Tuesday, 30 September 2003  
Business

Information Security relevant to a company's business strategy - Ernst & Young global survey

Chief Information Officers and Chief Information Security Officers need to get better at explaining how information security is relevant to a company's business strategy, a new global survey by Ernst & Young has revealed.

The results of Ernst & Young's Global Information Security Survey 2003, in which 1,400 companies representing 26 industries across 66 countries participated, are out and we wish to release the findings to the press to create general awareness among the corporate community of the importance of information security.

The survey concludes that many organisations are continuing to take a piecemeal approach to information security, and consequently have major gaps in their risk coverage. Meanwhile, the impact of information security failures on market value has grown exponentially.

The 2003 Ernst & Young Global Information Security Survey found that with budgets under continued pressure, spending on technology, education, training and infrastructure to support information security is slipping further down the corporate priority list. More than half of the 1,400 companies surveyed, representing 26 industries across 66 countries including Sri Lanka, cited insufficient budget as the number one obstacle to effectively safeguarding their information.

Though scarcity of funds is a major problem, it appears to be compounded by the fact that barely half of the chief information officers, chief information security officers and other technology executives surveyed believed they successfully aligned their spending with their key business objectives.

"There's a clear difference between what organisations define as a major business objective, protecting their information resources, and where they allocate funding," a representative of Ernst & Young's Technology and Security Risk Services said. Few organisations are influenced by a broad spectrum of factors, including opportunities and benefits, when addressing information security. Mostly, they take a one-dimensional, risk-averse approach rather than an holistic one.

According to Ernst & Young, three initiatives organisations can undertake to strengthen the performance of their organisation's security program are:

(a) communicate information security issues in terms that are meaningful to stakeholders;

(b) align security and business objectives throughout the organisation; and

(c) back up talk about security concerns with action.

Traditionally, calculating the return on investment in information technology has been a critical factor in building a business case for further investment. However, 60 per cent of companies surveyed said they rarely or never calculate return on investment as part of building their business case for information security. "Return on investment appears to have fallen out of favour as a measure of the effectiveness of information security spending," the Ernst & Young representative said. "It looks like we need to find a credible alternative to conventional ROI approaches in order to secure funds for the information security function."

Traditionally, information security had been perceived as the domain of the 'IT experts', the Ernst & Young representative said. However, there appears to be an intense and immediate need for information security specialists to capture the attention of senior leaders and board members by communicating about security in a language they can understand.

The survey results also highlighted a significant difference between types of spending on information security. Eighty-three per cent of organisations listed technology spending as the largest component of their information security budgets, and only 29 per cent said the majority of their information security budget is spent on employee awareness and training.

"Having the technology in place is crucial, but ensuring people know how to take the greatest advantage of the technology is equally important," the Ernst & Young representative said.

Other key findings included:

More than one-third of organisations rated themselves as less than adequate in their ability to determine whether their systems were under attack;

One-third of organisations describe their ability to respond to incidents as inadequate; and

Only 34 per cent of companies claimed to be compliant with applicable security-driven regulations.

Many senior executives continue to focus on information security lapses that attract media attention, such as virus outbreaks and malicious hackers.

The Ernst & Young representative said more attention should be paid to less obvious and less publicised threats, such as disgruntled employees and ex-employees, network links to business partners with untrustworthy systems, theft of laptop and handheld computers, and insecure wireless access points set up by employees.

These factors can not only cause serious information security damage but also severely damage a company's reputation, he said.

Produced by Lake House
Copyright © 2003 The Associated Newspapers of Ceylon Ltd.