The 2006 Ernst & Young global information security survey has found organizations worldwide are failing under the weight of vendor risk management in outsourcing relationships, but internally have woken up to the relationship between information security and effective risk management.
Nearly two thirds of all global survey respondents claim their companies use regular meetings, steering groups and formal frameworks to ensure better information security. In the 2005 survey, 40 percent of respondents said information security was integrated with a risk management process or program. In 2006 that figure has risen to 43 percent.
However the report noted when it comes to managing the risks associated with the vendor running your outsourced IT shop, very few companies are actually prepared. Or for that matter understand what they should be doing to protect themselves from vendor-induced information vulnerabilities.
"More companies need to adopt formal procedures for vendor risk management and when they do they need to have those procedures validated," the report reads.
"Only six percent of companies use formal procedures, validated by a third party, to manage risks with vendors and 21 percent say they do not address these issues at all.
"Currently only 14 percent of organizations that rely on vendors require them to have an independent third-party review of their information security and privacy practices against leading practices. Only one quarter require that their vendors be aligned with a recognized standard."
More than 1200 senior IT professionals worldwide were surveyed for the report, a two-part questionnaire based on benchmarked security standards. The survey also found a level-headed approach among respondents towards information security as an outsourced IT function.
"Participants in the 2006 and 2005 surveys were overwhelmingly emphatic about not wanting to outsource their information security activities. 60 percent of 2006 respondents who are planning to or who have already outsourced information security duties say outsourcing is a way to make more of their valuable resources available within their companies," the report said.
Australia represented between 57 and 48 respondents in the survey overall. On one key question, "If you have decided on outsourcing or have already outsourced, select the top three drivers with respect to their importance?" 65 percent said they did so to release internal resources, 63 percent cited the difficulty in maintaining in-house capabilities was the driver and 56 said it was due to an improved quality of service.
Bruce Young, Ernst & Young Oceania technology and risk services partner, said organizations in Australia are bolstering their control environment, and internal resources, by using security outsourcing.
Young said generally outsourcing is being done on what makes commercial sense and is approached with more intelligence.
"In terms of managing vendor-related risks I would say if I as an organization were outsourcing parts of the business to a vendor the maturity in the security market now stipulates that vendor to be benchmarked against standards - organizations are asking now if an outsourcing vendor can provide an audit report or something to show how well they are benchmarked against that standard," Young said.
"Organizations are a lot more mature in outsourcing information security and not accountability and they tend not to outsource security in its entirety but have a clear understanding the organization needs to maintain accountability and responsibility for security and continue to monitor through service level agreements (SLAs) and key performance indications (KPIs).
"This is a better model than the typical outsourcing model because where it failed in the past is people outsourced the entire problem hoping it will go away - an organization can never pass away that responsibility."