This document discusses the results of Ernst & Young's 2010 Global Information Security Survey. Some key findings include:
- 60% of respondents perceived an increase in risk due to new technologies like social media, cloud computing, and mobile devices.
- 46% planned to increase spending on information security.
- Increased workforce mobility and data leakage were significant challenges for many organizations.
- Many organizations are taking steps to address mobile security risks through policies, encryption, and identity management controls.
Prof m01-2013 global information security workforce study - final SelectedPresentations
The document summarizes key findings from a survey of over 12,000 information security professionals conducted in 2012. Some of the main findings include:
1) Application vulnerabilities, malware, and mobile devices were the top security concerns. Concern over cloud-based services also increased significantly since the previous survey in 2011.
2) Information security is seen as a stable career path, but workforce shortages persist. Knowledge and certification are important for career success and advancement.
3) While attack remediation is believed to be rapid, preparedness for security incidents showed signs of strain, with twice as many respondents saying preparedness had worsened compared to 2011.
The document provides an executive summary and key findings of the 2013 (ISC)2 Global Information Security Workforce Study, which surveyed over 12,000 information security professionals worldwide. Some of the main points from the summary are:
- The information security profession is large, growing, and dynamic as it must adapt to changing IT environments and evolving threats.
- While the field remains stable, there are shortages of professionals. Knowledge and certification are important for career success.
- Application vulnerabilities are the top security concern, followed by malware and mobile devices.
- While attack response is expected to be rapid, security incident preparedness may be strained.
- Information security professionals are seen as more important than
PwC study: information security and data protection (2014) PwC France
The document summarizes the key findings of the 2014 Global State of Information Security Survey conducted by PwC. It finds that while organizations have made improvements in security, they have not kept pace with today's sophisticated adversaries. As a result, many rely on outdated security practices that are ineffective against current threats. The survey also finds that security budgets and detected incidents are increasing, but costs per incident are rising as well. Leaders are more proactive in security and better able to detect and understand incidents. However, more work is still needed to address issues like mobile security, cloud services, and the growing insider threat.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Most tech and healthcare executives surveyed viewed cyber attacks as a serious threat to their business and data. While over half were moderately confident in their own security, far fewer were confident in their partners' security. In response, 98% of companies are maintaining or increasing cybersecurity resources, focusing more on response than prevention. Over half of companies now offer cybersecurity as part of their products and services. Increased media coverage has heightened awareness of cyber threats for many executives.
In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity.
Highlights
- 98% are maintaining or increasing resources devoted to cyber security
- 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur
- Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners
The top challenges to expect in network security in 2019 survey report Bricata, Inc.
The Bricata team conducted a survey to ask cybersecurity professionals about the challenges and opportunities they face in network security.
64% of respondents say network security is harder this year as compared to last and for a range of reasons. This includes the sophistication of threats, but also the proliferation of IT infrastructure and the complexity of environments given the changes stemming from cloud, IoT and BYOD, among others.
While insider threats (44%) and IT infrastructure (42%) topped the list of network security challenges, no single topic drew a simple majority. Lack of leadership support, security technology interoperability, shadow IT, BYOD and the deluge of security alerts were among the top 10.
Most organizations used between 1-10 tools for the purpose of network security. About one-third of respondents said these tools were not integrated, while another 28% said these tools were just somewhat integrated. No respondents indicated tools in their environment were completely integrated.
About a quarter (26%) of respondents say their organization receives 1,000 or more security alerts per day. More importantly, the vast majority (84%) say these require 5 or more minutes each to triage. “A decent number of false-positives waste quite a bit of time,” wrote one respondent. “On the other hand, some alerts are critical, but we are missing vital information, which we then spend ages trying to locate.” Some admit they just can’t review all alerts.
While just about one-third (32%) say they are doing threat hunting today – a majority (61%) of respondents believe that threat hunting will be either more important or much more important in the next 12 months.
Security analytics, security integration and behavioral analysis were the top three areas of security respondents said organizations should focus on over the next year. Interestingly, collaboration outranked machine learning and AI as a recommended area of focus.
Some 34% of respondents said the relationship between security and DevOps is strong, while 27% said it isn’t. By contrast, 51% of respondents said the relationship between security and the business is strong, while 22% said it isn’t.
Research insights - state of network security Miguel Mello
This document summarizes the findings of a survey conducted by the Enterprise Strategy Group on the state of network security. The key findings are:
1) Network security operations have become more difficult for most organizations in the last two years due to factors like more devices/traffic on networks and evolving cyber threats.
2) While many organizations monitor network traffic and metadata for visibility, three-quarters believe visibility across their networks could be improved.
3) Adding more security tools may not solve challenges, as organizations already use 5-7 tools on average. A platform approach could better integrate existing tools.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Current endpoint security approaches were found to be ineffective and costly. IT operating costs were rising mainly due to lost productivity and increased malware incidents.
This document contains a summary of articles from the (IN)SECURE Magazine issue for October/November 2016. It lists the editor and contributors and provides contact information. It then summarizes several articles:
1) It discusses an Online Trust Alliance report finding that most IoT device vulnerabilities could have been avoided through better security practices during development.
2) It summarizes updates to the PCI payment device security standard to require more robust protections against physical tampering and malware.
3) It provides projections for growth in the public cloud services market to $208.6 billion in 2016, with infrastructure as a service growing the most at 42.8%.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
The survey of 250 cybersecurity professionals attending the 2016 Black Hat conference found that concerns about major data breaches are increasing. Nearly three-quarters felt a breach at their organization in the next year was likely, up slightly from 2015. Respondents also reported shortages in security staff, budget, and training, making it difficult to address emerging threats like phishing and targeted attacks. The survey highlights how cybersecurity risks are rising as resource constraints grow.
McAfee Labs explores top threats expected in the coming year.
Welcome to the McAfee Labs 2017 Threats Predictions report. We have split this year’s report into two sections. The first section digs into three very important topics, looking at each through a long lens. The second section makes specific predictions about threats activity in 2017. Our predictions for next year cover a wide range of threats, including ransomware, vulnerabilities of all kinds, the use of threat intelligence to improve defenses, and attacks on mobile devices.
Mobile Security: Is Your Company Prepared for 2020? AGILLY
Hello,
We thought this webinar would interest you.
How mobility, the Internet of Things and artificial intelligence will impact your digital transformation.
All modern companies are working to accelerate their digital transformation, putting immense pressure on IT leaders to deliver new and ambitious projects. This comes at a time when IT and security teams are being asked to integrate more closely. Meanwhile, the day-to-day work of managing users, devices, applications and content is becoming more cumbersome.
Watch this webinar again, which presents the Forrester study based on input from 556 IT professionals. Discover what the future holds for mobility, endpoints and IoT in 2020:
Which IT team will be responsible for securing the IoT?
How many systems will be needed to manage the endpoints of the future?
To what extent will your core environment change radically in a few years?
By 2020, what percentage of organizations will use computing powered by Artificial Intelligence and Cognitive Analytics?
This survey was conducted from July 28-30, 2014 with 82 respondents involved in purchasing or managing mobile device security at their organizations. Key findings include: three of five organizations allow personal devices but only support them sometimes; lost/stolen devices caused one third of data compromises; and passwords, remote wipes, and encryption are security solutions a majority plan to use in the next year. Most organizations are only somewhat confident current measures can prevent issues and over half plan to tighten BYOD policies.
Sharing the blame: How companies are collaborating on data security breaches, is an Economist Intelligence Unit research project, sponsored by Akamai Technologies, exploring the ways in which organisations are collaborating to deal with the disclosure of data security breaches. How are they co-operating with governments, other companies and third parties in areas such as requirements for the public disclosure of such breaches? Do they have consistent cyber security policies? To what extent are they sharing best practices?
Webcast outlines how IT security and operations can address top security concerns and challenges and adapt to new technologies and trends surrounding the endpoint.
Ponemon Institute Data Breaches and Sensitive Data Risk Fiona Lew
This document summarizes the results of a survey of 432 IT and security professionals about data breaches and sensitive data risks. Key findings include:
- The top concerns are not knowing where sensitive data is located and not knowing the data risk. A data breach is also the top security risk.
- Few respondents know the risk level of structured, unstructured, cloud, or big data, and data breach risks are seen as increasing.
- Companies use automated and classification tools to discover sensitive data and assess risk, but what is tracked is uncertain.
- Emerging trends like mobility and the "consumerization of IT" will most influence future security decision-making.
The document discusses strategies for preventing and protecting against data breaches. It notes that the number of data breaches reached a record high in 2014, with nearly 1 million new malware threats daily. While complete security is impossible, businesses must adapt through cost-effective security solutions. The document recommends asking what is currently being done to prevent breaches, what limitations exist, and how data/systems protection is validated. It advocates layered prevention and protection strategies, including regular security assessments to identify vulnerabilities, encryption of sensitive data, effective backups that facilitate rapid recovery, and ensuring basic tasks like patch and antivirus management are properly performed.
The document discusses how investing more in cybersecurity does not necessarily lead to better outcomes. While 99% of organizations have a security risk management strategy, those that are confident in their strategy (42%) significantly outperform those that are not (57%) in key business metrics like costs, efficiency, and customer satisfaction. The document advocates for focusing on a risk management strategy that is business-driven and updated regularly rather than excessive spending on cybersecurity, in order to free up resources for digital transformation initiatives. It provides perspectives from IT professionals on challenges with visibility, staying current on threats, and needing a framework to guide decisions.
The document summarizes the key findings of the 2011 Global Information Security Workforce Study conducted by Frost & Sullivan. Some of the main points from the summary include:
1) Application vulnerabilities were reported as the number one threat to organizations, with over 20% of security professionals reporting involvement in software development.
2) Mobile devices were the second highest security concern, despite most professionals having policies and tools in place to defend against mobile threats.
3) A skills gap exists as new technologies like cloud computing and social media are being adopted without sufficient security training for professionals. Over 70% needed new skills for cloud security.
4) The information security workforce is projected to grow significantly from 2.28 million in 2010
This year, CSO partnered with the CERT® Division of Software Engineering Institute at Carnegie Mellon University, U.S. Secret Service and KnowBe4 to evaluate trends in the frequency and impact of cybersecurity incidents
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ... FireEye, Inc.
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
In its second year, IDG’s 2018 Security Priorities study was conducted to gain a better understanding of organizations’ current and future security posture.
The survey found that organizations do not feel more secure than the previous year due to ineffective endpoint security technologies. Malware incidents are increasing and driving up IT costs. Zero-day attacks, SQL injections, and exploiting old software vulnerabilities are the biggest challenges. Respondents expect the top IT security risks in the next year will be negligent or malicious insiders, mobile device threats, and advanced persistent threats. Current approaches to endpoint security are costly and ineffective at preventing the rise of malware attacks through third-party and web-based applications.
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
The 2010 IOUG Data Security Survey was conducted by Unisphere Research and sponsored by Oracle. It surveyed 430 members of the Independent Oracle Users Group on data security practices. The survey found that fewer than 30% encrypt personally identifiable information in databases, and close to 40% send unprotected or unsurely protected live data to external parties. Also, over 75% cannot prevent privileged users from accessing application data, and almost two-thirds cannot detect privileged user abuse. Overall, two-thirds expect or are unsure about a security incident in the next year. The survey assessed data privacy, access controls, activity monitoring, and operational security at respondents' organizations.
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a... Capgemini
Are banks and insurers a safe pair of hands when it comes to customer data? Our global survey of more than 180 senior data privacy and security professionals – as well as 7,600 consumers – found that less than a third (29%) of these organizations offer both strong data privacy practices and a sound security strategy. Just one in five (21%) are highly confident that they can detect a cybersecurity breach.
This picture has so far not unduly affected consumers’ perceptions of the industry. We found that 83% of consumers trust banks and insurers when it comes to data. And while one in four institutions have reported being victim of a hack, just 3% of consumers believe their own bank or insurer has ever been breached. However, with the pending General Data Protection Regulation (GDPR) regulations, this trust factor is likely to change as transparency increases. Financial organizations have to reveal a data breach 72 hours after the incident.
Banks and insurance firms have a clear incentive therefore to fortify their defences. As well as avoiding the prohibitive fines and penalties that will result from compromised data, protecting privacy offers a strategic business advantage. Addressing security concerns will drive greater adoption of low-cost digital channels. We found that security concerns deter nearly half of consumers (47%) from using digital channels. It will also reduce churn and attract competitors’ customers – 74% of consumers would switch their bank or insurer in the event of a data breach.
Preparing to be a trusted data steward is no easy task, however. It means raising the bar on multiple dimensions:
• Aligning data practices with consumers’ expectations
• Finding innovative ways of providing non-intrusive security to consumers
• Building the capabilities required to monitor cyber risks on a real-time basis
• Revisiting the data governance model.
Building your reputation for data privacy and robust security is definitely challenging. But, those who strike the right chord with consumers will enjoy a competitive advantage over their peers. The winners will be those who triumph in the trust game.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Current endpoint security approaches were found to be ineffective and costly. IT operating costs were rising mainly due to lost productivity and increased malware incidents.
This document contains a summary of articles from the (IN)SECURE Magazine issue for October/November 2016. It lists the editor and contributors and provides contact information. It then summarizes several articles:
1) It discusses an Online Trust Alliance report finding that most IoT device vulnerabilities could have been avoided through better security practices during development.
2) It summarizes updates to the PCI payment device security standard to require more robust protections against physical tampering and malware.
3) It provides projections for growth in the public cloud services market to $208.6 billion in 2016, with infrastructure as a service growing the most at 42.8%.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
The survey of 250 cybersecurity professionals attending the 2016 Black Hat conference found that concerns about major data breaches are increasing. Nearly three-quarters felt a breach at their organization in the next year was likely, up slightly from 2015. Respondents also reported shortages in security staff, budget, and training, making it difficult to address emerging threats like phishing and targeted attacks. The survey highlights how cybersecurity risks are rising as resource constraints grow.
McAfee Labs explores top threats expected in the coming year.
Welcome to the McAfee Labs 2017 Threats Predictions
report. We have split this year’s report into two sections.
The first section digs into three very important topics,
looking at each through a long lens.
The second section makes specific predictions about
threats activity in 2017. Our predictions for next year
cover a wide range of threats, including ransomware,
vulnerabilities of all kinds, the use of threat intelligence
to improve defenses, and attacks on mobile devices.
Mobile Security: Is Your Business Prepared for 2020? AGILLY
Hello,
We thought this webinar would be of interest to you.
How mobility, the Internet of Things and artificial intelligence will impact your digital transformation.
All modern businesses are working to accelerate their digital transformation, putting immense pressure on IT leaders to deliver new and ambitious projects. This comes at a time when IT and security teams are being asked to integrate more closely. Meanwhile, the day-to-day work of managing users, devices, applications and content is becoming more cumbersome.
Watch this webinar again; it presents the Forrester study, based on input from 556 IT professionals. Discover what the future holds for mobility, endpoints and IoT in 2020:
Which IT team will be responsible for securing the IoT?
How many systems will be needed to manage the endpoints of the future?
To what extent will your core environment change radically in a few years?
By 2020, what percentage of organizations will use computing powered by artificial intelligence and cognitive analytics?
This survey was conducted from July 28-30, 2014 with 82 respondents involved in purchasing or managing mobile device security at their organizations. Key findings include: three of five organizations allow personal devices but only support them sometimes; lost/stolen devices caused one third of data compromises; and passwords, remote wipes, and encryption are security solutions a majority plan to use in the next year. Most organizations are only somewhat confident current measures can prevent issues and over half plan to tighten BYOD policies.
Sharing the blame: How companies are collaborating on data security breaches, is an Economist Intelligence Unit research project, sponsored by Akamai Technologies, exploring the ways in which organisations are collaborating to deal with the disclosure of data security breaches. How are they co-operating with governments, other companies and third parties in areas such as requirements for the public disclosure of such breaches? Do they have consistent cyber security policies? To what extent are they sharing best practices?
Webcast outlines how IT security and operations can address top security concerns and challenges and adapt to new technologies and trends surrounding the endpoint.
Ponemon Institute Data Breaches and Sensitive Data Risk Fiona Lew
This document summarizes the results of a survey of 432 IT and security professionals about data breaches and sensitive data risks. Key findings include:
- The top concerns are not knowing where sensitive data is located and not knowing the data risk. A data breach is also the top security risk.
- Few respondents know the risk level of structured, unstructured, cloud, or big data, and data breach risks are seen as increasing.
- Companies use automated and classification tools to discover sensitive data and assess risk, but what is tracked is uncertain.
- Emerging trends like mobility and the "consumerization of IT" will most influence future security decision-making.
The document discusses strategies for preventing and protecting against data breaches. It notes that the number of data breaches reached a record high in 2014, with nearly 1 million new malware threats daily. While complete security is impossible, businesses must adapt through cost-effective security solutions. The document recommends asking what is currently being done to prevent breaches, what limitations exist, and how data/systems protection is validated. It advocates layered prevention and protection strategies, including regular security assessments to identify vulnerabilities, encryption of sensitive data, effective backups that facilitate rapid recovery, and ensuring basic tasks like patch and antivirus management are properly performed.
The document discusses how investing more in cybersecurity does not necessarily lead to better outcomes. While 99% of organizations have a security risk management strategy, those that are confident in their strategy (42%) significantly outperform those that are not (57%) in key business metrics like costs, efficiency, and customer satisfaction. The document advocates for focusing on a risk management strategy that is business-driven and updated regularly rather than excessive spending on cybersecurity, in order to free up resources for digital transformation initiatives. It provides perspectives from IT professionals on challenges with visibility, staying current on threats, and needing a framework to guide decisions.
The document summarizes the key findings of the 2011 Global Information Security Workforce Study conducted by Frost & Sullivan. Some of the main points from the summary include:
1) Application vulnerabilities were reported as the number one threat to organizations, with over 20% of security professionals reporting involvement in software development.
2) Mobile devices were the second highest security concern, despite most professionals having policies and tools in place to defend against mobile threats.
3) A skills gap exists as new technologies like cloud computing and social media are being adopted without sufficient security training for professionals. Over 70% needed new skills for cloud security.
4) The information security workforce is projected to grow significantly from 2.28 million in 2010
This year, CSO partnered with the CERT® Division of Software Engineering Institute at Carnegie Mellon University, U.S. Secret Service and KnowBe4 to evaluate trends in the frequency and impact of cybersecurity incidents
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ... FireEye, Inc.
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
In its second year, IDG’s 2018 Security Priorities study was conducted to gain a better understanding of organizations’ current and future security posture.
The survey found that organizations do not feel more secure than the previous year due to ineffective endpoint security technologies. Malware incidents are increasing and driving up IT costs. Zero-day attacks, SQL injections, and exploiting old software vulnerabilities are the biggest challenges. Respondents expect the top IT security risks in the next year will be negligent or malicious insiders, mobile device threats, and advanced persistent threats. Current approaches to endpoint security are costly and ineffective at preventing the rise of malware attacks through third-party and web-based applications.
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
The 2010 IOUG Data Security Survey was conducted by Unisphere Research and sponsored by Oracle. It surveyed 430 members of the Independent Oracle Users Group on data security practices. The survey found that fewer than 30% encrypt personally identifiable information in databases, and close to 40% send unprotected or unsurely protected live data to external parties. Also, over 75% cannot prevent privileged users from accessing application data, and almost two-thirds cannot detect privileged user abuse. Overall, two-thirds expect or are unsure about a security incident in the next year. The survey assessed data privacy, access controls, activity monitoring, and operational security at respondents' organizations.
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a... Capgemini
Are banks and insurers a safe pair of hands when it comes to customer data? Our global survey of more than 180 senior data privacy and security professionals – as well as 7,600 consumers – found that less than a third (29%) of these organizations offer both strong data privacy practices and a sound security strategy. Just one in five (21%) are highly confident that they can detect a cybersecurity breach.
This picture has so far not unduly affected consumers’ perceptions of the industry. We found that 83% of consumers trust banks and insurers when it comes to data. And while one in four institutions have reported being victim of a hack, just 3% of consumers believe their own bank or insurer has ever been breached. However, with the pending General Data Protection Regulation (GDPR) regulations, this trust factor is likely to change as transparency increases. Financial organizations have to reveal a data breach 72 hours after the incident.
Banks and insurance firms have a clear incentive therefore to fortify their defences. As well as avoiding the prohibitive fines and penalties that will result from compromised data, protecting privacy offers a strategic business advantage. Addressing security concerns will drive greater adoption of low-cost digital channels. We found that security concerns deter nearly half of consumers (47%) from using digital channels. It will also reduce churn and attract competitors’ customers – 74% of consumers would switch their bank or insurer in the event of a data breach.
Preparing to be a trusted data steward is no easy task, however. It means raising the bar on multiple dimensions:
• Aligning data practices with consumers’ expectations
• Finding innovative ways of providing non-intrusive security to consumers
• Building the capabilities required to monitor cyber risks on a real-time basis
• Revisiting the data governance model.
Building your reputation for data privacy and robust security is definitely challenging. But, those who strike the right chord with consumers will enjoy a competitive advantage over their peers. The winners will be those who triumph in the trust game.
Information Security - Hiring Trends and Trends for the Future PDF Alexander Goodwin
The document discusses current trends and future predictions in the information security industry. It notes that information security incidents are increasing in both number and severity. This has led companies to increase spending on information security by over 50% in some sectors. There is currently high demand and a shortage of information security professionals. Salaries for information security roles range from £45,000 to over £200,000 depending on level of experience and role. The document predicts that detected security attacks will continue increasing and that niche information security startups will drive innovation in the industry within the next 5 years.
The document discusses the findings of a global survey on IT security risks conducted by Kaspersky Lab. Some key findings include:
- IT security is the top concern for businesses and almost half see cyber threats as a top emerging risk.
- The most common external threat experienced by companies is malware.
- Companies are cautious of new technologies like cloud computing and mobile devices.
- Most companies take measures like anti-malware protection but many feel more investment is needed in IT security.
This document summarizes the key findings of Kaspersky Lab's 2014 IT Security Risks Survey. Some of the main points include:
1) Protection of confidential data against targeted attacks was the top priority for 38% of IT managers surveyed, compared to not being a priority in previous years.
2) 94% of companies encountered cybersecurity issues originating outside their networks, up from 91% in 2013. About 12% faced targeted attacks, up from 9% previously.
3) The average cost of a data security incident was estimated at $720,000, while a successful targeted attack could cost over $2.5 million. Losses often included internal data, client data, and financial information.
Global Information Cybersecurity Survey 2017 PwC España
Since 2012, the average budget that companies worldwide devote to cybersecurity has almost doubled, from 2.8 to 5.1 million dollars. In Spain, companies' investment in information security has followed a similar, though somewhat more moderate, trend, rising from an average of 3.1 to 3.9 million dollars. Full details at: http://www.pwc.es/es/digital/encuesta-mundial-estado-seguridad-informacion-2017.html.html
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Many organizations are not effectively managing applications and vulnerabilities on endpoints. Costs are increasing mainly due to lost productivity and IT staff time spent addressing malware incidents.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). Respondents reported that malware attacks were among the most frequent network incidents and had increased over the past year for many organizations. The top security risks for the coming year were identified as advanced persistent threats, insider threats, and web-based threats. However, many organizations are not effectively addressing these risks through technology solutions or application and policy management.
The document summarizes the findings of a global study on consumer confidence and trust in mobile technologies. It found that while mobile device usage is widespread, many users lack confidence in the security of their devices and the networks and services they access. The rapid growth of mobile threats has not been matched with adequate security precautions by users. Building greater trust will require coordinated efforts across the entire mobile industry to address security and reliability issues.
Under cyber attack: EY's Global information security survey 2013 EY
This document summarizes the key findings from a survey of over 1,900 organizations on cybersecurity threats and responses. Some of the main points include:
- Many organizations have improved their cybersecurity programs but still have work to do to address evolving threats. Top priorities include business continuity, cyber risks, and data protection.
- Budgets for cybersecurity are increasing for 43% of organizations, but information security professionals still feel budgets are insufficient.
- Focus is shifting from basic security operations to improving and innovating programs. However, skilled resources and executive support still lag behind needs.
- Around half of organizations now align their security strategy with business and IT strategies, showing increased understanding of security's importance.
The document discusses improvements organizations have made to address cyber threats, but also areas that still need work. It finds that many organizations now recognize the extent of cyber threats, with 76% owning information security policies at the highest level. 70% conduct security assessments of third parties accessing their data. However, the document notes that while improvements have been made, organizations need to do more quickly to address increasing cyber risks. Leading practices and innovation are needed to better protect against known and unknown future threats.
A critical gap exists between the enterprise mobility vision and real-world implementations.
Enterprise mobility and trends like bring your own device (BYOD) aren’t just hot topics of conversation.
According to the over 1,600 IT and security professionals we surveyed, mobility is a top priority for most IT departments.
Unfortunately, there’s a critical gap between the vision these IT leaders have for enterprise mobility and the real-world implementations.
The insights gathered from IT professionals in the Americas, Asia Pacific, Europe, the Middle East, and Africa demonstrate that organisations from around the world share many of the same priorities, challenges and risks.
When asked if their organization’s incident response efficiency and effectiveness is limited by the time and effort required for manual processes, 93% of the cybersecurity professionals surveyed responded, “yes”, according to The State of Incident Response ESG report.
This poses a real problem, since 22% of organizations find it challenging to keep up with the volume of security alerts.
Access this ESG research report and take a closer look at these obstacles while providing important factors for incident response excellence.
“The Impact of Mobile Devices on Information Security: A Survey of IT and Sec... Thierry Labro
1. The survey found that the number of personal mobile devices connecting to corporate networks continues to grow significantly, with 75% of companies now allowing personal devices on networks, up from 67% in 2013.
2. IT and security professionals expect that the rise in mobile devices will lead to more mobile security incidents, with 82% anticipating increased incidents in the coming year. The costs of remediating incidents are also increasing.
3. Employee behavior is seen as a major factor in mobile security risks, with most respondents saying careless employees pose a greater threat than cybercriminals and that employee actions likely enabled recent high-profile breaches.
This document discusses how emerging technologies will disrupt health and safety practices. It notes trends like rapid technological advances, big data, and changing work environments. The document outlines different potential futures for work and implications for health and safety professionals. It summarizes a survey of health and safety professionals that found they enjoy their work but see room for improved training and standards. The document also discusses capabilities frameworks, predictive analytics using new data sources, and how blockchain and a "Safety II" approach could reshape the industry to focus more on supporting success than procedural compliance alone.
In an era of global connectivity, online information and systems are playing an increasingly central role in business. According to data from Cisco, worldwide internet-connected devices will reach 50 billion by 2020, and with 15 billion devices already in 2015 it is apparent that an increasing number of companies, systems and information are working online.
Whitepaper | Cyber resilience in the age of digital transformation Nexon Asia Pacific
We are living in an always-on world using different communications devices, systems and networks. As privacy and protecting one’s identity is becoming increasingly important, the task of protecting these devices, systems and networks from cyber attack is no longer an option, it is a necessity.
The document discusses a survey of 225 global executives about their Sarbanes-Oxley (SOX) compliance functions. While most organizations treat SOX compliance as a necessary burden, some have evolved to view it as an opportunity for innovation, automation, and competitive advantage. These forward-thinking companies see correlations between SOX practices and adding value to the business. The document outlines four actions for empowering SOX functions: 1) automating controls, 2) offshoring lower-cost resources, 3) leveraging IT investments, and 4) innovating strategies.
This document discusses opportunities to transform a company's Sarbanes-Oxley (SOX) compliance function for competitive advantage. It identifies four actions: 1) automating manual controls to significantly reduce SOX costs and resource burden, 2) offshoring SOX functions for lower costs, 3) leveraging existing IT investments to improve SOX processes, and 4) innovating SOX execution strategically to enhance competitive positioning. A survey found that while most firms treat SOX as a compliance exercise, some have transformed their functions to drive value through automation, cost efficiencies, and strategic innovation around SOX practices.
This document discusses current trends in business continuity management. It notes that effective BCM is rising in importance for corporations due to increased complexity, tighter margins for error, and higher expectations for resilience and recovery times after disruptions. Leading trends that companies are adopting to improve their ability to manage emergencies and minimize impacts include implementing an enterprise-wide BCM framework and governance model, integrating business impact analysis and risk assessments, leveraging technologies like cloud computing and virtualization, and fully understanding application interdependencies for recovery.
The document discusses the evolving IT risk landscape for businesses as new technologies like mobile computing, cloud services, and social media break down barriers between work and personal life. This has increased risks around data leakage, third party dependencies, and regulatory compliance. Effective IT risk management is important for businesses to address these challenges and support overall enterprise risk management and business objectives. The document outlines an "IT Risk Universe" framework that identifies 11 key risk categories including security, resilience, data, and strategy alignment that companies can use to assess their IT risk exposure. How much a company relies on defensive IT versus offensive IT impacts the priorities for managing these IT risks.
Building control efficiency: Rationalization, optimization and redesign Vladimir Matviychuk
Increased government reporting requirements have forced those responsible for internal controls to do more. The global recession has required them to do more with less. While regulators press for accountability, investors press for performance. Those responsible for internal controls must now take charge by assessing their processes and tools, and execute on efforts to make them as efficient – and effective – as possible. Those able to optimize their controls will be more able to move past compliance toward improved performance and competitive advantage.
This document discusses advanced persistent threats (APTs) and provides recommendations for countering them. It notes that APTs target specific organizations over long periods to steal large amounts of sensitive information undetected. Traditional security methods are ineffective against APTs, which require new detection and response approaches using multiple layers of defense. The document recommends assuming infrastructure infiltration and granting response teams autonomy to investigate incidents. It also stresses hardening web browsers, mobile devices, and cloud applications against emerging attack vectors.
Organizations face increasing privacy challenges in 2011 due to factors such as:
1) Stricter privacy regulations and enforcement globally, with regulators planning expanded reach and tougher penalties.
2) Additional data breach notification requirements being adopted worldwide, requiring organizations to adapt processes.
3) Growing emphasis on governance, risk and compliance initiatives to better integrate privacy monitoring and reduce redundancies.
4) Issues around use of cloud computing and mobile devices, requiring organizations to implement controls over personal data use by third parties.
Overall organizations need robust strategies to proactively address evolving privacy requirements across diverse jurisdictions.
Borderless security: Ernst & Young’s 2010 Global Information Security Survey
Foreword
Borderless security
Data on the move
Processing in the clouds
Web connections
Summary
Survey approach
About Ernst & Young
Foreword
The ways in which organizations interact with their people and with other organizations are changing
at an unprecedented rate. Through mobile computing and new technologies like cloud computing
and social media, the connections and flow of information now reach far beyond the walls of the
conventional office.
The result is that the traditional boundaries of an organization are vanishing along with the traditional
information security paradigm. Information security programs must expand and adapt to meet the
demands of the new and existing enterprise in an evolving borderless world.
Our 2010 survey results are encouraging in that many organizations recognize the risks associated with
current trends and new technologies. They are taking the necessary steps to protect their information
— no matter where it resides — by adopting new solutions and improving overall information security
program effectiveness. However, our survey also reveals that some organizations are challenged to
keep pace with emerging threats and risks due to a more connected, virtual business environment.
The Ernst & Young Global Information Security Survey is one of the longest running annual surveys
of its kind; we are very proud that for thirteen years our survey has helped our clients focus on the
most critical risks, identify their strengths and weaknesses and improve their information security.
We are also excited that this year’s survey attracted nearly 1,600 participants from 56 countries,
demonstrating that information security remains an important issue for our clients.
I would like to extend my warmest thanks to all of our survey participants for taking the time to share
their views on information security.
My colleagues and I hope you find this survey report useful, informative and insightful. We would
welcome the opportunity to speak with you personally about your specific information security risks
and challenges, and believe that such discussions would assist you in addressing your borderless
security issues, enabling you and your organization to achieve your full potential.
Paul van Kessel
Global Leader,
IT Risk and Assurance Services
Borderless security
The trend toward anywhere, anytime access to information will continue
changing the business environment, blurring the lines between home
and office, co-worker and competitor, and removing traditional enterprise
boundaries.
The pace of change is accelerating, and the companies that embrace it are more likely
to fare better than those resisting it. Over the last year, we have witnessed a significant
increase in the use of external service providers and the business adoption of new
technologies such as cloud computing, social networking and Web 2.0. We have also seen
technology advances that have provided an increasingly mobile workforce with seemingly
endless ways to connect and interact with colleagues, customers and clients. Together,
these changes are extending the enterprise — driving professional collaboration and
personal interaction to new levels. These new technologies represent an opportunity for IT
to deliver significant benefits to the organization and fulfill the initial promise — or hype —
that many technologies have failed to live up to in the past.
However, new technology also means new risk.
The rising level of risk has not gone unnoticed by our survey participants; 60% of
respondents perceived an increase in the level of risk they face due to the use of social
networking, cloud computing and personal devices in the enterprise. It is in this changing
and borderless environment that information security professionals must find a way to
manage risks and protect their organizations’ most critical information assets.
Given current trends towards the use of such things as social networking, cloud
computing and personal devices in the enterprise, have you seen or perceived a change
in the risk environment facing your organization?
Shown: percentage of respondents
Yes, increasing level of risk: 60%
Remaining responses (No, decreasing level of risk; Relatively constant level of risk): 3%, 37%
Despite continued economic pressures, organizations are spending more to address
information security challenges, including those related to delivering security in a
borderless environment. 46% of respondents indicated that their annual investment in
information security is increasing, with only 6% planning to reduce their information
security investment. Further investigation found that 55% of respondents are increasing the
level of information security investment related to their top five areas of IT risk.
Which of the following statements best describes your organization’s annual investment
in information security?
The survey findings are encouraging, but increasing investment alone will not provide
guarantees of protection. Companies must also establish more comprehensive IT risk
management programs that identify and address the risks associated with new and
emerging technologies. Our survey revealed that this is one area that most organizations
could improve upon, as only 30% of respondents indicated that they have an IT risk
management program in place that is capable of addressing the increasing risks related to
the use of new technologies.
In this report, we take a closer look at how organizations are specifically addressing their
evolving information security needs in the changing, borderless environment. We also
examine potential opportunities for improvement and identify important short and long-
term trends that will shape information security in the coming years.
Annual investment in information security (shown: percentage of respondents)
Increasing as a percentage of total expenditures: 46%
Decreasing as a percentage of total expenditures: 6%
Relatively constant as a percentage of total expenditures: 48%
The mobile workforce
As today’s mobile workforce continues to grow, not only is the phrase “out of the office”
becoming less relevant, but the flow of information in and out of the organization is also
dramatically changing. Mobile computing devices (e.g., laptops, tablet PCs, multimedia-
enabled smartphones) are in widespread use, allowing individuals to access and distribute
business information from anywhere and at any time. Recent improvements in mobile
applications, bandwidth and connectivity have made it possible to interact with information
like never before: accessing information-intensive reports, retrieving corporate data and
even conducting remote meetings from a mobile device.
The increasing demand for information from the mobile workforce is driving changes in the
way organizations support and protect the flow of information. This presents a noteworthy
challenge for many of our survey participants; 53% of respondents indicated that increased
workforce mobility is a significant or considerable challenge to the effective delivery of their
information security initiatives, especially when coupled with a security-awareness challenge
identified by 64% of respondents.
What is the level of challenge related to effectively delivering your organization’s
information security initiatives for each of the following?
Shown: percentage of respondents
Scale, left to right: Significant challenge, 4, 3, 2, Not a challenge
Level of security awareness by the employees: 22%, 42%, 27%, 8%
Availability of skilled resources: 20%, 39%, 27%, 10%, 4%
Adequate budget: 23%, 31%, 28%, 12%, 6%
Increased workforce mobility: 17%, 36%, 29%, 14%, 4%
Management awareness and sponsorship: 17%, 31%, 29%, 17%, 6%
Organizational change: 13%, 28%, 34%, 19%, 6%
Emerging technologies: 7%, 28%, 36%, 22%, 7%
Regulatory change or uncertainty: 8%, 25%, 36%, 22%, 9%
Social networking: 9%, 24%, 32%, 21%, 14%
Business uncertainty: 7%, 20%, 35%, 25%, 13%
Data on the move
Mobile computing risks
The increased use of mobile computing devices for business purposes is not without serious
risks. The popularity and widespread use of these devices has led to the unwanted, but
somewhat predictable, outcome of such devices becoming a target for computer viruses
and sophisticated mobile malware. In addition, due to the small size of the portable devices,
simple theft of the device is also a real concern.
The most serious risk associated with mobile computing is the potential loss or leakage of
important business information. When we asked our survey participants to identify their
top five areas of IT risk, 64% of respondents indicated that data (i.e., disclosure of sensitive
data) was one of their top five IT risk areas, second only in overall ranking to the continuous
availability of critical IT resources.
Furthermore, when we examined the risk environment in the context of the current trend
toward the use of personal devices in the enterprise, 52% of our survey respondents
perceived an increase in data leakage risks. (See page 10.)
From the following list, which are the top five areas of IT risk for your organization?
Shown: percentage of respondents
Values per row, left to right: Top IT risk, 2nd, 3rd, 4th, 5th; then Total
Continuous availability of critical IT resources: 31%, 16%, 11%, 7%, 6%; total 71%
Data: 19%, 18%, 13%, 8%, 6%; total 64%
Applications and databases: 14%, 14%, 10%, 9%, 8%; total 55%
Third-party suppliers and outsourcing: 5%, 7%, 8%, 9%, 12%; total 41%
Operations: 4%, 7%, 9%, 10%, 10%; total 40%
Legal and regulatory: 6%, 7%, 8%, 8%, 7%; total 36%
Staffing: 3%, 5%, 6%, 9%, 10%; total 33%
Infrastructure: 3%, 6%, 8%, 10%, 6%; total 33%
Programs and projects: 4%, 4%, 7%, 9%, 8%; total 32%
Strategy and alignment: 4%, 4%, 6%, 6%, 8%; total 28%
Fraud and theft: 4%, 6%, 5%, 7%, 6%; total 28%
Physical environment: 3%, 4%, 4%, 6% (remaining rank value not shown); total 20%
Technology: 3%, 4%, 6% (remaining rank values not shown); total 17%
Plugging the leak
Based on our survey results, it appears that many organizations are recognizing the
increased risks associated with mobile computing and are taking steps to address the
issues. Survey results showed that 50% of respondents plan on spending more over the
next year on data leakage/data loss prevention technologies and processes. This is a seven-
percentage-point increase over last year and a clear indication that preventing data leakage
is top of mind for many organizations.
Increased mobility and lack of control over end-user devices can also cause problems
when trying to implement effective and efficient business continuity and disaster
recovery capabilities — similarly identified by 50% of respondents as an area of increased
expenditure.
Data leakage prevention defined
Data leakage prevention (also known as
data loss prevention or information leak
prevention) is the combination of tools and
processes for identifying, monitoring and
protecting sensitive data or information
according to an organization’s policies
or government and industry regulations.
Data leakage prevention services will
typically focus on preventing specific data
or information from leaking out of the
organization and detecting any unauthorized
access or transmission of sensitive data.
Compared to the previous year, does your organization plan to spend more, less or
relatively the same amount over the next year for the following activities?
Shown: percentage of respondents
Values per row, left to right: Spend more, Same or constant, Spend less
Data leakage/data loss prevention technologies and processes: 50%, 46%, 4%
Business continuity/disaster recovery plans and capabilities: 50%, 45%, 5%
Identity and access management technologies and processes: 48%, 45%, 7%
Securing new technologies: 44%, 50%, 6%
Security awareness and training: 42%, 53%, 5%
Compliance with regulatory requirements: 41%, 55%, 4%
Information security risk management: 41%, 55%, 4%
Security testing: 36%, 58%, 6%
Protecting personal information: 34%, 61%, 5%
Vulnerability management technologies and processes: 33%, 63%, 4%
Protecting proprietary information: 32%, 64%, 4%
Security metrics and reporting: 32%, 64%, 4%
Implementing security standards: 30%, 61%, 9%
Secure development processes: 30%, 63%, 7%
Compliance with corporate policies: 28%, 67%, 5%
Incident response plans and capabilities: 26%, 68%, 6%
Recruiting security resources: 22%, 63%, 15%
Forensics/fraud support: 18%, 74%, 8%
Outsourcing security functions: 17%, 64%, 19%
When we look closer at the steps organizations are taking to address the potential new
risks, we found that 39% of respondents are making policy adjustments, 38% are increasing
their security awareness activities, 29% are implementing encryption techniques, and 28%
are implementing stronger identity and access management controls.
It is also important to note that 42% of our survey respondents currently have an IT risk
management program in place, but only 30% have a program that also addresses the risks
associated with mobile computing.
Which of the following controls have you implemented to mitigate the new or
increased risks?
Shown: percentage of respondents
Policy adjustments: 39%
Increased security awareness activities: 38%
Encryption techniques: 29%
Stronger identity and access management controls: 28%
Increased auditing capability: 25%
Architectural changes: 24%
Adjusted incident management processes: 19%
Stronger contract management processes: 19%
Increased due diligence of service providers: 18%
New disciplinary processes: 11%
Our perspective
Our survey shows that as the mobile
workforce continues to grow, so does
the level of risk: many organizations
are now recognizing this fact and are
correspondingly increasing their investment
in data leakage prevention technologies,
encryption, and identity and access
management services.
The risk of data loss is further amplified
when the data provided to mobile devices
is inappropriate or much more than needed
to accomplish the task (e.g., an entire
customer database). Companies must
re-engineer information flows to ensure that
only essential data is provided for mobile
computing activities.
However, in addition to implementing new
technology solutions and re-engineering
information flows, companies must focus
on informing their people about the risks. It
is important that the business understands
and accepts the risk created by the
use of new technologies — this includes
technologies personally adopted by their
employees that may also be used for
business purposes. To help manage these
risks, information security policies should
be reviewed and adjusted appropriately
to establish acceptable use, and to define
any specific restrictions related to mobile
computing devices. The delivery of effective
and regular security awareness training
for the mobile workforce is also a critical
success factor. Companies will need to
increase these activities to keep pace with
the changing environment.
As the mobile workforce continues to
push the flow of information out beyond
the traditional borders of the company,
enterprise security must also encompass
end-point devices to protect critical business
information and provide better alignment
with the organization’s risk profile.
Processing in the clouds
The cloud computing trend
Driven by pressures to reduce IT spending in the wake of an economic downturn and the
need to enhance flexibility and speed of implementation, many companies are looking
outside the organization for help. Their interest lies in computing services that require
significantly less initial investment, fewer skilled internal IT resources and lower operating
costs. As a result, cloud computing services are gaining greater adoption, and providers
are expanding the range of services offered to include infrastructure (e.g., storage and
CPU cycles), development platforms (e.g., open source, service-oriented architecture) and
software (e.g., enterprise applications, office productivity, web-based email). In addition to
having minimal up-front costs, cloud computing services are attractive because they offer
shorter contract durations, on-demand scaling of resources, and a way to deliver leading
IT services that would be beyond the budget threshold for many companies if delivered
internally.
Our survey results showed that 23% of respondents are currently using cloud computing
services, 7% are evaluating its use and 15% are planning to use within the next 12 months —
a surprisingly high number given that the reliability and security level of many cloud services
is still unknown. Despite an unproven track record, we expect cloud services to increase over
the next few years as performance and benefits are demonstrated, offerings and capabilities
expand, and cost-cutting pressures continue to force companies to look for alternative IT
solutions.
Cloud computing defined
Cloud computing refers to pooled, on-
demand computing resources across
networks such as the internet as rapidly
provisionable services (e.g., Software
as a Service, Platform as a Service,
Infrastructure as a Service). Cloud
computing providers make use of several
technologies, such as virtualization and
service-oriented architecture, to efficiently
deliver scalable computing services to
customers.
Does your organization currently use cloud-computing-based delivery solutions?
Shown: percentage of respondents
Yes, currently in use: 23%
Yes, under evaluation: 7%
No, but planned within the next 12 months: 15%
No, and no plans to use in the next 12 months: 55%
45% of respondents are currently using, evaluating or are planning to use cloud computing
services within the next 12 months.
Cloud Software as a Service (SaaS) defined
The capability to use applications running
on a cloud infrastructure that are accessible
from various thin client devices (e.g., Web
browser).
Cloud Platform as a Service (PaaS) defined
The capability to deploy onto the cloud
infrastructure custom or acquired
applications created using programming
languages and tools supported by the cloud
provider.
Cloud Infrastructure as a Service (IaaS) defined
The capability to provision processing,
storage, networks, and other computing
resources where the consumer is able
to deploy and run software of choice,
which can include operating systems and
applications.
Source: National Institute of Standards and Technology (NIST)
In regard to the kind of cloud computing services being used, or planned to use, 77%
of respondents indicated that they are using Software as a Service, 45% are using
Infrastructure as a Service and 34% are using Platform as a Service as their cloud service
model.
Interestingly, 54% of respondents who use cloud services are using private clouds. These
services dedicated solely for the organization — as opposed to being made available
to the general public — may provide better data security, corporate governance and
reliability. They do not, however, reach the full economic benefit potentials that a public
cloud deployment model can provide. This supports the trend that we see within many
organizations of adopting cloud technology while at the same time being cognizant of an
infantile trust model for public cloud services.
Which kind of cloud service are you using or do you plan to use?
Shown: percentage of respondents
Software as a Service (SaaS): 77%
Infrastructure as a Service (IaaS): 45%
Platform as a Service (PaaS): 34%
Which kind of cloud technology are you using or do you plan to use?
Shown: percentage of respondents
Private cloud: 54%
Encapsulated cloud: 45%
Public cloud: 29%
Cloud computing risks
Although the potential benefits of cloud computing are very compelling, there are a number
of important information security issues and risks that should be addressed before business
critical applications are moved to the cloud. Due to the reliance on infrastructure that
favors scalability and flexibility, cloud service providers may not be able to meet specific
organizational or regulatory requirements for protecting sensitive information stored in the
cloud. This means that not only will existing risks remain but new issues and risks will be
introduced by adopting cloud computing.
The risks associated with cloud computing are not going undetected by our survey
participants — data leakage was identified by 52% of respondents as an increasing risk
resulting from current trends, and 39% of respondents cited the loss of visibility of what
happens to company data as an increasing risk. Unauthorized access was also identified
by 34% of respondents as increasing, which highlights the fact that many companies are
concerned about giving up control of access to their business information and relying on the
cloud to provide secure authentication, user credentials and role management.
Which of the following “new” or increased risks have you identified?
Shown: percentage of respondents
Data leakage risks: 52%
Loss of visibility of what happens to company data: 39%
Unauthorized access: 34%
Difficulty in technical and procedural monitoring: 29%
Increased collaboration with individuals outside the enterprise: 22%
Contract risks: 18%
Availability risks: 17%
Challenges in updating internal audit and compliance plans: 15%
Capacity management risks: 13%
Performance management risks: 11%
Cloud attack: Economic Denial of
Sustainability (EDoS) defined
During an EDoS cloud attack, a malicious
attacker identifies an organization that
relies upon on-demand cloud computing
to conduct an aspect of its business. They
then make bulk requests to it, to cause the
cloud infrastructure to scale in response
and increase the cost or reduce the quality
of service for the organization.
Securing the cloud
The issues and risks related to cloud computing are significant, but most of them are not
entirely new. Organizations can leverage lessons learned from managing IT outsourcing
contracts — or from similar services that have been implemented behind the firewall — such
as virtualization, which 76% of respondents are currently using.
Most importantly, organizations must define and establish minimum standards and security
requirements for cloud services. Then, once a contract that meets the organization’s
performance and information security requirements is in place with the provider, the focus
should turn to auditing and compliance. One-fourth of our survey respondents indicated that
they have increased auditing capability and 19% of respondents have implemented stronger
contract management processes to mitigate increased risks.
Certification is another option for evaluating or confirming the appropriateness of security
controls for cloud services. When asked if an external certification of cloud service providers
would increase trust, 85% of respondents said yes, with 43% stating that the certification
should be based upon an agreed standard and 22% requiring accreditation for the certifying
body.
Would some kind of external certification of cloud service providers increase your trust
in cloud computing?
Shown: percentage of respondents
Yes, but only if this certificate is based upon an agreed standard: 43%
Yes, but only if the certifying body can show accreditation: 22%
Yes, in any case: 20%
No: 15%
Our perspective
Our survey results show that the trend
toward cloud computing services is one
that will likely continue as more companies
search for ways to reduce costs while at
the same time deliver more IT functionality.
Survey results also show that most
organizations have identified the potential
risks and are taking steps to address them,
but as the request for cloud services may
bypass the information security function,
this will be a difficult and ongoing challenge.
Cloud computing will continue to mature
and so will the security services offered
by cloud providers. But companies do not
need to wait until this happens to securely
utilize cloud services. Organizations should
assess the legal, organizational, and
technological risks as well as the security
issues related to placing information into the
cloud. They should develop a strategy and
an approach (that includes the information
security function) to help define policies
and guidelines, and set standards and
minimum requirements, so that they can
adopt cloud computing in as secure a
manner as possible. Cloud computing may
be a new technology trend, but like all new
technologies with significant benefits, the
security issues and risks must be addressed
or the trend will end.
Social media
The workforce is changing; there is a new generation of workers that have never known
a world without the internet, without social media and without sophisticated personal
technology to access information 24 hours a day. They will spend countless time texting,
chatting and browsing Facebook, LinkedIn, blogs, wikis and other social networking and
social media websites. They have a new set of expectations regarding technology and
their ability to connect to networks and communities, both inside and outside the business
environment.
For most organizations, this means that in order to attract and retain the best and brightest
people, they must find ways of providing the social networking and collaboration tools
that these individuals have increasingly come to expect. To address this issue, many
organizations are implementing infrastructure and applications that support social media
usage inside the enterprise (known as Enterprise 2.0). Such social tools provide the new
generation of employees with increased opportunities for professional collaboration and
personal interaction but within the protected and secure environment of the business
intranet. In addition, businesses are looking for new ways to make their people aware of the
risks, policies and acceptable behaviors related to the use of such tools both internally and in
the public environment.
Identifying social media risks
Our survey results show that social networking is not high on the list of challenges for most
of our participants (see page 4); only 33% of respondents indicated that social networking is
a considerable challenge to effectively delivering information security initiatives. We believe
this to be an indication that although most companies recognize the fact that there are
risks and information security issues related to social media and Web 2.0, only a few have
thoroughly examined the issue and developed an approach that will balance the business
opportunity with the risk exposure.
The fact that only 10% of respondents indicated the examination of new and emerging
IT trends as a critically important function is further evidence that few organizations
have assessed the impact of social networking. The question we would like to ask is if the
information security function is not evaluating the risks associated with new technologies
and IT trends, such as social media, then which function within the organization is?
Web connections
Enterprise 2.0 defined
Enterprise 2.0 is the use of social media
software inside the enterprise, enabling
users to connect and collaborate in
ways that mimic natural human social
behaviors. It includes social and networked
modifications to the corporate intranets and
software platforms used by companies for
internal communication.
As the use of social networking and Web 2.0 sites continues to increase and become part of
the standard work environment, the behaviors related to sharing personal information are
often being transferred to sensitive business information, where they are not appropriate.
If no action is taken, this will likely lead to an increase in the disclosure of business
information or protected privacy-related data, either intentionally or accidentally through
the use of social media.
As a result, survey participants’ activities of primary focus — achieving compliance with
regulations (55%), protecting reputation and brand (51%), and managing privacy and
protecting personal information (44%) — could become increasingly difficult to achieve
without an effective process in place to evaluate the risks associated with new and
emerging IT trends. This is particularly true for those technologies that will make their way
into the organization, whether intended or not.
How important is information security in supporting the following activities in
your organization?
Shown: percentage of respondents
Scale, left to right: Very important, 4, 3, 2, Not important
Achieving compliance with regulations: 56%, 26%, 12%, 4%
Protecting reputation and brand: 53%, 29%, 13%, 4%
Managing privacy and protecting personal information: 45%, 36%, 15%, 3%
Achieving compliance with corporate policies: 42%, 33%, 18%, 5%
Managing operational and (or) enterprise risk: 34%, 43%, 18%, 4%
Protecting intellectual property: 31%, 30%, 25%, 10%, 4%
Improving stakeholder and investor confidence: 25%, 34%, 25%, 11%, 5%
Improving IT and operational efficiencies: 21%, 40%, 27%, 10%
Managing external vendors: 16%, 37%, 31%, 12%, 4%
Enhancing new service or product launches: 14%, 30%, 34%, 15%, 7%
Facilitating mergers, acquisitions and divestitures: 12%, 20%, 26%, 20%, 22%
Examining new and emerging IT trends: 10%, 33%, 38%, 15%, 4%
Securing social behavior
Understanding that this issue is primarily a behavior issue, organizations must profile
their technology users, update and align security policies, and increase awareness
communications in an attempt to successfully change behavior.
It is encouraging that only 15% of our survey participants indicated that they do not have a
security awareness program in place and that 42% plan on spending more over the next year
on security awareness and training (see page 6). However, just 34% of respondents currently
include information updates on the risks associated with social networking.
The simplest way to reduce the risks associated with social networking and Web 2.0 is to
restrict or limit the use of such tools in the work environment. It is doubtful that such an
approach can be successful — since it does not prevent the sharing of sensitive information
from personal devices or home computers; it could also drive additional unwanted behaviors,
such as connecting personal laptops to the business network. Another downside to such an
approach is that the organizations that do not offer or restrict the use of these tools may be
unable to attract and retain the best and brightest from the new generation of workers.
What elements are currently covered in your organization’s security awareness program?
Shown: percentage of respondents
General awareness of security topics: 76%
Review and agreement with current security policies and standards: 47%
Informational updates on the risks associated with mobile computing: 45%
Direct and frequent updates/alerts on current threats to the organization: 43%
Specific awareness activities or training sessions for high-risk user groups: 34%
Information updates on the risks associated with social networking: 34%
Measurement of the effectiveness of awareness activities: 21%
We do not have a security awareness program: 15%
In an attempt to control data leakage of sensitive information, 45% of respondents
indicated that they restrict or prohibit the use of instant messaging or email for sensitive
data.
Our perspective
Today’s social networking and collaboration tools are transforming the way in which business is conducted. People not only can share information and
collaborate around the world at astonishing speed and efficiency — but they demand it. While the potential benefits and opportunities associated with
the social trend are exciting, there are also new risks and information security issues that must be addressed.
The social media trend cannot be ignored by organizations that want to attract and retain the brightest talent of the new generation. Organizations
must provide the online communities and social collaboration tools that the new workforce expects while protecting sensitive business information in a way
that aligns enterprise requirements with personal responsibility. Specifically, organizations must raise security awareness and personal responsibility
to levels previously not achieved.
To create a secure and successful business environment, organizations must involve their people; a technology-savvy workforce will find a way
around controls, unless they fully understand the danger of the risks involved. By informing every member of the organization on the risks and issues
related to social media, information security becomes an expanded function that all employees are fully aware of and have a responsibility
to perform.
Which of the following actions has your organization taken to control data leakage of
sensitive information?
Shown: percentage of respondents
Defined a specific policy for classification and handling of sensitive information: 73%
Implemented additional security mechanisms for protecting information: 65%
Utilized internal auditing for testing of controls: 54%
Implemented content monitoring/filtering tools: 51%
Defined specific requirements for telecommuting: 48%
Locked down/restricted use of certain hardware components: 45%
Restricted or prohibited use of instant messaging or email for sensitive data: 45%
Implemented log-review tools: 44%
Prohibited use of camera devices within sensitive or restricted areas: 29%
Restricted access to sensitive information to specific periods: 18%
Summary
Our 2010 Global Information Security Survey shows that companies and information
security leaders are facing a changing business environment, where traditional enterprise
boundaries are quickly evaporating, an environment driven by an increase in workforce
mobility, greater adoption of cloud computing services, and a growing use of social media
and collaboration tools within the enterprise.
Organizations are struggling to manage these trends — while needing to adopt them to
get the most benefits and cost savings, where possible — but they need to understand and
mitigate the potential risks and security impact to the organization.
By leveraging the information in this survey and taking action on the suggested steps for
improvement, organizations can better manage the risks associated with an increasingly
borderless environment.
Survey findings
Borderless security
• 60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing
and personal mobile devices in the enterprise.
• 46% of respondents indicated that their annual investment in information security is increasing.
• 30% of respondents indicated that they have an IT risk management program in place that addresses the increasing risks
related to the use of new technologies.
Mobile computing
• 51% of respondents indicated that increased workforce mobility is a considerable challenge to effectively delivering their
information security initiatives.
• 64% of respondents indicated that data (e.g., disclosure of sensitive data) was one of their top five areas of IT risk.
• 50% of respondents plan to spend more on data leakage/data loss prevention technologies and processes over the next year.
Cloud computing
• 45% of respondents are currently using, evaluating or are planning to use cloud computing services within the next
12 months.
• 77% of respondents who use cloud services indicated that they are using Software as a Service as the main cloud service
model.
• 39% of respondents cited the loss of visibility of company data as an increasing risk.
Social media
• 32% of respondents indicated that social networking is a considerable challenge to effectively delivering information security
initiatives.
• 10% of respondents indicated that examining new and emerging IT trends was a very important activity for the information
security function to perform.
• 34% include information updates on the risks associated with social networking.
• 45% of respondents indicated that they restrict or prohibit the use of instant messaging or email for sensitive data.
Our perspective
Borderless security
• Establish a detailed IT risk management program that identifies and addresses the risks associated with new and emerging technologies
• Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk based responses
• Take an information-centric view of security, which is better aligned with the organization’s business and information flows
Mobile computing
• Increase the investment in data leakage prevention technologies, encryption, and identity and access management services — focusing on the
people who use the technology
• Gain an understanding of the risks created by the use of new technologies — including technologies adopted personally by employees that may be
used for business purposes
• Information security policies should be reviewed and adjusted appropriately to establish the acceptable use and any specific restrictions related to
mobile computing devices
• Increase security awareness training activities for the mobile workforce
• Push enterprise security out to end-point devices to protect critical business information and provide better alignment with the organization’s risk
profile
Cloud computing
• Assess the legal, organizational and technological risks as well as the security issues related to placing information into the public cloud
• Develop a company strategy, a governance model and an operational approach to cloud computing use, including the information security function
to help define policies and guidelines
• Set standards and minimum requirements to enable your organization to adopt cloud computing in as secure a manner as possible
Social media
• Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise
requirements with personal responsibility to protect sensitive business information
• Raise security awareness and personal responsibility to levels that have not been
achieved before
• Inform every member of the organization on the risks and issues related to social media
Survey approach
Ernst & Young’s 2010 Global Information Security Survey was developed with the help of
our assurance and advisory clients.
This year’s survey was conducted between June 2010 and August 2010. Nearly 1,600
organizations across all major industries and in 56 countries participated.
Methodology
The questionnaire was distributed to designated Ernst & Young professionals in each
country practice, along with instructions for consistent administration of the survey
process.
The majority of the survey responses were collected during face-to-face interviews with
individuals responsible for information security at the participating organizations. When
this was not possible, the questionnaire was administered electronically via the internet.
If you wish to participate in Ernst & Young’s 2011 Global Information Security Survey,
you can do so by contacting your local Ernst & Young office, or visiting www.ey.com and
completing a brief request form.
Profile of 2010 survey participants
Survey participants by region
31%
37%
2%
30%
Americas
Asia/Pacific
Europe
Middle East
Survey participants by industry
Financial services: 509
Manufacturing: 233
Technology: 139
Government & non-profit: 126
Utilities: 93
Retail & wholesale: 76
Telecommunications: 67
Health services: 62
Real estate: 44
Professional services: 41
Transportation: 33
Other: 175
Survey participants by title
Chief Information Officer: 273
Chief Information Security Officer: 208
Information Technology Executive: 204
Information Security Executive: 185
Chief Security Officer: 70
Internal Audit Director: 46
Chief Technology Officer: 38
Chief Operating Officer: 20
Other: 554
Survey participants by annual revenue (US$)
More than $24 billion: 81
$10 billion - $24 billion: 98
$1 billion - $9 billion: 333
$500 million - $999 million: 141
$250 million - $499 million: 137
$100 million - $249 million: 212
Less than $100 million: 459
Contacts
About Ernst & Young
At Ernst & Young, our services focus on our individual clients’ specific
business needs and issues, because we recognize that every need and
issue is unique to that business.
IT is a critical enabler for organizations to compete in today’s global business environment.
IT provides the opportunity to get closer and respond faster to customers, and can
significantly enhance both the effectiveness and efficiency of operations. But as
opportunities through technology increase, so do the risks.
Our 6,500 IT risk and assurance professionals draw on extensive personal experience to
give you fresh perspectives and open, objective advice — wherever you are in the world.
We view IT as both a business and a business enabler. IT is critical in helping businesses
continuously improve their performance and sustain that improvement in a rapidly
changing business environment.
Our business advisory professionals bring the experience of working with major
organizations to help you deliver measurable and sustainable improvement in how your
business performs.
We assemble multidisciplinary teams, use a consistent methodology, proven approaches
and tools, and draw on the full breadth of Ernst & Young’s global reach, capabilities and
experience. We then work to give you the benefit of our broad sector experience, our deep
subject matter knowledge and the latest insights from our work worldwide. That’s how
Ernst & Young makes a difference.
For more information on how we can make a difference in your organization, contact your
local Ernst & Young professional or any of the people listed in the table below.
Global Telephone Email
Norman Lonergan (Advisory Services Leader) +44 20 7980 0596 norman.lonergan@uk.ey.com
Advisory Services
Robert Patton (Americas Leader) +1 404 817 5579 robert.patton@ey.com
Andrew Embury (Europe, Middle East, India and Africa Leader) +44 20 7951 1802 aembury@uk.ey.com
Doug Simpson (Asia Pacific) +61 2 9248 4923 doug.simpson@au.ey.com
Isao Onda (Japan Leader) +81 4 3238 7011 onda-s@shinnihon.or.jp
IT Risk and Assurance Services
Bernie Wedge (Americas Leader) +1 404 817 5120 bernard.wedge@ey.com
Paul van Kessel (Europe, Middle East, India and Africa Leader) +31 88 40 71271 paul.van.kessel@nl.ey.com
Troy Kelly (Asia Pacific Leader) +81 2 2629 3238 troy.kelly@hk.ey.com
Masahiko Tsukahara (Japan Leader) +81 3 3503 2900 tsukahara-mshk@shinnihon.or.jp