While the awareness about information security has been growing, there is a need for more concerted effort - BusinessToday reports
Data protection: way to go
Securing your workplace
Information Security is increasingly being recognized as a driver of business impro-vement according to Ernst & Young's ninth Annual Global Information Security Survey. But companies still need to do much more to improve their information security posture in the globalised business environment, where the largest opportunities also carry the greatest risks. Comments Paul van Kessel, global leader of Ernst & Young's Technology and Security Risk Services, "We have identified five major information security priorities in which companies are showing significant progress, and also where continuous improvements are necessary to keep pace with the growing requirements of effective risk management." The survey, Achieving Success In A Globalized World - Is Your Way Secure? sought the views of nearly 1,200 senior information security professionals in 48 countries, as well as benchmarking the current information security practices of more than 350 organizations in 38 countries.
High five
These are areas where progress has been made but where there is an ongoing need for continuous improvement.
Integrating information security with the organisation: The process of embedding information security into the mainstream of the business requires increased visibility as well as resources.
Extending the impact of compliance: Shifting attitudes from compliance as a distraction to being an enabler, bringing advances in risk based security for organisations.
Managing the risk of third party relationships: Recognising the challenges, issues and actions needed to manage the risks with global suppliers and outsourced partners.
Focusing on privacy and personal data prot-ection: Taking a proactive and comprehensive approach to mitigating the risks related to privacy and personal data protection.
Designing and building information security: Using externally imposed compliance deadlines and security incidents as a catalyst for proactive investments in stronger capabilities and defences.
The report also identifies five key priorities for future success. The one issue making the most dramatic leap up the boardroom risk agenda is privacy and personal data protection, the most consumer-driven of these issues. "The biggest priority is privacy and personal data protection. It has become a high-stakes business issue, catapulted up the board agenda by consumer concerns caused by well-publicised lapses of security and the growing response of government and legislative activism. Understandably, it is the area where companies are being most active, with privacy and data protection practices becoming increasingly more formalised." This trend is sure to streng-then in the coming years.
Compliance issues
While privacy and personal data protection have become a major information security issue, compliance with regulations continues to be the main driver of information security for the second year running. The report expects compliance to continue to be the prime mover in the coming 12 months. There is emphatic agreement by almost 80 per cent of survey participants that efforts and activities undertaken to achieve regulatory compliance have actually improved companies' information security. It is now important for companies to be proactive in carrying out security rationalisation and optimisation, to sustain and embed their information security compliance controls and processes into their normal operations.
Third party risk
Companies are recognizing the challenges, issues and action needed to manage the risks of third-party relationships, particularly with the use of customer data by customer service outsourcing companies in rapidly developing economies. More than one-third of survey participants say they have formal procedures in place for vendor risk management. Vendors themselves are expected to spend more time over the next year complying with information security certification requirements. Yet the survey shows companies having inconsistent policies and procedures in place to manage these relationships. More than 50 per cent of survey respondents say they address the issue of vendor risk only informally, or not at all. And just 14 per cent of organisations require their vendors to have an independent review of their information and privacy practices against best practices. Driving the surge in awareness is the notoriety corporations and government agencies have received from well-publicized lapses in consumer data security, combined with a significant increase in the collection and sharing of information. Inherent in globalization is the risk to business information as it is more frequently and easily moved, used by companies globally and entrusted to third parties. Says Kessel, "Companies know all too well that the problem of privacy and personal data protection is broader and deeper than what is in the headlines. Our survey reports that this will continue to be a top business issue, requiring vigilant oversight on the part of organizations and even more formalisation of measures to mitigate the risks."
Looking ahead
The 2006 Global Information Security Survey points to strong challenges and priorities that will almost certainly be reflected in the future.
Regulatory compliance will continue to dominate information security, challenging organisations on how to sustain compliance and integrate it into an overriding risk management framework and internal control processes.
Privacy will continue to preoccupy companies and their information security executives.
Certification against recognised standards will continue to gain wider acceptance as a key component of information security.
Benchmarking against recognised standards and peers will continue to broaden in scope.
The recognition that information security risks are intertwined with achieving broader business objectives will make it even more of a priority for information security to play a proactive role.
Concludes Kessel, "Overall, our 2006 Global Information Security Survey confirms that information security has never been more important. It shows that many companies are making significant progress in mitigating risk by strengthening their information security. This is due to greater investments, greater board involvement, positive influences of regulatory pressures and maturity in information security leadership.
However, the dynamics of risk require continuous improvements and updates to information security measures." Hopefully companies will take make concerted efforts to secure their work environment in the coming years.
Stealing a march
Companies in Oman are becoming increasingly aware of the need for information security. A clear proof of this can be seen in the fact that the highest number of respondents in Ernst & Young's ninth Annual Global Information Security Survey in the Middle East were from Oman. Says Mohammed Salem, partner, E&Y, "Worms and viruses continue to be the main threat to business. Information security is seen as an important tool to achieve their business objectives."
So why is information security important? One, if a rival company gets its hands on sensitive data it can pose a severe risk to its fortunes. "In the financial sector hackers can get access to one's system and carry out frauds causing severe financial damage to an institution," says Mohamed Nayaz, senior manager, business advisory solutions. And lastly, information security is not just an inter-organizational need but more of an intra-organisational need. For example, if someone gets access to the company's payrolls, it can create a lot of problems. Most companies in Oman feel that internal risks are higher than external risks.
While awareness about information security is not up to the requisite level in Oman, some notable steps have been taken during the last year. The government particularly seems to be taking rapid strides in this direction. Close to 40 per cent of the respondents from Oman were from the government. The formal establishment of the Information Technology Authority (ITA) in June 2006 is expected to give the process a further boost. ITA is responsible for defining standards for different ministries and improving information security is one of the areas that the authority is looking into.
Are the requisite tools to make sure that one's company is secure available in Oman? "We have the infrastructure and risk management tools to ensure information security. And it is not very expensive compared to the value that a company gets," says Salem.
businesstoday 2006
