Organizations are implementing incremental improvements to their information security capabilities to provide short-term solutions — without tackling the issues associated with the overall information security threat.
With 31% experiencing a higher number of security incidents in the last two years, the need to develop a robust security architecture framework has never been greater. However 63% of organizations have no such framework in place and only 16% of respondents report that their information security function fully meets the needs of the organization.
Commenting on the findings, Paul van Kessel, Ernst & Young Global IT Risk and Assurance Services Leader says, "The new normal for the CIO is that fast is not fast enough. The velocity and complexity of change is happening at a staggering pace, with emerging markets, continuing economic volatility, off-shoring and increasing regulatory requirements adding to an already complicated information security environment."
Threat level continues to rise
Organizations recognize that the risk environment is changing, as the frequency and nature of information security threats increase and the number of security incidents rises. Over three-quarters (77%) of respondents agreed that there is an increasing risk from external attacks, but this is not the only source for concern for global organizations, with 46% reporting that internal vulnerabilities are also on the rise.
The unstoppable march of new technology
New technologies are opening up tremendous opportunities for organizations; but also potential threats from previously unknown sources. Cloud computing continues to be one of the main drivers of business model innovation, with the numbers of organizations using the cloud almost doubling in the last two years.
However, 38% of organizations have not taken any measures to mitigate the risks, such as stronger oversight on the contract management process for cloud providers or the use of encryption techniques.
Another significant new technology is internet-enabled mobile devices, whose technology advancements — and the associated business benefits — have vastly increased adoption rates.
Van Kessel comments, "With 44% of organizations now allowing the use of company or privately-owned tablets — up from 20% in 2011 — substantial levels of information are now flowing in and out of the office, making control increasingly difficult."
Organizations recognize that they need to do more on mobile technology. However, in the fast-moving mobile computing market the adoption of security techniques and software is still relatively low, with just 40% of organizations using some form of encryption technique on mobile devices.
More money, but is it well spent?
With more risks and more technology to secure, organizations are responding by increasing budgets and adjusting their priorities. Fifty-one percent of organizations reported plans to increase their budget by more than 5% in the next 12 months.
While 32% of respondents spend over US$1m on information security, the level of investment varies globally, with 48% of Americas' organizations allocating in excess of US$1m, compared with 35% and 26% in Asia-Pacific and EMEIA (Europe, Middle East, India and Africa) respectively. In terms of where the budget is assigned, the top investment priorities are securing new technologies (55%) and business continuity (47%).
Responsibility shift needed from IT to the risk function
The budget increases planned can only be effective with the right decision-makers taking responsibility. Information security continues to be IT-led within many organizations; with 63% of respondents indicating that their organizations have placed the responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps, and a reappraisal of responsibilities is required.
With just 5% of chief risk officers currently responsible for information security, many organizations lack the formal risk assessment mechanism provided by the risk function, resulting in 52% of organizations having no threat intelligence program in place. The proliferation of threats — and the acceleration of the gap between vulnerability and security — requires multiple sources of assessment, such as internal audit, internal self assessments and third-party assessments, to monitor and evaluate security incidents.
Van Kessel concludes, "For some organizations, skills resources, security maturity or budget may be playing a role in their decision-making; but these bolt-on or stack work-around solutions being seen today — which fix short-term information security needs — are masking a bigger problem around vulnerability."
When looking to the future, he adds, "Although we've identified some of the current gaps, there are still more on the horizon, in the form of government intervention and new regulatory pressures. If organizations don't take action to develop comprehensive security frameworks today, the combined consequences of the current and future issues will only fuel the information security threat further."