While security is moving up the priority ladder of businesses, organizations are still looking at security on a piecemeal basis. Here are some insights on the findings of the Global State of Information Security 2005 in the geography that matters most to Asia–Asia.
Globally, the average number of security-related events reported has risen 22.4 percent from 704 in 2004 to 862 in this year’s study. The resulting impact in Asia is that 67 percent of Asian respondents suffered financial losses and 50 percent experienced intellectual property theft.
Even so, most continue to be focused on tactical matters such that only 33 percent of Asian respondents have an overall security strategy and only another 22 percent plan to create a strategy within the next year.
These indications imply that many organizations are stuck in the fire-fighting mode and are not focusing enough on strategic planning.
Such myopic moves, akin to tending the flowers and forgetting the trees, are a concern simply because security attacks will continue to get more complex. It is only when companies focus on a proactive approach through a comprehensive strategy that they will come out ahead.
Information Security priorities
The good news is that information security is making its presence felt in the boardroom.
About 32 percent of Asian respondents reported that their company employs a CSO or CISO. In terms of organizational structure, 57 percent of respondents in Asia report to either the CEO or the Board of Directors while 32 percent report to the CIO.
Hopefully, this finding will result in companies stepping away from the fire-fighting mode and developing a strategic approach towards security.
Managing IS spend is key
Another positive is security spending in Asia.
Globally, security budgets, as a percentage of overall IT budget, increased from an average of 11 percent in 2004 to 13 percent in 2005. In Asia, that figure is even more encouraging, at 16 percent. It is a positive indication that IS is playing an increasing role in supporting business objectives. However, IS funds are originating from various sources besides IT.
A majority of Asian companies have indicated that potential liability (43 percent of respondents), legal/regulatory requirements (42 percent) and common industry practices (40 percent) are the reasons for investment in security.
Despite the upbeat note, companies still cite limited budget (55 percent) and limited staff dedicated to security (44 percent) as the top two barriers to security in Asia, mirroring the rest of the world.
One way to break this barrier of limited budgets is to better manage the security spend by aligning IT, security and business objectives.
Companies that address security based on regulatory compliance requirements will continue to stay in the fire-fighting mode.
Companies have to move to a more holistic view of security, integrating business objectives, governance and risk. An integrated approach to security will also help companies control spending and overcome the problem of limited budgets.
Safeguarding against attacks
While over half of Asian organizations educate their workforce about security policies and procedures (57 percent), across the Pacific, more North American organizations (71 percent) are investing efforts in this area.
This indicates that many companies have established their policies and are now in the implementation stage. This involves training and regular communications to instill a corporate culture where staff understand the importance of IT security and its implications. However, the vast difference in percentages between Asia and North America reflects the fact that there is much room for improvement for companies in Asia.
Another common security safeguard implemented is the monitoring of employee use of Internet and information assets. In Asia, 56 percent of respondents have indicated that this process is in place in their companies. In North America, it is 64 percent.
A likely reason for this worldwide trend and focus on employees is the high percentage of IS attacks originating from employees, ex-employees and partners. In Asia, 37 percent of attacks are from employees, 23 percent from ex-employees and 10 percent from partners/suppliers.
Impact of Compliance
While security counterparts in North America are focusing their resources on compliance with mainly the Sarbanes-Oxley Act and Health Insurance Portability & Accountability Act, companies in Asia are more concerned with local regulations such as Australian Privacy Legislation and New Zealand Government Information and Privacy Act. About 70 percent of Asian respondents have admitted that even though they need to comply, they are not yet in compliance.
CIOs who are grappling with compliance issues may take comfort in the fact that they are not alone. Asia, on the whole, is still a work in progress in this area.
Priorities in 2006
Companies have developed and improved policies and strategies over the past year and are working to implement and enforce these policies in the coming year. In Asia, the top three process-related priorities in the area of security for next year are business continuity/disaster recovery plans (37 percent), active monitoring/analysis of information security intelligence such as vulnerability reports and log files (36 percent), and auditing/monitoring user compliance with security policies (33 percent).
By Tan Shong Ye, CIO Asia