2010 Energy & Resources global security study
Continuing the journey
Like virtually all other industries in 2010, the industry that powers the world is faced with a myriad of changes. These changes may compel the Energy & Resources (E&R) industry to revisit the way it protects its data, whether within its walls, in the hands of third parties, or in the sky, via cloud computing. Although E&R differs from other industries in some respects, many of its data protection and information security issues are similar to those of other industries. Issues highlighted by the 2010 Global E&R Security Study include the following:
- Respondents cite a lack of alignment of information security goals and objectives with those of the business; as a result, many information security functions lack visibility and executive support and, to many respondents, the role of the information security executive is still considered predominantly an IT position.
- While respondents indicate that security infrastructure improvement is still the top security initiative of the industry—understandable when industrial systems such as the electrical grid are so crucial—for the first time in our survey, data protection and information security governance and training are top-five initiatives.
- Many respondents also recognize that outsourcing to third parties—so crucial to the support of the industry—has nonetheless outpaced security.
- Despite the industry's focus on infrastructure improvements, respondents indicate that internal people are the source of most security and privacy breaches.
- The majority of E&R organizations that responded to the survey also indicate that they do not have a business continuity management strategy or plan.
The study focuses on additional key findings related to compliance, privacy initiatives, adoption of technology and investment in information security. The study also includes a section of findings based on questions specific to the E&R industry, such as its dependence on industrial control IT systems, typically used to monitor or control manufacturing and transport processes. As these industrial control IT systems become more “connected,” there is a risk of an increase in cyber-attacks by means of network intrusions, malicious code, and unauthorized access.