For the second year in a row, regulatory compliance has proved to be the main driver behind improving information security, according to Ernst & Young’s annual global information security survey.
The professional services provider polled 1,200 security professionals in 48 countries for the survey. Six New Zealand companies took part.
Last year regulatory compliance topped the executives’ list of concerns for the first time — ahead of worms and viruses. In this year’s survey worms and viruses were not even mentioned as drivers behind installing information security measures.
“Our experience would indicate that [worms and viruses] are still of concern and that work which is being undertaken to respond to regulatory compliance also [addresses] the threats posed by worms and viruses,” says Susan Steedman, national practice leader for risk advisory services at Ernst & Young New Zealand.
Almost 80% of our survey’s participants found that the efforts and activities they undertook to achieve regulatory compliance also improved their companies’ information security, she adds.
This year, privacy and personal data protection have moved up to second place on executives’ concern list.
Nearly 60% of respondents have formal procedures in place for privacy and personal data protection. And close to 75% say that privacy and personal data protection is the area in which they are most proactive.
Organisations are making good progress in improving their information security and thereby mitigating risks, says the report.
Forty-three percent of respondents said that information security is integrated with their organisation’s risk management programmes and processes, compared with 40% in 2005.
And nearly two-thirds of respondents said they used regular meetings and formal frameworks to ensure information security involvement.
Over half of the respondents said that their compliance work is part of an integrated, organisation-wide compliance and risk-management framework. Within this framework information security professionals work with, for example, IT, finance and corporate management to meet common goals.
The survey also showed that there has been an improvement in the extent to which third-party risks are being addressed, says Steedman. Thirty-six percent of respondents now have formal procedures in place for third-party risk management.
A lack of experienced security professionals is still a concern, according to the survey, and this is one of the drivers behind information security outsourcing.
The survey highlights two views on outsourcing, according to Steedman.
First, survey participants, in both the 2005 and 2006 surveys, were emphatic that they do not want to outsource their information security activities. Second, those who already do outsource information security activities, or are planning to, see outsourcing as a way of making more use of the valuable resources available within their organisations, she says.
“For me, the most interesting finding [of the survey] was the positive impact that regulatory compliance has had on information security practices,” says Steedman.
She says it will be interesting to see to what extent these good practices are adopted by New Zealand organisations that are not legally required to comply with regulations.
Overall, the survey does indicate higher levels of investment in activities related to information security, says Steedman. However, she warns that the newer technologies — such as removable media, mobile computing and wireless networks — and the security risks these technologies introduce could become areas of concern.