Ernst & Young's 9th Annual Global Information Security Survey
Information Security is increasingly recognised as a driver
of business improvement, reports Ernst & Young's 9th Annual Global
Information Security Survey, but companies need to do more to improve their
information security posture in a globalised business environment. Among the
five key priorities for information security, the one making the most dramatic
leap up the boardroom risk agenda is privacy and personal data protection, which
is also the most consumer-driven and a direct consequence of the outsourcing
The survey sought the views of nearly 1,200 senior information
security professionals in 48 countries, with 144 respondents from India, representing
both multinational and local organisations.
Says Sunil Chandiramani, National Director, Risk & Business
Solutions, Ernst & Young India, "With the rapid globalisation of Indian
business, we are seeing increasing integration of information security into
both the overall risk management framework and the culture of the organisation.
Though about a third of the companies are still not routinely reporting on information
security to their boards, we expect increasing visibility on these issues from
Compliance still remains the top driver
While privacy and personal data protection has become a major
information security issue, compliance with regulations, for the second year
running, is still the top driver that has most impacted, and will probably continue
to impact, information security practices over the next 12 months. There is
emphatic agreement - by almost 80 percent of survey participants - that efforts
and activities undertaken to achieve regulatory compliance have actually improved
companies' information security. It will now be important for companies
to be proactive in carrying out security rationalisation and optimisation, to
sustain and embed their information security compliance controls and processes
into their normal operations.
Among new technologies, removable media such as USB drives,
web applications and wireless networks were rated as the topmost security concerns
- Compliance, privacy and meeting business objectives
are the key drivers for Indian information security practices.
- Removable media, web applications and
wireless networks are rated as the first three security concerns by Indian
- 37 percent of Indian respondents either
do not address or only have informal procedures for vendor risk management
and outsourcing issues.
Third Party Risk
Even as the growth in third party outsourcing continues to
accelerate, as many as 37 percent of Indian respondents either do not address or
have informal procedures for vendor risk management issues. While 44 percent
of respondents said they have formal procedures, 11 percent have had these validated
by an independent agency. At a global level, 36 percent of respondents had formal
procedures and 6 percent had had these validated.
16 percent of organisations require their vendors to have
an independent review of their information and privacy practices against leading
Nearly 60 percent of Indian respondents reported formal procedures
to address privacy and data protection issues, with 10 percent having been validated,
compared to 52 percent and 6 percent respectively at the global level. The pressure
to control and protect an individual's personal information will only increase
in the foreseeable future, making proactive involvement of information security
in this area a priority, adds the survey.
Proactive Information Security
More than 30 percent of information security executives in
India say they have adopted or plan to adopt (or become certified under) an
information security standard. In addition, most survey participants subscribe
to structured evaluation of their information security posture. Internal audit
was reported as the leading evaluation method by nearly three-quarters of survey
respondents, followed by formal external audit at 56 percent.
Further, business continuity plans are getting more streamlined.
Over 80 percent of companies surveyed in India had identified and prioritized critical
processes for these plans. However, with 36 percent of the respondents not having
tested or invoked these plans, it calls for a proactive, continued, integrated
effort and commitment for information security from management, information
technology and other stakeholders like critical third parties and business partners.
Five Major Priorities for Information Security
Based on its latest survey and the results from previous
years, Ernst & Young has identified five major priorities for information
security globally, where progress has been made but where there is an ongoing
need for continuous improvement.
These include integrating information security with the organisation,
embedding information security into the mainstream of the business with increased
visibility and resources, using externally imposed compliance deadlines and
security incidents as a catalyst for proactive investments in stronger capabilities