

CBR is proudly produced & published
by Technews
Issue Date: October 2006

Benchmarking, move to co-sourcing

1 October 2006

The introduction of the ISO 27001 standard for information security is giving companies the ability to benchmark their security posture against a single global standard. However, Shaun Nel, technology and security risk director at professional services firm Ernst & Young, says companies should not be browbeaten into making investments in their information security by benchmarking exercises, but should rather use the results as a guideline to establish an objective view of their current information security posture in relation to their peers.
Shaun Nel, technology and security risk director at professional services firm Ernst & Young
Says Nel: "As an exercise, benchmarking is certainly valid and can add value to companies in terms of helping them to assess their security posture, identify any potential gaps or shortfalls and take the appropriate steps to protect their information infrastructure appropriately."
However, he stresses that 'appropriately' is the key word. "The fact is that companies of different kinds have different information security needs. A retailer, for example, is unlikely to require the same level of information security as a bank. As such, any benchmarking exercise would need interpretation in terms of the company's specific requirements; budgets for information security should be allocated in accordance with the value of the resource to be protected."
Benchmarking will give companies the ability to assess how they are performing in relation to their peers. More importantly, a benchmarking exercise can serve to highlight how the company views its information assets. Once identification of the assets of value has taken place, it becomes possible to create key performance indicators based on the priorities afforded to that data.
However, companies should beware the use of benchmarking to pressurise them into excessive or unjustifiable security.
Ernst & Young's 13th annual Global Information Security Survey, scheduled for release in the fourth quarter of this year, allows organisations that participated in the survey to benchmark themselves using the ISO 27001 standard (formerly designated ISO 17799). In 2005, the survey sampled 1300 global companies, government and not-for-profit organisations in more than 55 countries.
With the release of its 2006 Global Information Security Survey, Nel says Ernst & Young will provide organisations with an in-depth view on the nature of threats and the issues businesses have to deal with. "The Survey has also proven to be a valuable tool which serves as a yardstick by which participating companies can assess their security posture on an ongoing basis, providing a comparable measure of the previous year's results with the present."
In South Africa, the demand for security skills - and the lack of supply - is driving companies to seek co-sourced or outsourced security services. Since different skills are typically required at different times, this model is gaining acceptance because it lets companies get better value from the security budget and removes the need to employ and support a permanent staff contingent.
Compliance with regulations also continues to be a major market force as companies orientate themselves to operate within the increasingly regulated business environment.
For more information contact Shaun Nel, Ernst & Young, +27 (0) 11 772 3000,
