Global Security Survey: Security Budgets Increasing, But Strategy Lacking

Rush for New Technology Often Makes Security an After-Thought, Putting Organizations at Risk

According to Ernst & Young’s just-released 2011 Global Information Security Survey, organizations are rushing to adopt new technologies including cloud computing, tablets and social media, but are often leaving security as an after-thought.

The survey, in its 14th year, includes responses from 1,700 organizations globally, and showed that despite increased security budgets, many organizations still lack the ability to tackle new and increasingly complex security threats.

While it’s good news that 59 percent of respondents plan to increase their information security budgets in the coming 12 months, only 51 percent of respondents said they have a documented information security strategy in place. Additionally, 35 percent of respondents said security budgets would remain the same over the next year, and 6 percent said information security budgets would decrease.

What’s Broken in the Information Security Function?

As information security budgets as a percentage of overall IT spend have increased over the years, budget increases alone don’t appear to be solving many of the problems organizations face when it comes to security. When asked if the information security function is meeting the needs of their organization, only 49 percent of respondents answered “yes”. Of those who answered “no”, only 17 percent cited budget constraints as the reason. Other reasons cited included lack of skilled resources (13%) and lack of executive support (9%).

While 72% of respondents are seeing an increasing level of risk coming from increased external threats, only about a third of respondents have updated their information security strategy in the past 12 months.

Threat Concerns

Mobile

With 80% of organizations currently using or considering using tablets, the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.

Policy adjustments and awareness programs are the top two measures used to address the risks posed by new mobile technology. The adoption of security techniques and software, however, is still low. For instance, encryption techniques are used by fewer than half (47%) of the organizations. Alarmingly, 66% of respondents said they have not implemented data loss prevention (DLP) tools.

“Data is everywhere. Confronted with diminishing borders, cloud services and business models in the cloud, companies are asking themselves how to respond to new and emerging risks and whether their strategy needs to be revisited,” said Paul van Kessel, Ernst & Young Global IT Risk and Assurance Leader. “The focus must move from short-term fixes to a more holistic approach integrated with long-range strategic corporate goals.”

Cloud

Despite 61 percent of respondents saying they were currently using or considering the use of cloud computing services within the next year, many organizations are still unclear about the implications of cloud and are increasing their efforts to better understand the impact and the risks. In 2011, 48% of respondents listed the implementation of cloud computing as a difficult or very difficult challenge, and more than half have not implemented any controls to mitigate the risks associated with cloud computing. The most frequently taken measure is stronger oversight of the contract management process with cloud providers, but even this is done by only 20% of respondents.

“In the absence of clear guidance, many organizations seem to be making ill-informed decisions, either moving to the cloud prematurely and without appropriately considering the associated risk, or avoiding it altogether. Although many organizations have moved to the cloud, many have done so reluctantly.”

In terms of funding, cloud computing was marked as the top information security funding priority for the coming 12 months.

Social Media

For many companies, social networking is becoming an essential component of business. From online marketing to supporting clients and interacting with prospective customers, social networking is a valuable tool for businesses small and large. While social media brings many benefits to an organization, it can also lead to decreased productivity and increased risk, with confidential company information leaking, or inappropriate content exposing companies to risks such as non-compliance, data loss, and legal issues.

To help address the potential risks posed by social media, organizations seem to be adopting strict policy measures in response, with more than half (53%) saying their organization blocks access to sites rather than embracing the change and adopting enterprise-wide measures. However, these strict security measures and the outright blocking of social media can hinder marketing and other communications efforts, putting organizations at a disadvantage.

Alex Thurber, SVP Worldwide Channel Operations for McAfee, suggests that companies give employees the tools to use social media responsibly. "Although users can’t trust every link that people post or control, companies can put forward best practices to arm employees with the tools they need to be productive and safe. Between this type of education, and technology that can block dangerous links and applications, Web 2.0 can be used safely for business," Thurber wrote in a SecurityWeek column.

Security in The Board Room

This year’s survey revealed that only 12 percent of respondents are presenting information security topics at board meetings, something that is likely to change soon.

With increased compliance and regulatory requirements, combined with damaging cyber attacks that are costing organizations millions, information security is sure to become a board-level concern.

Also, earlier this month, the U.S. Securities and Exchange Commission’s Corporation Finance division released guidance to publicly traded companies on cybersecurity incident disclosure, with the goal of informing investors of risk and having companies release more information when filing with the SEC.

Oracle President Mark Hurd, while speaking at the Oracle Chief Security Officer Summit in New York City earlier this year, emphasized the importance of risk management and security, and said he believed that IT security would soon be a board-level concern. “There is talk of making risk management a staple of every board,” Hurd said. “Board members don’t like this. IT security is not an event, it’s an ongoing risk. And that is one reason that people don’t like dealing with the subject,” he added. Later in his speech, Hurd said, “the number of bad guys is increasing. The sophistication of the bad guys is increasing. So is the complexity of the IT environments the bad guys want to attack.”

“A pragmatic and pro-active response rather than a reactive one is required. Information security needs to be more visible in the boardroom with a clearly defined strategy that will support the business in the cloud and elsewhere. Most companies still have a long way to go to make this a reality,” Ernst & Young’s Van Kessel concluded.

Ernst & Young’s 2011 Global Information Security Survey is a worthy read, as it’s more than an informal poll and includes responses from 1,700 organizations globally, including CIOs, CISOs, CFOs, CEOs and other information security executives that were specifically invited to participate.

The full report is available here. (Free PDF download, no registration required)

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.