A sweeping global report has revealed that organisations across the world need to fundamentally change their attitude to information security if they are to successfully meet the challenges posed by new technologies and rising threat levels.
The report, Ernst & Young's 15th Global Information Security Survey 2012, pointed out that a majority of companies are failing to keep pace with information security needs. For example, 77% of the survey’s respondents said they are using cloud-based services, yet 20% said they have no security measures in place, such as encryption techniques or greater oversight of service delivery, to mitigate the risks.
Cloud computing is seen as one of the areas from which potential new threats are coming, and the number of cloud users is expected to grow significantly in the next few years. Despite this, almost half of the survey’s respondents (45%) said they only discuss information security issues once a year with their boards.
Surprisingly, 64% said they have no robust security architecture in place, with 57% of UK organisations citing a lack of skilled resources as the main obstacle to providing information security that is capable of meeting their needs.
The vast majority (88%) of respondents agreed that there is an increasing risk from external attacks. However, budgets remain an issue, and over half (61%) said financial constraints are the main obstacle to their company's information security strategy.
A lack of specialist security skills is also high on the list. Fifty-seven percent of respondents said this forces them to focus on short-term security implementations rather than tackling the issues associated with the overall threat, a problem that also dovetails with the lack of security architecture.
Mark Brown, Director of Information Security at Ernst & Young, said: “Since the late 1990s the number of UK-born graduates studying mathematics and science degrees has fallen by almost 70%. This has led to an increasing shortage in relevant skills and has put the UK's efforts to tackle growing cyber security risks on the back foot.”
Responsibility for IT security also remains with the IT function rather than the board. Despite long and continued calls for greater executive-level involvement, 61% of respondents in the UK said that their companies have placed the responsibility for information security in the hands of the IT function, reflecting the view that information security is seen as an IT area rather than a wider business issue.
But information security is spreading beyond traditional IT issues, and decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps. In addition, a reappraisal of responsibilities is required, say Ernst & Young.
Brown added: “The results of our survey point at two necessary changes. On the one hand, businesses need to understand that information security can no longer simply be an IT issue. They need to transform their perception of information security and make it a board-sponsored topic that is eventually embedded in the core strategy of a business.”
The report is based on responses from over 1,850 CIOs, CISOs and other information security executives in 64 countries.