19 August 2003

96% of SA firms rate info security as top priority

Ninety-six percent of South African organisations rate information security as important to the success of their organisation, a survey by Ernst & Young has found.

The finding is consistent with the results of the global survey released recently, which indicated that 90% of organisations rate information security as a top priority.

In addition, 93% of South African organisations believe that risk reduction is the primary reason why new information security solutions are considered for implementation. This compares with the 78% highlighted in the global survey.

According to the survey, the mainline findings are:

  • 96% of South African organisations see information security as important

  • 52% of organisations don’t see a strong alignment between information security and business objectives

  • Nearly two thirds of organisations don’t communicate or understand the value of information security

  • Two thirds of organisations cite lack of budget and management commitment as the greatest obstacles to successful information security programmes

  • 78% of respondents continue to include technology amongst security management and investment areas, without sufficient focus on people

  • 93% of organisations believe that risk reduction is the primary reason why new information security solutions are considered for implementation and few organisations are implementing information security solutions as an enabler of business

  • 75% of respondents rate business continuity amongst the top three investment areas

  • Viruses and employee misconduct pose the greatest security threat to organisations.

“The confident response that South African organisations rate information security as a top priority should be contrasted against the response that more than 50% of the 30 South African organisations surveyed did not see a strong alignment between information security and business objectives,” says Grant Brewer, partner in charge of information security at audit and business advisory firm Ernst & Young.

“We believe this highlights the communication and expectation gap between those responsible for information security and line management within the area of business functions,” adds Brewer.

Survey respondents were drawn from organisations covering a broad range of industries, and the majority of respondents (60%) were information technology executives, chief information officers, information security executives and chief risk officers.

According to Brewer, alignment with business objectives and strategy is one of the characteristics of successful information security programmes.

“Lack of alignment leads to poor involvement of business people in information security initiatives and can lead to resistance of the need to invest in information security,” he says.

This is reflected in the key finding that almost 60% of organisations in South Africa rarely or never calculate a return on investment for information security expenditure. This is higher than the global average of 50%, reflecting a lower level of measurement maturity in respect of security within South Africa.

“The lack of effective investment criteria and key performance indicators for security makes it challenging to deliver effective business cases for increased investment in information security,” says Brewer.

In addition, the effectiveness of information security programmes is typically not measured through a reliable but simple process such as a security scorecard. “This often results in security programmes that struggle to become sustainable,” says Brewer.

Furthermore, the results show that few South African boards or management teams receive regular communication on security threats, vulnerabilities or strategy.

    The survey also found:

  • 49% of boards do not receive security reports more than once per year.

  • 67% of executive management teams do not assess security policies against business processes more than once a year.

It is therefore not surprising that two-thirds of South African organisations cited lack of budget as the primary obstacle to the successful implementation of security programmes.

Brewer attributes this to the fact that executive and line management still do not perceive that sufficient value is derived from investment in security, or that the threat to the business is great enough to warrant an investment to decrease the risk exposure.

He says the lack of belief in the value of information security results from the challenges most security teams are experiencing in measuring the success of their programmes, in measuring effective return on investment, and in communicating effective business cases.

“This lack of belief is also manifested in the perceived lack of management commitment to information security programmes,” says Brewer.

In addition, respondents believe that executive management are unaware of the importance of information security.

“We believe that the increased focus on risk management and corporate governance within the marketplace will go some way to addressing the lack of awareness among management,” says Brewer. – I-Net Bridge