Compliance Pays Off in Information Security
14 November 2006
Complying with Regulations Pays Off in Information Security
Information Security is increasingly recognised as an enabler of business improvement, says Ernst & Young’s 9th Annual Global Information Security Survey, with regulatory compliance the top driver in improving information security within organisations.
The survey, Achieving success in a globalised world – Is your way secure? sought the views of nearly 1200 senior information security professionals in 48 countries, as well as benchmarking the current information security practices of more than 350 organisations in 38 countries.
There is emphatic agreement – by almost 80% of survey participants – that efforts and activities undertaken to achieve regulatory compliance have actually improved companies’ information security.
Susan Steedman, Ernst & Young New Zealand’s national practice leader for Risk Advisory Services, comments, “The survey identifies five major information security priorities in which companies are showing significant progress, but also where continuous improvements are necessary to keep pace with the growing requirements of effective risk management.
“For New Zealand companies, compliance and third party risk are the most notable priorities,” says Susan.
“The limited availability of experienced and well-trained security practitioners in New Zealand puts a greater emphasis on New Zealand organisations rationalising and optimising their security compliance efforts as part of normal operations. It also heightens the need for proactive management of third party providers of security related services.”
Only one-third of survey participants say they have formal procedures in place for vendor risk management. Vendors themselves are expected to spend more time over the next year complying with information security certification requirements.
The survey also shows companies have inconsistent policies and procedures in place to manage these relationships. More than 50% of survey respondents say they address the issue of vendor risk only informally, or not at all. Just 14% of organisations require their vendors to have an independent review of their information and privacy practices against leading practices.
“Overall our 2006 Global Information Security Survey confirms that information security has never been more important,” Susan concludes.
“It shows that many companies are making significant progress in mitigating risk by strengthening their information security. This is due to greater investments, greater board involvement, positive influences of regulatory pressures and maturity in information security leadership. However, the dynamics of risk require continuous improvements and updates to information security measures.”
Five Major Priorities for Information Security
Based on its latest survey and the results from previous years, Ernst & Young has identified five major priorities for information security, where progress has been made but where there is an ongoing need for continuous improvement. These are:
Integrating information security with the organisation: embedding information security into the mainstream of the business with increased visibility and resources.
Extending the impact of compliance: shifting attitudes from compliance as a distraction to being an enabler, bringing advances in risk-based security for organisations.
Managing the risk of third party relationships: recognising the challenges, issues and actions needed to manage the risks with global suppliers and outsourced partners.
Focusing on privacy and personal data protection: taking a proactive and comprehensive approach to mitigating the risks related to privacy and personal data protection.
Designing and building information security: using externally imposed compliance deadlines and security incidents as a catalyst for proactive investments in stronger capabilities and defenses.
In Brief: Some Other Key Survey Findings
Other positive trends in information
Forty-three percent in 2006, compared with 40% in 2005, say information security is integrated with their organisations’ risk management programs and processes.
This year’s survey suggests that companies’ information security policies, roles and responsibilities are not only reasonably well-developed, but also more clearly and effectively communicated and understood by employees.
Increasingly, information security outsourcing is a topic in discussions of corporate outsourcing, driven in part by the limited availability of experienced and well-trained security practitioners.
More than half of survey participants confirm their compliance work is part of an integrated organisation-wide compliance effort and risk management framework.
Over the next year, after working on compliance and privacy, more survey participants say they will be working proactively to help their organisations meet global business objectives.
Nearly 80% of survey respondents have identified and prioritised critical business processes as part of their business continuity plans; three quarters of them have undertaken an IT risk assessment in developing their plans.
Nearly half of information security executives say they have adopted or plan to adopt an information security standard.
Other areas for continuous improvement:
More than half of survey participants have yet to take steps to integrate information risk management into their overall risk management activities.
Over 40% of survey participants indicate they are not reporting about information security issues to their board of directors and business unit leaders on a regular basis.
Only half of organisations have their information security function proactively involved in achieving regulatory compliance.
Information security is least proactive today when addressing new technologies.
One-third of survey respondents say disaster recovery timescales have not been agreed to with the business, only half of business continuity plans have been tested, just over half of organisations have agreed on escalation procedures in response to a disaster, and less than half have developed an internal and external communication strategy for business continuity.