IT security is now a boardroom issue

2 Nov 2005

Complying with regulations such as Sarbanes-Oxley Act, 2002 or European legislation is now the primary driver of information security in Irish and global businesses, for the first time surpassing worms and viruses as a motivator. As a result, says Ernst & Young, IT security is becoming a strategic boardroom issue in an increasing number of firms.

According to Ernst & Young’s eighth annual global information security survey, the sheer number of regulations and the consequences of not complying with them means information security has become a board-level issue.

Nearly two thirds of survey respondents – representing 1,300 global companies, government and non-profit agencies in 55 nations – cited compliance with regulations such as Sarbanes-Oxley, the EU’s Eight Directive or its equivalent, as the primary driver of information security.

This increased requirement for compliance is forcing organisations to spend more than ever on information security.

However, while IT security is being discussed in increasingly more boardrooms, a significant number of organisations are not promoting IT security as an integral part of their business by incorporating information security into business strategy or through training and communications with staff.

“Despite the increased focus, compliance is proving more of a distraction than acting as a catalyst for information security to become strategically aligned within organisations,” Pat Moran, partner of Ernst & Young’s Technology and Security Risk Services, said.

“One might assume with the attention information security is receiving due to regulatory compliance, organisations’ information security postures are improving and information security is becoming more integral to their strategic initiatives. Unfortunately, this is not happening on a consistent basis.

“The gap continues to widen between the growing risks brought on by rapid changes in the global business environment and what information security is doing to address those risks. This pattern is consistent across organisations, regardless of size or location,” Moran explained.

The Ernst & Young survey found that business demands and the declining cost of wireless connectivity are driving rapid adoption of mobile technology. But with these devices leaving the safety of the corporate control environment, the information assets and intellectual property they carry are increasingly becoming the responsibility of individuals to protect–a responsibility that many organisations have not yet fully accepted nor anticipated.

“Less than half of organisations make provision for general users of information to be trained or made aware of the impact of information security issues with these technologies and fewer still receive training on responding to security incidents,” Moran noted.

Other rapidly developing technologies such as voice over internet protocol telephony, open source and server virtualisation, which hold the potential of increasing organisations’ competitive advantage, are reported to be a significant security concern among fewer than 20pc of organisations, despite the serious threats they bring with them.

Organisations consider emerging technologies in general to be a growing security concern in the next 12 months. However, over a quarter of them have no plans to take action to address the concern during that time period or beyond, the survey states.

Outsourcing remains an information security threat as many organisations are still not paying adequate attention to vendor risk management — the process of assessing and mitigating risks, including due diligence and regular reviews of practices and procedures supporting vendors’ products and services. The survey reveals that one fifth of respondents do not address the issue of vendor risk management at all and one third report they have only informal procedures in place to do so.

“It is no longer enough for organisations to consider just their own information security issues and threats,” Moran said. “As the world becomes increasingly smaller and with more information flowing between companies, all organisations need to consider is the security of their business partners, outsourcing arrangements, suppliers and customers. Otherwise, the value created by these arrangements can quickly diminish or disappear due to perceived or real security, privacy or identity breaches.

“Organisations should also consider demonstrating their own commitment to good information security by applying recognised standards or becoming certified,” Moran said.

He also pointed to the ongoing misalignment between IT and the rest of the business and said IT security tends to be addressed on a tactical basis rather than an overall strategic basis.

“With proper organisational alignment and execution, information security can make significant contributions to the organisation’s strategic initiatives and overall risk management,” Moran said.

By John Kennedy