Ernst & Young Report: Execs Still Disconnected from SecurityBy Ericka Chickowski | Posted 2007-12-12 Email Print
Ernst & Young reported companies continue to make strides in integrating security with risk management processes, yet there is still a troubling disconnect between security operations and board room executives.The firm recently released the results of its 10th Annual Global Information Security Survey, which polled nearly 1,300 organizations in 50 countries about security practices and concerns. The survey results suggest that businesses are improving the way information security fits within the overall risk management framework and in enabling business initiatives.
The number of organizations that have either partially or fully integrated information security functions with risk management operations jumped from just 40 percent in 2005 up to 82 percent this year. On the performance side, a full 8 out of 10 organizations said that information security's contributions resulted in improvements in overall information security operational efficiency. Six out of 10 organizations also noted that information security was instrumental enabling strategic initiatives.
However, consultants at Ernst & Young believe that information security is not running at optimum performance due to a lack of communication with the top of the food chain.
"This is a step in the right direction," said Richard Brown in a statement, head of technology security and risk services at Ernst & Young. "There is however some concern that many information security functions are struggling to balance their traditional risk management roles with a growing focus on information security being a contributor to performance improvementa struggle that is exacerbated when information security is not closely connected to the strategic decision-making process."
According to Ernst & Young, half of the organizations it surveyed meet with their board of directors only once a year or not at all. And 20 percent say their security departments never meet with corporate executives.
"There needs to be strong effective engagement with the business leaders to achieve a holistic approach across the entire organization," Brown said.
As in years past, compliance continues to be the main driver for information security activities, with 64 percent of organizations listing it within the top three factors impacting their programs. And though 80 percent of organizations agreed or strongly agreed that compliance efforts have improved their security programs, other drivers are growing in importance.
*For more on the relationship of compliance and security, take a look at Study: Frequency of Data Loss Connected to Compliance Efforts.
The percentage of respondents who ranked privacy and data protection as a key driver grew from 41 percent to 58 percent in the last year. The third-most frequently noted driver was meeting business objectives, with 45 percent rating that within its top three.
Besides the previously noted challenges regarding communication with upper level executives, information security managers also face an uphill battle in regard to finding qualified staff to perform security functions. More than half of those surveyed said that the greatest challenge to delivering security projects was finding well-trained IT staff and security specialists to do the job.
As a result, many organizations are relying more heavily on outsourced security services than ever before. In 2002 only 21 percent of those questioned by Ernst & Young outsourced any of their information security activities. Today more than 60 percent of the surveyed organizations outsource at least part of their security functions. Most common on the list of outsourced activities are penetration testing, architecture development, procedure development and development of awareness and training programs.