Well, it looks like it's finally getting through to the world's corporations. Information security IS about more than just staying out of trouble. Ernst & Young issued findings from its tenth Global Information Security Survey and concluded that a growing number of firms recognize the other fringe benefits of keeping data safe. E&Y polled about 1,300 senior executives in over 50 countries and found that although compliance is still a big driver of info sec initiatives, almost half of respondents (45 percent) said that meeting business objectives was among their top three drivers of information security.
I think this trend can also be examined from the angle of compliance with PCI standards, the payment card industry data security standards (PCI DSS). There has been a huge about-face among large and midsize merchants in this country and their attitudes toward PCI DSS. I actually explore this topic a bit more in the upcoming January issue. PCI DSS is a set of data security protocols for keeping customers' card information safe. As we all know, many of these retailers have been, shall we say, negligent in this respect? I wonder how much longer their flouting of the PCI rules would have continued had the ridiculous number of data breaches not occurred in 2007. But they got caught. Visa certainly didn't like this behavior and was at the forefront of levying fines against offending merchants for not passing their PCI audits. And Visa and the other card brands are finding further backing courtesy of the PCI Security Standards Council (of which all are members). The council is adopting more stringent standards and requirements around keeping card data safe for all those involved in the payments chain, banks included.
It's encouraging to see that information security is taking on greater importance at organizations, even beyond compliance requirements. Getting back to the E&Y study, the firm found that companies are better integrating their information security and risk management initiatives (82 percent of respondents). More than two-thirds (69 percent) of respondents felt that information security improves IT and operational efficiencies. This finding contrasts sharply with previous years, according to the firm, when information security was viewed as a barrier to IT and operational efficiency.
Of course, the report wasn't all rosy. Other findings showed that info sec is still too isolated from management and the strategic decision-making process. Nearly a third of respondents said they never meet with their board or audit committee. Things are improving on this front, but at a slow pace, according to E&Y.
Another problem is the lack of experienced security experts at companies as info sec programs expand. This was cited by more than half of respondents. Related to this, 60 percent of them said they are outsourcing certain elements of information security. That in itself can present some problems. On the other hand, why not let the experts handle these things?
Although E&Y didn't specify the kinds of companies involved in the study, it's not too difficult to draw parallels to the financial services industry. And many banks out there can probably relate to the findings. It's encouraging to see that at least things are getting better. Data safety is always a good thing.