As the old saying goes, “reputation is everything”. And the “Ernst & Young 2008 Global Information Security Survey” proves
this to be true for the information security sector as well. Over 85 percent of respondents say that damage to a reputation
and brand is more significant than on revenue. Seventy-two percent of respondents say the opposite.
Jose Granado, Principal, Information Technology Enablement Center- Americas Security Leader at Ernst & Young, says that
awareness of the link between information security and brand reputation has grown because “confidence and trust are very
important, especially now”. He adds that businesses have to make sure that data is secure—credit card data, buying
Luckily, there are various ways enterprises can keep the faith of their consumers, and even employees for that matter—one
of which is tight information security.
Right now, there isn’t any set international information security standard. Of course, there are standards within
industries that companies should be compliant with, at the very least. However, each organization is different, so it’s hard
to pinpoint exact standards to set that will work for everyone.
Thirty percent of respondents say that their organization has used and implemented an information security standard, 20
percent say their organization hasn’t used or implemented any specific security standards and 50 percent report that their
organization has used at least one standard to influence the development their own information security policies.
Granado, who has over 20 years of experience in this area, suggests that organizations should evaluate why they need
information security and “drive toward a wholistic approach. Standards should not set your security.”
When a company does accept a certain standard or gain a certification, customer and partner trust will likely grow.
Trust also plays a key role between an organization and partner, vendor or contractor. Of those surveyed, 29 percent say
their organizations don’t perform any review or assessment of their partners, vendors or contractors to make sure that their
information remains secure. However, many organizations are now realizing that risking a security incident comes back to
them, if they don’t take proper precautions. Although organizations are willing to work with third-parties, many stray away
from outsourcing major information security activities.
Some organizations feel that they’re “outsourcing their dirty laundry” in a sense, Granada says.
However, with risks come benefits, and outsourcing has a few. Most obviously, outsourcing attack and penetration testing
to a third-party is a smart move, (more objective than doing internal testing), which 59 percent of those surveyed say their
organization currently does. However, 23 percent of respondents say that they have no plans to outsource such testing.
Yet, while 77 percent of respondents don’t have any plans to outsource incident response activities, perhaps they should
If an unplanned emergency occurs, than internal IT can keep things moving along while the third-party helps combat the
problem, Granado explains. Internal IT should have a “first response system in place”, but then let the third-party deal
with any aftermath that may result in a legal battle, because legal knowledge is part of their training.
“You don’t want to dabble in this,” he adds.
All in all, outsourcing gets a bad rap from organizations afraid to let an outside provider have any access to their
information. And although organizations are afraid of letting an outsider assist with any of their information security
activities, just 71 percent of those surveyed meet with IT on a monthly basis.
Only half of the respondents plan to increase their investment in information security. This is especially scary during a
time of economic downturn, when attacks on security don’t lessen, but perhaps increase.
Granado attributes this to three thingsdisgruntled former employees now without a job, consumers’ barriers being down,
which means that they’re looking for a quick financial fix and get taken by a scam and hackers taking advantage of an
organization’s weaker IT security branch (due to downsizing).
Organizations can easily make sure that the best information security standards are in place for their needs. Identifying
what your data is, if it’s structured or unstructured and its form are the first steps an organization can take toward a
sound information security system. It should run a “data classification exercise,” Granada says.
After the data is defined, an organization should maintain awareness of what threats exist and how to deal with them. As
Granado says, hacking attacks happen across all industries. Yet the financial services industry usually leads the way in
staying proactive. They’re hiring IT savvy people, learning to use top of the line tools, and subscribing to FSISAC Granado
But what about a Mom and Pop online store? They might outsource all of their IT functions, or at the very least, work
with a consultant. Before signing a contract, they should ask some “very pointed questions,” Granado says, and then stay
hands on with the maintenance of their information security activities. Ask to see the resumes of who’s handling information
security and bring in a third-party to run annual security tests, Granado adds.
There are a variety of ways that people can keep up to speed on information security procedures. Online training and peer
groups, courses, like those offered by SANS—books, peers and conferences, such as Black Hat—of which 50
percent of attendees are actually from large organizations or law enforcement roles.
Respondents of the survey consisted of almost 1,400 senior executives across a variety of industries from over 50