2009 Giss Summary Nov09
    Presentation Transcript

    • Outpacing change: Ernst & Young's 12th annual Global Information Security Survey. Summary meeting deck, November 2009.
    • Contents
      • Introduction
      • Key survey findings
      • Managing risks
      • Addressing challenges
      • Complying with regulations
      • Leveraging technology
      • Our perspective
      • Appendix: profile of survey participants
      Confidential – Ernst & Young 2009 Global Information Security Survey | Page 1
    • Ernst & Young's 12th annual Global Information Security Survey
      Ernst & Young's 12th annual Global Information Security Survey (GISS) is one of the longest running and most highly respected surveys of its kind, providing our clients an opportunity to compare their organization with others on important information security issues and gain insights for making key decisions. This year's survey was conducted from 1 June to 31 July 2009, with 1,865 organizations in 61 countries and across all major industries participating. Our 2009 GISS specifically examines how organizations are addressing their information security needs while staying ahead of change: adopting new technologies, complying with new regulations and operating in a changing global business environment.
    • Key survey findings
      Managing risks
      • Improving information security risk management is the top security priority over the next year.
      • External and internal attacks are increasing.
      • Reprisals from recently separated employees have become a major concern.
      Addressing challenges
      • Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
      • Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
      • Security training and awareness programs are falling short of expectations.
      Complying with regulations
      • Regulatory compliance continues to be an important driver for information security.
      • Cost of compliance remains high, with few companies planning to spend less in the next 12 months.
      • Too few organizations have taken the necessary steps to protect personal information.
      Leveraging technology
      • Implementing DLP technologies is a top security priority for many organizations.
      • The lack of endpoint encryption remains a key risk, with few companies encrypting laptops or desktop computers.
      • Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.
    • Managing risks
    • Managing risks: Improving information security risk management is the top security priority over the next year.
      Survey results:
      • Improving information security risk management was the top security priority for our survey participants, with 50% of respondents indicating that they plan to spend more and 39% planning to spend relatively the same amount on this initiative over the next year.
      Our perspective:
      • Companies need to take an information-centric view of security to ensure better alignment with their information flows. Only by understanding the use of information within critical business processes can an organization truly begin to manage its security needs.
      • Continue to integrate information security with the business, becoming a flexible, responsible corporate citizen rather than an "obstacle" to achieving business objectives.
    • Managing risks: External and internal attacks are increasing.
      Survey results:
      • Our survey found that 41% of respondents noted an increase in external attacks.
      • 25% of respondents witnessed an increase in internal attacks, and 13% reported an increase in internally perpetrated fraud.
      Our perspective:
      • To manage the increased external and internal risks, companies should undertake a specific risk assessment exercise to identify their potential exposure within this sphere and put in place appropriate risk-based responses.
    • Managing risks: Reprisals from recently separated employees have become a major concern.
      Survey results:
      • A full 75% of respondents revealed that they are concerned (33% are very concerned) about possible reprisals from employees recently separated from their organizations.
      • Survey results also show that 42% of respondents are trying to understand the potential risks related to this issue, and 26% are already taking steps to help mitigate the risks.
      Our perspective:
      • To manage the increased risks related to employee reprisals, companies should develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.
    • Addressing challenges
    • Addressing challenges: Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
      Survey results:
      • The primary challenge to effectively delivering information security was the lack of appropriate resources, with 56% of respondents ranking this as a high (4) or significant (5) challenge (on a 1 to 5 scale); this is an increase of eight percentage points compared to our 2008 survey results (48%).
      Our perspective:
      • Organizations should investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources without turning over control to others.
      • Such steps should be taken with care, as the operation of security by third parties requires different management competencies from those used to manage and deliver security to an organization using internal resources only.
    • Addressing challenges: Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
      Survey results:
      • Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a high (4) or significant (5) challenge. This is a very notable increase of 17 percentage points over 2008 (33%).
      • However, 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures, and 52% planned on maintaining the same level of spending.
      Our perspective:
      • Companies need to adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.
    • Addressing challenges: Security training and awareness programs are falling short of expectations.
      Survey results:
      • While most organizations (74%) have a security awareness program, less than half of all respondents indicated that their program includes such things as updates and alerts on current threats (44%), informational updates on new hot topics (42%), and specific awareness activities for high-risk groups such as social networking users (35%).
      • 73% of respondents have no plans to outsource their security training and awareness programs.
      Our perspective:
      • More organizations should begin to look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.
    • Complying with regulations
    • Complying with regulations: Regulatory compliance continues to be an important driver for information security.
      Survey results:
      • When asked about the importance of specific information security activities, 46% of respondents indicated that achieving compliance with regulations was very important (5), with an additional 31% considering it important (4).
      Our perspective:
      • Organizations must formally detail all the regulations they are required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.
      • They also need to build an understanding of how their compliance efforts can be integrated into wider change programs, delivering greater business benefit.
    • Complying with regulations: Cost of compliance remains high, with few companies planning to spend less in the next 12 months.
      Survey results:
      • 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs.
      • Only 5% of respondents plan on spending less over the next 12 months on regulatory compliance.
      Our perspective:
      • Organizations are spending too much of their security budgets on demonstrating point-in-time compliance and need to implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.
    • Complying with regulations: Too few organizations have taken the necessary steps to protect personal information.
      Survey results:
      • 68% of respondents stated that they have a clear understanding of the privacy laws and regulations that may impact their organizations.
      • Only 32% of respondents have produced an inventory of information assets covered by privacy requirements, and even fewer (26%) have conducted an assessment of the personal data life cycle (gathering, using, storing and disposing).
      Our perspective:
      • Companies need to understand the scope of privacy within their operations and identify effective business champions they can work with, to ensure that normal business processes and practices do not contribute to potential privacy violations.
    • Leveraging technology
    • Leveraging technology: Implementing DLP technologies is a top security priority for many organizations.
      Survey results:
      • 40% of respondents identified implementing DLP technologies as one of their top three priorities, with 19% selecting DLP as their first priority for the next year.
      • 50% of respondents are at some stage of the evaluation and implementation process; 22% have planned an implementation within 12 months, and another 28% are currently evaluating DLP technology.
      Our perspective:
      • New evolving security technologies can potentially deliver substantial benefits to the overall management of information security across an enterprise. However, the deployment of such technologies must continue to be investigated to further ensure that they are fit for purpose and will deliver the benefits required.
    • Leveraging technology: The lack of endpoint encryption remains a key risk, with few companies encrypting laptops or desktop computers.
      Survey results:
      • Only 41% of respondents are encrypting their organization's laptops today, with 17% planning to do so in the next year.
      Our perspective:
      • Many breaches have occurred and continue to occur due to loss or theft of laptops.
      • Organizations should make use of endpoint encryption technology, because it is readily available and affordable to implement, and the impact to users during deployment is relatively low and should no longer be a barrier.
    • Leveraging technology: Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.
      Survey results:
      • 78% of respondents indicated that they will have implemented virtualization before the end of the next year.
      • Only 19% of the same respondents indicated that virtualization was a security priority.
      Our perspective:
      • Organizations must assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the potential impact upon the organization's ability to protect its assets.
      • Each organization needs to define its position on new IT delivery models, including virtualization and cloud computing, to ensure that any decisions made are consistent with the overall business strategy, as well as the information technology strategy and direction of the organization.
    • Our perspective
    • Our perspective
      Managing risks
      • Take an information-centric view of security, better aligned with the organization's information flows.
      • Continue to integrate information security with the business, becoming a flexible, responsible corporate citizen rather than an "obstacle" to achieving business objectives.
      • Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.
      • Develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.
      Addressing challenges
      • Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.
      • Investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources without turning over control to others.
      • Organizations should look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.
      Complying with regulations
      • Formally detail the regulations an organization is required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.
      • Build an understanding of how compliance efforts can be integrated into wider change programs, delivering greater business benefit.
      • Implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.
      • Gain an understanding of the scope of privacy within operations and identify effective business champions to help ensure that normal business processes and practices do not contribute to potential privacy violations.
      Leveraging technology
      • Assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization's ability to protect its assets.
      • Investigate the deployment of new security technologies to ensure that they are fit for purpose and will deliver the benefits required.
      • Define a position on new IT delivery models, such as virtualization and cloud computing, to ensure alignment with the overall business strategy and information technology strategy.
    • Appendix: profile of survey participants
    • Survey participants by geography: 1,865 participants from 61 countries
      [World map with per-country participant counts; the map labels did not survive extraction in a recoverable order.]
      Note: 27 other countries with 10 or less participants.
    • Survey participants by industry groups
      Asset Management: 68
      Automotive: 40
      Banking & Capital Markets: 343
      Consumer Products: 99
      Government & Public Sector: 106
      Insurance: 142
      Media & Entertainment: 49
      Pharmaceutical: 44
      Power & Utilities: 124
      Professional Services: 39
      Provider Care: 66
      Real Estate & Construction: 46
      Retail & Wholesale: 124
      Technology: 137
      Telecommunications: 63
      Note: additional 375 participants from other industry groups.
    • Survey participants by revenue
      More than $24 billion: 112
      $10 billion - $24 billion: 115
      $1 billion - $9 billion: 433
      $500 million - $999 million: 163
      $250 million - $499 million: 176
      $100 million - $249 million: 249
      Less than $100 million: 523
      Not applicable: 92
    • Survey participants by title
      Chief Information Officer: 350
      Information Technology Executive: 296
      Information Security Executive: 237
      Chief Information Security Officer: 219
      Chief Security Officer: 85
      Chief Technology Officer: 47
      Business Unit Executive / Vice President: 24
      Internal Audit Director: 21
      Network/System Administrator: 13
      Chief Risk Officer: 11
      Chief Financial Officer: 11
      Chief Executive Officer: 11
      Chief Operating Officer: 6
      Chief Compliance Officer: 3
      General Counsel: 2
      Note: additional 527 participants with other titles.
    • Ernst & Young: Assurance | Tax | Transactions | Advisory
      About Ernst & Young
      Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 135,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential.
      About Ernst & Young's Information Technology Risk and Assurance Services
      Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity to get closer, more focused and faster in responding to customers, and can redefine both the effectiveness and efficiency of operations. But as opportunity grows, so does risk. Effective information technology risk management helps you to improve the competitive advantage of your information technology operations, to make these operations more cost efficient and to manage down the risks related to running your systems. Our 6,000 information technology risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective advice, wherever you are in the world. We work with you to develop an integrated, holistic approach to your information technology risk or to deal with a specific risk and security issue. And because we understand that, to achieve your potential, you need a tailored service as much as consistent methodologies, we work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It's how Ernst & Young makes a difference.
      For more information, please visit www.ey.com.
      © 2009 EYGM Limited. All Rights Reserved. Proprietary and confidential. Do not distribute without written permission. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.