Ernst & Young: New approach needed to close information security gap

Organisations worldwide are making strides in beefing up their information security capabilities. But they continue to lose ground in the race to protect their vital data and networks, according to Ernst & Young’s 15th annual Global Information Security Survey.

The study concludes that there is a widening gap between where organisations should be with information security and where they actually are. E&Y attributes the gap’s growth to the velocity of change in information security. Those changes can be seen in two main areas:

  • The rapid development of mobile technologies, bring your own device, cloud computing, social media, and virtualisation – each contributing to an environment in which more and more people can use their personal smartphones and tablets to connect to employer networks and access proprietary information through cloud software and other services. This type of anywhere, anytime connectivity gives employees much more flexibility but also creates opportunities for security breaches.
  • Rising cybercrime rates and myriad other threats that are increasing in number, scope, and complexity.

Organisations face four main areas of concern in their information security efforts, the E&Y study says:

  • Alignment with the business.
  • Insufficient resources with the right skills and training.
  • Processes and architecture.
  • New and evolving technologies.

In addition, organisations must deal with the uncertain impact of potential governmental intervention and regulatory pressure to deal with information security threats.

Small changes won’t be enough for organisations to narrow the information security gap, the study concludes. Instead, E&Y recommends that organisations take the following four steps:

  1. Link their information security strategy to their business strategy and the overall desired results for the business.
  2. Start with a blank sheet when considering new technologies and redesigning the architecture to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
  3. Execute the transformation by creating an environment that enables the organisation to successfully and sustainably change the way information security is delivered.
  4. When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organisations must prepare for their use.

Ultimately, E&Y says, organisations need to make information security a board-level priority and provide seats on the board to the executives heading up the information security efforts.

The E&Y Information Security Survey, conducted between May and July, polled 1,836 chief information officers, chief information security officers, CFOs, chief executives and other information security executives in 64 countries and across all major industries. Most of the responses were collected during face-to-face interviews, with the others coming via an online survey. The regional breakdown for the responses was: 46% from Europe, the Middle East, India, and Africa; 23% from the Americas; 20% from the Asia-Pacific; and 11% from Japan.

For more details on the survey results and what they mean for organisations, visit the report’s web home page or view a PDF of the report.

Jeff Drew is a CGMA Magazine senior editor.