12th Annual Giss

May 16, 2015

risspa

  • 1. Outpacing change: Ernst & Young's 12th annual global information security survey

2. Foreword; Introduction: outpacing change; Managing risks; Addressing challenges; Complying with regulations; Leveraging technology; Summary; Survey approach; About Ernst & Young

3. Foreword

Over the last year, we have witnessed unprecedented changes in the global economic environment. Increased pressure to reduce costs, coupled with increased government and industry regulations, has presented new risks and challenges, challenges that many organizations are now struggling to address and which can significantly affect their information security postures. We have also witnessed new technologies introduced and adopted, some that helped improve information security and some that brought new risks and concerns.

The survey results are encouraging in that many organizations are now taking a more holistic view of security and focusing on the overall health of their information security programs. However, our survey also reveals that the lack of adequate budget and resources continues to be a significant challenge for many organizations.

The Ernst & Young global information security survey is one of the longest-running and most recognized annual surveys of its kind. We are very proud that for 12 years, our survey has helped our clients focus on the right risks and priorities, identify their strengths and weaknesses, and improve their information security.
We are also impressed that this year's survey received the highest levels of participation since its inception more than a decade ago, demonstrating that information security continues to be an important issue for our clients. I would like to extend my warmest thanks to all of our nearly 1,900 survey participants for taking the time to share their views on information security. My colleagues and I are confident you will find this survey report useful, informative and insightful. We welcome the opportunity to speak with you personally about your specific information security risks and challenges. We are certain such discussions will position you to stay ahead of change and allow you and your organization to achieve your full potential.

Paul van Kessel
Global Leader, IT Risk and Assurance Services

5. Introduction: outpacing change

How do you protect your organization's brand and reputation in an environment of change? How do you identify and manage new risks? How do you overcome increasing challenges to deliver an effective information security program? How do you comply with new regulations and industry requirements? How do you leverage technology to not only meet business objectives but also improve security?

These are just some of the questions that information security leaders are struggling with and must find answers to if they are going to outpace change and protect their organization's most critical information assets.

Over the last year, we have witnessed a global economic downturn become a crisis for many countries and many organizations. We have seen the competitive landscape drastically altered for many industries.
Although there are signs of economic recovery, the impact of these difficult times will continue to be felt by many companies as they reshape, restructure and reinvent themselves.

Information security leaders are facing considerable challenges as a result of the current environment. It would be naive to think that information security has not also been impacted by economic pressures; the need to reduce costs and provide more results from investments already made extends to all areas of the enterprise, including the information security function. To support this statement, there is evidence from our survey that many more organizations are struggling with a lack of skilled and trained information security resources. Our survey respondents are also reporting that finding adequate budget for information security is a major challenge for the coming year. These are clear indicators that information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum.

The current environment is also producing a rise in both internal and external threats. Our survey participants reveal a growing concern with reprisals from recently separated employees as well as noting an increase in external attacks on their company websites and networks.

Regulatory compliance is also top of mind for information security leaders, and our survey confirms that it continues to be an important driver of information security improvements. Several industries and countries are moving toward more regulation, primarily related to data protection and privacy. Correspondingly, companies are reporting an increase in the cost of compliance as the complexity and number of regulations also increases.

In this 12th annual global information security survey we take a closer look at how organizations are specifically addressing the changing environment, including the risks, challenges, increasing regulatory requirements and new technologies.
We also identify and examine potential opportunities for improvement and important short-term and long-term trends that will shape information security in the coming years.

6. Managing risks

In the last several years, we have seen a shift in the way technology is being deployed to support the flow of information. The increasingly mobile and global workforce, coupled with the rapid adoption of broadband and over-the-air technologies, has changed the way many organizations use technology and information. As a result, it has expanded, or perhaps even eliminated, the traditional borders of the organization and the conventional digital perimeter paradigm. Organizations must now adjust their information security risk management approach from keeping the bad guys out to protecting information no matter where it resides. We consider this to be a more information-centric view of security and a more effective approach.

Not surprisingly, improving information security risk management was the top security priority for our survey participants, with 50% of respondents indicating that they plan to spend more and 39% planning to spend relatively the same amount on this initiative over the next year.

Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities?
Activity | Spend more | Same or constant | Spend less | Not answered
Improving information security risk management | 50% | 39% | 5% | 6%
Implementing or improving DLP technologies and processes | 43% | 47% | 5% | 5%
Implementing virtualization technologies | 41% | 42% | 9% | 8%
Internal security awareness and training | 39% | 49% | 7% | 5%
Risk management | 36% | 54% | 4% | 6%
Performing security testing | 32% | 55% | 8% | 5%
Implementing or improving secure development processes | 30% | 56% | 6% | 8%
Implementing or improving IAM technologies and processes | 28% | 57% | 7% | 8%
Regulatory compliance | 28% | 60% | 6% | 6%
Implementing standards | 24% | 59% | 9% | 8%
Staffing | 20% | 58% | 16% | 6%
Implementing other technologies | 17% | 39% | 5% | 39%
Forensics/fraud support | 14% | 67% | 9% | 10%
Outsourcing of security functions | 14% | 59% | 18% | 9%

Shown: percentage of respondents

The role of regulators in promoting an information-centric security approach

In Singapore, the Monetary Authority of Singapore (MAS) has recently released a set of guidelines requiring financial service institutions to evaluate the risks of information being compromised through endpoints. This approach places the emphasis on establishing controls that follow the flow of information, as well as the organization's understanding of risk and the controls they have in place to protect the data.

7. Increased threats

In addition to the technology shift, the current economic environment is fueling an increase in the number of threats organizations are facing. The increase is driven not only from external sources (our survey found that 41% of respondents noted an increase in external attacks) but also from within the organization: 25% of respondents witnessed an increase in internal attacks, and 13% reported an increase in internally perpetrated fraud.
Given the current economic environment, have you seen or perceived a change in the threats facing your organization?

No perceived changes noted: 44%
Increase in external attacks (e.g., phishing, website attacks): 41%
Increase in internal attacks (e.g., abuse of employee privileges, theft of information): 25%
Increase in externally perpetrated fraud: 19%
Increase in internally perpetrated fraud: 13%

Shown: percentage of respondents

Information security risk management defined

Information security risk management is the ongoing process of (