
Make the shift, close the gap

Ernst & Young's Global Information Security Survey 2012


November 2012

Contents

1. The speed of change, a widening gap ........ Page 3
2. A fundamental transformation ........ Page 13
3. Make the shift, close the gap ........ Page 16
4. EY's Information Security Services ........ Page 20
I. Appendix 1: Survey results ........ Page 23
II. Appendix 2: Survey methodology ........ Page 34
III. Appendix 3: EY's approach to IT risk ........ Page 39

Page 2

Ernst & Young's Global Information Security Survey 2012

1. The speed of change, a widening gap


Ernst & Young's Global Information Security Survey

Ernst & Young's Global Information Security Survey (GISS) is a survey conducted annually by Ernst & Young worldwide. The first GISS was conducted in 1998. We invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was completed online. If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/Home-ContactUs and complete a simple request form.

Ernst & Young's Global Information Security Survey


Unthinkable just a few years ago, the velocity of change in information security is staggering. Our 15th annual Global Information Security Survey (GISS), one of the longest running, most recognised and respected annual surveys of its kind, suggests that although organisations are taking steps to enhance their information security capabilities, few are keeping up with an ever-changing risk landscape. Ernst & Young's GISS 2012 was conducted between May 2012 and July 2012. 1,836 respondents across all major industries and in 64 countries participated.

[Chart: respondents by region. Regions shown: Japan; Asia Pacific; Europe, Middle East, India, Africa; Americas]


Information Security capabilities from 2006 until today

Prior to 2006, information security was seen as an important component of mitigating financial risk and meeting new compliance requirements, such as SOX 404. After 2006, the scope of information security expanded in two directions:
1. Information security needed to protect the organisation more broadly, especially in a globalised world.
2. Information security needed to have a clear return on investment, requiring an alignment of risk and performance.

In 2008, information security matured beyond compliance. Protecting brand and reputation became the primary driver in an environment of escalating threats, through managing new risks and leveraging technology. At the same time, the world changed dramatically: a global financial crisis and economic downturn hit many organisations hard. Emerging markets gained much more prominence. The competitive landscape changed. Confronted with these challenges, organisations focused on restructuring and reinventing to keep up with the new requirements and increasing cost pressures.

Key trends and recommended steps by year, 2006 to 2009:

2006
- Stay proactively involved in achieving regulatory compliance
- Improve risk management of third-party relationships
- Invest more in privacy and personal data protection

2007
- Assess the potential impact of new technology and the organisation's ability to protect its assets
- Align information security with the business
- Face challenges of staffing information security functions

2008
- Take a more business-centric view
- Keep up investments in information security despite economic pressures
- Invest in training and awareness programs to keep people from being the weakest link

2009
- Co-sourcing to address a lack of resources and tighter budgets
- Know the risks posed by increasing external and internal threats

Information Security capabilities from 2006 until today


With a global economy still in recovery, and in an environment of sustained cost pressures and scarce resources, two new waves of change emerged:
1. Organisations started to realise that with globalisation, data is everywhere. Employees were increasingly sending data to business partners over the internet or carrying the data with them on mobile devices. The traditional boundaries of an organisation were vanishing along with the traditional security paradigms.
2. Organisations understood the security requirements associated with IT outsourcing. Data processing moved into the cloud, which required the information security function to completely rethink its approach to securing information.

The velocity and complexity of change accelerates at a staggering pace: virtualisation, cloud computing, social media, mobile, and other new and emerging technologies open the door to a wave of internal and external threats. Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity to an already complicated information security environment. Organisations have made great strides in improving their information security capabilities. But for as many steps as they have taken, they continue to fall behind, creating an information security gap that grows ever larger.

Key trends and recommended steps by year, 2010 to 2012:

2010
- Address the risks associated with emerging technologies
- Increase investment in data loss prevention tools
- Take an information-centric view of security that better aligns to the business

2011
- Bring information security into the boardroom
- Protect the information that matters most
- Embrace encryption as a fundamental control
- Focus on the fundamentals

2012
- Continue to make information security a board-level priority
- Develop an integrated strategy around corporate objectives, and consider the whole risk landscape
- Use data analytics to test the risk landscape and understand the data you need to protect most
- Use a three- to five-year horizon for budgeting to enable long-term planning
- Innovate, innovate, innovate
- Start working on a fundamental transformation

What is happening: the gap is widening
This year's survey shows that threats are accelerating significantly faster than the enhancements organisations are making.


What is happening: accelerating threats

What is new in this year's survey?

- In 2012, 77% of respondents noticed an increase in external attacks (state-sponsored espionage, hacktivism, organised crime and terrorism), compared with 72% in 2011 and 41% in 2009.
- This year, 46% of respondents noticed an increase in internal vulnerabilities (in terms of evolving technologies such as mobile, and insufficient IS resources).
- 37% ranked careless or unaware employees as the threat that has increased the most over the last 12 months.
- The gap keeps widening because of compounding issues: misalignment of the IS strategy/framework with the business; insufficient resources for information security activities; inadequate IS processes and architecture; and the fastest-ever growth of new technologies.


What is happening: why the gap has grown, some of the facts (1/2)

From the survey results, there are facts (*) that we need to think about:

A. Unbalanced alignment between IS strategy and business strategy

- The information security agenda continues to be IT-led rather than focused on the overall business strategy.
- 46% of respondents almost never or never discuss information security strategy with the top governing structure of their organisation.
- Only 42% of respondents say their information security strategy is aligned to their business strategy.
- Only 5% have information security reporting to the chief risk officer, the person most responsible for managing the organisation's risk profile.
- 63% of organisations have placed responsibility for information security with the IT function.
- 70% of respondents indicate that their information security function only partially meets organisational needs and improvements are underway.

(*) See appendix for more information



What is happening: why the gap has grown, some of the facts (2/2)

B. Resource constraints

- Only 22% of respondents indicate that they are planning on spending more in this area in the next 12 months.
- 37% of respondents see the threat that has most increased their organisation's risk exposure as careless or unaware employees.

C. Lack of formal security architecture framework

- 63% of respondents in this year's survey indicated that their organisations have no formal security architecture framework in place, nor are they necessarily planning on using one.
- 19% of respondents don't conduct any attack and penetration test at all.

D. A torrent of technology

- New technologies bring new threats and risks: virtualisation, cloud computing, social media, BYOD, mobile devices.
- 38% of respondents say they have not taken any measures to mitigate the risks of using cloud computing services.
- 38% of respondents say they do not have a coordinated approach to address social media.
- Only 40% have adopted encryption techniques to protect data on their mobile computing channel.

What is happening: the key issues causing the widening gap

Key issues:
- Misalignment with the business
- Insufficient resources with the appropriate experience, skills and training
- Inadequate processes and architecture
- New and evolving technologies

More specific to Vietnam's context:
- Lack of implementation of a formal IS framework and IS strategy
- Significant lack of resources with the appropriate experience, skills and training
- Informal and changing operational processes and corporate organisational structure
- New and evolving technologies (cloud computing, BYOD, mobile, social media)
- Emerging market with ever-changing governmental regulations

From the view that "Information Security's responsibility belongs to the IT function" to the view that "Information Security is a strategic business imperative and requires an enterprise response":

We need a SHIFT in the view of Information Security.


2. A fundamental transformation


A fundamental transformation (1/2)


Organisations need to take FOUR key steps to fundamentally shift how their information security functions operate:

1. Link the information security strategy to the business strategy, and the overall desired results for the business.
   Action: develop and align the IT strategy/IS strategy with the business strategy.

2. Start with a blank sheet when considering new technologies and redesigning the architecture, to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
   Action: select and implement a formal information security architecture framework (ISO 27001, Open Group Architecture Framework).


A fundamental transformation (2/2)

3. Execute the transformation by creating an environment that will enable the organisation to successfully and sustainably change the way information security is delivered.
   Make leaders accountable for delivering results and visibility throughout the life of the program.
   Action: commit to providing sufficient resources for the IS program organisation-wide over the long term.

4. When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organisations must prepare for their use. For every new technology implemented, besides all the benefits and opportunities, carefully consider the new threats and risks it presents.
   Action: regularly assess changes in the business environment to identify new risks and threats for immediate action.


3. Make the shift, close the gap


Conclusion

Changing environment:
- New technology: virtualisation, cloud computing, social media, mobile
- The speed at which technology has evolved
- Challenging emerging markets
- The financial crisis

What companies have done:
- Added new features to the IS system
- Redefined strategies
- Installed new information security function components
- Added more people

However, our survey results suggest that companies have NOT improved enough.

Make the shift, close the gap

Effective information security transformation does NOT require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.

What some leading organisations are doing


Questions for the C-suite

- What has your organisation done to adjust information security to address the changing environment?
- Has your organisation implemented the necessary information security improvements to keep up with the pace of change?
- What impact have changes to security levels had on your organisation?
- Has your organisation done enough?
- Are your information security objectives and measures aligned to your business strategy?
- What is your organisation's annual budget for IT and specifically for IT security?
- How does your budget compare to international standards in terms of percentage of annual revenue?

4. EY's Information Security Services


Ernst & Young's Information Security Services (1/2)

The history of Ernst & Young's Information Security practice:

- Ernst & Young's Information Security services started very early in the 90s.
- We're proud to have our IS professionals as the authors of the famous Hacking Exposed series.
- In 2002, Ernst & Young first established our global network of Advanced Security Centers (ASCs), which provide controlled and physically secure environments in which our dedicated team of leading security professionals can conduct assessments focused on clients' infrastructure, applications and people.
- Our IS professionals comprise former CSOs, CIOs and specialised subject matter professionals from all over the world.

Drawing on our in-depth knowledge and extensive experience working with major organisations for nearly 20 years, we work with clients to deliver sustainable, measurable results in:
- Transforming information security programs
- Identifying and responding to cyber threats
- Managing identity and access effectively and efficiently
- Mitigating the risk of information loss and addressing privacy regulations

Ernst & Young's Information Security Services (2/2)


Appendix 1: Survey results

[Charts for each of the following survey questions; the chart data is not reproduced in text]

- Top priorities over the coming 12 months
- Compared to the previous year, does your organisation plan to spend more, spend relatively the same amount or spend less over the next year for the following activities?
- What threats and vulnerabilities have most increased your risk exposure over the last 12 months?
- How does your organisation assess the efficiency and effectiveness of information security?
- What formal security architecture frameworks are used (or are you planning to use) within your organisation?
- Which of the following controls have you implemented to mitigate the new or increased risks related to the use of cloud computing?
- Which of the following controls have you implemented to mitigate the new or increased risks related to the use of social media?
- Does your organisation currently permit the use of tablet computers for business use?
- Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones?
- Which of the following actions has your organisation taken to control data leakage of sensitive information?

Appendix 2: Survey methodology

Survey methodology

Ernst & Young's Global Information Security Survey was conducted between May 2012 and July 2012. 1,836 respondents across all major industries and in 64 countries participated.

For our survey, we invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. We distributed a questionnaire to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process.

The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was completed online. If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/HomeContactUs and complete a simple request form.

[Chart: respondents by region. Regions shown: Japan; Asia Pacific; EMEIA; Americas]

[Chart: respondents by industry (1,836 respondents from 64 countries)]

[Chart: respondents by total annual company revenue]

[Chart: respondents by position]

Appendix 3: EY's approach to IT risk

Ernst & Young's approach to IT risk

[Diagram of Ernst & Young's approach to IT risk; not reproduced in text]

Contacts

Global
- Norman Lonergan, Advisory Services Leader: +44 20 7980 0596, norman.lonergan@uk.ey.com
- Paul van Kessel, IT Risk and Assurance Services Leader: +31 88 40 71271, paul.van.kessel@nl.ey.com

Advisory Services
- Robert Patton, Americas Leader: +1 404 817 5579, robert.patton@ey.com
- Andrew Embury, Europe, Middle East, India and Africa Leader: +44 20 7951 1802, aembury@uk.ey.com
- Doug Simpson, Asia-Pacific Leader: +61 2 9248 4923, doug.simpson@au.ey.com
- Shohei Harada, Japan Leader: +81 3 3503 2033, harada-shh@shinnihon.or.jp

IT Risk and Assurance Services
- Bernie Wedge, Americas Leader: +1 404 817 5120, bernard.wedge@ey.com
- Manuel Giralt Herrero, Europe, Middle East, India and Africa Leader: +34 91 573 7479, manuel.giraltherrero@es.ey.com
- Jenny Chan, Asia-Pacific Leader: +86 21 2228 2602, jenny.s.chan@cn.ey.com
- Haruyoshi Yokokawa, Japan Leader: +81 3 3503 1704, yokokawa-hrysh@shinnihon.or.jp
- Henri Hoang, Vietnam Leader: +84 97 205 4888, henri.hoang@vn.ey.com

Ernst & Young | Assurance | Tax | Transaction | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young Vietnam is dedicated to providing the highest quality professional services to all its clients through assisting them to achieve their objectives, whilst realising the growth aspirations of the firm and our people and making a positive difference to the community it serves.

For more information, please visit www.ey.com

Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

© 2012 Ernst & Young Vietnam Limited. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young Vietnam Limited nor any other member of the global Ernst & Young organisation can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

www.ey.com/vn
