E&Y 2009 Global Information Security Survey
Mar 1, 2010
In case you missed it at the end of 2009, be sure to read Ernst & Young’s 12th annual Global Information Security Survey, released in November 2009. The title of the report, “Outpacing change,” will resonate with many information security professionals. The 28-page report and a press release announcing and summarizing the report are available online from Ernst & Young.
When talking to senior management about information security, I like being able to reference reports produced by the big four accounting firms. Even if senior managers don’t care what their information security staff thinks, they do pay attention to what their external auditor may be thinking about information security, as it may affect this year’s audit.
One early observation from the Ernst & Young report is that “information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum.” Being able to demonstrate how your security program has improved its efficiency in 2009—in line with Ernst & Young’s observation—could be an important reassurance to offer management.
From another section of the report, it may be important to inform your senior managers that 50% of 1,900 survey respondents indicated that “improving information security risk management is the top security priority over the next year.” If that’s not the current thinking in your organization, management may want to consider how they will justify this lack of interest, if asked by their auditors.
Finally, depending upon the objectives for your security program in 2010, there are many “gems” in the report. For example, if your organization faces challenges getting the HR and IT departments to work together to create a functional termination policy and process, consider that the survey found that “75% of respondents revealed that they are concerned with the possible reprisal from employees recently separated from their organization.”
Information security surveys published by non-IT or non-information security sources are influential with senior management. They’re also usually written in non-technical language that’s easier to understand. Make sure you don’t miss the opportunity to share reports like this Global Information Security Survey with your senior management. Consider preparing a 4-6 slide presentation that summarizes the most relevant points of the report and offering to present it at your next “Management Awareness” session.
—Jim Herbeck
©Copyright EYGM Limited