Companies lack IT security funding


Johannesburg, 30 Jul 2003

The Ernst & Young Global Information Security Survey has found that 90% of organisations define protecting their information resources as a major business objective, but that this area is not allocated the appropriate funding.

Of the 1 400 companies surveyed in 66 countries, 56% cited insufficient budget as the number one obstacle to effective information security. The survey says this is not surprising, in view of the tight economic picture that prevailed in most nations during the survey period.

"Most companies take on a one-dimensional, reactive and risk-adverse approach rather than a proactive holistic one," says Grant Brewer, a partner in charge of information security at Ernst & Young.

"All too often, it requires a security breach, a competitor being attacked or a regulatory mandate for organisations to take action. Then, the core business objectives are ignored and a temporary 'fix' is applied to the problem. Measured proactive spending is less costly in the long run than reactive spending, which is often overspending in response to an incident."

In the SA, India and Russia regions, 94% of respondents stated that security is somewhat or very important.

"This is not reflected in the fact that information security is usually the responsibility of the CIO, rather than an individual tasked specifically with that function," says Brewer.

Of those, 50% report on security issues annually or less often, and a further 20% don't report at all. "Most of their IT spend goes on technology and not enough is spent on awareness and the training of human capital elements to create people in the organisation responsible for security."

In the SA, India and Russia regions, 47% of companies have experienced unscheduled downtime in the last 12 months, compared to a similar 52% globally. Brewer lists the major reasons for that as hardware failure, telecommunications failure, software failure, major viruses or worms and operational errors.

This paints a fairly bleak picture, and according to Brewer, organisations need to strengthen the performance of their security programme by communicating information security issues in terms that are meaningful to stakeholders, aligning security and business objectives throughout the organisation and backing up their talk about security and the importance of protecting digital assets by investing in information security.

Other findings include:

* More than 34% of organisations rate themselves as less than adequate in their ability to determine whether their systems are currently under attack.

* More than 33% of organisations say they are inadequate in their ability to respond to incidents.

* Only 34% of organisations claim to be compliant with applicable security-driven regulations.
