Companies should use benchmarking exercises to get an objective view of their information security position in relation to their peers and identify appropriate steps to close any gaps.
This is the view of Shaun Nel, technology and security risk director at Ernst & Young. However, he emphasises that standards such as ISO 27001 should not be used on their own to browbeat companies into making new or additional information security investments.
"It is key for each company to identify the most appropriate action to take, because companies of different kinds have different information security needs. Therefore, any benchmarking exercise needs to be interpreted in terms of a company's specific requirements," he explains.
Nel adds that budgets for information security should also be allocated only in accordance with the value of the resource to be protected.
Although reluctant to pre-empt the results of Ernst & Young's 2006 information security survey, to be released in the fourth quarter, Nel says the trend locally is towards using co-sourced or outsourced security services.
According to Nel, this trend is being driven by a lack of security skills in the face of high demand as well as the need for different skills at different times.
"Outsourcing security is growing in popularity because it relieves companies of employing and supporting a permanent staff contingent," he says.
Nel also notes that compliance with regulations continues to be a major market force as companies orientate themselves to operate within the increasingly regulated business environment.