While many organizations globally are making important strides in their information security practices, they are still falling behind the fast-changing risks involved with new technologies, according to a new study from Ernst and Young.
Government regulatory changes in recent years have meant information security has become more of a priority for the business, the company's 2012 Global Information Security Survey suggests. Business continuity has also become more of a priority over recent years, it noted.
Still, the uptake of technology such as cloud computing, social media and “bring your own device” (BYOD) policies means information security risks are continually evolving, Ernst and Young noted.
In Canada, 21% of organizations surveyed reported seeing more “IT security incidents” in the last year, according to the company’s survey. Globally, 31% of organizations said they noticed an increase in security incidents, while 10% noticed a decrease.
Canada, however, is behind most countries in terms of security innovation, with only about 5% of spending invested in new technologies and management processes targeting information security over the last 12 months, the survey noted. On a global level, 55% of respondents said they plan to spend more on “securing new technologies” over the next year.
"In recent years, businesses have made significant moves to respond to information security threats by addressing vulnerabilities with increased resources, training, governance and integration," Rafael Etges, Ernst and Young's information security practice leader in Toronto, noted in a statement.
"But with better technology and smarter attacks occurring in greater numbers, short-term solutions and incremental changes are not enough. What we need now is a fundamental business transformation to close the gap."
While many organizations are making information security a priority for the entire business, rather than solely the IT department, they aren’t necessarily moving fast enough. Information security needs to be a board-level priority, Ernst and Young suggests.
In 2008, 33% of organizations said their information security strategies aligned to their IT strategies, and 18% said their information security strategy aligned to their business strategy. This year, those percentages increased to 56% and 42% respectively.
Ernst and Young’s report recommends linking security and business strategies. According to its findings, 42% of respondents in Canada don’t have information security strategies, and many don’t have threat intelligence programs.
The company also recommends involving company leadership in the security strategy. More than half (54%) of those surveyed said they discuss information security topics in the boardroom at least quarterly, while the remainder said they never or almost never discuss the subject with top-level company leadership.
However, more than a quarter (26%) of organizations surveyed have given information security responsibility to a C-suite executive.
Ernst and Young surveyed 1,836 respondents in C-level or information security management positions between May and July this year, either online or face-to-face. The survey included “all major industries,” across 64 countries.
The full report, including recommendations, is available on Ernst and Young’s website, www.ey.com.