TRANSCRIPT
2012 Global Information Security Survey
January 2013
Fighting to close the gap
Fighting to close the gap: Ernst & Young’s 2012 Global Information Security Survey, Page 2
Now in its 15th year, Ernst & Young’s Global Information Security Survey is among the world’s leading sources of information and insight into the global state of information security.
This year’s 1,836 respondents from 64 countries represent most of the world’s largest and most-recognized global companies, and include some of the world’s leading information security authorities.
Strong data, blended with Ernst & Young’s industry-leading perspectives, help our clients focus on the most critical risks, identify their strengths and weaknesses, and improve their information security.
Introduction
Survey demographics
Survey participants by geography
EMEIA: 46%
Americas: 23%
Asia-Pacific: 20%
Japan: 11%
1,836 respondents from 64 countries
Survey participants by industry sector
[Chart: number of respondents per industry sector; the per-sector counts did not survive extraction. Sectors shown: Other, Private equity, Private households, Airlines, Aerospace and defense, Provider care, Mining and metals, Transportation, Life sciences, Chemicals, Asset management, Health care, Oil and gas, Automotive, Power and utilities, Professional firms and services, Real estate, Media and entertainment, Telecommunications, Retail and wholesale, Consumer products, Diversified industrial products, Government and public sector, Technology, Insurance, Banking and capital markets]
Survey participants by total annual company revenues ($ = US dollars)
Not applicable (e.g., government, nonprofit): 126
More than $50 billion: 66
$20 billion to $50 billion: 60
$15 billion to $20 billion: 30
$10 billion to $15 billion: 65
$7.5 billion to $10 billion: 48
$5 billion to $7.5 billion: 81
$4 billion to $5 billion: 42
$3 billion to $4 billion: 50
$2 billion to $3 billion: 86
$1 billion to $2 billion: 170
$500 million to $1 billion: 178
$250 million to $500 million: 172
$100 million to $250 million: 169
$50 million to $100 million: 167
Less than $50 million: 326
Survey participants by position
[Chart: number of respondents per position; the per-position counts did not survive extraction. Positions shown: Other, General counsel/legal department, Chief compliance officer, Chief financial officer, Chief risk officer, Chief operating officer, Business unit executive/vice …, Network/system administrator, Chief technology officer, Internal audit director/manager, Chief security officer, Chief information officer, Chief information security officer, Information security executive, Information technology executive]
Our survey results
The changing face of information security 2006-2012
[Chart: key trends in information security 2006-2012 and their impact on organizations; speed of change, complexity of response and severity of impact plotted across 2006-07, 2008-09, 2010-11 and 2012]

2006-2007
Before 2006, information security was a component of mitigating financial risk and meeting new compliance requirements (e.g. SOX 404).
After 2006, information security needed to:
• Protect the organization more broadly in a globalized world
• Demonstrate a clear return on investment, requiring an alignment of risk and performance

2008-2009
Against a background of global financial crisis and a changing competitive landscape, information security matured beyond compliance.
In an environment of escalating threats:
• Protecting brand and reputation was the primary driver
• Leveraging technology to increase security was a focus
• Organizations also needed to concentrate on reshaping, restructuring and reinventing to keep up with new requirements and cost pressures

2010-2011
The global economy was still in recovery, with sustained cost pressures and scarce resources.
Companies realized:
• With globalization, data is everywhere
• Traditional boundaries were vanishing, with employees sending data over the internet or carrying it on mobile devices
• Data processing moved into the cloud, requiring the information security function to rethink its approach to securing information

2012
The velocity and complexity of change accelerates:
• Virtualization, cloud computing, social media, mobile and other new technologies open the door to internal and external threats
• Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity
• Organizations unable to keep pace with these changes create an information security gap
Fighting to close the gap – survey overview
► Companies have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration.
► However, the number and sophistication of threats has also increased, challenging information security functions to keep up.
► As a result, the gap between what information security functions are doing and what they should be doing has widened.
[Chart: "The Gap", widening between 2006 and 2012]
Key highlights
► Information security is not getting the job done: only 16% indicated that their function fully meets their needs; 70% say that the function only partially meets their needs.
► Incidents and threats on the rise: 31% see increases in security incidents, and only 10% saw a decrease. In 2009, 41% saw an increase in external attacks; in 2012, that number rose to 77%.
► Response to cloud-related risks is slow: in 2010 only 30% indicated they were currently using or planned to use cloud computing services. By 2012, the number doubled. Yet 38% indicated that they have not taken any measures to address cloud-related risks.
► Financial challenges: 62% cited budget constraints as the main hurdle to effective information security.
► Governance impacts everything: around a third align their information security strategy to their organization’s risk appetite and risk tolerance, and nearly two-thirds have no formal security architecture framework in place.
In-depth: Information security is rising in importance
Organizations have recently taken steps to enhance their information security capabilities, allocating more resources and attention.
Among the recent improvements are:
►Increased transparency
►Enhanced training
►Incorporating new technologies as well as the measures to help maintain information security around those technologies
►Improved governance
In-depth: Improvements are up, but so are threats and incidents
In 2009, 41% of respondents noticed an increase in external attacks. That number jumped to 72% in 2011, and then again to 77% in 2012.
Organizations have noticed an increase in internal vulnerabilities. This year, nearly half of respondents (46%) say they have noticed an increase over the last 12 months.
In-depth: Threats are more sophisticated and numerous
With smarter attacks occurring in greater numbers, information security incidents are on the rise. Nearly half of respondents indicated that they had at least 100 incidents last year.
In-depth: Priorities reflect some current security needs
Business continuity, risk management and – most importantly – fundamental redesign rank among the highest information security priorities.
[Chart: ranking of information security priorities; key: 1st, 2nd, 3rd, 4th, 5th]
In-depth: Stubborn issues fuel the gap
Obstacles like budget constraints, organizational issues and lack of the right resources prevent companies from closing this critical information security gap.
In-depth: Issues in alignment
The growing gap is being fed by compounding issues in the area of alignment, with information security having to compete with other board-level responsibilities.
• Broader alignment needed: The information security agenda continues to be IT-led rather than focused on the overall business strategy.
• Governance and monitoring responsibilities: Only 38% align their information security strategy to their organization’s risk appetite and risk tolerance
• Not part of broader strategic framework: Nearly two-thirds of organizations have no formal security architecture framework in place, nor are they planning to use one.
In-depth: Spending is up, but not always in critical areas
Funding for important areas is still not keeping pace with the risk challenges, including threat and vulnerability management and security testing.
[Chart: planned spending by area; key: spend more, spend the same, spend less]
In-depth: Vulnerability on the rise
A patchwork of non-integrated, complex and frequently fragile defenses creates significant gaps in security. Organizations seem increasingly inclined to use bolt-on or work-around solutions. These processes are inconsistent, hard to test, and not easy to understand, use, update or monitor.
Nearly a third of respondents claimed that the threat or vulnerability of their information security architecture had increased in the past year, mostly because of outdated controls.
In-depth: Cloud adopters: eager but uneasy
Cloud data management and storage is rapidly becoming the platform of choice for supporting initiatives such as supply chain improvement, deeper customer engagement and enhanced employee innovation. Quick, fast and cheap: most companies are recognizing that they must adapt or perish.
In 2010, only 30% of organizations indicated they were currently using or planned to use cloud computing services. That number rose to 44% in 2011, and again this year to 59%, nearly double.
But many admit that their efforts to address cloud-related risk are minimal or non-existent.
In-depth: Mobile + tablets = risks on the move
Analysts predict that by 2016 there will be 10 billion internet-enabled mobile devices, smartphones and tablets; more than one for every person on the planet.
Tablet computer use for business has more than doubled since last year. 44% of organizations now allow the use of company or privately-owned tablets.
Closing the gap: Ernst & Young’s insights
Closing the gap requires a fundamental transformation
Short-term, incremental changes and bolt-on solutions are not enough. The only way an organization can close the gap is by fundamentally transforming its information security function.
Implementing an information security transformation aimed at closing the ever-growing gap between vulnerability and security does not require complex technology solutions. Rather, it requires leadership, as well as the commitment, capacity and courage to act — not a year or two from now, but today.
[Chart: "The Gap", widening between 2006 and 2012]
The four key learnings
Organizations that can minimize the gap between what their information security functions are doing now and what they need to do will secure competitive advantage.
There are four key steps toward fundamental information security function change:
1. Link information security strategy to the business strategy
2. Redesign the architecture
3. Execute the transformation successfully and sustainably
4. Deep dive into the opportunities and risks of new technologies.
1. Link information security strategy to the business strategy
Link the information security strategy to the business strategy in these critical areas:
► Growth: Organizations expanding overseas protect the business, safeguard revenue and free up revenue-enhancing resources.
► Innovation: Armed with the assurance that data is secure, new technologies can be employed to help organizations keep in touch with their customers.
► Optimization: Organizations can reduce costs across the business with well-structured and well-managed information security.
► Protection: Governance and transparency, along with an effective framework and strategy, are critical to building stakeholder confidence.
2. Redesign the architecture
Demonstrate how information security can deliver business results. Instead of looking at the existing landscape and how they can rework it, information security functions should undertake a fundamental redesign, allowing for innovation and incorporating new technologies.
► Identify the real risks: An effective strategy will include technologies and issues such as cloud, social media, big data, mobile computing, globalization and borderless, rather than just “bolt-ons”
► Protect what matters most: An information security framework should assume that breaches will occur, and therefore planning and protecting is even more important than detecting and responding
► Embed in the business: All employees, functions, business units, projects etc. have a role to play and should understand the risks.
► Sustain your security program: Keep information security frameworks effective, up-to-date and responding to the real risks with compliance measures, self-assessments, incident follow-up, continuous learning and improvement measures.
3. Execute the transformation successfully and sustainably
Enable the organization to successfully and sustainably change the way information security is delivered:
Leadership: Involve leaders and decision-makers in defining the future state; establish accountabilities and dashboards; link analysis to program approach; create a case for change
Alignment: Involve the entire organization in owning the future state; drive results early; perform active listening; implement continuous improvement; provide dedicated skills
Execution: Provide execution support; implement careful design; model program delivery risks
Adoption: Build long-term relationships; leverage social media; identify adoption techniques; communicate wins; be transparent with challenges and fixes
4. Deep dive into the opportunities and risks of new technologies
Conduct a deep dive into the opportunities – and the risks – presented by social media, big data, cloud and mobile technologies.
Organizations need to take a 360° look at each of the new technologies to identify and offset the associated risks.
► How would you describe the impact that advancing technologies have had on your overall business performance?
► Do you feel that your organization is leveraging these new technologies to their fullest? If not, why not?
► What kind of improvements have you made to your information security function and processes to address new risks introduced by increased usage of new technologies, such as cloud computing, social media and mobile working?
► Would you characterize these changes as incremental or foundational?
► To what extent have these changes prepared your organization to continue managing new risks going forward?
How can Ernst & Young help?
Our information security services are focused on sustainable business improvement solutions

Accelerators
• Business and industry sector focus
• Technical research through Advanced Security Centers
• Diverse personnel who drive fact-based, creative business improvement
• Proprietary frameworks, tools and thought leadership
• Most globally aligned of the Big Four with an award-winning people culture

Service lines, delivered across the Assess, Transform and Sustain phases:

Security program management
• Security strategy and road map
• Organization and governance
• Information security risk assessment
• Security reporting and metrics
• Business continuity management
• Third-party risk management
Client outcomes:
• Transformed security program driving business performance
• Integrated information security and IT risk approach across enterprise

Threat and vulnerability management
• Attack and penetration
• Cyber security investigations
• Vulnerability management
• Application testing and secure SDLC
• Control system security
Client outcomes:
• Identified and evaluated internal and external threats
• Optimized measures to mitigate threats

Identity and access management
• Strategy and governance
• Request and approval
• Provisioning and de-provisioning
• Enforcement
• Review and certification
• Role and rules management
• Reconciliation
• Reporting and analytics
Client outcomes:
• Understand who has or needs access to important data and applications
• Sustainable, compliant and efficient access processes

Information protection and privacy
• Data protection strategy
• Privacy implementation design
• Data loss prevention
• Privacy assessment and remediation
Client outcomes:
• Protect information that matters and detect leakage
• Regulatory and industry compliance
Ernst & Young’s related insights and resources
• Cloud computing issues and impacts
• Protecting and strengthening your brand: social media governance and strategy
• Ready for takeoff: preparing for your journey into the cloud
• Privacy trends 2012
• Mobile device security
• Bringing IT into the fold: lessons in enhancing industrial control system security
• A path to making privacy count
See www/ey.com/information security to download these documents. The full GISS report can be found on www.ey.com/giss2012
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
About Ernst & Young’s Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.
© 2012 EYGM Limited. All Rights Reserved.
Proprietary and confidential. Do not distribute without written permission.
1207-1373188ED None
www.ey.com/giss2012