06.VNISD, EY, Henri Hoang, Make the Shift - Close the Gap

Upload: do-van-tu

Post on 08-Aug-2018


• 8/21/2019 06.VNISD, EY, Henri Hoang, Make the Shift - Close the Gap

1/42

Ernst & Young's Global Information Security Survey 2012

November 2012

Make the shift, close the gap


Contents

1. The speed of change, a widening gap (page 3)
2. A fundamental transformation (page 13)
3. Make the shift, close the gap (page 16)
4. EY's Information Security Services (page 20)

Appendix
I. Appendix 1: Survey results (page 23)
II. Appendix 2: Survey methodology (page 34)
III. Appendix 3: EY's approach to IT risk (page 39)


    1. The speed of change, a widening gap


Ernst & Young's Global Information Security Survey

Ernst & Young's Global Information Security Survey (GISS) is a survey conducted annually by Ernst & Young world-wide. The first GISS was conducted in 1998.

We invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was conducted online.

If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/Home-ContactUs and complete a simple request form.


Ernst & Young's Global Information Security Survey

Unthinkable just a few years ago, the velocity of change in information security is staggering. Our 15th annual Global Information Security Survey (GISS), one of the longest running, most recognised and respected annual surveys of its kind, suggests that although organisations are taking steps to enhance their information security capabilities, few are keeping up with an ever-changing risk landscape.

Ernst & Young's GISS 2012 was conducted between May 2012 and July 2012. We had 1,836 respondents across all major industries and in 64 countries participate.

[Chart: respondents by region: Japan; Asia-Pacific; Americas; Europe, Middle East, India and Africa]


Information Security capabilities from 2006 until today

Key trends

Prior to 2006, information security was seen as an important component of mitigating financial risk and meeting new compliance requirements, such as SOX 404.

After 2006, the scope of information security expanded in two directions:

1. Information security needed to protect the organisation more broadly, especially in a globalised world.
2. Information security needed to have a clear return on investment, requiring an alignment of risk and performance.

In 2008, information security matured beyond compliance. Protecting brand and reputation became the primary driver in an environment of escalating threats, through managing new risks and leveraging technology. At the same time, the world changed dramatically:

• A global financial crisis and economic downturn hit many organisations hard.
• Emerging markets gained much more prominence.
• The competitive landscape changed.

Confronted with these challenges, organisations focused on restructuring and reinventing to keep up with the new requirements and increasing cost pressures.

Impact: recommended steps by year

2006
• Stay proactively involved in achieving regulatory compliance
• Improve risk management of third-party relationships
• Invest more in privacy and personal data protection

2007
• Align information security with the business
• Face the challenges of staffing information security functions

2008
• Take a more business-centric view
• Keep up investments in information security despite economic pressures
• Invest in training and awareness programs to keep people from being the weakest link

2009
• Co-source to address a lack of resources and tighter budgets
• Assess the potential impact of new technology and the organisation's ability to protect its assets
• Know the risks posed by increasing external and internal threats


Information Security capabilities from 2006 until today

Key trends

With a global economy still in recovery, and in an environment of sustained cost pressures and scarce resources, two new waves of change emerged:

1. Organisations started to realise that with globalisation, data is everywhere. Employees were increasingly sending data to business partners over the internet or carrying the data with them on mobile devices. The traditional boundaries of an organisation were vanishing along with the traditional security paradigms.
2. Organisations understood the security requirements associated with IT outsourcing. Data processing moved into the cloud, which required the information security function to completely rethink its approach to securing information.

The velocity and complexity of change accelerates at a staggering pace:

• Virtualisation, cloud computing, social media, mobile, and other new and emerging technologies open the door to a wave of internal and external threats.
• Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity to an already complicated information security environment.

Organisations have made great strides in improving their information security capabilities. But for as many steps as they have taken, they continue to fall behind, creating an information security gap that grows ever larger.

Impact: recommended steps by year

2010
• Address the risks associated with emerging technologies
• Increase investment in data loss prevention tools
• Take an information-centric view of security that better aligns to the business

2011
• Bring information security into the boardroom
• Protect the information that matters most
• Embrace encryption as a fundamental control
• Focus on the fundamentals

2012
• Continue to make information security a board-level priority
• Develop an integrated strategy around corporate objectives, and consider the whole risk landscape
• Use data analytics to test the risk landscape and understand the data you need to protect most
• Use a three- to five-year horizon for budgeting to enable long-term planning
• Innovate, innovate, innovate
• Start working on a fundamental transformation


What is happening: the gap is widening

This year's survey shows that threats are accelerating significantly faster than the enhancements organisations are making.


What is happening: accelerating threats

What is new in this year's survey?

• In 2012, 77% of respondents noticed an increase in external attacks (state-sponsored espionage, hacktivism, organised crime and terrorism), compared with 72% in 2011 and 41% in 2009.
• This year, 46% of respondents noticed an increase in internal vulnerabilities (in terms of evolving technologies such as mobile, and insufficient IS resources).
• 37% ranked careless or unaware employees as the threat that increased the most over the last 12 months.

The gap keeps widening because of the compounding issues of:
• mis-alignment of the IS strategy/framework and the business;
• insufficient resources for information security activities;
• inadequate IS processes and architecture; and
• the fastest-ever blooming of new technologies.


What is happening: why the gap has grown, some of the facts (1/2)

From the survey results, there are facts (*) that we need to think about:

A. Unbalanced alignment between IS strategy and business strategy

The information security agenda continues to be IT-led rather than focused on the overall business strategy.

• 46% of respondents almost never or never discuss information security strategy with the top governing structure of their organisation
• Only 42% of respondents say their Information Security strategy is aligned to their business strategy
• Only 5% have information security reporting to the chief risk officer, the person most responsible for managing the organisation's risk profile
• 63% of organisations have placed responsibility for Information Security with the IT function
• 70% of respondents indicate that their information security function only partially meets organisational needs and improvements are underway

(*) See appendix for more information


What is happening: why the gap has grown, some of the facts (2/2)

B. Resource constraints
• Only 22% of respondents indicate that they are planning on spending more in this area in the next 12 months.
• 37% of respondents see the threat that has most increased their organisation's risk exposure as careless or unaware employees.

C. Lack of a formal security architecture framework
• 63% of respondents in this year's survey indicated that their organisations have no formal security architecture framework in place, nor are they necessarily planning on using one.
• 19% of respondents don't conduct any attack and penetration test at all.

D. A torrent of technology
New technologies bring new threats and risks: virtualisation, cloud computing, social media, BYOD, mobile devices.
• 38% of respondents say they have not taken any measures to mitigate the risks of using cloud computing services.
• 38% of respondents say they do not have a coordinated approach to address social media.
• Only 40% have adopted encryption techniques to protect data on their mobile computing channel.


What is happening: the key issues causing the widening gap

Key issues:
• Mis-alignment with the business
• Insufficient resources with the appropriate experience, skills and training
• Inadequate processes and architecture
• New and evolving technologies

More specific to Vietnam's context:
• Lack of implementation of a formal IS framework and IS strategy
• Significant lack of resources with the appropriate experience, skills and training
• Informal and changing operational processes and corporate organisational structure
• New and evolving technologies (cloud computing, BYOD, mobile, social media)
• Emerging market with ever-changing governmental regulations

We need a SHIFT in the view of Information Security:

From: Information Security's responsibility belongs to the IT function.
To: Information Security is a strategic business imperative and requires an enterprise response.


    2. A fundamental transformation


A fundamental transformation (1/2)

Organisations need to take FOUR key steps to fundamentally shift how their information security functions operate:

1. Link the information security strategy to the business strategy, and the overall desired results for the business.
   To develop and align the IT strategy/IS strategy with the business strategy.

2. Start with a blank sheet when considering new technologies and redesigning the architecture, to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
   To select and implement a formal information security architecture framework (ISO 27001, Open Group Architecture Framework).


A fundamental transformation (2/2)

3. Execute the transformation by creating an environment that will enable the organisation to successfully and sustainably change the way information security is delivered. Make leaders accountable for delivering results and visibility throughout the life of the program.
   To commit to providing sufficient resources for the IS program organisation-wide in the long term.

4. When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organisations must prepare for their use. For every new technology implemented, besides all the benefits and opportunities, carefully consider the new threats and risks they present.
   To regularly assess changes in the business environment to identify new risks and threats for immediate action.


    3. Make the shift, close the gap


Conclusion

Changing environment:
• New technology: virtualisation, cloud computing, social media, mobile
• The speed at which technology has evolved
• The challenges of emerging markets
• The financial crisis

What companies have done:
• Added new features to the IS system
• Redefined strategies
• Installed new information security function components
• Added more people

However, our survey results suggest that companies have NOT improved enough.


Make the shift, close the gap

Effective information security transformation does NOT require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.

What some leading organisations are doing

Questions for the C-suite


Questions for the C-suite
---------------------------------------
• Has your organisation implemented the necessary information security improvements to keep up with the pace of change?
• What impact have changes to security levels had on your organisation?
• Has your organisation done enough?
• Are your information security objectives and measures aligned to your business strategy?
• What is your organisation's annual budget for IT and specifically for IT Security?
• How does your budget compare to the international standard in terms of percentage of annual revenue?
• What has your organisation done to adjust information security to address the changing environment?


4. EY's Information Security Services


Ernst & Young's Information Security Services (1/2)

The history of Ernst & Young's Information Security practice:
• Ernst & Young's Information Security services started very early in the 90s.
• We're proud to have our IS professionals as the authors of the famous Hacking Exposed series.
• In 2002, Ernst & Young established its global network of Advanced Security Centers (ASCs), which provide controlled and physically secure environments in which our dedicated team of leading security professionals can conduct assessments focused on clients' infrastructure, applications and people.
• Our IS professionals comprise former CSOs, CIOs and specialised subject matter professionals from all over the world.

Drawing on our in-depth knowledge and extensive experience working with major organisations for nearly 20 years, we work with clients to deliver sustainable, measurable results in:
• Transforming information security programs
• Identifying and responding to cyber threats
• Managing identity and access effectively and efficiently
• Mitigating the risk of information loss and addressing privacy regulations


Ernst & Young's Information Security Services (2/2)


Appendix 1: Survey results


[Chart: Top priorities over the coming 12 months]


[Chart: Compared to the previous year, does your organisation plan to spend more, spend relatively the same amount or spend less over the next year for the following activities?]


[Chart: What threats and vulnerabilities have most increased your risk exposure over the last 12 months?]


[Chart: How does your organisation assess the efficiency and effectiveness of information security?]


[Chart: What formal security architecture frameworks are used (or are you planning to use) within your organisation?]


[Chart: Which of the following controls have you implemented to mitigate the new or increased risks related to the use of cloud computing?]


[Chart: Which of the following controls have you implemented to mitigate the new or increased risks related to the use of social media?]


[Chart: Does your organisation currently permit the use of tablet computers for business use?]


[Chart: Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones?]


[Chart: Which of the following actions has your organisation taken to control data leakage of sensitive information?]


Appendix 2: Survey methodology


Survey methodology

Ernst & Young's Global Information Security Survey was conducted between May 2012 and July 2012. We had 1,836 respondents across all major industries and in 64 countries participate.

For our survey, we invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. We distributed a questionnaire to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process. The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was conducted online.

If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/Home-ContactUs and complete a simple request form.

[Chart: respondents by region: Japan; Asia-Pacific; Americas; EMEIA]


[Chart: Survey methodology: respondents by industry (1,836 respondents from 64 countries)]


[Chart: Survey methodology: respondents by total annual company revenue]


[Chart: Survey methodology: respondents by position]


Appendix 3: EY's approach to IT risk


Ernst & Young's approach to IT risk


Contacts

Name | Role | Telephone | Email

Global
Norman Lonergan | Advisory Services Leader | +44 20 7980 0596 | [email protected]
Paul van Kessel | IT Risk and Assurance Services Leader | +31 88 40 71271 | [email protected]

Advisory Services
Robert Patton | Americas Leader | +1 404 817 5579 | [email protected]
Andrew Embury | Europe, Middle East, India and Africa Leader | +44 20 7951 1802 | [email protected]
Doug Simpson | Asia-Pacific Leader | +61 2 9248 4923 | [email protected]
Shohei Harada | Japan Leader | +81 3 3503 2033 | [email protected]

IT Risk and Assurance Services
Bernie Wedge | Americas Leader | +1 404 817 5120 | [email protected]
Manuel Giralt Herrero | Europe, Middle East, India and Africa Leader | +34 91 573 7479 | [email protected]
Jenny Chan | Asia-Pacific Leader | +86 21 2228 2602 | [email protected]
Haruyoshi Yokokawa | Japan Leader | +81 3 3503 1704 | [email protected]
Henri Hoang | Vietnam Leader | +84 97 205 4888 | [email protected]


Ernst & Young

Assurance | Tax | Transaction | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young Vietnam is dedicated to providing the highest quality professional services to all its clients through assisting them to achieve their objectives, whilst realizing the growth aspirations of the firm and our people and making a positive difference to the community it serves.

For more information, please visit www.ey.com

Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

© 2012 Ernst & Young Vietnam Limited. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young Vietnam Limited nor any other member of the global Ernst & Young organisation can accept any responsibility for loss occasioned to any person acting or refraining in this publication. On any specific matter, reference should be made to the appropriate advisor.

www.ey.com/vn