Organisations need to fundamentally shift their approach to information security, to meet the threats presented by existing and emerging technologies. That is according to audit firm Ernst & Young’s 15th Global Information Security Survey 2012. The report is, the auditors say, based on responses from 1,850 CIOs, CISOs and other information security executives in 64 countries.
With 88 per cent of respondents experiencing a higher number of security incidents in the last two years and 77pc using the cloud, the need to develop a robust security architecture framework has never been greater, it is claimed. However, 64pc of organisations have no such framework in place and almost half of respondents (45pc) admit to only discussing information security issues once a year with their boards.
Lack of specialist skills is cited as the main symptom that forces organisations (57pc) to focus on the implementation of improvements to their information security capabilities that provide only short-term solutions instead of tackling the issues associated with the overall threat.
Mark Brown, Director of Information Security at Ernst & Young, said: “The results of our survey point at two necessary changes. On the one hand, businesses need to understand that information security can no longer simply be an IT issue. They need to transform their perception of information security and make it a board sponsored topic that is eventually embedded in the core strategy of a business.
“On the other hand, we need to look at the bigger picture – that of the lack of specialist skills. Since the late 1990s the number of UK-born graduates studying mathematics and science degrees has fallen by almost 70pc. This has led to an increasing shortage in relevant skills and has put the UK’s efforts to tackle growing cyber security risks on the back foot.
“Encouraging the workforce of the future to seek a career in IT and information security is key to a sustainable solution.”
Information security continues to be IT-led within many organisations, with 61pc of respondents in the UK indicating that their companies have placed the responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps. In addition, a reappraisal of responsibilities is required.
Only 11pc of respondents, however, report discussing information security topics at each board meeting. When it comes to the extent to which the information security function meets an organisation’s needs, only 15pc of UK corporates state that it does so fully. The main reason cited is the lack of skilled resources – 57pc this year compared to 23pc in 2011.
Organisations recognise that the risk environment is changing as the frequency and nature of information security threats increase and the number of security incidents rises. The vast majority (88pc) of respondents agreed that there is an increasing risk from external attacks, but over half (61pc) name budget constraints as the main obstacle to their company’s information security strategy.
March of new technology
New technologies are opening up opportunities for organisations, but also potential threats from previously unknown sources. Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organisations using the cloud globally almost doubling in the last two years. However, 20pc of organisations in the UK have not taken any measures to mitigate the risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.