Compliance makes for better security, say Irish firms


16 Nov 2006

Almost three quarters of large Irish organisations believe that regulatory compliance has improved their information security and more than eight out of 10 have an official IT security function in their business, Ernst & Young has found.

The firm polled 1,200 information security professionals from 350 organisations in 48 countries, including 35 from Ireland. The Irish respondents were in the areas of insurance, financial services, banking and asset management, energy and utilities.

According to the Irish survey results, 74pc of organisations agreed or strongly agreed that corporate governance and compliance were driving the IT security agenda. In addition, 83pc have an official information security function within the business.

Pat Moran, a partner with the risk advisory services arm of Ernst & Young in Dublin, said this result was encouraging. “Five years ago that statistic would have been closer to 50pc so there’s recognition that this is needed. Directors and boards recognise that it’s their heads on the block if there’s a breach of corporate governance,” he told siliconrepublic.com.

Of more concern is the fact that just 22pc of Irish organisations that outsource key activities actually review the IT security and privacy procedures of the partner company. “If you consider an organisation that outsources its helpdesk to a call centre, that helpdesk probably has a lot of information about the organisation’s customers, behaviours and patterns but a lot of organisations don’t bother to check out what practices exist to protect their data,” commented Moran. “That’s a big gap and it’s definitely lower than internationally.”

Moran acknowledged that this result is partly due to the slow take-up of outsourcing in Ireland to date but he warned that there is still not sufficient attention paid to security controls being up to scratch. “It’s Irish culture: until something happens, nobody bothers to do anything about it,” he commented.

The results were somewhat more encouraging for the area of business continuity planning, with 61pc of organisations having tested the plan within the past 12 months. However, Moran noted that this still leaves 39pc who are not as rigorous. “In this day and age when there’s such a dependence on technology to keep business processes running, if organisations are taking the luxury of not testing the plan for at least 12 months, that’s worrying,” he said.

Ernst & Young’s research uncovered five key security priorities. The first of these involves integrating information security with the organisation so that it gets increased visibility and resources. The next is to extend the impact of compliance so that it becomes an enabler rather than a distraction, bringing advances in risk-based security.

Another priority is to manage the risk of third-party relationships with suppliers and partners, the survey found. It also highlighted the importance of taking a proactive and comprehensive approach to mitigating the risks related to privacy and personal data protection. Lastly, the findings recommended using externally imposed compliance deadlines or security incidents as a catalyst for investments in stronger security capabilities and defences.

By Gordon Smith