Security is a journey, not a destination, so we’ve been told. Now Ernst & Young’s latest global information security survey focuses attention on yet another vulnerable path: third-party relationships.

Respondents indicated that many companies are beginning to recognize the potential risks “of third-party relationships, particularly with the use of customer data by customer service outsourcing companies in rapidly developing economies,” Ernst & Young said in a statement. According to the firm, its 9th Annual Global Information Security Survey interviewed 1,200 senior information security professionals in 48 countries, and benchmarked the current information security practices of more than 350 organizations in 38 countries.

More than half of those surveyed don’t have formal measures in place to combat risks posed by third-party vendors; only 14 percent of respondents require an independent review of their vendors’ information and privacy practices.

“Many companies are making significant progress in mitigating risk … due to greater investments, greater board involvement, positive influences of regulatory pressures and maturity in information security leadership,” Paul van Kessel, global leader of Ernst & Young’s Technology and Security Risk Services, said in a statement. “However, the dynamics of risk require continuous improvements and updates to information security measures.”

Other weak areas identified include the need to integrate information risk management into the overall risk management strategy—something less than half of respondents currently do. And only a little more than half of those surveyed report security issues to their boards or management on a regular basis.

The survey also reported that CSOs will continue to face the challenges of regulatory compliance and privacy issues. Privacy issues are a key priority for future success, said Ernst & Young.
Privacy “has become a high-stakes business issue, catapulted up the board agenda by consumer concerns caused by well publicized lapses of security and the growing response of government and legislative activism,” said van Kessel. “Understandably it is the area where companies are being most active, with privacy and data protection practices becoming increasingly more formalized.”

“Companies know all too well that the problem of privacy and personal data protection is broader and deeper than what is in the headlines,” he added. “Our survey reports that this will continue to be a top business issue, requiring vigilant oversight on the part of organizations and even more formalization of measures to mitigate the risks.”

By Shawna McAlearney