The 2006 Ernst & Young global information security survey has found organizations worldwide are failing under the weight of vendor risk management in outsourcing relationships, but internally have woken up to the relationship between information security and effective risk management.

Nearly two-thirds of all global survey respondents claim their companies use regular meetings, steering groups and formal frameworks to ensure better information security. In the 2005 survey, 40 percent of respondents said information security was integrated with a risk management process or program. In 2006 that figure has risen to 43 percent.

However, the report noted that when it comes to managing the risks associated with the vendor running your outsourced IT shop, very few companies are actually prepared—or for that matter understand what they should be doing to protect themselves from vendor-induced information vulnerabilities.

“More companies need to adopt formal procedures for vendor risk management, and when they do they need to have those procedures validated,” the report reads. “Only six percent of companies use formal procedures, validated by a third party, to manage risks with vendors and 21 percent say they do not address these issues at all.

“Currently only 14 percent of organizations that rely on vendors require them to have an independent third-party review of their information security and privacy practices against leading practices. Only one quarter require that their vendors be aligned with a recognized standard.”

More than 1,200 senior IT professionals worldwide were surveyed for the report, a two-part questionnaire based on benchmarked security standards.

The survey also found a level-headed approach among respondents toward information security as an outsourced IT function. “Participants in the 2006 and 2005 surveys were overwhelmingly emphatic about not wanting to outsource their information security activities.
60 percent of 2006 respondents who are planning to or who have already outsourced information security duties say outsourcing is a way to make more of their valuable resources available within their companies,” the report said.

Australia represented between 57 and 48 respondents in the survey overall. On one key question, “If you have decided on outsourcing or have already outsourced, select the top three drivers with respect to their importance,” 65 percent said they did so to release internal resources, 63 percent cited the difficulty in maintaining in-house capabilities, and 56 percent said it was due to an improved quality of service.

Bruce Young, Ernst & Young Oceania technology and risk services partner, said organizations in Australia are bolstering their control environment, and internal resources, by using security outsourcing. Young said generally outsourcing is being done on what makes commercial sense and is approached with more intelligence.

“In terms of managing vendor-related risks, I would say if I as an organization were outsourcing parts of the business to a vendor, the maturity in the security market now stipulates that vendor to be benchmarked against standards. Organizations are asking now if an outsourcing vendor can provide an audit report or something to show how well they are benchmarked against that standard,” Young said.

“Organizations are a lot more mature in outsourcing information security and not accountability, and they tend not to outsource security in its entirety, but have a clear understanding the organization needs to maintain accountability and responsibility for security and continue to monitor through service level agreements and key performance indications.

“This is a better model than the typical outsourcing model because where it failed in the past is people outsourced the entire problem, hoping it will go away.
An organization can never pass away that responsibility.”

-Michael Crawford, Computerworld Australia