Information Security Driving Business Process Improvements - But Need for Continuous Attention to Minimize Risk
Information Security is increasingly recognized as a driver of business improvement, says Ernst & Young's 9th Annual Global Information Security Survey, but companies still need to do more to improve their information security posture in the globalized business environment where the largest opportunities also carry the greatest risks. Among the five key priorities identified by the report as being most critical to future success, the one making the most dramatic leap up the boardroom risk agenda is privacy and personal data protection; the most consumer-driven of these issues.
The survey, "Achieving Success in a Globalized World — Is Your Way Secure?" sought the views of nearly 1,200 senior information security professionals in 48 countries, as well as benchmarking the current information security practices of more than 350 organizations in 38 countries.
Paul van Kessel, Global Leader of Ernst & Young's Technology and Security Risk Services, comments, “We have identified five major information security priorities in which companies are showing significant progress, but also where continuous improvements are necessary to keep pace with the growing requirements of effective risk management.
“Among the most notable priorities is privacy and personal data protection, which is the one information security issue most-consumer driven. It has become a high-stakes business issue, catapulted up the board agenda by consumer concerns caused by well publicized lapses of security and the growing response of government and legislative activism. Understandably it is the area where companies are being most active, with privacy and data protection practices becoming increasingly more formalized.”
Paul van Kessel adds, “Companies know all too well that the problem of privacy and personal data protection is broader and deeper than what is in the headlines. Our survey reports that this will continue to be a top business issue, requiring vigilant oversight on the part of organizations and even more formalization of measures to mitigate the risks.”
Driving the surge in awareness of privacy issues is the notoriety corporations and government agencies have received from well publicized lapses in consumer data security, combined with a significant increase in the collection and sharing of information. Inherent in globalization is the risk to business information as it is more frequently and easily moved, used by companies globally and entrusted to third parties.
Five Major Priorities for Information Security
Based on its latest survey and the results from previous years, Ernst & Young has identified five major priorities for information security, where progress has been made but where there is an ongoing need for continuous improvement. These are:
- integrating information security with the organization: embedding information security into the mainstream of the business with increased visibility and resources.
- extending the impact of compliance: shifting attitudes from compliance as a distraction to being an enabler, bringing advances in risk-based security for organizations.
- managing the risk of third party relationships: recognizing the challenges, issues and actions needed to manage the risks with global suppliers and outsourced partners.
- focusing on privacy and personal data protection: taking a proactive and comprehensive approach to mitigating the risks related to privacy and personal data protection.
- designing and building information security: using externally imposed compliance deadlines and security incidents as a catalyst for proactive investments in stronger capabilities and defenses.
Compliance Still the Top Driver
While privacy and personal data protection has become a major information security issue, compliance with regulations, for the second year running, is still the top driver that has most impacted, and will probably continue to impact, information security practices over the next 12 months. There is emphatic agreement — by almost 80% of survey participants — that efforts and activities undertaken to achieve regulatory compliance have actually improved companies' information security. It will now be important for companies to be proactive in carrying out security rationalization and optimization, to sustain and embed their information security compliance controls and processes into their normal operations.
Companies are recognizing the challenges, issues and action needed to manage the risks of third-party relationships, particularly with the use of customer data by customer service outsourcing companies in rapidly developing economies. More than one-third of survey participants say they have formal procedures in place for vendor risk management. Vendors themselves are expected to spend more time over the next year complying with information security certification requirements. Yet the survey shows companies have inconsistent policies and procedures in place to manage these relationships. More than 50% of survey respondents say they address the issue of vendor risk only informally, or not at all. Just 14% of organizations require their vendors to have an independent review of their information and privacy practices against leading practices.
Van Kessel concludes, “Overall our 2006 Global Information Security Survey confirms that information security has never been more important. It shows that many companies are making significant progress in mitigating risk by strengthening their information security. This is due to greater investments, greater board involvement, positive influences of regulatory pressures and maturity in information security leadership. However, the dynamics of risk require continuous improvements and updates to information security measures.”
Looking Ahead: 2007 Challenges and Priorities
The 2006 Global Information Security Survey points to strong challenges and priorities that will almost certainly be reflected in the future:
- regulatory compliance will continue to dominate information security, challenging organizations in how they sustain compliance and integrate it into an overriding risk management framework and internal control processes.
- privacy will continue to preoccupy companies and their information security executives.
- certification against recognized standards will continue to gain wider acceptance as a key component of information security.
- benchmarking against recognized standards and peers will continue to broaden in scope and influence.
- the recognition that information security risks are intertwined with achieving broader business objectives will make it even more of a priority for information security to play a proactive role.
See the 2005 Survey