Ernst & Young's 2008 Global Information Security Survey raises the eternal question, depending on how you look at the numbers: Is the
Michael S. Mimoso, Editorial Director
For example, the survey clearly shows that many companies may be slow to address growing security concerns, such as reliance on third parties -- partners, vendors and contractors. Only 45% of respondents include specific security requirements in all third-party contracts, but an optimist might say this reflects a trend in the right direction. One wonders if the other 55% write language into their more sensitive contracts that involve sharing confidential data or access to key systems.
The 11th annual survey by Ernst & Young (E&Y) polled nearly 1,400 organizations in more than 50 countries with annual revenues ranging from less than $100 million to more than $25 billion, as well as non-profits. Nearly a third of the organizations polled were in the financial services sector and 13% were in manufacturing, the second highest group.
The report comes on the heels of PricewaterhouseCoopers' annual Global State of Information Security Survey.
On a positive note, adoption of international information security standards is clearly trending up. Use of ISO/IEC 27001:2005 was up 15% over 2007, and use of ISO/IEC 27002:2005 rose 9% over 2007. The E&Y report noted that, much as management standards such as ISO 9000 have become a prerequisite for doing business in certain industries, information security standards are becoming a necessity for doing business.
The survey also found that organizations are overwhelmingly planning to increase or maintain information security spending as a percentage of their total expenditures. The survey was conducted from June 6 to August 1, before the international economic crisis was in full bloom, so the question going forward is: What was the impact on total expenditures? It would be interesting to see the results if the survey were conducted now.
Interestingly, 50% of the respondents said organizational awareness was the most significant challenge to information security initiatives, edging out availability of resources, budget, and addressing new threats and vulnerabilities. The survey didn't specifically address training or awareness programs, but one related figure stands out: only 19% of respondents said they ran social engineering tests, whereas Internet testing (85%) and infrastructure testing (73%) are common practice. The human layer that respondents call their biggest challenge is the one they test least.
While E&Y says regulatory compliance has been the leading driver for information security since 2005, it reports that protecting reputation and brand has become a significant driver as well. However, the question asked was not what drives information security initiatives and spending, but rather, what are the perceived consequences of security incidents? Respondents were asked to rate the "level of significance if information is lost, compromised or unavailable." Eighty-five percent said damage to reputation and brand was "significant" or "very significant," followed closely by loss of stakeholder confidence, loss of revenue, regulatory action and legal action.
Though the report cites compliance as a driver for raising security awareness and improvements, there's room for healthy skepticism about how much companies would do if they weren't compelled. Every car should have seatbelts, but how many had them before they were mandated?
Other key findings: