Achieving Success in a Globalized World


Achieving Success in a Globalized World
Is Your Way Secure?
2006 Global Information Security Survey

Table of Contents

Foreword
Summary of Key Findings
Introduction: Information Security in a Globalized World
Five Global Priorities for Information Security
> Integrating Information Security with the Organization
> Extending the Impact of Compliance
> Managing the Risks of Third Party Relationships
> Focusing on Privacy and Personal Data Protection
> Designing and Building Information Security
Know Where You Are: Benchmarking Your Information Security
Global Information Security Risk Challenges: 2007 and Beyond
Next Action Steps: Securing Your Way in the Globalized World
Survey Methodology

Foreword

Senior executives face the daily demands of running the enterprise. The stock market is continuously measuring their performance and their contribution to shareholder value. The spotlight is primarily focused on margins and the expectations for year-to-year revenue growth and increased market share. Companies increasingly are looking for better ways to deliver on the financial performance expected by stakeholders through a variety of key business initiatives. These initiatives may include capital investments and change management activities, such as IT implementations and upgrades, acquisitions, off-shoring various operations, establishing shared services centers and expanding into international markets. The success of these programs is predicated upon the delivery of a defined benefit, the effective use of capital resources and the assumption of measured business risks.

How comfortable, though, are companies that the business risks around these major programs and change initiatives are being properly controlled and managed? Almost daily, companies are reporting failure to realize desired outcomes of major programs, significant overruns in budgets and late delivery of programs resulting from inadequately managing the associated risks.

Every day Ernst & Young helps companies to manage their risks that can keep them out of trouble, and improve their performance that can make their business better. Our risk advisory services are multidisciplinary in nature and are among other things focused on corporate governance, enterprise risk management, internal control structures, information technology risks, fraud and transactions. Many of the key business initiatives require the use of information technology and therefore information risk management plays an important role in our risk advisory services. This survey report is focused on information security, which is the foundation of any information risk management system.

I am proud that for almost a decade Ernst & Young's Global Information Security Survey has helped senior executives to focus on the right information security risks, benchmark the strength of their information security management systems with peer companies and build an improvement agenda for the future.

Overall, our 2006 Global Information Security Survey confirms that information security has never been more important. It shows that many companies are making significant progress in mitigating risk by strengthening their information security. This is due to greater investments, greater board involvement, positive influences of regulatory pressures and maturity in information security leadership. However, the dynamics of risk require continuous improvements and updates to information security measures. This year's survey report covers both the positive information security trends and areas for further improvements.

I want to close by thanking the survey participants for taking the time to share their views on information security risks, the challenges they are facing and their improvement ideas. My colleagues and I welcome the opportunity to talk with you personally about the risks your company is facing, how to stay out of trouble and how to make your business better.

Paul van Kessel
Global Leader of Technology and Security Risk Services
Risk Advisory Services
Ernst & Young

Summary of Key Findings

12 Positive Trends

Including the 2006 results, Ernst & Young's Global Information Security Survey has shown over the past years that many companies are making significant progress in mitigating risks by strengthening their information security.

Integrating Information Security with the Organization
Trend 1: Information risk management is becoming integrated into overall risk management.
Trend 2: Information security is now more integrated in companies' cultures.
Trend 3: The information security function is now more integrated in outsourcing discussions.

Extending the Impact of Compliance
Trend 4: The impact of compliance continues to grow.
Trend 5: Compliance is promoting teaming between information security and other functional business groups.
Trend 6: Compliance is improving information security.

Managing the Risks of Third Party Relationships
Trend 7: Companies are managing their suppliers' vendor-related risks.
Trend 8: Suppliers are managing their own vendor-related risks.

Focusing on Privacy and Personal Data Protection
Trend 9: There is an increasing focus on proactive privacy and personal data protection.
Trend 10: Privacy and personal data protection practices are becoming increasingly formalized.

Designing and Building Information Security
Trend 11: Information security is becoming more proactive in meeting business objectives and business continuity planning.
Trend 12: Information security is increasingly adopting recognized standards.

12 Areas For Continuous Improvement

The 2006 Global Information Security Survey suggests information security's organizational position will be strengthened through the convergence of continuous improvements and companies recognizing and taking more seriously complex global business risks.

Integrating Information Security with the Organization
> Involve information security early and substantially in key business initiatives.
> Report on a regular basis about information security issues to the board of directors and business unit leaders.
> Consider outsourcing part of the information security function.

Extending the Impact of Compliance
> Stay proactively involved in achieving regulatory compliance, while continuing to team with other functional business groups to meet business objectives.
> Carry out security rationalization and optimization.

Managing the Risks of Third Party Relationships
> Adopt formal procedures for managing vendor-related risks.
> Apply recognized standards, and independent control reviews.

Focusing on Privacy and Personal Data Protection
> Invest in privacy security initiatives, including privacy training for executive management.
> Formalize access controls around information and information processing.

Designing and Building Information Security
> Enable business to be conducted more securely with new technologies.
> Approach business continuity planning as an integrated effort with management and information technology.
> Adopt a standard that provides a framework for deploying effective information security practices.

Introduction: Information Security in a Globalized World

In today's globalized business environment, growth and risk are more closely linked than ever, with the largest opportunities accompanied by the largest risks. Success in executing global business strategies has never been more dependent upon effective risk management than today. In our networked world, small- and medium-sized companies are just as likely to participate in global business ventures as large companies, because electronic commerce has provided a more level playing field. Companies expanding into new markets and deploying operations in rapidly emerging economies face exponentially greater business risk, including risk to vital corporate and customer information. Today's huge opportunity can quickly become tomorrow's nightmare, particularly if the nightmare involves loss or corruption of company information, theft of trade secrets, exposure of customer information, or infiltration of systems.

What Has Been Achieved?

Fortunately, many companies are making progress in mitigating these risks by strengthening their information security. Including the 2006 results, our Global Information Security Survey has shown over the past years:

Greater investments. There have been significant investments in information security in recent years, which encompass investments in:
> People: more security officers in central and decentralized information security functions.
> Processes: more formal, documented and certified procedures.
> Technology: more hardware and software for access control, intrusion detection and virus protection.

Greater board involvement. Information security is now higher on the business agenda and radar screens of corporate boards of directors, as the mass media publicize the frequency and seriousness of information security incidents.

Positive influences from regulatory pressures. Compliance with regulations regarding internal controls, financial reporting, and privacy is now a substantial catalyst for companies to understand and invest in addressing information risk challenges.

Maturity in leadership. Information security is maturing in its overall capabilities and sustained impact on company business operations, regulatory compliance, and reputation.

Continuous Improvements Are Necessary

Looking forward, the importance of information for business will continue to grow. We expect more detailed regulations on financial reporting and protection of sensitive business information and privacy. We also expect companies around the globe, now that businesses understand more about the information risks they are facing and the impact of those risks, to continue strengthening their information security. Enterprises will need to further develop and support their information security infrastructure, which will enable them to achieve their business goals. This report will help them to obtain a broader and deeper understanding of the current security trends and focus on those areas where we expect continuous improvement to be most necessary.

Distinctive Features of this Survey Report

Security trends. In our well-known executive questionnaire, we asked companies' information security leaders, including CIOs (Chief Information Officers) and CISOs (Chief Information Security Officers), to respond to questions focused on the business drivers for information security and how organizations are responding to them. Our ISO based benchmark questionnaire invited organizations' information security teams to respond to questions that focus on information security practices. The security trends derived from both questionnaires are presented throughout this report.

Five global priorities. Based on the survey results, we identified five global priorities for information security that focus on strategies and investments for managing risks over the next several years. These five priorities form the main part of the discussion in this report and represent the continuous improvement opportunities going forward.

Next steps. All companies face the changing global risk landscape as they pursue global opportunities. In this part of the report we provide an overview of the information security risk challenges to help you identify your organization's global information security risks, threats, and vulnerabilities and next action steps for building your own 2007 continuous improvement agenda for information security.

Ernst & Young's insights. To provide a unique perspective on the important information security issues, we invited senior security practitioners of Ernst & Young's Technology and Security Risk Services practice to share their views on the five global priorities for information security that are discussed in this report. You will find their views as quotes throughout this section of the report.

Benchmarking. A genuine, standards-driven benchmarking approach helps organizations develop a clear understanding of their information security posture and establish an agenda for continuous improvement. We present in the report a brief description of the Ernst & Young ISO based benchmark and how companies can participate.

The survey results and discussion in this report will be helpful to all organizations, wherever they are located in the global arena. Information security is pivotal to the success of each of them, whatever their size or aspirations.


Five Global Priorities for Information Security

As global business risk becomes more complex and all-encompassing, organizations must enhance their risk management in order to achieve their business strategies. There must be continuing alignment of companies' business, governance, information technology, and information security activities. One cannot talk productively about expanding into new markets or taking on new partners without assessing and addressing significant risks to data access and integrity, customer service and privacy, and network communication and security (a subject previously confined to information security teams alone). Similarly, corporate governance and regulatory compliance require effective alignment of financial management, operational, and information security controls.

In this report, we focus on five global priorities for information security that will have an accelerating impact on organizations' ability to manage their risks and, ultimately, on their success. The five priorities are:
> Integrating Information Security with the Organization
> Extending the Impact of Compliance
> Managing the Risks of Third Party Relationships
> Focusing on Privacy and Personal Data Protection
> Designing and Building Information Security

Information security leaders are encouraged to address these priorities within the context of their companies' business strategies, and develop explicit risk management approaches to support their global business initiatives.


Integrating Information Security with the Organization

An enduringly interesting topic for information security management is the actual role and perceived importance of information security within companies. In the past, Ernst & Young's Global Information Security Survey has shown that while information security was viewed as necessary to support the business after important decisions were made, it was essentially considered an isolated function. Over the years, our survey and extensive discussions with information security executives have told us that the information security function is slowly but steadily entering the mainstream of organizations, gaining visibility and resources. This is shown by a number of trends; the most important are described here.

Trend 1: Information Risk Management is Becoming Integrated into Overall Risk Management

The pressing requirements of regulatory compliance, the top focus of information security time and resources during the past year, have been a strong driver of organizations bringing information risk management into their overall risk management activities. Corporate leaders are starting to recognize that information security needs to have a permanent place at the risk management table to help with compliance, as well as proactively identify and manage other enterprise risk areas. Nearly two thirds of survey respondents say their companies use regular meetings, steering groups, and formal frameworks to ensure information security involvement. A growing percentage of survey participants (43% in 2006, compared with 40% in 2005) say information security is integrated with their organizations' risk management programs and processes.

Trend 2: Information Security is Now More Integrated in Companies' Cultures

Effective information security is dependent on company employees having a clear understanding of policies and their individual responsibilities. If that is the case, information security resources will be consistently deployed and the company will be able to better control its risks and vulnerabilities. This year's ISO based benchmark questionnaire suggests that companies' information security policies, roles, and responsibilities are not only reasonably well-developed, but also more clearly and effectively communicated and understood by employees. The growing interest in company level controls, which has resulted in greater attention to employee awareness and knowledge sharing, has helped make information security a more integral part of companies' cultures.

"Information security integrated in overall risk management is a key leading practice."
Teri Shaffer, Ernst & Young, United States

Trend 3: The Information Security Function is Now More Integrated in Outsourcing Discussions

Increasingly, information security outsourcing is the subject of corporate outsourcing discussions. These discussions are being driven in part by what survey participants are saying is the biggest challenge in delivering strategic information security: the availability of experienced and well-trained practitioners. According to our survey, what has emerged from these discussions are two different views about information security outsourcing. Participants in both the 2006 and 2005 surveys were overwhelmingly emphatic about not wanting to outsource their information security activities. On the other hand, 60% of 2006 survey participants who are planning or who have already outsourced information security duties say outsourcing is a way to make more of these valuable resources available within their companies. Is there better proof that information security is seen as an important and valuable business function?

More than half of survey participants need to integrate information risk management into their overall risk management activities.

There are additional opportunities to advance the integration of information security with organizations.

[Figure: Percentage of respondents reporting strategic efforts in which information security is proactively involved. Multiple responses allowed.]
Enhancing service or product launch or delivery: 43%
Enabling strategic initiatives: 41%
Protecting intellectual property: 40%
Enhancing customers' experience: 36%
Facilitating mergers and acquisitions: 15%

A significant number of organizations are not reporting about information security to their board of directors and business unit leaders on a regular basis.

[Figure: Frequency of information security leaders reporting to the following groups. Categories: Projects, Incidents, Compliance. Series: At least annually, Less often, Never. Totals do not equal 100% due to rounding.]
Board of directors or equivalent: 57% 28% 13% | 44% 15% 39% | 57% 27% 14%
Business unit leaders or equivalent: 60% 28% 10% | 48% 40% 11% | 55% 30% 12%

Continuous Improvements

While it is encouraging to see information security becoming increasingly more integrated within their organizations, our survey indicates that there are additional opportunities to advance this integration even further.

Information risk management. More than half of the survey participants need to take steps to integrate information risk management into their overall risk management activities. Information security is too often cast in a reactive role. It is after strategic decisions are made about acquisitions or establishing new business units that information security deals with the issues of architecture and frameworks and developing policies and procedures. However, our experience tells us that when companies involve information security early and substantially in acquiring or divesting assets, and in other business initiatives, they dramatically reduce the risks and tangibly enhance the benefits of strategic changes.

Information security culture. Many companies need to make further progress in strengthening their information security culture, including setting the tone at the top. A significant number of organizations represented in the survey are not reporting about information security issues to their board of directors and business unit leaders on a regular basis. We see routine reporting as an excellent opportunity for information security to gain more visibility and build a secure culture within their organizations.

Information security outsourcing. In the upcoming years, companies should continue to discuss outsourcing options for their security function. We acknowledge that outsourcing any aspect of information security requires great selectivity and careful monitoring of the outsourcing provider and individual people. But many companies have learned over the years that outsourcing even sensitive finance and legal areas is an effective solution as long as it is well managed and controlled. Given the scarcity of security resources and the increasing level of specialization that has to be maintained, companies that are not open to outsourcing opportunities may not meet the security requirements of their customers and industry. This in turn will adversely impact the ability of these companies to achieve their business goals.

Extending the Impact of Compliance

That compliance with regulatory demands continues this year to be a top driver of information security time and resource allocation is no surprise. In this age of government and investor scrutiny, the failure to satisfy fully regulatory compliance requirements, particularly involving internal controls, is one of the most serious business risks companies face. In last year's survey we saw that companies were working diligently on compliance-based information security, tackling initiatives specifically related to regulatory compliance. In pragmatic terms, this heavy focus meant that less attention was focused on proactive risk-based information security initiatives. What is surprising is that, unlike in 2005 when compliance was seen more as a distraction than as an enabler, this year's survey participants strongly believe their work on compliance has resulted in advances in risk-based security for their companies. The following trends support this view.

Trend 4: The Impact of Compliance Continues to Grow

The business world is fully engaged in regulatory compliance:
> We are now three years into Sarbanes-Oxley Section 404 implementation (a requirement for all companies listed on the U.S. stock exchanges).
> Other compliance deadlines are looming (Basel II, Solvency II, and the European Union's 8th Directive).
> Countries without current legislated financial reporting requirements are considering their own Sarbanes-Oxley-like legislation (e.g., Japan, Canada, and Sweden).

The result is that regulatory compliance is providing a substantial catalyst for companies to invest in addressing information security risk challenges. For the second year in a row, survey participants say compliance is the top driver that has most significantly impacted their information security practices.

Trend 5: Compliance is Promoting Teaming Between Information Security and Other Functional Business Groups

Over half of survey participants confirm their compliance work is part of an integrated organization-wide compliance effort and risk management framework. Within this framework, information security professionals are working with information technology, finance, internal audit, and corporate management to strengthen or create internal controls. This also involves reengineering financial management and reporting processes as well as corporate security requirements.

"Regulatory compliance projects were successful during the most recent years; now the time has come for security rationalization and optimization."
Monique Otten, Ernst & Young, The Netherlands

Trend 6: Compliance is Improving Information Security

There is emphatic agreement (almost 80% of participants) that efforts and activities to achieve regulatory compliance have improved their companies' information security. These results suggest information security organizations are progressing along a maturity curve regarding how they look at compliance requirements. They see that compliance, while demanding and sometimes distracting, cannot be treated as a mere distraction; in fact, companies have now seen that compliance work can be a catalyst for resolving issues that would have needed to be resolved anyway, and for proactively developing helpful new controls and processes.

Compliance is projected to be the primary driver of information security in the next 12 months.

[Figure: Top three drivers that most significantly impacted or will significantly impact organizations' information security practices. Categories: Compliance with regulations, Privacy and personal data protection, Meeting business objectives. Series: Last 12 months, Next 12 months. Values as extracted: 42% 38% 41% 50% 47% 56%. Multiple responses allowed.]

Continuous Improvements

The positive impact of regulatory compliance on companies' information security is certainly good news. Our survey also indicates that for it to continue bringing benefits, more companies need to extend their regulatory compliance investments into more areas of their business.

Sustaining the impact of compliance. Compliance is projected to be the primary driver of information security in the next 12 months by survey respondents. The question is, how will leaders of information security respond so that it continues to be a catalyst for their organizations to invest in addressing information security risk challenges? Half of this year's survey respondents reported that they were proactively involved in achieving regulatory compliance. This level of involvement needs to grow if compliance is to continue to be an enabler to information security that includes improving the efficiency of controls testing and reducing its costs.

Teaming between information security and other functional business groups. The lessons learned by information security and the other functional business groups from teaming on regulatory compliance need to be applied to other areas of the business. This is in order to provide their organizations with proactive and integrated information security processes that support achieving business objectives. Currently, fewer than half of survey respondents meet with business unit leaders and corporate officers at least quarterly about their business objectives and information security needs. The frequency of these meetings is even lower with their organizations' legal groups.

Extending information security improvements. Looking beyond the initial cycles of compliance work, it will be important for companies to be proactive in carrying out security rationalization and optimization to sustain and embed their information security compliance controls and processes into their normal operations. Furthermore, it will be important to apply continuous security monitoring to confirm that these controls and processes are in place and functioning effectively. This is an organizational challenge and, in fact, the ISO based benchmark questionnaire suggests information security officers see evidence that compliance processes, covering both regulatory and internal control compliance, have not yet been fully and sustainably deployed within their organizations.

Managing the Risks of Third Party Relationships

Companies, large and small, are simultaneously purchasers and suppliers of products and services. The risks and vulnerabilities of global supply and distribution chains that involve potentially thousands of companies are often underestimated. When companies outsource critical functions involving confidential customer or employee data, they incur even more risk and vulnerability. From our survey and work with companies that are concerned about information security issues involving their third party relationships, we have seen progress in how companies are recognizing the challenges, issues, and actions needed to manage the associated risks. With the increasing globalization of strategic outsourcing, which places sensitive information at increased risk, we see trends that point to more attention on how companies vet, contract with, and monitor the information security compliance of their suppliers and outsourcing partners.

Trend 7: Companies Are Managing Their Suppliers' Vendor-Related Risks

That over a third of survey participants say they have formal procedures in place for vendor risk management is positive news. For many, it is giving them the confidence that their vendor risk management is under control. Indeed, two-thirds of companies surveyed believe that their vendors and partners have the ability to support their policies, procedures, and standards.

Over a third of survey participants say they have informal procedures in place for vendor risk management.

[Figure: How organizations are addressing vendor risk management. Total does not equal 100% due to rounding.]
Not addressed: 21%
Informal procedures: 33%
Formal procedures: 36%
Formal procedures validated by a third party: 6%

"After a terrorist attack occurs near an outsourcing center in Mumbai it is too late to be asking about your outsourcing partner's disaster recovery plans."
Terry Thomas, Ernst & Young, India

Trend 8: Suppliers Are Managing Their Own Vendor-Related Risks

Vendors themselves are increasingly recognizing the importance of information security in their third party arrangements. They say they expect to spend more time over the next year complying with information security certification requirements prescribed in supplier agreements into which their companies have entered. For this, we expect to see SAS 70 audits and ISO certification continue to gain prominence as a means of addressing their information security controls and demonstrating their soundness to customers.


More information

Securing Critical Information Assets: A Business Case for Managed Security Services

Securing Critical Information Assets: A Business Case for Managed Security Services White Paper Securing Critical Information Assets: A Business Case for Managed Security Services Business solutions through information technology Entire contents 2004 by CGI Group Inc. All rights reserved.

More information

THE UH OH MOMENT. Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk

THE UH OH MOMENT. Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk THE UH OH MOMENT Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk By Lois Coatney, Chuck Walker and Joseph Yacura, ISG Directors www.isg-one.com INTRODUCTION A top

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

ISO/IEC 27001 Information Security Management. Securing your information assets Product Guide

ISO/IEC 27001 Information Security Management. Securing your information assets Product Guide ISO/IEC 27001 Information Security Management Securing your information assets Product Guide What is ISO/IEC 27001? ISO/IEC 27001 is the international standard for information security management and details

More information

CISM (Certified Information Security Manager) Document version: 6.28.11

CISM (Certified Information Security Manager) Document version: 6.28.11 CISM (Certified Information Security Manager) Document version: 6.28.11 Important Note About CISM PDF techexams CISM PDF is a comprehensive compilation of questions and answers that have been developed

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Action Plan 2010-2015 for Canada s Cyber Security Strategy

Action Plan 2010-2015 for Canada s Cyber Security Strategy Action Plan -2015 for Canada s Cyber Security Strategy Her Majesty the Queen in Right of Canada, 2013 Cat: PS9-1/2013E-PDF ISBN: 978-1-100-21895-3 ii Introduction Information technology is highly integrated

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

Cyber Security and the Board of Directors

Cyber Security and the Board of Directors Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Cyber Security and the Board of Directors An essential responsibility in financial services About Delta Risk is a

More information

Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015

Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015 Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015 2015 CloudeAssurance Page 1 Table of Contents Copyright and Disclaimer... 3 Results: Top 10 Cloud Service Providers

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

A NEW APPROACH TO CYBER SECURITY

A NEW APPROACH TO CYBER SECURITY A NEW APPROACH TO CYBER SECURITY We believe cyber security should be about what you can do not what you can t. DRIVEN BY BUSINESS ASPIRATIONS We work with you to move your business forward. Positively

More information

Make Global Recruiting a Winning Strategy

Make Global Recruiting a Winning Strategy Make Global Recruiting a Winning Strategy A ManpowerGroup TM Solutions White Paper Make Global Recruiting a Winning Strategy Today s global workforce is on the move like never before. Macro-economic forces,

More information

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for

More information

Consumer Goods and Services

Consumer Goods and Services Accenture Risk Management Industry Report Consumer Goods and Services 2011 Global Risk Management Point of View Consumer Goods and Services 2011 Global Risk Management Point of View Consumer Goods and

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS

More information

2014 Vendor Risk Management Benchmark Study

2014 Vendor Risk Management Benchmark Study 2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party

More information

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012 Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives Initiation date: January 2012 Completion date: June 2012 Nomination submitted by: Samuel A. Nixon

More information

Enhanced Fund Listings

Enhanced Fund Listings Enhanced Fund Listings Opportunities for Fund Marketers Compare. Connect. Invest. Investor Network Preqin Investor Network: Compare. Connect. Invest. As the alternative assets industry has grown and developed

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

Cybersecurity: A View from the Boardroom

Cybersecurity: A View from the Boardroom An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

2015 GLOBAL ASSET MANAGEMENT SURVEY

2015 GLOBAL ASSET MANAGEMENT SURVEY 2015 GLOBAL ASSET MANAGEMENT SURVEY It's not what happens to you, but how you react to it that matters." -Epictetus A survey carried out globally by Linedata. INTRODUCTION It's not what happens to you,

More information

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Capital Markets Report

Capital Markets Report Accenture 2014 High Performance Finance Study Capital Markets Report GROWTH REALIGNMENT INTEGRATION INTRODUCTION Capital markets institutions have been hit hard by the financial crisis, and face the challenge

More information

Stage. service. Procure a solution. management. communication

Stage. service. Procure a solution. management. communication Stage 4 communication management service Procure a solution Confi rm a procurement approach and select suppliers that offer best overall value for money (including risk and reward trade-offs). Key better

More information

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

Information Security: A Perspective for Higher Education

Information Security: A Perspective for Higher Education Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Insurance Accounting:

Insurance Accounting: Financial Services Insurance Accounting: The Implications By Alexander Dollhopf and Kamran Foroughi Insurers will face unprecedented change in the way they report their business under International Financial

More information

Third party use of customer lists

Third party use of customer lists May 2006 slaughter and may marketing: part 4 Third party use of customer lists Rob Sumroy, Partner In the fi rst article in this series we considered the legislative and regulatory framework that direct

More information

Accounting Law Bulletin July 2008

Accounting Law Bulletin July 2008 Accounting Law Bulletin July 2008 VEDDERPRICE Accounting Law Bulletin July 2008 PCAOB Adopts Reporting Requirements for Registered Accounting Firms Section 102(d) of the Sarbanes- Oxley Act of 2002 provides

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Third-Party Risk Management for Life Sciences Companies

Third-Party Risk Management for Life Sciences Companies April 2016 Third-Party Risk Management for Life Sciences Companies Five Leading Practices for Data Protection By Mindy Herman, PMP, and Michael Lucas, CISSP Audit Tax Advisory Risk Performance Crowe Horwath

More information

Enterprise Risk Management & Information Technology

Enterprise Risk Management & Information Technology Enterprise Risk Management & Information Technology Presented by Scott Perry and Gary Ross Slalom Consulting, San Francisco Agenda Introductions Session Objectives Overview of Enterprise Risk Management

More information

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy s gas and electric utilities collaborate with industry leaders and a wide range of

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

Preqin Special Report: Private Debt Fund Manager Outlook

Preqin Special Report: Private Debt Fund Manager Outlook Content Includes: Preqin Special Report: Private Debt Fund Manager Competition Over half of fund managers believe there is now more competition in the industry compared to 12 months ago. August 2015 Deal

More information

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management Bridgework: An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management @Copyright Cura Software. All rights reserved. No part of this document may be transmitted or copied without

More information

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million. Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges persistent threats that can undermine the

More information

Executive Management of Information Security

Executive Management of Information Security WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Vendor Risk Management

Vendor Risk Management Vendor Risk Many risk programs have only an internal focus to ensure all people, processes and systems are in control. However, as organizations rely more heavily on outsourcing key business processes,

More information

Closing the IT Talent Gap in Health Care. The Towers Watson 2013 Health Care IT Survey Report

Closing the IT Talent Gap in Health Care. The Towers Watson 2013 Health Care IT Survey Report Closing the IT Talent Gap in Health Care The Towers Watson 2013 Health Care IT Survey Report The U.S. health industry, already struggling to find sufficient numbers of skilled, faces an even tougher road

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

building a business case for governance, risk and compliance

building a business case for governance, risk and compliance building a business case for governance, risk and compliance contents introduction...3 assurance: THe last major business function To be integrated...3 current state of grc: THe challenges... 4 building

More information

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

INFORMATION SECURITY STRATEGIC PLAN

INFORMATION SECURITY STRATEGIC PLAN INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Hacking Crisis Highlights Crypto Chaos

Hacking Crisis Highlights Crypto Chaos TREND ADVISOR: Hacking Crisis Highlights Crypto Chaos Four Data Traffic Security Challenges Exposing Enterprises to Hack Attacks IT departments were battered by a cybersecurity perfect storm in 2014. While

More information

Cyber security: Are consumer companies up to the challenge?

Cyber security: Are consumer companies up to the challenge? Cyber security: Are consumer companies up to the challenge? 1 Cyber security: Are consumer companies up to the challenge? A survey of webcast participants kpmg.com 1 Cyber security: Are consumer companies

More information

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT) INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

Everything You Need to Know About Effective Mobile Device Management. mastering the mobile workplace

Everything You Need to Know About Effective Mobile Device Management. mastering the mobile workplace Everything You Need to Know About Effective Mobile Device Management mastering the mobile workplace Table of Contents Introduction... 3 1. What exactly is Mobility Management Anyway?... 4 Impenetrable

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

REGULATORY COMPLIANCE SERVICES

REGULATORY COMPLIANCE SERVICES REGULATORY COMPLIANCE SERVICES COMPREHENSIVE, TAILORED SERVICES Proactive Regulatory Guidance Today s complex regulatory environment is presenting many diffi cult challenges to fi nancial institutions

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

Earning Your Security Trustmark+

Earning Your Security Trustmark+ QUICK START GUIDE Earning Your Security Trustmark+ CompTIA.org www.comptia.org/communities Introduction One of the biggest challenges for solution providers is protecting their clients networks and information

More information

COMMUNIQUE. Information Technology (IT) Governance Guidance

COMMUNIQUE. Information Technology (IT) Governance Guidance COMMUNIQUE 14-COM-002 July 14, 2014 Information Technology (IT) Governance Guidance The Credit Union Prudential Supervisors Association (CUPSA) has established an IT Risk Working Group to focus on IT governance

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

STERLING COMMERCE WHITE PAPER. Four Keys to Effectively Monitor and Control Secure File Transfer

STERLING COMMERCE WHITE PAPER. Four Keys to Effectively Monitor and Control Secure File Transfer STERLING COMMERCE WHITE PAPER Four Keys to Effectively Monitor and Control Secure File Transfer 2 As more information is digitized and more business data is considered critical, you re spending far more

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information