Firms are still failing to implement a holistic approach towards information security as the security function remains too isolated from executive management and the strategic decision-making process, according to Ernst & Young’s tenth annual Global Information Secuirity survey.
Among its key findings, the survey highlights that a separation still persists between the information security function and the strategic decision-making process. Nearly one-third (32%) of security leaders say they never meet with their board or audit committee, and over a quarter admit they not reporting to business leaders on information security compliance or incidents.
The survey found that monthly meetings are three times more likely to take place between information security and IT than with corporate officers.
Richard Brown, head of technology security and risk services at Ernst & Young, said recent incidents in the UK such as the HMRC data breach had “done much to highlight the lack of protection of information assets held by organisations.”
He said information security had never been so high up on the corporate and private individual’s agenda, which meant it had to move forward “on the business, and not just the IT agenda.
“Data protection and privacy are increasingly big drivers for information security, and with corporate reputations at stake there needs to be strong, effective engagement with the business leaders to achieve a holistic approach across the entire organisation.”
But the survey’s finding were not all bad news. It found that that information security is becoming more integrated into overall risk management of companies with four out of five (82%) respondents reporting at least some levels of integration. Organisations that have fully integrated information security into their overall risk management approach have nearly doubled since last year –from 15% to 29%.
The research also found that privacy and data protection had increased significantly as drivers of information security. Fifty-eight percent of this year’s respondents placed privacy and data protection in the top three drivers, up from 41% a year ago.
And although compliance-based initiatives continue to be the primary driver of information security, nearly half (45%) of the survey respondents ranked helping the business to meet its overall objectives among the top three drivers of information security.
But the survey found the greatest challenge to delivering information security projects was the availability of experienced and trained resources.
More than half of respondents indicated that, as the role of information security expands within organisations, the lack of experienced and skilled resources was the number-one challenge to delivering strategic information security projects.
Ernst & Young said that today the changing face of technology was creating increasing risks. Removable media such as USB memory sticks and CDs which can hold vast amounts of valuable corporate data, and mobile devices such as PDAs and smart phones were the top security concerns, it said.
Brown said business leaders needed to work with their risk and security teams to “clearly understand their changing business risks through comprehensive and timely risk assessment. This can then be responded to with the right processes and procedures, supported by awareness and compliance activities across the organisation.