Lack of management sponsorship threatens CI security
Wednesday 18 November 2009
Finding adequate security budgets and a lack of management sponsorship are major concerns for local IT professionals, according to the 12th annual Ernst & Young 2009 Global Information Security Survey.
This year the global survey of over 1,900 senior executives in more than 60 countries included a wide range of Channel Islands businesses. In many cases the results for the Channel Islands mirrored those at a global level. However, in a small number of areas there were dramatic differences. For example, globally 75% of respondents are concerned with possible reprisals from employees who have recently left their organisations, and 26% were taking action as a result. Locally only 59% saw this as an issue, and none of these respondents cited this as a major concern or said they were taking steps to mitigate the risks.
Carl Ceillam, Senior Manager of Ernst & Young Channel Islands’ IT Risk and Assurance services, comments: “The recession has led to redundancies and other cutbacks that may impact employee morale and loyalty. Staff reductions can also lead to knowledge retention issues and have an adverse effect on the organisation’s control environment. Companies should undertake a specific risk assessment exercise to identify their potential exposure and put in place appropriate risk-based responses.”
Management sponsorship - a major concern in the Islands
One of the most notable findings in the local results was around the challenges that organisations face in delivering information security. In top position, management support was ranked as a significant challenge by 29% of local businesses. This is in stark contrast to the global results where the same challenge was at the bottom of the league, with only 6% seeing this as a major issue. Organisational awareness was also regarded as a moderate or higher challenge by 94%, suggesting that senior management may lack sufficient understanding of security risks to allow them to deliver sufficient support.
Finding adequate budgets - still a significant challenge
Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 47% of local respondents ranking this as a “high” (4) or “significant” (5) challenge; global figures were almost the same at 50%. This finding is also particularly striking in light of the fact that 35% of CI respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures and 59% planned on maintaining the same level of spending.
Mr. Ceillam continues: “These days information security requires a lot more investment, as organisations race to catch up with an accelerating threat landscape, after a much delayed start. However, information security is not immune to external economic forces and senior IT professionals will need to improve efficiency and effectiveness while keeping spending to a minimum.”
Complying with regulations
The survey revealed that regulatory compliance is also a top priority for information security leaders and continues to be an important driver of information security improvements.
When asked how much their companies were spending on compliance efforts, 78% of respondents indicated that regulatory compliance costs had led to moderate to significant increases in their overall information security costs over the last three years. However, over 60% also said that regulatory compliance has led to a similar increase in the effectiveness of information security in their organisation.
Mr. Ceillam explains: “When we look into these figures in even more detail, it does seem that there is a clear link between increased regulatory compliance and improved security. This is a good thing, but for many organisations this has been a fortunate by-product of compliance, rather than a proactive move to adopt best practice.”
Leveraging technology
Due to the rising number of data breaches, data protection is at the forefront of many information security leaders’ minds. Implementing or improving Data Leakage Prevention (DLP) technologies is the second-highest security priority in the coming 12 months, identified locally by 53% (40% globally) of respondents as one of their top three priorities. Data leakage prevention is the combination of tools and processes for identifying, monitoring and protecting sensitive data or information.
One of the most startling findings is how few companies are encrypting their laptops. In line with global findings, locally 50% of respondents are currently encrypting them, with 28% planning to do so in the next year. This is surprising for a number of reasons: the number of breaches that have occurred due to loss or theft of laptops; the fact that the technology is readily available and affordable to implement; and that the impact on users during deployment is relatively low and should no longer be a barrier.
Mr. Ceillam concludes: “Our survey shows that local businesses are facing and responding to many of the same risks as their international counterparts. We are also slowly starting to see a shift in attitude from protecting the perimeter to protecting data wherever it is held. But I am deeply concerned that gaining management sponsorship appears to be such a problem. I have said before that an organisation’s information security stance has to come from the top down. Otherwise best efforts can be fragmented, misplaced and ineffective. This issue is something that we intend to explore with our respondents over the coming months.”