12th Annual Giss



Published in: Technology



  • 1. Outpacing change Ernst & Young’s 12th annual global information security survey
  • 2. Foreword
    - Introduction: outpacing change
    - Managing risks
    - Addressing challenges
    - Complying with regulations
    - Leveraging technology
    - Summary
    - Survey approach
    - About Ernst & Young
  • 3. Foreword

Over the last year, we have witnessed unprecedented changes in the global economic environment. Increased pressure to reduce costs, coupled with increased government and industry regulations, has presented new risks and challenges — challenges that many organizations are now struggling to address and which can significantly affect their information security postures. We have also witnessed new technologies introduced and adopted, some that helped improve information security and some that brought new risks and concerns.

The survey results are encouraging in that many organizations are now taking a more holistic view of security and focusing on the overall health of their information security programs. However, our survey also reveals that the lack of adequate budget and resources continues to be a significant challenge for many organizations.

The Ernst & Young global information security survey is one of the longest-running and most recognized annual surveys of its kind. We are very proud that for 12 years, our survey has helped our clients focus on the right risks and priorities, identify their strengths and weaknesses, and improve their information security. We are also impressed that this year’s survey received the highest levels of participation since its inception more than a decade ago, demonstrating that information security continues to be an important issue for our clients.

I would like to extend my warmest thanks to all of our nearly 1,900 survey participants for taking the time to share their views on information security. My colleagues and I are confident you will find this survey report useful, informative and insightful. We welcome the opportunity to speak with you personally about your specific information security risks and challenges. We are certain such discussions will position you to stay ahead of change and allow you and your organization to achieve your full potential.

Paul van Kessel
Global Leader, IT Risk and Assurance Services
  • 5. Introduction: outpacing change

How do you protect your organization’s brand and reputation in an environment of change? How do you identify and manage new risks? How do you overcome increasing challenges to deliver an effective information security program? How do you comply with new regulations and industry requirements? How do you leverage technology to not only meet business objectives but also improve security?

These are just some of the questions that information security leaders are struggling with — and must find answers to — if they are going to outpace change and protect their organization’s most critical information assets.

Over the last year, we have witnessed a global economic downturn become a crisis for many countries and many organizations. We have seen the competitive landscape drastically altered for many industries. Although there are signs of economic recovery, the impact of these difficult times will continue to be felt by many companies as they reshape, restructure and reinvent themselves.

Information security leaders are facing considerable challenges as a result of the current environment. It would be naive to think that information security has not also been impacted by economic pressures; the need to reduce costs and provide more results from investments already made extends to all areas of the enterprise, including the information security function.

To support this statement, there is evidence from our survey that many more organizations are struggling with a lack of skilled and trained information security resources. Our survey respondents are also reporting that finding adequate budget for information security is a major challenge for the coming year. These are clear indicators that information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum.

The current environment is also producing a rise in both internal and external threats. Our survey participants reveal a growing concern with reprisals from recently separated employees as well as noting an increase in external attacks on their company websites and networks.

Regulatory compliance is also top of mind for information security leaders, and our survey confirms that it continues to be an important driver of information security improvements. Several industries and countries are moving toward more regulation, primarily related to data protection and privacy. Correspondingly, companies are reporting an increase in the cost of compliance as the complexity and number of regulations also increases.

In this 12th annual global information security survey we take a closer look at how organizations are specifically addressing the changing environment, including the risks, challenges, increasing regulatory requirements and new technologies. We also identify and examine potential opportunities for improvement and important short-term and long-term trends that will shape information security in the coming years.
  • 6. Managing risks

In the last several years, we have seen a shift in the way technology is being deployed to support the flow of information. The increasingly mobile and global workforce, coupled with the rapid adoption of broadband and over-the-air technologies, has changed the way many organizations use technology and information. As a result, it has expanded or perhaps even eliminated the traditional borders of the organization and the conventional digital perimeter paradigm. Organizations must now adjust their information security risk management approach — from “keeping the bad guys out” to protecting information no matter where it resides. We consider this to be a more “information-centric” view of security and a more effective approach.

Not surprisingly, improving information security risk management was the top security priority for our survey participants, with 50% of respondents indicating that they plan to spend more and 39% planning to spend relatively the same amount on this initiative over the next year.

Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities?
(Shown: percentage of respondents. Columns: Spend more | Same or constant | Spend less | Not answered)
    - Improving information security risk management: 50% | 39% | 5% | 6%
    - Implementing or improving DLP technologies and processes: 43% | 47% | 5% | 5%
    - Implementing virtualization technologies: 41% | 42% | 9% | 8%
    - Internal security awareness and training: 39% | 49% | 7% | 5%
    - Risk management: 36% | 54% | 4% | 6%
    - Performing security testing: 32% | 55% | 8% | 5%
    - Implementing or improving secure development processes: 30% | 56% | 6% | 8%
    - Implementing or improving IAM technologies and processes: 28% | 57% | 7% | 8%
    - Regulatory compliance: 28% | 60% | 6% | 6%
    - Implementing standards: 24% | 59% | 9% | 8%
    - Staffing: 20% | 58% | 16% | 6%
    - Implementing other technologies: 17% | 39% | 5% | 39%
    - Forensics/fraud support: 14% | 67% | 9% | 10%
    - Outsourcing of security functions: 14% | 59% | 18% | 9%

The role of regulators in promoting an information-centric security approach

In Singapore, the Monetary Authority of Singapore (MAS) has recently released a set of guidelines requiring financial service institutions to evaluate the risks of information being compromised through endpoints. This approach places the emphasis on establishing controls that follow the flow of information, as well as the organization’s understanding of risk and the controls they have in place to protect the data.
  • 7. Increased threats

In addition to the technology shift, the current economic environment is fueling an increase in the number of threats organizations are facing. The increase is driven not only from external sources — our survey found that 41% of respondents noted an increase in external attacks — but also from within the organization: 25% of respondents witnessed an increase in internal attacks, and 13% reported an increase in internally perpetrated fraud.

Given the current economic environment, have you seen or perceived a change in the threats facing your organization?
(Shown: percentage of respondents)
    - No perceived changes noted: 44%
    - Increase in external attacks (e.g., phishing, website attacks): 41%
    - Increase in internal attacks (e.g., abuse of employee privileges, theft of information): 25%
    - Increase in externally perpetrated fraud: 19%
    - Increase in internally perpetrated fraud: 13%

Information security risk management defined

Information security risk management is the ongoing process of (1) identifying and understanding the potential threats and risks; (2) assessing to determine the extent of the risk; (3) remediating the risks; and (4) continuing these activities over time. It also includes the necessary communication and risk reporting within the organization.
  • 8. Managing risks (continued)

More interesting than the rise in internal and external attacks is the fact that a full 75% of respondents revealed that they are concerned (33% are very concerned) with the possible reprisal from employees recently separated from their organizations. Survey results also show that 42% of respondents are trying to understand the potential risks related to this issue and 26% are already taking steps to help mitigate the risks.

Given the current economic environment, how concerned is your organization with the possible reprisal from employees recently separated from your organization?
(Shown: percentage of respondents)
    - Somewhat concerned, and we are trying to understand the potential risks: 42%
    - Very concerned, and we are taking steps to help mitigate the risks: 26%
    - Not a concern: 25%
    - Very concerned, but we haven’t addressed the potential risks: 7%

Information security management system

A structured and repeatable risk management approach is the core element of an information security management system (ISMS). It is also the approach chosen by a majority of companies to address their information security risks. Our survey results show that 44% of respondents currently have an ISMS in place or are in the process of implementing one, with another 32% considering an ISMS solution.

Information security standards are also playing an increasingly important role in shaping the ISMS for many organizations. Although only 8% of respondents have achieved formal certification, 36% of respondents indicated that they are using the ISO/IEC 27001:2005 security standard as the basis for their ISMS. Standards can provide organizations with a set of leading practices related to information security risk management and are a logical starting point in developing an effective and comprehensive ISMS.
  • 9. Has your organization implemented an information security management system (ISMS) that covers the overall management of information security?
(Shown: percentage of respondents)
    - Yes, implemented and formally certified: 8%
    - Yes, without certification objective: 19%
    - Yes, currently in the process of implementing: 17%
    - No, but considering it: 32%
    - No, and not considering it: 24%

Our perspective

Our survey shows that the levels of internal and external risk continue to increase. To manage the increased risks, companies should develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination. Companies should also undertake a specific risk assessment exercise to identify their potential exposure within this sphere and put in place appropriate risk-based responses.

Managing information security risks can be difficult — made more so in a changing environment — and requires an approach that is flexible and focused on what matters most to the organization: protecting critical information. Companies need to take an information-centric view of security to ensure better alignment with their information flows. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs.

Information-centric security moves far beyond the boundaries of information technology (IT), and to deliver such an approach successfully, information security functions need to be more closely integrated with the business. This will help change how security should be viewed within the organization — as a flexible, responsible corporate citizen rather than an “obstacle” to achieving business objectives.

Security standards defined

ISO/IEC 27001:2005 — This standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.

ISO/IEC 27002:2005 — This standard outlines the potential controls and control mechanisms which may be implemented based on the guidance provided within ISO/IEC 27001:2005. It established guidelines and general principles for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management within an organization.

Information Security Forum (ISF): The Standard of Good Practice for Information Security — This standard addresses information security from a business perspective, providing a practical basis for implementing and assessing an organization’s information security arrangements.
  • 10. Addressing challenges

The availability of resources, budget and organizational awareness continue to dominate this category. However, this year’s survey results show an increase in the number of organizations struggling with both resources and budget. This confirms that the information security function is not immune to the pressures of the current economic environment and like any other organizational function it is competing for scarce resources.

Availability of resources

In 2009, the primary challenge to effectively delivering information security was the lack of appropriate resources, with 56% of respondents ranking this as a high (4) or significant (5) challenge (on a 1 to 5 scale); this is an increase of eight percentage points compared to our 2008 survey results (48%). In somewhat of a contradiction, our respondents indicated that the two leading areas for reducing spending over the coming 12 months will be for outsourcing services (18%) and in-house staffing (16%). It appears that although organizations recognize the availability of resources to be their most significant challenge, only 20% of respondents plan to hire more in-house resources and only 14% plan to spend more on outsourcing to help alleviate this issue.

What is the level of challenge related to effectively delivering your organization’s information security initiatives for each of the following?
(Shown: percentage of respondents. Columns: Significant challenge | 4 | 3 | 2 | Not a challenge)
    - Availability of resources: 20% | 36% | 28% | 11% | 5%
    - Adequate budget: 19% | 31% | 29% | 14% | 7%
    - Organizational awareness: 13% | 35% | 33% | 14% | 5%
    - Assessing new threats and vulnerabilities: 9% | 29% | 36% | 19% | 7%
    - Organizational change: 11% | 23% | 23% | 20% | 23%
    - Business uncertainty: 12% | 21% | 27% | 20% | 20%
    - Regulatory change or uncertainty: 8% | 22% | 31% | 23% | 16%
    - Understanding emerging technologies: 5% | 22% | 35% | 25% | 13%
    - Management sponsorship: 8% | 19% | 29% | 25% | 19%
  • 11. In addition, our survey revealed that there is a definite unwillingness for many organizations to outsource their security functions. With the exception of attack and penetration testing (55%) and security assessments/audits (44%), the majority of respondents indicated that they had no plans to outsource most of their security-specific activities.

Given this aversion to outsourcing and the fact that organizations continue to struggle to find and maintain adequate resources, it is clear that they need to look to other solutions to alleviate their resource challenges.

Which of the following security-specific activities have been outsourced or considered for outsourcing?
(Shown: percentage of respondents. Columns: Currently outsourced | Under evaluation/planned for outsourcing | No plans to outsource)
    - Attack and penetration testing: 55% | 18% | 27%
    - Security assessments/audits: 44% | 16% | 40%
    - Firewall or other device management: 30% | 9% | 61%
    - Application testing: 21% | 12% | 67%
    - Help desk: 23% | 7% | 70%
    - Forensics/fraud support: 14% | 13% | 73%
    - Disaster recovery/business continuity: 15% | 12% | 73%
    - Security training and awareness: 12% | 15% | 73%
    - Vulnerability/patch management: 17% | 8% | 75%
    - Incident response: 10% | 6% | 84%

While adoption of new technologies to automate and sustain controls can help offset the challenge of finding adequate human resources, organizations should be careful of becoming too reliant on technology at the expense of people and processes. Therefore, organizations should consider adopting co-sourced security models, wherein they can access appropriately skilled resources from their co-sourcing partners without relinquishing control over their security function to the degree associated with outsourcing.

Adequate budget

Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a high (4) or significant (5) challenge; this is a very notable increase of 17 percentage points over 2008 (33%). This is also particularly interesting in light of the fact that 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures, and 52% planned on maintaining the same level of spending.
  • 12. Addressing challenges (continued)

The survey results clearly show that information security budgets are not being significantly reduced, nor is the security function being asked to take on more responsibility than in previous years. So why do organizations continue to struggle to find adequate security budgets?

One contributing factor may be that 44% of the organizations that participated in the survey still don’t have a documented information security strategy. In the absence of a well-thought-out information security strategy, it will continue to be difficult to articulate and build the business case for an appropriate budget allocation, particularly in today’s economic climate. The lack of a cohesive strategy also makes it difficult to prioritize spending decisions and to ensure that scarce resources are being allocated to where they will provide the most benefit.

It is more important than ever for organizations to develop comprehensive, risk-based security strategies, prioritizing spend based on the value of the assets at risk, both in order to justify budget requests and to make sure that they are getting maximum benefit out of those budgets.

Does your organization have a documented information security strategy for the next one to three years?
(Shown: percentage of respondents)
    - Yes: 56%
    - No: 44%

Organizational security awareness

It has long been generally accepted that authorized users and employees pose the greatest security threat to an organization and that raising and maintaining the awareness level of those people is a crucial part of an effective information security strategy. In spite of this knowledge, this remains a significant challenge and a significant issue for many organizations. While most organizations (74%) have a security awareness program, less than half of all respondents indicated that their program includes such things as:
    - Updates and alerts on current threats (44%)
    - Informational updates on new hot topics (42%)
    - Specific awareness activities for high-risk groups such as social networking users (35%)

Furthermore, only 20% of respondents indicated that they measure the effectiveness of their awareness programs and modify those programs based on the results.

Social networking defined

Social networking is the interaction between people over the internet on websites that attempt to mimic real-life encounters. Social networking sites present many potential risks, including: identity theft, legal or libel issues, viruses, malicious code, as well as disclosure of sensitive company information. Organizations should take steps to inform and educate their people about the issues related to social networking as an important part of their security awareness programs.
  • 13. What elements are currently covered in your organization’s security awareness program?
(Shown: percentage of respondents)
    - General awareness of security topics in general: 74%
    - Review and agreement of compliance with current security policies and standards: 61%
    - Direct and frequent updates/alerts on current threats to the organization: 44%
    - Informational updates on new hot topics: 42%
    - Specific awareness activities or training sessions for high-risk user groups: 35%
    - Measuring the effectiveness of awareness activities and improving the program based on these measurements: 20%

Given that the challenge associated with organizational security awareness has not been reduced over time, it can be concluded that many current security training and awareness programs are not working as well as they could be. It should also be noted that 73% of respondents have no plans to outsource their security training and awareness programs. Yet, when we look closer at the 12% of respondents who currently outsource this activity, we find that organizational awareness is less likely to be a significant challenge. In fact, it does not make it into the top three challenges for these organizations. This may illustrate the fact that more organizations should begin to look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.

Our perspective

Our survey shows that organizations continue to be impacted by a lack of information security resources and inadequate budgets. They are also struggling to make improvements in the area of organizational security awareness. These challenges are not new, but they are increasing under the pressure of the current economic climate; information security leaders must explore new and more creative solutions, and improved operational efficiency should be considered a fundamental aspect of all new security initiatives.

Companies need to adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed. Organizations should also investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources, without turning over control to others. However, such steps should be taken with care, as the operation of security by third parties requires different management competencies from those used to manage and deliver security to an organization using internal resources only.
  • 14. Complying with regulations

Regulatory compliance continues to be one of the top priorities for organizations and an important objective of the information security function. When asked about the importance of specific information security activities, 46% of respondents indicated that achieving compliance with regulations was very important (5) with an additional 31% considering it important (4). This is not surprising, given the considerable attention and focus on compliance efforts over the last several years by most organizations.

How important is information security in supporting the following activities in your organization?
(Shown: percentage of respondents. Columns: Very important | 4 | 3 | 2 | Not important)
    - Protecting reputation and brand: 61% | 20% | 10% | 7% | 2%
    - Managing privacy and the protection of personal information: 53% | 27% | 15% | 4% | 1%
    - Achieving compliance with regulations: 46% | 31% | 14% | 6% | 3%
    - Achieving compliance with corporate policies: 38% | 36% | 19% | 5% | 2%
    - Supporting operational and (or) enterprise risk management: 27% | 39% | 25% | 7% | 2%
    - Protecting intellectual property: 40% | 25% | 20% | 10% | 5%
    - Improving IT and operational efficiencies: 26% | 37% | 26% | 9% | 2%
    - Improving stakeholder and investor confidence: 30% | 30% | 24% | 10% | 6%
    - Managing external vendors: 15% | 33% | 32% | 14% | 6%
    - Enhancing new service or product launches: 18% | 26% | 31% | 15% | 10%
    - Examining new and emerging technologies: 11% | 28% | 38% | 17% | 6%
    - Facilitating mergers, acquisitions and divestitures: 13% | 20% | 26% | 18% | 23%

Cost of compliance

When we asked how much companies were spending on compliance efforts, we found that 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. While this number is down from 65% for the preceding three years, only 5% of respondents plan on spending less over the next 12 months on regulatory compliance. This may be an indication that organizations are spending too much of their security budgets on demonstrating point-in-time compliance as opposed to implementing a comprehensive information security program where compliance is a by-product and not the primary driver.

The point is further supported by the fact that only 36% of our survey respondents have deployed a solution for continuous monitoring of security controls. Moving to a more risk-driven security program and leveraging continuous compliance monitoring technologies may allow organizations to reduce the amount they spend on demonstrating compliance and either reduce their overall security investment or focus it on more value-added information security services.
  • 15. What impact has regulatory compliance had on the annual cost of information security for your organization?
(Shown: percentage of respondents)
    - Significant increase in cost of information security: 16%
    - Moderate increase in cost: 39%
    - No change in cost: 40%
    - Cost was reduced: 5%

Compliance-driven improvements

When we look at the impact of regulatory compliance on the effectiveness of information security, we discover that 64% of respondents believe it has increased effectiveness, with 21% indicating a significant increase in effectiveness. For regulatory compliance to have this dramatic an effect on information security performance, we believe that for many organizations compliance is still the primary driver of information security improvements.

What impact has regulatory compliance had on the annual cost of information security for your organization?
(Shown: percentage of respondents)
    - Significant increase in the effectiveness: 21%
    - Moderate increase in the effectiveness: 43%
    - No change: 34%
    - Reduced the effectiveness: 2%
  • 16. Complying with regulations (continued)

Privacy laws and regulations

Data protection and privacy are key components of regulatory compliance and are gaining more attention from governments and regulators. The number and complexity of privacy-related regulations is increasing; yet, 68% of respondents state that they have a clear understanding of the privacy laws and regulations that may impact their organizations. In addition, 63% of respondents indicated that they include privacy requirements in contracts with external partners, vendors and contractors. Although it is encouraging that companies are recognizing their privacy requirements, it is also clear that far too few organizations have taken the necessary steps to protect personal information. Only 32% of respondents have produced an inventory of information assets covered by privacy requirements, and an even fewer number (26%) have conducted an assessment of the personal data life cycle (gathering, using, storing and disposing).

Which of the following statements can be made by your organization regarding privacy?
(Shown: percentage of respondents)
    - We have a clear understanding of the privacy laws and regulations that may impact the organization: 68%
    - We have included privacy requirements in contracts with external partners, vendors and contractors: 63%
    - We have implemented specific controls to protect personal information: 59%
    - We have established a response and management process specific to privacy-related incidents: 34%
    - We have produced an inventory of information assets covered by privacy requirements: 32%
    - We have implemented a process to monitor and maintain privacy-related controls: 29%
    - We have conducted an assessment of the personal data life cycle: 26%
  • 17. EuroPriSe

The EuroPriSe certification program offers a voluntary product audit. The procedure consists of an evaluation of the IT product or IT service by accredited legal and IT experts and a validation of the evaluation report by an independent certification body. The European Privacy Seal (EuroPriSe) visualizes that a product has been checked and approved by an independent privacy organization and indicates a trustworthy product that can be used in compliance with European data protection laws.

Privacy and protection of personal data will become an even greater challenge for organizations as new technologies and services, such as social networking, virtualization, cloud computing and radio-frequency identification (RFID) gain more widespread use. Privacy and data protection will also likely gain increased focus of governments and regulators as they attempt to keep privacy regulations out in front of the potential risks associated with these new technologies. The combination of increased regulations and technologies that facilitate a more open flow of personal information will present a significant challenge for even the most “privacy savvy” organizations.

Our perspective

Regulatory compliance has been a significant driver of information security for several years, and our survey confirms that it continues to significantly influence the information security agenda. Most organizations still spend a considerable amount of their information security budgets on compliance and plan to continue doing so in the coming year.

Organizations must formally detail all the regulations they are required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise. They also need to build an understanding of how their compliance efforts can be integrated into wider change programs, delivering greater business benefit. As part of these efforts, companies need to implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.

We also found compliance with privacy regulations to be a growing area of focus for many organizations, but with limited progress or improvement shown in the last year. Companies need to understand the scope of privacy within their operations and identify effective business champions who they can work with, to ensure that normal business processes and practices do not contribute to potential privacy violations. Consistent privacy policies and procedures are becoming the norm across globally distributed enterprises and something that all organizations should strive for.
  • 18. Leveraging technology
    When considering how organizations are leveraging new technologies, there are two distinct aspects related to information security that should be examined:
    1. Which technologies are organizations implementing to improve their information security programs?
    2. What are organizations doing to address the risks that are inherent with the introduction of new technologies?
    Our survey results provide an insight into how technology can have both a positive and negative effect on information security.
    Data leakage protection
    Due to increasing and new risks organizations are facing, data protection is now top of mind for many information security leaders. Implementing or improving data leakage prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified by 40% of respondents as one of their top three priorities. Implementing DLP technologies is now a higher priority for many organizations than both security awareness training (39%) and regulatory compliance (27%). Improving information security risk management (47%) was the only priority that topped DLP technologies from an overall perspective, but more respondents (19%) selected DLP as their first priority for the next year. It is also worth noting that 90% of respondents plan on spending relatively the same (47%) or more (43%) over the next year on implementing or improving DLP technologies and processes.
    Please indicate your top three security priorities for the coming 12 months?
    (values per row: 1st priority / 2nd priority / 3rd priority)
    - Improving information security risk management: 16% / 17% / 14%
    - Implementing/improving DLP technologies and processes: 19% / 12% / 9%
    - Internal security awareness and training: 11% / 14% / 14%
    - Regulatory compliance: 11% / 9% / 7%
    - Performing security testing: 4% / 8% / 12%
    - Risk management: 6% / 8% / 8%
    - Implementing/improving IAM technologies and processes: 8% / 6% / 6%
    - Implementing standards: 7% / 7% / 6%
    - Implementing virtualization technologies: 8% / 5% / 6%
    - Implementing/improving secure development processes: 2% / 5% / 7%
    - Staffing: 2% / 2% / 3%
    Shown: percentage of respondents
  • 19. DLP tools will be the leading security technology implemented over the next year. According to our survey results, 50% of respondents are at some stage of the evaluation and implementation process; 22% have planned an implementation within 12 months; and another 28% are currently evaluating the technology.
    However, it isn’t just DLP technology being implemented to protect data. Of the top information security technologies planned for implementation in the coming 12 months, most are also related to this objective, including: encryption of portable media (19%), laptop encryption (17%), email encryption (15%) and IAM products (15%). When we look at the information security technologies that are currently in use by our survey respondents, we find that three of the top five are also aimed at protecting sensitive data: content monitoring and filtering tools (69%), laptop encryption (41%), and email encryption (35%).
    Which of the following security technologies are used or have been identified for use by your organization?
    (values per row: currently using / planned within 12 months / under evaluation / not using)
    - Data leakage prevention tools: 25% / 22% / 28% / 25%
    - Encryption of portable media: 25% / 19% / 29% / 27%
    - Laptop encryption: 41% / 17% / 23% / 19%
    - Governance, risk and compliance tools: 36% / 17% / 24% / 23%
    - Email encryption: 35% / 15% / 25% / 25%
    - IAM products: 31% / 15% / 25% / 29%
    - Enhanced authentication (802.1x, tokens): 49% / 12% / 18% / 21%
    - Desktop encryption: 15% / 12% / 34% / 39%
    - Digital rights management: 14% / 10% / 31% / 45%
    - Content monitoring and filtering tools: 69% / 9% / 10% / 12%
    - Physical and logical security convergence: 24% / 9% / 26% / 41%
    Shown: percentage of respondents
    Data leakage prevention (DLP) defined
    Data leakage prevention (also known as data loss prevention or information leak prevention) is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information according to an organization’s policies or government and industry regulations. DLP solutions typically focus on preventing certain data or information from leaking out of the organization and detecting any unauthorized access or transmission of sensitive data.
    One of the most noteworthy survey findings is how few companies are encrypting their laptops. Only 41% of respondents are encrypting them today, with 17% planning to do so in the next year. This is notable for a number of reasons: many breaches have occurred and continue to occur due to loss or theft of laptops; the technology is readily available and affordable to implement; and the impact to users during deployment is relatively low and should no longer be a barrier.
  • 20. Leveraging technology (continued)
    Virtualization and cloud computing
    New technologies are making an impact in the corporate enterprise, particularly virtualization and cloud computing. Both are unquestionably receiving a lot of media attention, and given the current economic environment, virtualization offers some attractive options for business leaders looking to cut costs, increase manageability and improve overall IT efficiency. The potential cost savings from virtualization — essentially, a more efficient pooling of IT resources, including networks, servers and storage — can be significant. However, there are security-related concerns.
    Virtualization is one of the highest-ranking technologies for adoption, with 78% of respondents indicating that they will have implemented virtualization before the end of the next year. However, only 19% of the same respondents indicated that virtualization was a security priority. Clearly, our survey respondents do not recognize the same level of risk with virtualization as would be expected with such a significant and extensive change effort. More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications.
    Cloud computing is another technology that has been very visible recently in industry publications, with some analysts predicting the cloud computing services market to reach as high as US$42 billion by 2012 [1]. Yet, we are seeing adoption rates for cloud computing to be much slower compared to virtualization. Only 17% of respondents indicate that they are using the technology or planning to use it in the next year, and 47% state they have no plans for using the technology. However, a significant percentage (36%) of respondents are currently evaluating its use.
    Which of the following technologies are used or have been identified for use by your organization?
    (values per row: currently using / planned within 12 months / under evaluation / not using)
    - Grid computing: 7% / 5% / 31% / 57%
    - Cloud computing: 9% / 8% / 36% / 47%
    - Radio frequency identifiers: 15% / 4% / 29% / 52%
    - Voice over IP: 63% / 9% / 15% / 13%
    - Virtualization: 67% / 11% / 12% / 10%
    - Wireless: 69% / 6% / 10% / 15%
    - Storage area networks: 80% / 5% / 6% / 9%
    Shown: percentage of respondents
    Cloud computing defined
    Cloud computing essentially involves the outsourcing of computing capacity through third-party services over the internet, on an as-needed, “pay-as-you-go” basis. It can potentially help cut your power, storage, hardware, personnel and real estate-related costs. In addition, some companies are also employing a version of cloud computing — known as “Software-as-a-Service” (SaaS) — to help reduce daily technical operations and support business and consumer software.
    [1] Source: IDC survey of 244 IT leaders released October 2008
  • 21. Key information security risks and considerations for virtualization
    - Spread the risk — Companies should spread out the critical application instances across physical machines as much as possible. This can be accomplished by combining them with different types of applications while maintaining an appropriate ratio between physical and virtual machines. This helps achieve higher application availability and reduce security risks.
    - Limit access — Inappropriate access to server administrative interfaces can expose numerous production applications at once in virtualized environments. Develop a checklist in accordance with leading practices for securing administrative interfaces, including strict password policies and file permissions.
    - Use secure networks — Secure networks should be utilized for data migrations involving virtualization software, since data is not typically encrypted in these migrations.
    - Monitor threats — Properly functioning applications on virtual machines can hide latent security vulnerabilities. Thus, it is critical to continuously monitor both the virtual machines and the underlying virtual machine monitor for potential threats.
    Cloud computing has its own potential data privacy and security issues. The companies that provide cloud computing services may provide those services in different data systems in various data centers in cities around the world. Unlike a more traditional IT outsourcing arrangement, cloud computing clients do not have dedicated servers or dedicated lines. This raises issues about exactly where clients’ data exists, and under whose jurisdiction it resides at any one given point in time. In addition, the possible need to recode data may increase the exposure to errors and security risks.
    Our perspective
    Technology can play a major role in helping a company meet its information security and larger business objectives. However, technology can also expose an organization to additional risks.
    Our survey suggests that some organizations may be more focused on the benefits and cost savings than on any possible security issues related to the new technologies. Organizations must assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization’s ability to protect its assets.
    New evolving security technologies can potentially deliver substantial benefits to the overall management of information security across an enterprise. However, the deployment of such technologies must continue to be investigated to further ensure that they are fit for purpose and will deliver the benefits required.
    Each organization needs to define its position on new IT delivery models, including virtualization and cloud computing, to ensure that any decisions made are consistent with the overall business strategy, as well as the information technology strategy and direction of the organization.
  • 22. Summary
    Our 2009 survey shows that companies and information security leaders are facing an environment of change; escalating levels of risk, new challenges and increasing regulatory complexity are now driving information security decisions. Companies are also struggling to leverage new technologies — to get the most benefit and cost savings possible — while understanding the potential security impact to the organization.
    Our survey also revealed that many organizations continue to be challenged by a lack of skilled information security resources and inadequate budget. These challenges have been identified in our previous surveys, but this year, they have become more significant, driven by heightened economic uncertainty.
    To address the risks and challenges of the changing environment, information security leaders are abandoning the old paradigms and taking a more information-centric view of security. It is a more flexible, risk-based approach that is focused on protecting the organization’s critical information, and more suited to supporting a connected business model and today’s increasingly mobile and global workforce.
    By leveraging the information in this survey and taking action on the suggestions for improvement, organizations can achieve more effective information security and continue to outpace change.
    Key survey findings
    Managing risks
    - Improving information security risk management is a top security priority for the next year.
    - External and internal attacks are increasing.
    - Reprisals from recently separated employees have become a major concern.
    Addressing challenges
    - Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
    - Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
    - Security training and awareness programs are falling short of expectations.
    Complying with regulations
    - Regulatory compliance continues to be an important driver for information security.
    - Cost of compliance remains high, with few companies planning to spend less in the next 12 months.
    - Too few organizations have taken the necessary steps to protect personal information.
    Leveraging technology
    - Implementing DLP technologies is the top security priority for many organizations.
    - The lack of endpoint encryption remains a key risk with few companies encrypting laptops or desktop computers.
    - Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.
  • 23. Our perspective
    Managing risks
    - Develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.
    - Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.
    - Take an information-centric view of security, better aligned with the organization’s information flows.
    - Continue to integrate information security with the business — becoming a flexible, responsible corporate citizen, rather than an “obstacle” to achieving business objectives.
    Addressing challenges
    - Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.
    - Investigate potential co-source security alternatives, which may help provide much-needed access to skilled resources, without turning over control to others.
    Complying with regulations
    - Formally detail the regulations an organization is required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.
    - Build an understanding of how compliance efforts can be integrated into wider change programs, delivering greater business benefit.
    - Implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.
    - Gain an understanding of the scope of privacy within operations and identify effective business champions to help ensure that normal business processes and practices do not contribute to potential privacy violations.
    Leveraging new technology
    - Assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization’s ability to protect its assets.
    - Investigate the deployment of new security technologies to ensure that they are fit for purpose and will deliver the benefits required.
    - Define a position on new IT delivery models, such as virtualization and cloud computing, to ensure alignment with the overall business strategy and information technology strategy.
  • 24. Survey approach
    Ernst & Young’s 12th annual global information security survey was developed with the help of our assurance and advisory clients in more than 60 countries. This year’s survey was conducted between June 2009 and August 2009. Nearly 1,900 organizations across all major industries participated.
    Methodology
    The questionnaire was distributed to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process. Most of the survey responses were collected during face-to-face interviews with individuals responsible for information security at the participating organizations. When this was not possible, the questionnaire was administered electronically via the Internet.
    If you wish to participate in Ernst & Young’s 13th annual global information security survey, you can do so by contacting your local Ernst & Young office or visiting www.ey.com and completing a brief request form.
    Profile of 2009 survey participants
    Survey participants by region (pie chart): Americas, Asia/Pacific, Europe, Middle East/Africa; slice values 9%, 29%, 33%, 29%.
    Shown: percentage of respondents
  • 25. Survey participants by major industry group
    - Financial services: 30%
    - Manufacturing: 16%
    - Retail, wholesale & distribution: 10%
    - Technology: 7%
    - Energy & utilities: 7%
    - Health services: 6%
    - Government & public sector: 6%
    - Other: 19%
    Shown: percentage of respondents
    Survey participants by annual revenue (US$)
    - $10 billion or more: 12%
    - $1 billion–$9 billion: 23%
    - $500 million–$999 million: 9%
    - $100 million–$499 million: 22%
    - Less than $100 million: 28%
    - Not applicable: 6%
    Shown: percentage of respondents
    Survey participants by job title
    - Chief Information Officer: 19%
    - Information Technology Executive: 16%
    - Information Security Executive: 13%
    - Chief Information Security Officer: 12%
    - Chief Security Officer: 5%
    - Chief Technology Officer: 3%
    - Other: 34%
    Shown: percentage of respondents
  • 26. About Ernst & Young
    At Ernst & Young, our services focus on our individual clients’ specific business needs and issues because we recognize that every need and issue is unique to that business.
    Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity to get closer, more focused and faster in responding to customers, and can redefine both the effectiveness and efficiency of operations. But as opportunity grows, so does risk. Effective information technology risk management helps you to improve the competitive advantage of your information technology operations, to make these operations more cost efficient and to manage down the risks related to running your systems. Our 6,000 information technology risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective advice — wherever you are in the world. We work with you to develop an integrated, holistic approach to your information technology risk or to deal with a specific risk and information security issue. We understand that to achieve your potential you need a tailored service as much as consistent methodologies. We work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference.
    For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or any of the people listed in the table below.
    Contacts
    Global
    - Norman Lonergan (Advisory Services Leader, London): +44 (0) 20 7980 0596
    - Paul van Kessel (IT Risk and Assurance Services Leader, Amsterdam): +31 88 40 71271
    Advisory Services
    - Robert Patton (Americas Leader, Atlanta): +1 404 817 5579
    - Norman Lonergan (Europe, Middle East, India and Africa Leader, London): +44 (0) 20 7980 0596
    - Robert Der (Far East Leader, Shanghai): +86 21 2228 2666
    - Isao Onda (Japan Leader, Chiba-shi): +81 4 3238 7011
    - Doug Simpson (Oceania Leader, Sydney): +61 2 9248 4923
    IT Risk and Assurance Services
    - Bernie Wedge (Americas Leader, Atlanta): +1 404 817 5120
    - Paul van Kessel (Europe, Middle East, India and Africa Leader, Amsterdam): +31 88 40 71271
    - Troy Kelly (Far East Leader, Hong Kong): +81 2 2629 3238
    - Giovanni Stagno (Japan Leader, Chiyoda-ku): +81 3 3503 1100
    - Iain Burnet (Oceania Leader, Perth): +61 8 9429 2486
  • 27. Ernst & Young
    Assurance | Tax | Transactions | Advisory
    About Ernst & Young
    Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
    For more information, please visit
    Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
    About Ernst & Young’s Advisory Services
    The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 18,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization, you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.
    © 2009 EYGM Limited. All Rights Reserved. EYG no. XXXXXX
    Ernst & Young is committed to minimizing its impact on the environment.
    This document has been printed using recycled paper and vegetable-based ink. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.