories: aligning IS efforts, key IS drivers, managing IS, and staff constraints.

Aligning IS Efforts

According to survey results, meeting business objectives is a growing focus for IS efforts. In addition, IS activities are more integrated into overall risk management initiatives — 82 percent of respondents said that their organizations have partially or fully integrated IS functions with risk management operations, compared to 43 percent in 2006 and 40 percent in 2005. However, IS activities still remain isolated from executive management and the strategic decision-making process. For instance, the majority of IS functions represented in the study meet less than once a quarter with leadership, and 20 percent of respondents said that their IS groups do not meet with corporate officers or business unit leaders at all.

To improve alignment efforts, Ernst & Young recommends that companies leverage business relationships to better meet strategic objectives, improve alignment of IS activities with overall risk management efforts, and incorporate IS in corporate strategic decision-making processes through routine dialogue with and reporting to executive managers. "Information security can no longer focus solely on the operational aspects of security to protect corporate assets," states the report. "A key challenge for information security leaders will be their ability to balance tactical demands, react to changes, and sustain operational activities, while leveraging the role of information security to form part of the strategic decision-making process of both corporate and business unit leaders."

Key IS Drivers

Improving IT and operational efficiency is emerging as an important driver for IS. "The need to detect and protect the organization from threats and viruses has become a principal driving force in managing risk and supporting business risks," says the report. Furthermore, compliance with regulatory obligations continues to be the primary driver of IS improvements, as stated by 64 percent of executives who participated in the survey. Finally, privacy and data protection have become increasingly important drivers for IS, with 73 percent of CEOs and 64 percent of CIOs placing a high level of importance on protecting privacy and data assets.

To take advantage of existing drivers, the survey report recommends that organizations approach IS from a business improvement perspective, use privacy and data protection as a competitive advantage in their respective markets, and build on compliance initiatives to establish a sustainable compliance program. For instance, business entities that demonstrate leading practices in implementing strong privacy safeguards and enforcing IS controls can leverage these attributes to increase market share, reputation, and profitability.

Managing IS

When managing IS efforts, many organizations rely on audits and self-assessments to evaluate the effectiveness of their IS programs. As the report explains, 63 percent of organizations use self-assessments to evaluate their IS functions, and of those, 91 percent are using corporate policies, procedures, and internal standards as a basis. Organizations also are demanding more from vendors and business partners in managing third-party relationships. Because IT and IS are forming more relationships with third parties that may increase the company's vulnerability to external threats, many organizations surveyed are requiring business partners and vendors to abide by the policies, procedures, and standards of client organizations, an increase from 66 percent in 2006 to 78 percent in 2007.

To oversee IS activities, Ernst & Young suggests that companies adopt more formal and consistent procedures for managing the risks in third-party relationships by making sure outside resources conform to the organization's security objectives. In addition, the survey report recommends that companies use a combination of self-assessments, internal and external audits, and benchmarking to effectively evaluate and monitor information security. "Organizations need to continuously assess, improve, and monitor the capabilities of the information security function," the report states. "The use of a range of effective tools for evaluating information security will enable them to do so."

Staff Constraints

The Ernst & Young study cites the lack of experienced and trained IT staff and IS resources as the greatest challenge to delivering IS projects. For instance, survey participants said that the lack of skilled staff can ultimately disrupt an organization's ability to make strategic business decisions and execute them and is an important consideration in the decision to seek third-party assistance. Factors that affect an organization's ability to find and keep experienced and well-trained staff include emerging business models, technology advances, and balanced investments.

To counter this lack of internal resources, the study suggests that organizations investigate alternative staffing options to help address this growing challenge. "The well-recognized talent shortage in IT and information security can be a challenge for many organizations, but it can also be an opportunity to rethink how information security reacts to resource demands," explains the report. "We believe that the realignment along strategic, governance, operational, and architectural functional lines provides an opportunity for information security to evaluate new resource pools that were unavailable in the past."

To download a full copy of the survey results, visit the Ernst & Young Web site.