
Page 1: 2012 Global Information Security Survey - Chapters Site… · Page 2 Fighting to close the gap: Ernst & Young’s 2012 Global Information Security Survey Now in its 15th year, Ernst

2012 Global Information Security Survey

January 2013

Fighting to close the gap


Fighting to close the gap: Ernst & Young’s 2012 Global Information Security Survey, Page 2

Now in its 15th year, Ernst & Young’s Global Information Security Survey is among the world’s leading sources of information and insight into the global state of information security.

This year’s 1,836 respondents from 64 countries represent most of the world’s largest and most-recognized global companies, and include some of the world’s leading information security authorities.

Strong data, blended with Ernst & Young’s industry-leading perspectives, help our clients focus on the most critical risks, identify their strengths and weaknesses, and improve their information security.

Introduction


Survey demographics


Survey participants by geography (1,836 respondents from 64 countries)

EMEIA          46%
Americas       23%
Asia-Pacific   20%
Japan          11%


Survey participants by industry sector (number of respondents; total 1,836)

Other                               50
Private equity                       2
Private households                   2
Airlines                            12
Aerospace and defense               15
Provider care                       15
Mining and metals                   29
Transportation                      32
Life sciences                       33
Chemicals                           37
Asset management                    38
Health care                         41
Oil and gas                         41
Automotive                          49
Power and utilities                 56
Professional firms and services     56
Real estate                         57
Media and entertainment             64
Telecommunications                  79
Retail and wholesale                96
Consumer products                  121
Diversified industrial products    121
Government and public sector       130
Technology                         148
Insurance                          154
Banking and capital markets        358


Survey participants by total annual company revenues (number of respondents; total 1,836)

Not applicable (e.g., government, nonprofit)   126
More than $50 billion                           66
$20 billion to $50 billion                      60
$15 billion to $20 billion                      30
$10 billion to $15 billion                      65
$7.5 billion to $10 billion                     48
$5 billion to $7.5 billion                      81
$4 billion to $5 billion                        42
$3 billion to $4 billion                        50
$2 billion to $3 billion                        86
$1 billion to $2 billion                       170
$500 million to $1 billion                     178
$250 million to $500 million                   172
$100 million to $250 million                   169
$50 million to $100 million                    167
Less than $50 million                          326

$ = US dollars


Survey participants by position (number of respondents; total 1,836)

Other                                  440
General counsel/legal department         1
Chief compliance officer                 6
Chief financial officer                  8
Chief risk officer                       9
Chief operating officer                 21
Business unit executive/vice …          30
Network/system administrator            40
Chief technology officer                55
Internal audit director/manager         63
Chief security officer                  70
Chief information officer              226
Chief information security officer     249
Information security executive         271
Information technology executive       347


Fighting to close the gap: Our survey results


The changing face of information security 2006-2012

[Chart: key trends in information security 2006-2012 and their impact on organizations, plotted as speed of change, complexity of response and severity of impact across 2006-07, 2008-09, 2010-11 and 2012]

2006-2007
Before 2006, information security was a component of mitigating financial risk and meeting new compliance requirements (e.g. SOX 404). After 2006, information security needed to:

• Protect the organization more broadly in a globalized world

• Demonstrate a clear return on investment, requiring an alignment of risk and performance

2008-2009
Against a background of global financial crisis and a changing competitive landscape, information security matured beyond compliance. In an environment of escalating threats:

• Protecting brand and reputation was the primary driver

• Leveraging technology to increase security was a focus

• Organizations also needed to concentrate on reshaping, restructuring and reinventing to keep up with new requirements and cost pressures

2010-2011
The global economy was still in recovery, with sustained cost pressures and scarce resources. Companies realized:

• With globalization, data is everywhere

• Traditional boundaries were vanishing, with employees sending data over the internet or carrying it on mobile devices

• Data processing moved into the cloud, requiring the information security function to rethink its approach to securing information

2012
The velocity and complexity of change accelerates:

• Virtualization, cloud computing, social media, mobile and other new technologies open the door to internal and external threats

• Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity

• Organizations unable to keep pace with these changes create an information security gap


Fighting to close the gap – survey overview

► Companies have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration.

► However, the number and sophistication of threats has also increased, and is challenging information security functions to keep up.

► As a result, the gap between what information security functions are doing and should be doing has widened.

[Figure: The Gap, widening from 2006 to 2012]


Key highlights

► Information security is not getting the job done: only 16% indicated that their function fully meets their needs; 70% say that the function only partially meets their needs.

► Incidents and threats on the rise: 31% see increases in security incidents, and only 10% saw a decrease. In 2009, 41% saw an increase in external attacks; in 2012, that number rose to 77%.

► Response to cloud-related risks is slow: in 2010, only 30% indicated they were currently using or planned to use cloud computing services. By 2012, the number doubled. Yet 38% indicated that they have not taken any measures to address cloud-related risks.

► Financial challenges: 62% cited budget constraints as the main hurdle to effective information security.

► Governance impacts everything: around a third align their information security strategy to their organization’s risk appetite and risk tolerance, and nearly two-thirds have no formal security architecture framework in place.


In-depth: Information security is rising in importance

Organizations have recently taken steps to enhance their information security capabilities, allocating more resources and attention.

Among the recent improvements are:

► Increased transparency

► Enhanced training

► Incorporating new technologies, as well as the measures to help maintain information security around those technologies

► Improved governance


In-depth: Improvements are up, but so are threats and incidents

In 2009, 41% of respondents noticed an increase in external attacks. That number jumped to 72% in 2011, and then again to 77% in 2012.

Organizations have noticed an increase in internal vulnerabilities. This year, nearly half of respondents (46%) say they have noticed an increase over the last 12 months.


In-depth: Threats are more sophisticated and numerous

With smarter attacks occurring in greater numbers, information security incidents are on the rise. Nearly half of respondents indicated that they had at least 100 incidents last year.


In-depth: Priorities reflect some current security needs

Business continuity, risk management and – most importantly – fundamental redesign rank among the highest information security priorities.

[Chart: ranking of information security priorities, 1st to 5th]


In-depth: Stubborn issues fuel the gap

Obstacles like budget constraints, organizational issues and lack of the right resources prevent companies from closing this critical information security gap.


In-depth: Issues in alignment

The growing gap is being fed by compounding issues in the area of alignment, with information security having to compete with other board-level responsibilities.

• Broader alignment needed: The information security agenda continues to be IT-led rather than focused on the overall business strategy.

• Governance and monitoring responsibilities: Only 38% align their information security strategy to their organization’s risk appetite and risk tolerance.

• Not part of a broader strategic framework: Nearly two-thirds of organizations have no formal security architecture framework in place, nor are they planning to use one.


In-depth: Spending is up, but not always in critical areas

Funding for important areas is still not keeping pace with the risk challenges, including threat and vulnerability management and security testing.

[Chart: planned spending by area, categorized as spend more, spend the same or spend less]


In-depth: Vulnerability on the rise

A patchwork of non-integrated, complex and frequently fragile defenses creates significant gaps in security. Organizations seem increasingly inclined to use bolt-on or work-around solutions. These processes are inconsistent, hard to test, and not easy to understand, use, update or monitor.

Nearly a third of respondents claimed that the threat or vulnerability of their information security architecture had increased in the past year, mostly because of outdated controls.


In-depth: Cloud adopters - eager but uneasy

Cloud data management and storage is rapidly becoming the platform of choice for the support of initiatives such as supply chain improvement, deeper customer engagement and enhanced employee innovation. Quick, fast and cheap: most companies are recognizing that they must adapt or perish.

In 2010, only 30% of organizations indicated they were currently using or planned to use cloud computing services. That number rose to 44% in 2011, and again this year to 59%, nearly double.

But many admit that their efforts to address cloud-related risk are minimal or non-existent.


In-depth: Mobile + tablets = risks on the move

Analysts predict that by 2016 there will be 10 billion internet-enabled mobile devices, smartphones and tablets; more than one for every person on the planet.

Tablet computer use for business has more than doubled since last year: 44% of organizations now allow the use of company-owned or privately owned tablets.


Closing the gap: Ernst & Young’s insights


Closing the gap requires a fundamental transformation

Short-term, incremental changes and bolt-on solutions are not enough. The only way an organization can close the gap is by fundamentally transforming its information security function.

Implementing an information security transformation aimed at closing the ever-growing gap between vulnerability and security does not require complex technology solutions. Rather, it requires leadership, as well as the commitment, capacity and courage to act — not a year or two from now, but today.

[Figure: The Gap, widening from 2006 to 2012]


The four key learnings

Organizations that can minimize the gap between what their information security functions are doing now and what they need to do will secure competitive advantage.

There are four key steps toward fundamental information security function change:

1. Link information security strategy to the business strategy

2. Redesign the architecture

3. Execute the transformation successfully and sustainably

4. Deep dive into the opportunities and risks of new technologies.


1. Link information security strategy to the business strategy

Link the information security strategy to the business strategy in these critical areas:

► Growth: Organizations expanding overseas protect the business, safeguard revenue and free up revenue-enhancing resources.

► Innovation: Armed with the assurance that data is secure, new technologies can be employed to help organizations keep in touch with their customers.

► Optimization: Organizations can reduce costs across the business with well-structured and well-managed information security.

► Protection: Governance and transparency, along with an effective framework and strategy, are critical to building stakeholder confidence.


2. Redesign the architecture

► Identify the real risks: An effective strategy will include technologies and issues such as cloud, social media, big data, mobile computing, globalization and borderless, rather than just “bolt-ons”.

► Protect what matters most: An information security framework should assume that breaches will occur, and therefore planning and protecting is even more important than detecting and responding.

► Embed in the business: All employees, functions, business units, projects etc. have a role to play and should understand the risks.

► Sustain your security program: Keep information security frameworks effective, up-to-date and responding to the real risks with compliance measures, self-assessments, incident follow-up, continuous learning and improvement measures.

Demonstrate how information security can deliver business results: Instead of looking at the existing landscape and how they can rework it, information security functions should undertake a fundamental redesign, allowing for innovation and incorporating new technologies.


3. Execute the transformation successfully and sustainably

Enable the organization to successfully and sustainably change the way information security is delivered:

Leadership: Involve leaders and decision-makers in defining the future state; establish accountabilities and dashboards; link analysis to program approach; create a case for change.

Alignment: Involve the entire organization in owning the future state; drive results early; perform active listening; implement continuous improvement; provide dedicated skills.

Execution: Provide execution support; implement careful design; model program delivery risks.

Adoption: Build long-term relationships; leverage social media; identify adoption techniques; communicate wins; be transparent with challenges and fixes.


4. Deep dive into the opportunities and risks of new technologies

Conduct a deep dive into the opportunities – and the risks – presented by social media, big data, cloud and mobile technologies.

Organizations need to take a 360° look at each of the new technologies to identify and offset the associated risks.

► How would you describe the impact that advancing technologies have had on your overall business performance?

► Do you feel that your organization is leveraging these new technologies to their fullest? If not, why not?

► What kind of improvements have you made to your information security function and processes to address new risks introduced by increased usage of new technologies, such as cloud computing, social media and mobile working?

► Would you characterize these changes as incremental or foundational?

► To what extent have these changes prepared your organization to continue managing new risks going forward?


How can Ernst & Young help?


Our information security services are focused on sustainable business improvement solutions

Phases: Assess, Transform, Sustain

Accelerators
• Business and industry sector focus
• Technical research through Advanced Security Centers
• Diverse personnel who drive fact-based, creative business improvement
• Proprietary frameworks, tools and thought leadership
• Most globally aligned of the Big Four with an award-winning people culture

Security program management
• Services: security strategy and road map; organization and governance; information security risk assessment; security reporting and metrics; business continuity management; third-party risk management
• Client outcomes: transformed security program driving business performance; integrated information security and IT risk approach across the enterprise

Threat and vulnerability management
• Services: attack and penetration; cyber security investigations; vulnerability management; application testing and secure SDLC; control system security
• Client outcomes: identified and evaluated internal and external threats; optimized measures to mitigate threats

Identity and access management
• Services: strategy and governance; request and approval; provisioning and de-provisioning; enforcement; review and certification; role and rules management; reconciliation; reporting and analytics
• Client outcomes: understand who has or needs access to important data and applications; sustainable, compliant and efficient access processes

Information protection and privacy
• Services: data protection strategy; privacy implementation design; data loss prevention; privacy assessment and remediation
• Client outcomes: protect information that matters and detect leakage; regulatory and industry compliance


Ernst & Young’s related insights and resources

• Cloud computing issues and impacts
• Protecting and strengthening your brand: social media governance and strategy
• Ready for takeoff: preparing for your journey into the cloud
• Privacy trends 2012
• Mobile device security
• Bringing IT into the fold: lessons in enhancing industrial control system security
• A path to making privacy count

See www/ey.com/information security to download these documents. The full GISS report can be found on www.ey.com/giss2012.


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

About Ernst & Young’s Advisory Services

The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2012 EYGM Limited. All Rights Reserved. Proprietary and confidential. Do not distribute without written permission.

1207-1373188ED None

www.ey.com/giss2012