Business leaders in Canada rate information
security as a top priority in achieving business goals, but less
than half report their organisations back that up by aligning security
spending with key objectives, according to a survey on information
security published by professional services firm Ernst & Young.
"There is a clear disconnect between
the very high level of importance assigned to information security
(almost 90 percent of Canadian companies gave it this rating) and
the relatively low number (46 percent) of respondents who say their
organisations' spending on information security is aligned with
overall objectives," says Kent Kaufield of Ernst & Young's
Technology and Security Risk Services group.
"Keeping information secure can no longer
just be the domain of 'computer gurus' - it's important that these
issues capture the attention and focus of senior management and
boards. It's clear from our survey that many organisations have
much ground to cover in achieving truly effective enterprise-wide
information security programs," says Mr. Kaufield.
Ernst & Young's Global Information Security
Survey 2003, which polled senior managers, mostly chief information
officers (CIOs) and chief information security officers (CISOs),
including those from major companies in Canada, suggests the lack
of alignment is further reflected in the distance between what organisations
are deeming a major business objective - information security -
and where they are allocating funding. Sixty-three percent of respondents
identified both budget constraints and resource priorities as the
leading obstacles to their organisations' ability to achieve effective
information security.
74 percent of Canadian respondents say their
companies rarely or never calculate return on investment on information
security expenditures. "CIOs and CISOs need to make a better
long-term case for information security investments, as opposed
to investing over the short term to patch vulnerabilities,"
says Mr. Kaufield, "and it seems there is a need to find a
credible alternative to conventional ROI approaches for getting
the required funding for information security."
The survey also reveals there is insufficient
regular contact between business unit leaders and those in an organisation
responsible for information security.
"About 40 percent said they report regularly
(monthly, quarterly or semi-annually) on the status of information
security to a board or the equivalent," says Mr. Kaufield.
"That's encouraging news, although the number does seem high
in our experience. Overall, the lack of reporting – for example
only 42 percent give accountings annually or less, and 19 percent
never report – is not a good sign. It reflects the great deal
of work needed to transform information security into an issue that
gets equal status in the boardroom with other major business concerns,"
he says.
The survey conclusions as they relate to Canadian
respondents are generally in keeping with global survey results.
Among the other Canadian findings of Ernst & Young's Global
Information Security Survey 2003:
* The top three areas of information spending
are technology (85 percent),
business continuity (60 percent), and process (58 percent).
* 67 percent rate as "adequate" their organisations' level
of protection of critical business information.
* 73 percent rate as "adequate" their ability to identify
information system vulnerabilities.
* 65 percent rate as "adequate" their ability to determine
whether their information systems are under attack.
"There are three main things an organisation
can start to do as it moves to strengthen information security,"
says Mr. Kaufield. "One, you need to communicate security issues
in terms that are meaningful in order to gain the support of key
stakeholders. Two, security and business objectives need to be aligned
across the company. And three, any talk about security concerns
must be followed up with concrete action."

• Date: 16th July 2003 • Region: N.America • Type: Article • Topic: ISM