This year’s Ernst & Young Global Information Security Survey 2006 is out, and it is always an interesting read. Arguments aside about the statistical accuracy of such surveys, it still provides useful information and also helps to track progress in the topics covered as the years march on. The history of the survey alone (this is its 9th year) is quite revealing. My, my, how concerns have changed in less than a decade!
The survey obtained information from “executives in nearly 1,200 organizations in 48 countries.”
A few of the more interesting statistics and snippets:
* “For the first time in nine years organisations are listing privacy and data protection as a significant issue.”
This is rather ironic, given information security should always have been primarily about protecting data. Many organizations I speak with have clearly lost their true purpose for having information security practices, tools and dedicated staff when I hear them focus solely on just the technical aspects and don’t even consider the business and how they are supporting it.
* “A growing percentage of survey participants—43% in 2006, compared with 40% in 2005—say information security is integrated with their organizations’ risk management programs and processes.”
As it should be to effectively support business. Information security is not a stand-alone process or service; it needs to be part of the business fabric…within all processes and activities. Doesn’t it seem odd that organizations are just realizing this? And that information assurance professionals are just realizing this? Well, I guess hindsight is 20/20.
* “Over half of survey participants confirm their compliance work is part of an integrated organization-wide compliance effort and risk management framework.”
Regulations and laws have forced organizations to pursue compliance throughout the enterprise. The regulations, and the guidance documents published by oversight agencies, make it clear that, even though information security and privacy responsibilities must be formally assigned, they must also be incorporated throughout all personnel activity.
* “There is emphatic agreement—almost 80% of participants—that efforts and activities to achieve regulatory compliance have improved their companies’ information security.”
Yes, while some regulations, perhaps most noticeably SOX, have seemed to redirect information security efforts away from higher-risk issues, overall regulatory compliance requirements have forced the issue for business leaders and made them realize that investing in information security is no longer optional; they have personal skin in the game if they ignore the requirements. This is a great motivator to allocate resources to information assurance programs.
* “Compliance is projected to be the primary driver of information security in the next 12 months by survey respondents.”
That’s fine. If compliance is the key to implementing an effective information security and privacy program, then kudos to compliance.
* “Currently, fewer than half of survey respondents meet with business unit leaders and corporate officers at least quarterly about their business objectives and information security needs. The frequency of these meetings is even lower with their organizations’ legal groups.”
Getting input from all areas of the enterprise is vital to having a successful information security and privacy program. Information assurance practitioners must always keep in mind that they are there to limit the risk to the business, and they must understand the business well to succeed. To understand the business well they must meet regularly with all business leaders.
* “Over a third of survey participants say they have informal procedures in place for vendor risk management.” 21% do not address vendor risk management.
While the report indicates this is positive news, I do not agree. When you are entrusting your information to another entity blindly, without any due diligence that they have appropriate and adequate safeguards in place, you are in effect playing Roulette…facing some severe business impact in the very possible event your vendor has an incident with your information.
* “Only 14% of organizations who rely on vendors require that vendors have an independent third party review their information security and privacy practices against leading practices.”
Having an independent third-party review is a good practice, but even more important, from my experience, is having formally documented procedures for evaluating and otherwise addressing vendor risk. A component of this could very well include reviewing independent reviews of the vendor.
* “A stolen notebook computer with two million customer records, missing health data on a few million health care policyholders e-mailed without authorization, e-mail or telephone scams to trick people into divulging personal data and the headlines scream for action.”
It is ironic that E&Y themselves experienced multiple highly publicized privacy breaches during the past couple of years. Yes, addressing privacy screams for action!
* “Nearly 60% of organizations currently address privacy and personal data protection with formal procedures.”
If the number is actually this high, this is a great improvement over what I have seen! Hopefully this number will continue to grow.
* “Only slightly more than a quarter of survey respondents report having privacy projects underway, despite it being ranked the second highest requirement impacting their organizations. Privacy also ranked among the lowest in terms of time allocated to it as compared to other security activities.”
Hmm…interesting. I wonder if the survey clearly defined what qualified as “privacy projects.” If not it could account for this seemingly contradictory number.
* “The ISO 17799-based benchmark questionnaire reveals that user awareness relating to logical access controls, such as selection of passwords and protection of unattended equipment, remains quite low. Overall, explicit requirements for mobile computing and teleworking access control exist but are not yet fully documented.”
I wish the survey had explored information security and privacy training and awareness in more depth. Personnel education on these issues truly is an underutilized activity, yet it reaps huge benefits in safeguarding PII at a comparatively low cost when weighed against the cost of other technical and physical controls, systems and various other types of safeguards.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, privacy incident, regulatory compliance, security survey