According to the results of Ernst & Young's 16th annual Global Information Security Survey, 48% of respondents report that a lack of skilled resources is one of the main obstacles in confronting cyber threats.
In an interview, Chip Tsantes, principal in the Financial Services Office of Ernst & Young, says this skills shortage is making firms more conscious about where they direct skilled resources, which problems they attack, where they outsource, and how they focus on the tasks with the most benefit for the organization.
"We're seeing willingness to outsource more commodity services, and pay for good talent inside," says Tsantes. When asked if companies are looking to increase investment in tools and services, he says, "There are few tools that come and don't require a team to work on them. I see clients that buy tools and use only 10% of their capabilities, or become shelf-ware. You need to go in with eyes wide open. Sometimes there's a disconnect between the resources required to keep a tool operating the way it should."
The survey, conducted between June and July 2013, polled 1,900 respondents across 64 countries and 25 industry sectors. 361 respondents, or 19%, represent the banking and capital markets (BCM) sector.
Compared to other industries, financial services is in the lead in terms of cyber security and awareness. According to EY, information security transformation is a priority area within the BCM industry, as organizations are looking to improve and better position their information security programs to evolve with the changing risk surface, including cyber risks, data leakage, emerging technologies, and security event and incident management.
Tsantes adds that after 3-4 years of flat or modest growth, EY has seen respondents in financial services get bigger increases in security budgets, which he attributes to threat and vulnerability management. The survey found the BCM industry continues to increase information security spend, with 47% reporting an increase of at least 5% over last year and 61% stating they plan on additional increases in the coming year.
Furthermore, BCM organizations are starting to allocate more budget to security improvement and expansion and to security innovation, as 75% of respondents recognize the function is not fully effective and have improvement efforts underway, reports EY. Only 9% of the organizations surveyed have advanced functionality with regard to threat intelligence, vulnerability identification, detection and response, while 36% report having an informal program or none at all.
Consulting the Board
The trend continues that cyber security is becoming more important and gaining attention throughout the organization, especially at the top of the house, explains Tsantes. "I've been speaking with more boards of directors and committees this year than in the last 5 years." This trend suggests more visibility and awareness at the leadership level, which supports strategies for further investment in security programs.
But one thing troubles him: 11% of respondents said cyber security wasn't an issue at board level, and that they rarely or never present information security topics to the senior audience. "I worry about those organizations," he adds, then, sounding hopeful, "maybe they just didn't understand the question." 68% of the respondents said they present information security topics to the board or top governing body on a quarterly or monthly basis.