In the end, observed Chng, skills resources, security maturity or budget may be playing a role in decision-making for some organisations. However, these "bolt-on or stack workaround solutions being seen today—which fix short-term information security needs—are masking a bigger problem around vulnerability," he said.
When looking to the future, he added: "Although we've identified some of the current gaps, there are still more on the horizon, in the form of government intervention and new regulatory pressures. If organisations don't take action to develop comprehensive security frameworks today, the combined consequences of the current and future issues will only fuel the information security threat further."
Steps towards fundamental shift
Short-term fixes and bolt-on solutions are not enough, advises E&Y. Organisations fighting to narrow the gap need to take four steps to fundamentally shift how their information security functions operate:
1. Link the information security strategy to the business strategy, and the overall desired results for the business.
2. Start with a blank sheet when considering new technologies and redesigning the architecture, to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
3. Execute the transformation by creating an environment that enables the organisation to successfully and sustainably change the way information security is delivered.
4. When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organisations must prepare for their use.
Effective information security transformation does not require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.