Short-termism leaving companies exposed to cyber risk: E&Y
Written by staff reporter
Organisations need to fundamentally shift their approach to information security in order to meet the threats presented by existing and emerging technologies, according to the results of Ernst & Young’s 15th Global Information Security Survey 2012, released today. The report is based on responses from over 1,850 CIOs, CISOs and other information security executives in 64 countries.
With 88% of respondents experiencing a higher number of security incidents in the last two years and 77% using the cloud, the need to develop a robust security architecture framework has never been greater. However, 64% of organisations have no such framework in place and almost half of respondents (45%) admit to only discussing information security issues once a year with their boards.
A lack of specialist skills is the main reason cited (by 57% of respondents) for organisations focusing on improvements to their information security capabilities that provide only short-term fixes, rather than tackling the overall threat.
Mark Brown director of information security at Ernst & Young commented: “The results of our survey point at two necessary changes. On the one hand, businesses need to understand that information security can no longer simply be an IT issue. They need to transform their perception of information security and make it a board sponsored topic that is eventually embedded in the core strategy of a business.
“On the other hand, we need to look at the bigger picture – that of the lack of specialist skills. Since the late 1990s the number of UK-born graduates studying mathematics and science degrees has fallen by almost 70%. This has led to an increasing shortage in relevant skills and has put the UK’s efforts to tackle growing cyber security risks on the back foot.
“Encouraging the workforce of the future to seek a career in IT and information security is key to a sustainable solution.”
Information security continues to be IT-led within many organisations, with 61% of respondents in the UK indicating that their companies have placed responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps. In addition, a reappraisal of responsibilities is required.
Only 11% of respondents report discussing information security topics at each board meeting. When it comes to the extent to which the information security function meets an organisation’s needs, only 15% of UK corporates state that it does so fully. The main reason cited is a lack of skilled resources: 57% this year, compared to 23% in 2011.
Organisations recognise that the risk environment is changing as the frequency and nature of information security threats increase and the number of security incidents rises. The vast majority (88%) of respondents agreed that there is an increasing risk from external attacks, but over half (61%) name budget constraints as the main obstacle to their company’s information security strategy.
New technologies are opening up tremendous opportunities for organisations, but also potential threats from previously unknown sources. Cloud computing continues to be one of the main drivers of business model innovation, with the number of organisations using the cloud globally almost doubling in the last two years. However, 20% of organisations in the UK have not taken any measures to mitigate the associated risks, such as stronger oversight of the contract management process for cloud providers or the use of encryption.