Outpacing change: Ernst & Young’s 12th annual global information security survey


Contents

Foreword (page 1)
Introduction: outpacing change (page 3)
Managing risks (page 4)
Addressing challenges (page 8)
Complying with regulations (page 12)
Leveraging technology (page 16)
Summary (page 20)
Survey approach (page 22)
About Ernst & Young (page 24)


Foreword

Over the last year, we have witnessed unprecedented changes in the global economic environment. Increased pressure to reduce costs, coupled with increased government and industry regulations, has presented new risks and challenges — challenges that many organizations are now struggling to address […] also witnessed new technologies introduced and adopted, some that helped improve information security and some that brought new risks and concerns.

The survey results are encouraging in that many organizations are now taking a more holistic view of security and focusing on the overall health of their information security programs. However, our survey also reveals that the lack of adequate […]

The Ernst & Young global information security survey is one of the longest-running and most recognized annual surveys of its kind. We are very proud that for 12 years, our survey has helped our clients focus on the right risks and priorities, identify their strengths and weaknesses, and improve their information security. We are also impressed that this year’s survey received the highest levels of participation since its inception more than a decade ago, demonstrating that information security continues to be an important issue for our clients.

I would like to extend my warmest thanks to all of our nearly 1,900 survey participants for taking the time to share their views on information security. My […] and insightful. We welcome the opportunity to speak with you personally about […] discussions will position you to stay ahead of change and allow you and your organization to achieve your full potential.

Paul van Kessel
Global Leader, IT Risk and Assurance Services


Introduction: outpacing change

How do you protect your organization’s brand and reputation in an environment of change? How do you identify and manage new risks? How do you overcome increasing challenges to deliver an effective information security program? How do you comply with new regulations and industry requirements? How do you leverage technology to not only meet business objectives but also improve security?

These are just some of the questions that information security leaders are struggling […] organization’s most critical information assets.

Over the last year, we have witnessed a global economic downturn become a crisis for many countries and many organizations. We have seen the competitive landscape drastically altered for many industries. Although there are signs of economic recovery, the […] restructure and reinvent themselves.

Information security leaders are facing considerable challenges as a result of the current environment. It would be naive to think that information security has not also been impacted by economic pressures; the need to reduce costs and provide more results from investments already made extends to all areas of the enterprise, including the information security function. To support this statement, there is evidence from our survey that many more organizations are struggling with a lack of skilled and trained information security […] information security is a major challenge for the coming year. These are clear indicators […]

The current environment is also producing a rise in both internal and external threats. Our survey participants reveal a growing concern with reprisals from recently separated employees as well as noting an increase in external attacks on their company websites and networks.

Regulatory compliance is also top of mind for information security leaders, and our survey […] Several industries and countries are moving toward more regulation, primarily related to data protection and privacy. Correspondingly, companies are reporting an increase in the cost of compliance as the complexity and number of regulations also increases.

In this 12th annual global information security survey we take a closer look at how […] challenges, increasing regulatory requirements and new technologies. We also identify and examine potential opportunities for improvement and important short-term and long-term trends that will shape information security in the coming years.

Information security is not immune to external economic […] ways to improve […] effectiveness while keeping spending to a minimum.


Managing risks

In the last several years, we have seen a shift in the way technology is being deployed to […] the rapid adoption of broadband and over-the-air technologies, has changed the way many organizations use technology and information. As a result, it has expanded or perhaps even eliminated the traditional borders of the organization and the conventional digital perimeter paradigm. Organizations must now adjust their information security risk management approach — from “keeping the bad guys out” to protecting information no matter where it resides. We consider this to be a more “information-centric” view of security and a more effective approach. Not surprisingly, improving information security risk management was the top security priority for our survey participants, with 50% of respondents indicating that they plan to spend more and 39% planning to spend relatively the same amount on this initiative over the next year.

Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities? (Shown: percentage of respondents)

Activity | Spend more | Same or constant | Spend less | Not answered
Outsourcing of security functions | 14% | 59% | 18% | 9%
Forensics/fraud support | 14% | 67% | 9% | 10%
Implementing other technologies | 17% | 39% | 5% | 39%
Staffing | 20% | 58% | 16% | 6%
Implementing standards | 24% | 59% | 9% | 8%
Regulatory compliance | 28% | 60% | 6% | 6%
Implementing or improving IAM technologies and processes | 28% | 57% | 7% | 8%
Implementing or improving secure development processes | 30% | 56% | 6% | 8%
Performing security testing | 32% | 55% | 8% | 5%
Risk management | 36% | 54% | 4% | 6%
Internal security awareness and training | 39% | 49% | 7% | 5%
Implementing virtualization technologies | 41% | 42% | 9% | 8%
Implementing or improving DLP technologies and processes | 43% | 47% | 5% | 5%
Improving information security risk management | 50% | 39% | 5% | 6%

The role of regulators in promoting an information-centric security approach

In Singapore, the Monetary Authority of Singapore (MAS) has recently released a set of guidelines requiring […] the organization’s understanding of risk and the controls they have in place to protect the data.


Improving information security risk management is the top security priority over the next year.


Increased threats

In addition to the technology shift, the current economic environment is fueling an increase in the number of threats organizations are facing. The increase is driven not only from external sources — our survey found that 41% of respondents noted an increase in external attacks — but also from within the organization: 25% of respondents witnessed an increase in internal attacks, and 13% reported an increase in internally perpetrated fraud.

Given the current economic environment, have you seen or perceived a change in the threats facing your organization? (Shown: percentage of respondents)

Increase in internally perpetrated fraud: 13%
Increase in externally perpetrated fraud: 19%
Increase in internal attacks (e.g., abuse of employee privileges, theft of information): 25%
Increase in external attacks (e.g., phishing, website attacks): 41%
No perceived changes noted: 44%

Information security risk management

Information security risk management is the ongoing process of (1) identifying and understanding the potential threats and risks; (2) assessing to determine the extent of the risk; (3) remediating the risks; and (4) continuing these activities over time. It also includes the necessary communication and risk reporting within the organization.


41% of respondents noted an increase in external attacks and 25% of respondents witnessed an increase in internal attacks.


Managing risks (continued)

Information security management system

A structured and repeatable risk management approach is the core element of an information security management system (ISMS). It is also the approach chosen by a majority of companies to address their information security risks. Our survey results show that 44% of respondents currently have an ISMS in place or are in the process of implementing one, with another 32% considering an ISMS solution.

Information security standards are also playing an increasingly important role in shaping the ISMS for many organizations. Although only 8% of respondents have achieved formal certification, 36% […] the ISO/IEC 27001:2005 security standard as the basis for their ISMS. Standards can provide organizations with a set of leading practices related to information security risk management and are a logical starting point in developing an effective and comprehensive ISMS.

Given the current economic environment, how concerned is your organization with the possible reprisal from employees recently separated from your organization? (Shown: percentage of respondents)

Very concerned, and we are taking steps to help mitigate the risks: 26%
Very concerned, but we haven’t addressed the potential risks: 7%
Somewhat concerned, and we are trying to understand the potential risks: 42%
Not a concern: 25%

[…] 75% of respondents revealed that they are concerned (33% are very concerned) with the possible reprisal from employees recently separated from their organizations. Survey results also show that 42% of respondents are trying to understand the potential risks related to this […] 26% […]

75% of respondents revealed that they are concerned with the possible reprisal from employees recently separated from their organization.


Has your organization implemented an information security management system (ISMS) that covers the overall management of information security?

ISO/IEC 27001:2005 — This standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.

ISO/IEC 27002:2005 — This standard outlines the potential controls and control mechanisms which may be implemented based on the guidance provided within ISO/IEC 27001:2005 […] and general principles for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management within an organization.

Information Security Forum (ISF): The Standard of Good Practice for Information Security — This standard addresses information security from a business perspective, providing a practical basis for implementing and assessing an organization’s information security arrangements.

Our perspective

Our survey shows that the levels of internal and external risk continue to increase. To manage the increased risks, companies should develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job […] their potential exposure within this sphere and put in place appropriate risk-based responses.

[…] to the organization: protecting critical information. Companies need to take an information-centric […] understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs. Information-centric security moves far beyond the boundaries of information technology (IT), and to deliver such an approach successfully, information security functions need to be more closely integrated with the business. This will help change how security should be […] “obstacle” to achieving business objectives.

ISMS implementation status (shown: percentage of respondents):

Yes, implemented and formally certified: 8%
Yes, without certification objective: 19%
Yes, currently in the process of implementing: 17%
No, but considering it: 32%
No, and not considering it: 24%


Addressing challenges

[…] current economic environment, and like any other organizational function, it is competing for scarce resources. The availability of resources, budget and organizational awareness continue to dominate this category. However, this year’s survey results show an increase in […] the information security function is not immune to the pressures of the current economic environment and like any other organizational function it is competing for scarce resources.

Availability of resources

In 2009, the primary challenge to effectively delivering information security was the lack […] 56% […] (4) […] (5) challenge (on a 1 to 5 scale); this is an increase of eight percentage points compared to our 2008 survey results (48%). In somewhat of a contradiction, our respondents indicated that the two leading areas for reducing spending over the coming 12 months will be outsourcing of security functions (18%) and staffing (16%) […] only 20% of respondents plan to hire more in-house resources and only 14% plan to spend more on outsourcing to help alleviate this issue.

What is the level of challenge related to effectively delivering your organization’s information security initiatives for each of the following? (Shown: percentage of respondents; 5 = significant challenge, 1 = not a challenge)

Challenge | 5 (significant challenge) | 4 | 3 | 2 | 1 (not a challenge)
Management sponsorship | 8% | 19% | 29% | 25% | 19%
Understanding emerging technologies | 5% | 22% | 35% | 25% | 13%
Regulatory change or uncertainty | 8% | 22% | 31% | 23% | 16%
Business uncertainty | 12% | 21% | 27% | 20% | 20%
Organizational change | 11% | 23% | 23% | 20% | 23%
Assessing new threats and vulnerabilities | 9% | 29% | 36% | 19% | 7%
Organizational awareness | 13% | 35% | 33% | 14% | 5%
Adequate budget | 19% | 31% | 29% | 14% | 7%
Availability of resources | 20% | 36% | 28% | 11% | 5%

In 2009, the primary challenge to effectively delivering information security was the lack of appropriate resources.


[…] to outsource their security functions. With the exception of attack and penetration testing (55%) and security assessments/audits (44%), […]

Given this aversion to outsourcing and the fact that organizations continue to struggle to […] alleviate their resource challenges.

[…] for outsourcing? (Shown: percentage of respondents)

Function | Currently outsourced | Under evaluation/planned for outsourcing | No plans to outsource
Incident response | 10% | 6% | 84%
Vulnerability/patch management | 17% | 8% | 75%
Security training and awareness | 12% | 15% | 73%
Disaster recovery/business continuity | 15% | 12% | 73%
Forensics/fraud support | 14% | 13% | 73%
Help desk | 23% | 7% | 70%
Application testing | 21% | 12% | 67%
Firewall or other device management | 30% | 9% | 61%
Security assessments/audits | 44% | 16% | 40%
Attack and penetration testing | 55% | 18% | 27%

While adoption of new technologies to automate and sustain controls can help offset the […] too reliant on technology at the expense of people and processes. Therefore, organizations should consider adopting co-sourced security models, wherein they can access appropriately skilled resources from their co-sourcing partners without relinquishing control over their security function to the degree associated with outsourcing.

Adequate budget

Allocating adequate budget to information security continues to be a challenge in 2009, […] 50% […] (4) […] (5) […] 17 […] 2008 (33%). […] interesting in light of the fact that 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures, and 52% planned on maintaining the same level of spending.


Allocating adequate budget to information security continues to be a challenge.


Addressing challenges (continued)

[…] reduced, nor is the security function being asked to take on more responsibility than in previous […]

One contributing factor may be that 44% of the organizations that participated in the survey still don’t have a documented information security strategy. In the absence of a well-thought-out […] business case for an appropriate budget allocation, particularly in today’s economic climate. […] It is more important than ever for organizations to develop comprehensive, risk-based security strategies, prioritizing spend based on the value of the assets at risk, both in order to […] budgets.

Does your organization have a documented information security strategy for the next one to three years? (Shown: percentage of respondents)

Yes: 56%
No: 44%

Organizational security awareness

It has long been generally accepted that authorized users and employees pose the greatest security threat to an organization and that raising and maintaining the awareness level of those people is a crucial part of an effective information security strategy. In spite of this […] (74%) […] than half of all respondents indicated that their program includes such things as:

• Updates and alerts on current threats (44%)
• Informational updates on new hot topics (42%)
• […] for high-risk user groups (35%)

Furthermore, only 20% of respondents indicated that they measure the effectiveness of their awareness programs and modify those programs based on the results.


Social networking

Social networking is the interaction between people over the internet on websites that attempt to mimic real-life encounters (e.g., Facebook.com, LinkedIn.com). Social networking sites present many potential risks, including: identity theft, legal or libel issues, viruses, malicious code, as well as disclosure of sensitive company information. Organizations should take steps to inform and educate their people about the issues related to social networking as an important part of their security awareness programs.


What elements are currently covered in your organization’s security awareness program? (Shown: percentage of respondents)

General awareness of security topics in general: 74%
Review and agreement of compliance with current security policies and standards: 61%
Direct and frequent updates/alerts on current threats to the organization: 44%
Informational updates on new hot topics: 42%
[…] for high-risk user groups: 35%
Measuring the effectiveness of awareness activities and improving the program based on these measurements: 20%

Given that the challenge associated with organizational security awareness has not been reduced over time, it can be concluded that many current security training and awareness […] 73% of respondents have no plans to outsource their security training and awareness programs. Yet, when we look closer at the 12% of respondents who currently outsource this activity, […] does not make it into the top three challenges for these organizations. This may illustrate the fact that more organizations should begin to look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.

Our perspective

Our survey shows that organizations continue to be impacted by a lack of information security resources and inadequate budgets. They are also struggling to make improvements in the area of organizational security awareness. These challenges are not new, but they are increasing under the pressure of the current economic climate; information security leaders […] be considered a fundamental aspect of all new security initiatives.

Companies need to adopt a risk-based security strategy to help prioritize initiatives, justify […] committed. Organizations should also investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources, without turning over control to others. However, such steps should be taken with care, as the operation of security by third parties requires different management competencies from those used to manage and deliver security to an organization using internal resources only.


Security training and awareness programs are not working as well as they could be.


Complying with regulations

Regulatory compliance continues to be one of the top priorities for organizations and an important objective of the information security function. When asked about the […] 46% […] achieving compliance with regulations was very important (5) with an additional 31% considering it important (4). This is not surprising, given the considerable attention and focus on compliance efforts over the last several years by most organizations.

How important is information security in supporting the following activities in your organization? (Shown: percentage of respondents; 5 = very important, 1 = not important)

Activity | 5 (very important) | 4 | 3 | 2 | 1 (not important)
Facilitating mergers, acquisitions and divestitures | 13% | 20% | 26% | 18% | 23%
Examining new and emerging technologies | 11% | 28% | 38% | 17% | 6%
Enhancing new service or product launches | 18% | 26% | 31% | 15% | 10%
Managing external vendors | 15% | 33% | 32% | 14% | 6%
[label lost in extraction] | 30% | 30% | 24% | 10% | 6%
[label lost in extraction] | 26% | 37% | 26% | 9% | 2%
Protecting intellectual property | 40% | 25% | 20% | 10% | 5%
Supporting operational and (or) enterprise risk management | 27% | 39% | 25% | 7% | 2%
Achieving compliance with corporate policies | 38% | 36% | 19% | 5% | 2%
Achieving compliance with regulations | 46% | 31% | 14% | 6% | 3%
Managing privacy and the protection of personal information | 53% | 27% | 15% | 4% | 1%
Protecting reputation and brand | 61% | 20% | 10% | 7% | 2%

Cost of compliance

When we asked how much companies were spending on compliance efforts, we found that 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs. […] 65% […] 5% […] the next 12 months on regulatory compliance. This may be an indication that organizations are spending too much of their security budgets on demonstrating point-in-time compliance as opposed to implementing a comprehensive information security program where compliance is a by-product and not the primary driver.

[…] 36% […] deployed a solution for continuous monitoring of security controls. Moving to a more risk-driven security program and leveraging continuous compliance monitoring technologies may allow organizations to reduce the amount they spend on demonstrating compliance and either reduce their overall security investment or focus it on more value-added information security services.


Regulatory compliance continues to be one of the top priorities for organizations and an important objective of the information security function.


What impact has regulatory compliance had on the annual cost of information security for your organization? (Shown: percentage of respondents)

Cost was reduced: 5%
No change in cost: 40%
Moderate increase in cost: 39%
Significant increase in cost: 16%

Compliance-driven improvements

When we look at the impact of regulatory compliance on the effectiveness of information […] 64% […] 21% […] this dramatic an effect on information security performance, we believe that for many organizations compliance is still the primary driver of information security improvements.

What impact has regulatory compliance had on the effectiveness of information security for your organization? (Shown: percentage of respondents)

Reduced the effectiveness: 2%
No change: 34%
Moderate increase in the effectiveness: 43%
Significant increase in the effectiveness: 21%

55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs.


Complying with regulations (continued)

Privacy laws and regulations

Data protection and privacy are key components of regulatory compliance and are gaining more attention from governments and regulators. The number and complexity of privacy-related […] 68% […] understanding of the privacy laws and regulations that may impact their organizations. […] 63% […] with external partners, vendors and contractors. Although it is encouraging that companies are recognizing their privacy requirements, it is also clear that far too few organizations have taken the necessary steps to protect personal information. Only 32% of respondents have produced an inventory of information assets covered by privacy requirements, and […] (26%) […] (gathering, using, storing and disposing).

Which of the following statements can be made by your organization regarding privacy? (Shown: percentage of respondents)

We have a clear understanding of the privacy laws and regulations that may impact the organization: 68%
We have included privacy requirements in contracts with external partners, vendors and contractors: 63%
We have implemented specific controls to protect personal information: 59%
We have established a response and management process specific to privacy-related incidents: 34%
We have produced an inventory of information assets covered by privacy requirements: 32%
We have implemented a process to monitor and maintain privacy-related controls: 29%
We have conducted an assessment of the personal data life cycle: 26%

Too few organizations have taken the necessary steps to protect personal information.


Privacy and protection of personal data will become an even greater challenge for organizations as new technologies and services, such as social networking, virtualization, […]. Privacy and data protection will also likely gain increased focus from governments and regulators as they attempt to keep privacy regulations out in front of the potential risks associated with these new technologies. The combination of increased regulations and […].

Our perspective

[…] security agenda. Most organizations still spend a considerable amount of their information security budgets on compliance and plan to continue doing so in the coming year.

Organizations must formally detail all the regulations they are required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise. They also need to build an understanding of how their compliance efforts can be integrated into wider change programs, delivering greater […]. […] implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.

We also found compliance with privacy regulations to be a growing area of focus for many organizations, but with limited progress or improvement shown in the last year. Companies need to understand the scope of privacy within their operations and identify effective business champions who they can work with, to ensure that normal business processes and practices do not contribute to potential privacy violations. Consistent privacy policies and procedures are becoming the norm across globally distributed enterprises and something that all organizations should strive for.

EuroPriSe

The EuroPriSe […] evaluation of the IT product or IT service by accredited legal and IT experts and a validation of the […]. The European Privacy Seal (EuroPriSe) […] that a product has been checked and approved by an independent privacy organization and indicates a trustworthy product that can be used in compliance with European data protection laws.


Leveraging technology

When considering how organizations are leveraging new technologies, there are two distinct aspects related to information security that should be examined:

1. Which technologies are organizations implementing to improve their information security programs?

2. What are organizations doing to address the risks that are inherent with the introduction of new technologies?

Our survey results provide an insight into how technology can have both a positive and negative effect on information security.

Data leakage protection

Due to the increasing and new risks organizations are facing, data protection is now top of mind for many information security leaders. Implementing or improving data leakage prevention (DLP) […] 12 months […] by 40% of respondents as one of their top three priorities. Implementing DLP technologies is now a higher priority for many organizations than both security awareness training (39%) and regulatory compliance (27%). Improving information security risk management (47%) was the only priority that topped DLP technologies from an overall perspective, but more respondents (19%) […] DLP […]. […] (47%) and (43%) […] implementing or improving DLP technologies and processes.

Please indicate your top three security priorities for the coming 12 months. (Shown: percentage of respondents; the total column is the sum of the three priority columns)

| Priority | 1st priority | 2nd priority | 3rd priority | Total |
|---|---|---|---|---|
| Staffing | 2% | 2% | 3% | 7% |
| Implementing/improving secure development processes | 2% | 5% | 7% | 14% |
| Implementing virtualization technologies | 8% | 5% | 6% | 19% |
| Implementing standards | 7% | 7% | 6% | 20% |
| Implementing/improving IAM technologies and processes | 8% | 6% | 6% | 20% |
| Risk management | 6% | 8% | 8% | 22% |
| Performing security testing | 4% | 8% | 12% | 24% |
| Regulatory compliance | 11% | 9% | 7% | 27% |
| Internal security awareness and training | 11% | 14% | 14% | 39% |
| Implementing/improving DLP technologies and processes | 19% | 12% | 9% | 40% |
| Improving information security risk management | 16% | 17% | 14% | 47% |

Implementing or improving Data Leakage Prevention (DLP) technologies is the second-highest security priority in the coming 12 months.


DLP tools will be the leading security technology implemented over the next year. According to our survey results, 50% of respondents are at some stage of the evaluation and implementation process; 22% have planned an implementation within 12 months; and another 28% are currently evaluating the technology.

However, it isn’t just DLP technology being implemented to protect data. Of the top information security technologies planned for implementation in the coming 12 months, most are also related to this objective, including: encryption of portable media (19%), […] (17%), […] (15%) and […] (15%). […] the information security technologies that are currently in use by our survey respondents […] (69%) […] (41%) […] email encryption (35%).

[…] your organization? (Shown: percentage of respondents)

| Technology | Currently using | Planned within 12 months | Under evaluation | Not using |
|---|---|---|---|---|
| Physical and logical security convergence | 24% | 9% | 26% | 41% |
| Content monitoring and filtering tools | 69% | 9% | 10% | 12% |
| Digital rights management | 14% | 10% | 31% | 45% |
| Desktop encryption | 15% | 12% | 34% | 39% |
| Enhanced authentication (802.1x, tokens) | 49% | 12% | 18% | 21% |
| IAM products | 31% | 15% | 25% | 29% |
| Email encryption | 35% | 15% | 25% | 25% |
| Governance, risk and compliance tools | 36% | 17% | 24% | 23% |
| Laptop encryption | 41% | 17% | 23% | 19% |
| Encryption of portable media | 25% | 19% | 29% | 27% |
| Data leakage prevention tools | 25% | 22% | 28% | 25% |


Data leakage prevention (also known as data loss prevention or information leak prevention) is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information according to an organization’s policies or government and industry regulations. DLP solutions typically focus on preventing certain data or information from leaking out of the organization and detecting any unauthorized access or transmission of sensitive data.

[…]. Only 41% of respondents are encrypting laptops today, with 17% planning to do so in the next year. This is notable for a number of reasons: many breaches have occurred and continue to occur due to loss or theft of laptops; the technology is readily available and affordable to implement; and the impact to users during deployment is relatively low and should no longer be a barrier.

Few companies are encrypting their laptops. Only 41% of respondents are encrypting them today, with 17% planning to do so in the next year.


Leveraging technology (continued)

Virtualization and cloud computing

New technologies are making an impact in the corporate enterprise, particularly virtualization and cloud computing. Both are unquestionably receiving a lot of media attention, and given the current economic environment, virtualization offers some attractive options for business leaders looking to cut costs, increase manageability and […].

[…], with 78% of respondents indicating that they will have implemented virtualization before the end of the next year. However, only 19% of the same respondents indicated that virtualization was a security priority. Clearly, our survey respondents do not recognize the same level of […] effort. More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications.

Cloud computing is another technology that has been very visible recently in industry publications, with some analysts predicting the cloud computing services market to reach as high as US$42 billion by 2012¹. Yet, we are seeing adoption rates for cloud computing […]. Only 17% of respondents are using cloud computing today or plan to within the next 12 months, 47% are not using it, and […] (36%) are currently evaluating its use.

[…] organization? (Shown: percentage of respondents)

| Technology | Currently using | Planned within 12 months | Under evaluation | Not using |
|---|---|---|---|---|
| Storage area networks | 80% | 5% | 6% | 9% |
| Wireless | 69% | 6% | 10% | 15% |
| Virtualization | 67% | 11% | 12% | 10% |
| Voice over IP | 63% | 9% | 15% | 13% |
| Radio frequency identifiers | 15% | 4% | 29% | 52% |
| Cloud computing | 9% | 8% | 36% | 47% |
| Grid computing | 7% | 5% | 31% | 57% |


Cloud computing essentially involves the outsourcing of computing capacity through third-party services over the internet, on an as-needed, “pay-as-you-go” basis. It can potentially help cut your power, storage, hardware, personnel and real estate-related costs. In addition, some companies are also employing a version of cloud computing — known as “Software-as-a-Service” (SaaS) — to help reduce daily technical operations and support business and consumer software.

¹ Source: IDC survey of 244 IT leaders released October 2008

78% of respondents will have implemented virtualization before the end of the next year. However, only 19% of the same respondents indicated that virtualization was a security priority.


Cloud computing has its own potential data privacy and security issues. The companies that provide cloud computing services may provide those services in different data systems in various data centers in cities around the world. Unlike a more traditional IT outsourcing arrangement, cloud computing clients do not have dedicated servers or dedicated lines. This raises issues about exactly where clients’ data exists, and under whose jurisdiction it resides at any one given point in time. In addition, the possible need to recode data may increase the exposure to errors and security risks.

Our perspective

Technology can play a major role in helping a company meet its information security and larger business objectives. However, technology can also expose an organization to additional risks. Our survey suggests that some organizations may be more focused on the […].

Organizations must assess the potential impact of any new technology that is being […] upon the organization’s ability to protect its assets.

[…] management of information security across an enterprise. However, the deployment of […].

[…] virtualization and cloud computing, to ensure that any decisions made are consistent with the overall business strategy, as well as the information technology strategy and direction of the organization.

Key information security risks and considerations for virtualization

• Spread the risk — Companies should spread out the critical application instances across physical machines as much as possible. This can be accomplished by combining them with different types of applications while maintaining an appropriate ratio between physical and virtual machines. This helps achieve higher application availability and reduce security risks.

• Limit access — Inappropriate access to server administrative interfaces can expose numerous production applications at once in virtualized environments. Develop a checklist in accordance with leading practices for […].

• Use secure networks — Secure networks should be utilized for data migrations involving virtualization software, since data is not typically encrypted in these migrations.

• Monitor threats — Properly functioning applications on virtual machines can hide latent security vulnerabilities. Thus, it is critical to continuously monitor both the virtual machines and the underlying virtual machine monitor for potential threats.


Summary

Our 2009 survey shows that companies and information security leaders are facing an environment of change; escalating levels of risk, new challenges and increasing regulatory complexity are now driving information security decisions. Companies are also struggling […] understanding the potential security impact to the organization.

Our survey also revealed that many organizations continue to be challenged by a lack of skilled information security resources and inadequate budget. These challenges have been […] by heightened economic uncertainty.

To address the risks and challenges of the changing environment, information security leaders are abandoning the old paradigms and taking a more information-centric view […] organization’s critical information, and more suited to supporting a connected business model and today’s increasingly mobile and global workforce.

By leveraging the information in this survey and taking action on the suggestions for improvement, organizations can achieve more effective information security and continue to outpace change.

Managing risks

• Improving information security risk management is a top security priority for the next year.

Addressing challenges

• Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.

• […] challenge to delivering security initiatives.

Complying with regulations

• Too few organizations have taken the necessary steps to protect personal information.

Leveraging technology

• The lack of endpoint encryption remains a key risk, with few companies encrypting laptops or desktop computers.

• […] security implications.


Our perspective

Managing risks

• Develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.

• Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.

• […] corporate citizen, rather than an “obstacle” to achieving business objectives.

Addressing challenges

• Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize […].

• […] skilled resources, without turning over control to others.

Complying with regulations

• Formally detail the regulations an organization is required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.

• Build an understanding of how compliance efforts can be integrated into wider change programs, […].

• Implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.

• Gain an understanding of the scope of privacy within operations and identify effective business champions to help ensure that normal business processes and practices do not contribute to potential privacy violations.

Leveraging new technology

• Assess the potential impact of any new technology that is being […] upon the organization’s ability to protect its assets.

• […] alignment with the overall business strategy and information technology strategy.


Survey approach

Ernst & Young’s 12th annual global information security survey was developed with the […] 60 […].

This year’s survey was conducted between June 2009 and August 2009. Nearly 1,900 organizations across all major industries participated.

Methodology

The questionnaire was distributed to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process.

Most of the survey responses were collected during face-to-face interviews with individuals responsible for information security at the participating organizations. When this was not possible, the questionnaire was administered electronically via the Internet.

If you wish to participate in Ernst & Young’s 13th annual global information security survey, […] completing a brief request form.

Survey participants by region (Shown: percentage of respondents)

| Region | % |
|---|---|
| Americas | 29% |
| Asia/Pacific | 29% |
| Europe | 33% |
| Middle East/Africa | 9% |


Survey participants by major industry group (Shown: percentage of respondents)

Industry groups: Other; Government & public sector; Health services; Energy & utilities; Technology; Retail, wholesale & distribution; Manufacturing; Financial services. Values shown: 16%, 10%, 30%, 7%, 19%, 7%, 6%, 6% (the extracted text does not preserve which value belongs to which group).

Survey participants by annual revenue (US$) (Shown: percentage of respondents)

| Annual revenue | % |
|---|---|
| Not applicable | 6% |
| Less than $100 million | 28% |
| $100 million–$499 million | 22% |
| $500 million–$999 million | 9% |
| $1 billion–$9 billion | 23% |
| $10 billion or more | 12% |

Survey participants by job title (Shown: percentage of respondents)

| Job title | % |
|---|---|
| Other | 34% |
| Chief Technology Officer | 3% |
| Chief Security Officer | 5% |
| Chief Information Security Officer | 12% |
| Information Security Executive | 13% |
| Information Technology Executive | 16% |
| Chief Information Officer | 19% |


About Ernst & Young

[…] issues because we recognize that every need and issue is unique to that business.

Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity […] management helps you to improve the competitive advantage of your information technology operations, to make […]. Our […] information technology risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective advice — wherever you are in the world. We work with you to develop an integrated, holistic […]. We understand that to achieve your potential you need a tailored service as much as consistent methodologies. We […] insights from our work worldwide. It’s how Ernst & Young makes a difference.

For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or any of the people listed in the table below.

Contacts

Global

Norman Lonergan (Advisory Services Leader, London)

Paul van Kessel (IT Risk and Assurance Services Leader, Amsterdam)

Advisory Services

Robert Patton (Americas Leader, Atlanta)

Norman Lonergan (Europe, Middle East, India and Africa Leader, London)

Robert Der (Far East Leader, Shanghai)

Isao Onda (Japan Leader, Chiba-shi)

Doug Simpson (Oceania Leader, Sydney)

IT Risk and Assurance Services

Bernie Wedge (Americas Leader, Atlanta)

Paul van Kessel (Europe, Middle East, India and Africa Leader, Amsterdam)

Troy Kelly (Far East Leader, Hong Kong)

Giovanni Stagno (Japan Leader, Chiyoda-ku), +81 3 3503 1100

Iain Burnet (Oceania Leader, Perth)


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

For more information, please visit www.ey.com.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

About Ernst & Young’s Advisory Services

The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 18,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization, you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2009 EYGM Limited. All Rights Reserved.

EYG no. XXXXXX

Ernst & Young is committed to minimizing its impact on the environment. This document has been printed using recycled paper and vegetable-based ink.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

www.ey.com