“Meeting today’s challenges in information security” by Warren R. Bituin (February 1, 2010)

SUITS THE C-SUITE By Warren R. Bituin
Business World (02/01/2010)

Philippine firms must find ways to improve the effectiveness of information security management initiatives as they face more sophisticated threats in this turbulent economic landscape and fast-evolving technology environment.

This much is confirmed in the 12th annual Ernst & Young 2009 Global Information Security Survey.

The results of the global survey outline the information security challenges that organizations need to be aware of to stay ahead and protect their most critical information assets. Nearly 1,900 senior executives across all major industries in more than 60 countries participated in the survey. There were 45 respondents from the Philippines from government and the financial, manufacturing, and insurance industries.

Information-centric approach

Technological shifts are changing the way organizations view their information security risk management approach. The rapid adoption of broadband and over-the-air technologies, and the increasing use of mobile devices have expanded, or perhaps even eliminated, the traditional borders of the organization’s IT network.

Of the local respondents, 62% say improving security continues to be a top priority for 2010; however, the approach is no longer focused on “keeping the bad guys out.” Perimeter security such as firewalls and intrusion prevention systems is no longer adequate on its own.

Organizations must now protect their information assets wherever they reside. This requires the information security function to be highly integrated with the business. Key information assets need to be identified, located, and classified as to importance to the organization. Various stakeholders such as internal users, business partners and even customers need to be involved in the process. Only then can a more responsive security management approach be implemented by the organization. Entities need to truly understand how information is accessed and used within their business processes before they can begin to manage their security needs.

While compliance with regulations and corporate policies continues to be an important objective of the information security function, a good number of survey respondents mentioned addressing increasing threats as a main driver for information security management.

In fact, more than 50% noted an increase in both external and internal attacks on Web sites and networks given the current economic and technology environments. Organizations have therefore mentioned protecting reputation and brand (96%), intellectual property (87%), privacy of personal information (89%) and improving stakeholder and investor confidence (89%) as equally important security objectives.

As such, it is not enough for companies to comply consistently with regulations. A cohesive information security strategy should be in place to add value to the business, enabling a secure flow of information exchange both internally and externally. Philippine companies should focus on implementing a comprehensive program where compliance is a by-product and not the primary driver to provide more value-added information security services.

Delivering on information security initiatives is hampered by the failure to allocate an adequate budget to cover the organization’s security needs.

Globally, 50% of the survey respondents ranked this as a “high” or “significant” challenge — a notable increase from 2008 (33%). This is particularly interesting in that 40% of the respondents are willing to spend more in the area of improving information security.

The problem may result from misplaced importance on spending for regulatory compliance where information security becomes a “necessary evil” rather than a very critical initiative that enables the organization to achieve its business objectives.

Security spending decisions should be prioritized with the end in view of enabling a secure flow of information among its stakeholders. Companies must have a focused information security strategy that is integrated with the business to ensure that resources are being allocated to where they will provide the most benefit to the company.

Unfortunately, 44% of the respondents claim a lack of documented information security strategy.

In fact, 64% do not have a system in place for inventory and classification of information assets — an important step in developing a focused information security strategy.

Despite all this, Philippine companies continue to make strides in information security management. One respondent said it has adopted a global standard in implementing an information security management system and has received certification; 22% have implemented one without certification; 29% are in the process of implementing, and 36% are considering implementation.

Nonetheless, information security is still in its developing stage in the Philippines. Although most organizations have information security awareness programs, the survey shows that very few measure the effectiveness of these programs. In addition, quite a number have indicated that they do not have a clear understanding of the data privacy requirements that may affect their organization.

Companies that operate globally or that deal with external partners, vendors, contractors and, even more so, direct customers need to understand the scope of privacy within their operations to ensure that normal business processes and practices do not contribute to potential privacy violations.

Out with the old, in with the new

Despite the challenges, organizations must abandon the old paradigms of perimeter controls and of purely adhering to regulatory compliance, and adopt a more information-centric view of security to address the risks and challenges of the changing environment.

This more flexible, risk-based approach focuses on protecting critical information assets and is better suited to responding to rapidly evolving technology and an increasingly mobile and global workforce.

In today’s economy, organizations must enable information exchange while ensuring its security.
The full report on the survey is available on request at www.ey.com.
(Warren R. Bituin is a partner of SGV & Co.)

This article was originally published in the BusinessWorld newspaper. It is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.