"Too much work, very few resources - is a well-known phrase, especially in the current expenses restraint. But lack of resources is only part of the problem. Information security does not require at this time only more resources, but a clever plan to take into account this threat, and especially people with specific skills and training to respond to rapid changes in the risk environment," comments Carmen Adamescu, Director of Assistance in IT Risk Department, Ernst & Young Romania.
The 15th annual Global Information Security Survey suggests that organizations are taking steps to enhance their information security capabilities, but few are keeping up with an ever-changing risk landscape.
Virtualization, cloud computing, social media, mobile devices, the disappearing lines that once divided business and personal IT activities – as each year passes, the speed and complexity of change accelerates.
Combined with the ever-growing incidents of cyber crime and advanced persistent threats, this is creating a gap between where an organization’s information security program is and where it needs to be.
The origins of the gap are complex. However, based on our survey results, the issues can be organized into four distinct categories:
- Alignment with the business
- Insufficient resources with the right skills and training
- Processes and architecture
- New and evolving technologies
What cannot be categorized yet are the issues looming on the horizon in the form of governmental intervention and regulatory pressures to address information security risk.
Short-term fixes and bolt-on solutions are not enough. Organizations fighting to narrow the gap need to take four steps to fundamentally shift how their information security functions operate:
- Link the information security strategy to the business strategy, and the overall desired results for the business.
- Start with a blank sheet when considering new technologies and redesigning the architecture, to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
- Execute the transformation by creating an environment that enables the organization to successfully and sustainably change the way information security is delivered.
- When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organizations must prepare for their use.
Effective information security transformation does not require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.
Find the complete version of Global Information Security Survey 2012 here