2009 Giss Summary Nov09


1. Outpacing change
Ernst & Young's 12th annual Global Information Security Survey
Summary meeting deck
November 2009

2. Contents
Introduction
Key survey findings
Managing risks
Addressing challenges
Complying with regulations
Leveraging technology
Our perspective
Appendix: profile of survey participants
Confidential Ernst & Young 2009 Global Information Security Survey | Page 1

3. Ernst & Young's 12th annual Global Information Security Survey
Ernst & Young's 12th annual Global Information Security Survey (GISS) is one of the longest running and most highly respected surveys of its kind, providing our clients an opportunity to compare their organization with others on important information security issues and gain insights for making key decisions.
This year's survey was conducted from 1 June to 31 July 2009 with 1,865 organizations in 61 countries and across all major industries participating.
Our 2009 GISS specifically examines how organizations are addressing their information security needs while staying ahead of change: adopting new technologies, complying with new regulations and operating in a changing global business environment.

4. Key survey findings
Managing risks
• Improving information security risk management is the top security priority over the next year.
• External and internal attacks are increasing.
• Reprisals from recently separated employees have become a major concern.
Addressing challenges
• Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
• Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
• Security training and awareness programs are falling short of expectations.
Complying with regulations
• Regulatory compliance continues to be an important driver for information security.
• Cost of compliance remains high, with few companies planning to spend less in the next 12 months.
• Too few organizations have taken the necessary steps to protect personal information.
Leveraging technology
• Implementing DLP technologies is a top security priority for many organizations.
• The lack of endpoint encryption remains a key risk, with few companies encrypting laptops or desktop computers.
• Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.

5. Managing risks

6. Managing risks: Improving information security risk management is the top security priority over the next year.
Survey results:
• Improving information security risk management was the top security priority for our survey participants, with 50% of respondents indicating that they plan to spend more and 39% planning to spend relatively the same amount on this initiative over the next year.
Our perspective:
• Companies need to take an information-centric view of security to ensure better alignment with their information flows. Only by understanding the use of information within critical business processes can an organization truly begin to manage its security needs.
• Continue to integrate information security with the business, becoming a flexible, responsible corporate citizen rather than an obstacle to achieving business objectives.

7. Managing risks: External and internal attacks are increasing.
Survey results:
• Our survey found that 41% of respondents noted an increase in external attacks.
• 25% of respondents witnessed an increase in internal attacks, and 13% reported an increase in internally perpetrated fraud.
Our perspective:
• To manage the increased external and internal risks, companies should undertake a specific risk assessment exercise to identify their potential exposure within this sphere and put in place appropriate risk-based responses.

8. Managing risks: Reprisals from recently separated employees have become a major concern.
Survey results:
• A full 75% of respondents revealed that they are concerned (33% are very concerned) with the possible reprisal from employees recently separated from their organizations.
• Survey results also show that 42% of respondents are trying to understand the potential risks related to this issue and 26% are already taking steps to help mitigate the risks.
Our perspective:
• To manage the increased risks related to employee reprisals, companies should develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.

9. Addressing challenges

10. Addressing challenges: Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
Survey results:
• The primary challenge to effectively delivering information security was the lack of appropriate resources, with 56% of respondents ranking this as a high (4) or significant (5) challenge (on a 1 to 5 scale); this is an increase of eight percentage points compared to our 2008 survey results (48%).
Our perspective:
• Organizations should investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources without turning over control to others.
• Such steps should be taken with care, as the operation of security by third parties requires different management competencies from those used to manage and deliver security to an organization using internal resources only.

11. Addressing challenges: Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
Survey results:
• Allocating adequate budget to information security continues to be a challenge in 2009, with a total of 50% of respondents ranking this as a high (4) or significant (5) challenge. This is a very notable increase of 17 percentage points over 2008 (33%).
• However, 40% of respondents indicated that they planned to increase their annual investment in information security as a percentage of total expenditures, and 52% planned on maintaining the same level of spending.
Our perspective:
• Companies need to adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.

12. Addressing challenges: Security training and awareness programs are falling short of expectations.
Survey results:
• While most organizations (74%) have a security awareness program, less than half of all respondents indicated that their program includes such things as: updates and alerts on current threats (44%), informational updates on new hot topics (42%), and specific awareness activities for high-risk groups such as social networking users (35%).
• 73% of respondents have no plans to outsource their security training and awareness programs.
Our perspective:
• More organizations should begin to look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.

13. Complying with regulations

14. Complying with regulations: Regulatory compliance continues to be an important driver for information security.
Survey results:
• When asked about the importance of specific information security activities, 46% of respondents indicated that achieving compliance with regulations was very important (5), with an additional 31% considering it important (4).
Our perspective:
• Organizations must formally detail all the regulations they are required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.
• They also need to build an understanding of how their compliance efforts can be integrated into wider change programs, delivering greater business benefit.

15. Complying with regulations: Cost of compliance remains high, with few companies planning to spend less in the next 12 months.
Survey results:
• 55% of respondents indicated that regulatory compliance costs were accounting for moderate to significant increases in their overall information security costs.
• Only 5% of respondents plan on spending less over the next 12 months on regulatory compliance.
Our perspective:
• Organizations are spending too much of their security budgets on demonstrating point-in-time compliance and need to implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.

16. Complying with regulations: Too few organizations have taken the necessary steps to protect personal information.
Survey results:
• 68% of respondents stated that they have a clear understanding of the privacy laws and regulations that may impact their organizations.
• Only 32% of respondents have produced an inventory of information assets covered by privacy requirements, and an even smaller number (26%) have conducted an assessment of the personal data life cycle (gathering, using, storing and disposing).
Our perspective:
• Companies need to understand the scope of privacy within their operations and identify effective business champions who they can work with, to ensure that normal business processes and practices do not contribute to potential privacy violations.

17. Leveraging technology

18. Leveraging technology: Implementing DLP technologies is a top security priority for many organizations.
Survey results:
• 40% of respondents identified implementing DLP technologies as one of their top three priorities, with 19% selecting DLP as their first priority for the next year.
• 50% of respondents are at some stage of the evaluation and implementation process: 22% have planned an implementation within 12 months, and another 28% are currently evaluating DLP technology.
Our perspective:
• New evolving security technologies can potentially deliver substantial benefits to the overall management of information security across an enterprise. However, the deployment of such technologies must continue to be investigated to further ensure that they are fit for purpose and will deliver the benefits required.

19. Leveraging technology: The lack of endpoint encryption remains a key risk, with few companies encrypting laptops or desktop computers.
Survey results:
• Only 41% of respondents are encrypting their organizations' laptops today, with 17% planning to do so in the next year.
Our perspective:
• Many breaches have occurred and continue to occur due to loss or theft of laptops.
• Organizations should make use of endpoint encryption technology, as it is readily available and affordable to implement; the impact to users during deployment is relatively low and should no longer be a barrier.

20. Leveraging technology: Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.
Survey results:
• 78% of respondents indicated that they will have implemented virtualization before the end of the next year.
• Only 19% of the same respondents indicated that virtualization was a security priority.
Our perspective:
• Organizations must assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the potential impact upon the organization's ability to protect its assets.
• Each organization needs to define its position on new IT delivery models, including virtualization and cloud computing, to ensure that any decisions made are consistent with the overall business strategy, as well as the information technology strategy and direction of the organization.

21. Our perspective

22. Our perspective
Managing risks
• Take an information-centric view of security, better aligned with the organization's information flows.
• Continue to integrate information security with the business, becoming a flexible, responsible corporate citizen rather than an obstacle to achieving business objectives.
• Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.
• Develop a formal response aimed at dealing with employees likely to leave the organization as a result of workforce reductions or job elimination.
Addressing challenges
• Adopt a risk-based security strategy to help prioritize initiatives, justify new investments and maximize the benefits from those investments which have already been committed.
• Investigate potential co-sourced security alternatives, which may help provide much-needed access to skilled resources without turning over control to others.
• Look for outside help to design, execute, monitor and (or) measure the effectiveness of security training and awareness programs.
Complying with regulations
• Formally detail the regulations an organization is required to meet in the various geographies and validate this position with appropriate legal and operational groups across the enterprise.
• Build an understanding of how compliance efforts can be integrated into wider change programs, delivering greater business benefit.
• Implement a comprehensive information security program where regulatory compliance is considered a by-product rather than the primary driver.
• Gain an understanding of the scope of privacy within operations and identify effective business champions to help ensure that normal business processes and practices do not contribute to potential privacy violations.
Leveraging technology
• Assess the potential impact of any new technology that is being considered, looking beyond any promised benefits to the evaluation of the potential impact upon the organization's ability to protect its assets.
• Investigate the deployment of new security technologies to ensure that they are fit for purpose and will deliver the benefits required.
• Define a position on new IT delivery models, such as virtualization and cloud computing, to ensure alignment with the overall business strategy and information technology strategy.

23. Appendix: profile of survey participants

24. Survey participants by geography
1,865 participants from 61 countries
[World map with participant counts per country; the individual country figures are not recoverable from the transcript.]
Note: 27 other countries with 10 or less participants

25. Survey participants by industry groups
Asset Management: 68
Automotive: 40
Banking & Capital Markets: 343
Consumer Products: 99
Government & Public Sector: 106
Insurance: 142
Media & Entertainment: 49
Pharmaceutical: 44
Power & Utilities: 124
Professional Services: 39
Provider Care: 66
Real Estate & Construction: 46
Retail & Wholesale: 124
Technology: 137
Telecommunications: 63
Note: additional 375 participants from other industry groups

26. Survey participants by revenue
More than $24 billion: 112
$10 billion - $24 billion: 115
$1 billion - $9 billion: 433
$500 million - $999 million: 163
$250 million - $499 million: 176
$100 million - $249 million: 249
Less than $100 million: 523
Not applicable: 92

27. Survey participants by title
Chief Information Officer: 350
Information Technology Executive: 296
Information Security Executive: 237
Chief Information Security Officer: 219
Chief Security Officer: 85
Chief Technology Officer: 47
Business Unit Executive / Vice President: 24
Internal Audit Director: 21
Network/System Administrator: 13
Chief Risk Officer: 11
Chief Financial Officer: 11
Chief Executive Officer: 11
Chief Operating Officer: 6
Chief Compliance Officer: 3
General Counsel: 2
Note: additional 527 participants with other titles

28. Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 135,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential.

About Ernst & Young's Information Technology Risk and Assurance Services
Information technology is one of the key enablers for modern organizations to compete. It gives the opportunity to get closer, more focused and faster in responding to customers, and can redefine both the effectiveness and efficiency of operations. But as opportunity grows, so does risk. Effective information technology risk management helps you to improve the competitive advantage of your information technology operations, to make these operations more cost efficient and to manage down the risks related to running your systems. Our 6,000 information technology risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective advice wherever you are in the world. We work with you to develop an integrated, holistic approach to your information technology risk or to deal with a specific risk and security issue.
And because we understand that, to achieve your potential, you need a tailored service as much as consistent methodologies, we work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It's how Ernst & Young makes a difference.
For more information, please visit www.ey.com.

© 2009 EYGM Limited. All Rights Reserved. Proprietary and confidential. Do not distribute without written permission.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.