06.VNISD, EY, Henri Hoang, Make the Shift - Close the Gap
Transcript of 06.VNISD, EY, Henri Hoang, Make the Shift - Close the Gap
-
8/21/2019 06.VNISD, EY, Henri Hoang, Make the Shift - Close the Gap
1/42
Ernst & Young's Global Information Security Survey 2012
November 2012
Make the shift, close the gap
Ernst & Young's Global Information Security Survey 2012, Page 2
Contents (with page numbers)
1. The speed of change, a widening gap ... 3
2. A fundamental transformation ... 13
3. Make the shift, close the gap ... 16
4. EY's Information Security Services ... 20
Appendix
I. Appendix 1: Survey results ... 23
II. Appendix 2: Survey methodology ... 34
III. Appendix 3: EY's approach to IT risk ... 39
1. The speed of change, a widening gap
Ernst & Young's Global Information Security Survey
Ernst & Young's Global Information Security Survey (GISS) is a survey conducted annually by Ernst & Young world-wide. The first GISS was conducted in 1998.
We invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was conducted online.
If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/Home-ContactUs and complete a simple request form.
Ernst & Young's Global Information Security Survey
Unthinkable just a few years ago, the velocity of change in information security is staggering. Our 15th annual Global Information Security Survey (GISS), one of the longest running, most recognised and respected annual surveys of its kind, suggests that although organisations are taking steps to enhance their information security capabilities, few are keeping up with an ever-changing risk landscape.
Ernst & Young's GISS 2012 was conducted between May 2012 and July 2012. We had 1,836 respondents across all major industries in 64 countries.
[Map of respondent regions: Japan; Asia-Pacific; Americas; Europe, Middle East, India and Africa]
Information Security capabilities from 2006 until today
Key trends
Prior to 2006, information security was seen as an important component of mitigating financial risk and meeting new compliance requirements, such as SOX 404.
After 2006, the scope of information security expanded in two directions:
1. Information security needed to protect the organisation more broadly, especially in a globalised world.
2. Information security needed to have a clear return on investment, requiring an alignment of risk and performance.
In 2008, information security matured beyond compliance. Protecting brand and reputation became the primary driver in an environment of escalating threats, through managing new risks and leveraging technology. At the same time, the world changed dramatically:
- A global financial crisis and economic downturn hit many organisations hard.
- Emerging markets gained much more prominence.
- The competitive landscape changed.
Confronted with these challenges, organisations focused on restructuring and reinventing to keep up with the new requirements and increasing cost pressures.
Impact and recommended steps
2006:
- Stay proactively involved in achieving regulatory compliance
- Improve risk management of third-party relationships
- Invest more in privacy and personal data protection
2007:
- Align information security with the business
- Face the challenges of staffing information security functions
2008:
- Take a more business-centric view
- Keep up investments in information security despite economic pressures
- Invest in training and awareness programs to keep people from being the weakest link
2009:
- Co-sourcing to address a lack of resources and tighter budgets
- Assess the potential impact of new technology and the organisation's ability to protect its assets
- Know the risks posed by increasing external and internal threats
Information Security capabilities from 2006 until today
Key trends
With a global economy still in recovery, and in an environment of sustained cost pressures and scarce resources, two new waves of change emerged:
1. Organisations started to realise that with globalisation, data is everywhere. Employees were increasingly sending data to business partners over the internet or carrying the data with them on mobile devices. The traditional boundaries of an organisation were vanishing along with the traditional security paradigms.
2. Organisations understood the security requirements associated with IT outsourcing. Data processing moved into the cloud, which required the information security function to completely rethink its approach to securing information.
The velocity and complexity of change accelerates at a staggering pace:
- Virtualisation, cloud computing, social media, mobile, and other new and emerging technologies open the door to a wave of internal and external threats.
- Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity to an already complicated information security environment.
Organisations have made great strides in improving their information security capabilities. But for as many steps as they have taken, they continue to fall behind, creating an information security gap that grows ever larger.
Impact and recommended steps
2010:
- Address the risks associated with emerging technologies
- Increase investment in data loss prevention tools
- Take an information-centric view of security that better aligns to the business
2011:
- Bring information security into the boardroom
- Protect the information that matters most
- Embrace encryption as a fundamental control
- Focus on the fundamentals
2012:
- Continue to make information security a board-level priority
- Develop an integrated strategy around corporate objectives, and consider the whole risk landscape
- Use data analytics to test the risk landscape and understand the data you need to protect most
- Use a three- to five-year horizon for budgeting to enable long-term planning
- Innovate, innovate, innovate
- Start working on a fundamental transformation
What is happening: The gap is widening
This year's survey shows that threats are accelerating significantly faster than the enhancements organisations are making.
What is happening: Accelerating threats
What is new in this year's survey?
- In 2012, 77% of respondents noticed an increase in external attacks (state-sponsored espionage, hacktivism, organised crime and terrorism), compared to 72% in 2011 and 41% in 2009.
- This year, 46% of respondents noticed an increase in internal vulnerabilities (in terms of evolving technologies such as mobile devices, and insufficient IS resources).
- 37% ranked careless or unaware employees as the threat that increased the most over the last 12 months.
The gap keeps widening because of compounding issues:
- mis-alignment of the IS strategy/framework with the business;
- insufficient resources for information security activities;
- inadequate IS processes and architecture; and
- the fastest-ever growth of new technologies.
What is happening: Why the gap has grown, some of the facts (1/2)
From the survey results, there are facts (*) that we need to think about:
A. Unbalanced alignment between IS strategy and business strategy
The information security agenda continues to be IT-led rather than focused on the overall business strategy:
- 46% of respondents almost never or never discuss information security strategy with the top governing structure of their organisation
- Only 42% of respondents say their information security strategy is aligned to their business strategy
- Only 5% have information security reporting to the chief risk officer, the person most responsible for managing the organisation's risk profile
- 63% of organisations have placed responsibility for information security with the IT function
- 70% of respondents indicate that their information security function only partially meets organisational needs and improvements are underway
(*) See appendix for more information
What is happening: Why the gap has grown, some of the facts (2/2)
B. Resource constraints
- Only 22% of respondents indicate that they are planning on spending more in this area in the next 12 months.
- 37% of respondents see careless or unaware employees as the threat that has most increased their organisation's risk exposure.
C. Lack of a formal security architecture framework
- 63% of respondents in this year's survey indicated that their organisations have no formal security architecture framework in place, nor are they necessarily planning on using one.
- 19% of respondents don't conduct any attack and penetration test at all.
D. A torrent of technology
New technologies bring new threats and risks: virtualisation, cloud computing, social media, BYOD, mobile devices.
- 38% of respondents say they have not taken any measures to mitigate the risks of using cloud computing services.
- 38% of respondents say they do not have a coordinated approach to address social media.
- Only 40% have adopted encryption techniques to protect data on their mobile computing channel.
What is happening: The key issues causing the widening gap
Key issues:
- Mis-alignment with the business
- Insufficient resources with the appropriate experience, skills and training
- Inadequate processes and architecture
- New and evolving technologies
More specific to Vietnam's context:
- Lack of implementation of a formal IS framework and IS strategy
- Significant lack of resources with the appropriate experience, skills and training
- Informal and changing operational processes and corporate organisational structure
- New and evolving technologies (cloud computing, BYOD, mobile, social media)
- Emerging market with ever-changing governmental regulations
We need a SHIFT in the view of Information Security: from "Information Security's responsibility belongs to the IT function" to "Information Security is a strategic business imperative and requires an enterprise response."
2. A fundamental transformation
A fundamental transformation (1/2)
Organisations need to take FOUR key steps to fundamentally shift how their information security functions operate:
1. Link the information security strategy to the business strategy, and the overall desired results for the business.
   - Develop and align the IT strategy/IS strategy with the business strategy.
2. Start with a blank sheet when considering new technologies and redesigning the architecture, to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
   - Select and implement a formal information security architecture framework (ISO 27001, The Open Group Architecture Framework).
A fundamental transformation (2/2)
3. Execute the transformation by creating an environment that will enable the organisation to successfully and sustainably change the way information security is delivered. Make leaders accountable for delivering results and visibility throughout the life of the program.
   - Commit to providing sufficient resources for the IS program, organisation-wide, over the long term.
4. When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organisations must prepare for their use. For every new technology implemented, besides all the benefits and opportunities, carefully consider the new threats and risks it presents.
   - Regularly assess changes in the business environment to identify new risks and threats for immediate action.
3. Make the shift, close the gap
Conclusion
Changing environment:
- New technology: virtualisation, cloud computing, social media, mobile
- The speed at which technology has evolved
- The challenges of emerging markets
- The financial crisis
What companies have done:
- Added new features to the IS system
- Redefined strategies
- Installed new information security function components
- Added more people
However, our survey results suggest that companies have NOT improved enough.
Make the shift, close the gap
Effective information security transformation does NOT require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.
What some leading organisations are doing
Questions for the C-suite
Questions for the C-suite
- Has your organisation implemented the necessary information security improvements to keep up with the pace of change?
- What impact have changes to security levels had on your organisation?
- Has your organisation done enough?
- Are your information security objectives and measures aligned to your business strategy?
- What is your organisation's annual budget for IT, and specifically for IT security? How does your budget compare to international standards, in terms of percentage of annual revenue?
- What has your organisation done to adjust information security to address the changing environment?
4. EY's Information Security Services
Ernst & Young's Information Security Services (1/2)
The history of Ernst & Young's Information Security practice:
- Ernst & Young's Information Security services started in the early 90s.
- We're proud to have our IS professionals as the authors of the famous Hacking Exposed series.
- In 2002, Ernst & Young established its global network of Advanced Security Centers (ASCs), which provide controlled and physically secure environments in which our dedicated team of leading security professionals can conduct assessments focused on clients' infrastructure, applications and people.
- Our IS professionals comprise former CSOs, CIOs and specialised subject matter professionals from all over the world.
Drawing on our in-depth knowledge and extensive experience working with major organisations for nearly 20 years, we work with clients to deliver sustainable, measurable results in:
- Transforming information security programs
- Identifying and responding to cyber threats
- Managing identity and access effectively and efficiently
- Mitigating the risk of information loss and addressing privacy regulations
Ernst & Young's Information Security Services (2/2)
Appendix 1: Survey results
[Chart] Top priorities over the coming 12 months
[Chart] Compared to the previous year, does your organisation plan to spend more, spend relatively the same amount or spend less over the next year for the following activities?
[Chart] What threats and vulnerabilities have most increased your risk exposure over the last 12 months?
[Chart] How does your organisation assess the efficiency and effectiveness of information security?
[Chart] What formal security architecture frameworks are used (or are you planning to use) within your organisation?
[Chart] Which of the following controls have you implemented to mitigate the new or increased risks related to the use of cloud computing?
[Chart] Which of the following controls have you implemented to mitigate the new or increased risks related to the use of social media?
[Chart] Does your organisation currently permit the use of tablet computers for business use?
[Chart] Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing, including tablets and smartphones?
[Chart] Which of the following actions has your organisation taken to control data leakage of sensitive information?
Appendix 2: Survey methodology
Survey methodology
Ernst & Young's Global Information Security Survey was conducted between May 2012 and July 2012. We had 1,836 respondents across all major industries in 64 countries.
For our survey, we invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. We distributed a questionnaire to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process. The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was conducted online.
If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/Home-ContactUs and complete a simple request form.
[Map of respondent regions: Japan; Asia-Pacific; Americas; EMEIA]
[Chart] Survey methodology: Respondents by industry (1,836 respondents from 64 countries)
[Chart] Survey methodology: Respondents by total annual company revenue
[Chart] Survey methodology: Respondents by position
Appendix 3: EY's approach to IT risk
Ernst & Young's approach to IT risk
Contacts (name, role, telephone, email)
Global
- Norman Lonergan, Advisory Services Leader, +44 20 7980 0596, [email protected]
- Paul van Kessel, IT Risk and Assurance Services Leader, +31 88 40 71271, [email protected]
Advisory Services
- Robert Patton, Americas Leader, +1 404 817 5579, [email protected]
- Andrew Embury, Europe, Middle East, India and Africa Leader, +44 20 7951 1802, [email protected]
- Doug Simpson, Asia-Pacific Leader, +61 2 9248 4923, [email protected]
- Shohei Harada, Japan Leader, +81 3 3503 2033, [email protected]
IT Risk and Assurance Services
- Bernie Wedge, Americas Leader, +1 404 817 5120, [email protected]
- Manuel Giralt Herrero, Europe, Middle East, India and Africa Leader, +34 91 573 7479, [email protected]
- Jenny Chan, Asia-Pacific Leader, +86 21 2228 2602, [email protected]
- Haruyoshi Yokokawa, Japan Leader, +81 3 3503 1704, [email protected]
- Henri Hoang, Vietnam Leader, +84 97 205 4888, [email protected]
Ernst & Young: Assurance | Tax | Transaction | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young Vietnam is dedicated to providing the highest quality professional services to all its clients through assisting them to achieve their objectives, whilst realizing the growth aspirations of the firm and our people and making a positive difference to the community it serves.
For more information, please visit www.ey.com
Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
2012 Ernst & Young Vietnam Limited. All Rights Reserved.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young Vietnam Limited nor any other member of the global Ernst & Young organisation can accept any responsibility for loss occasioned to any person acting or refraining in this publication. On any specific matter, reference should be made to the appropriate advisor.
www.ey.com/vn