Information Security Improves Amid Challenges and Change



Tenth Global Information Security Survey shows companies struggle to balance risk mitigation efforts with performance improvement initiatives

Paul van Kessel
Global Leader, Technology and Security Risk Services
Ernst & Young

The tenth Ernst & Young Global Information Security Survey shows a growing number of organizations recognize information security can provide more than just protection of corporate assets.

The annual survey, which canvassed nearly 1,300 senior executives in more than 50 countries, shows that delivering information technology (IT) and operational efficiencies and improving overall business performance are emerging as critical objectives. Although compliance-based initiatives continue to be the primary driver of information security, nearly half (45 percent) of the survey respondents ranked meeting business objectives among the top three drivers of information security.

“Over the past 10 years, we have seen a positive evolution in the role of information security,” said Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services. “Many organizations now view information security as a critical factor in meeting business objectives and significant performance improvements are resulting from this increased interaction with corporate leadership and other key stakeholders.  This alignment has a positive impact on the bottom line and elevates information security from a technology deployment function to a strategic imperative. Organizations that aren’t fostering these relationships are missing a key opportunity to move their businesses forward.”

“While we see information security improving overall, many companies are struggling to find the right balance between a process that provides adequate protection but allows the access and usability to help enhance performance,” said Ed Napoleon, Global Leader Information Security Solutions Development.  “For this to occur, information security teams must connect with executive management and be involved with the strategic decision-making process from the beginning.”

Many information security functions are struggling to balance their traditional risk management roles with the growing focus on performance improvement, a struggle that is exacerbated when information security is not closely connected to executive management and the strategic decision-making process. Scarcity of experienced resources is another contributing factor, according to the survey.

“The survey also confirms that organizations still struggle to find the right people to deliver their information security initiatives,” said Napoleon.  “This issue won’t go away anytime soon, and management needs to investigate alternative staffing options.  This means looking to other parts of the organization, such as internal audit, to fill gaps in their resource needs and using third parties in the most cost effective and productive ways possible.”

Among the key findings:

Information security is better aligned with organizational risk initiatives. In addition to the growing focus on business objectives, information security is more integrated into overall risk management, with four out of five (82 percent) respondents reporting at least some level of integration. The share of organizations that have fully integrated information security with risk management has nearly doubled since last year (from 15 percent to 29 percent).

Information security is now credited with improving IT and operational efficiency. More than two-thirds (69 percent) of respondents feel that information security improves IT and operational efficiencies. This is in sharp contrast to previous years, when information security was viewed as a barrier to IT and operational efficiency.

Compliance continues to be the primary driver of information security improvements and a top-ranked influencer in risk management integration. For the third year in succession, respondents (64 percent in 2007) ranked compliance as the principal information security driver.  A positive outcome is that 82 percent believe that information security has improved due to its role in supporting compliance initiatives.

Privacy and data protection increased significantly as drivers of information security. Media stories surrounding identity theft and loss of personal information have heightened consumer awareness and, along with it, corporate leadership’s sense of accountability for data protection. Fifty-eight percent of this year’s respondents placed privacy and data protection in the top three drivers, up from 41 percent in 2006.

Information security is too isolated from executive management and the strategic decision-making process.  A worrying separation persists between the information security function and the strategic decision-making process, with nearly one-third (32 percent) never meeting with their board or audit committee. While involvement with corporate officers and business unit leaders continues to increase, it does so at a slow pace with the majority meeting less than once a quarter.

The greatest challenge to delivering information security projects is the availability of experienced and trained resources. More than half of our respondents indicated that as the role of information security expands within organizations, the lack of experienced and skilled resources is the number one challenge to delivering information security projects. Correspondingly, more than 60 percent of respondents say they are outsourcing certain elements of information security.

The full report is available at www.ey.com

The 10th annual Ernst & Young Information Security Survey was developed with help from Ernst & Young’s assurance and advisory clients in more than 50 countries. The fieldwork was conducted between May and August 2007. The results were primarily collected through interviews held with executives from approximately 1,300 organizations across all major industries.

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by our shared values and an unwavering commitment to quality.  We make a difference by helping our people, our clients and our wider communities achieve potential. 

For more information, please visit www.ey.com







