Raising the Bar 2011 TMT Global Security Study – Key Findings


Contents

Foreword and summary
1. ‘Good enough’ is no longer good enough
2. Regulators are stepping in
3. The complex challenges of a hyperconnected world
4. Managing the human factor
5. Future drivers: Mobile devices, cloud computing and privacy
About the study
Acknowledgements
Contacts at Deloitte Touche Tohmatsu (DTT) and its member firms

Foreword and summary

This study is based on in-depth research and detailed survey interviews with 138 TMT organizations around the world. It also includes cutting-edge insights from senior professionals in Deloitte member firms’ Enterprise Risk Services practices.

In our 2007/2008 study, we found that TMT organizations were essentially treading water, just barely keeping up with security challenges and developments. In 2009 our study showed that TMT organizations were losing ground on information security, partly due to the deepening global recession. But in 2010, we saw a significant reversal with budgets and information security efforts starting to bounce back.

This year’s study shows TMT organizations generally holding steady on their information security activities, budgets, governance, and reporting. Although steady is better than declining, this level of investment and effort is not nearly enough to stay on top of the rising challenges. Information and connectivity are now an integral part of our lives, and our daily activities can be directly affected by incidents involving information and connectivity. In today’s increasingly hyperconnected world, there is no such thing as an isolated security threat. Breaches in one organization or system can quickly spread to others. This significantly raises the bar on the need to protect information and ensure connectivity.

This fundamental shift has not gone unnoticed. Information security has become a top of mind issue for the public, media and government, and has found its way into the board room. Media coverage of security and privacy issues has exploded – fanned by growing concerns and interest from the public. Governments all around the world are stepping up their regulatory efforts to protect their citizens; in fact, this year’s survey found that compliance with information security regulations and legislation has become the top information security initiative.

Welcome to the fifth edition of Deloitte Touche Tohmatsu Limited’s (DTTL) Global Security Study for the Technology, Media & Telecommunications (TMT) industry.

But compliance is just a starting point. Now that the public and media are starting to recognize the critical impact of security and privacy, information security has become a key differentiator in the marketplace – and should be treated as a strategic priority. TMT organizations need to scrutinize their third-party partners to ensure they cannot be used as a back door into the network. They must also learn to communicate actively about risks and incidents, so that media reporting is not based on erroneous or partially correct facts; by taking the initiative, they take control of the situation.

People-related issues are another big concern. Many CISOs are not only responsible for information security, but also for business continuity management, disaster recovery planning, physical security, and risk management. To stay on top of all these responsibilities, CISOs need to adopt a more team-oriented approach, relying on a diverse staff of specialists, and collaborating more closely with the business. They must also learn to manage the security challenges introduced by a TMT organization’s own employees, including the use of personal devices and social media. Instead of resisting these popular technology trends – which is almost certainly a losing battle – CISOs should learn to embrace and enable these technologies in order to capture the business benefits while managing the risks.

Mobile devices – along with cloud computing and privacy issues – are shaping the future of information security. To remain competitive, TMT organizations must extend their current enterprise security and risk frameworks to address these three key drivers. That means understanding the risks associated with each driver, and then tailoring the security framework to align with the organization’s risk appetite, regulatory requirements, and perhaps most important – the increasing demands of the market.

Information security is essential to our modern way of life, and TMT organizations are at the center of the action – providing much of the content, technology and infrastructure that makes it all possible. For TMT organizations, improved information security isn’t just good business; it’s a public imperative.


On behalf of Deloitte Touche Tohmatsu (DTT) and the TMT practices of its member firms, we would like to thank all those who contributed to this study, especially the chief information security officers (CISOs) and security management teams that shared their experiences and insights. Your contributions are helping to make the technology, media and telecommunications industry more secure – and as a result – more successful.

Jolyon Barker Global Managing Director

Jacques Buith TMT Security & Resilience Leader

Technology, Media & Telecommunications


1. ‘Good enough’ is no longer good enough

These days, it seems you can’t open a newspaper without seeing a high profile story about an information security breach or privacy invasion.

For many people, it’s hard to imagine life without things like web browsing, email and texting, online shopping, smartphones, social media, digital entertainment, and online banking and bill payment. In fact, given how much our modern lives now revolve around information and connectivity, it is scarcely an exaggeration to think of information security as a matter of life and death. No wonder the public’s tolerance for security and privacy problems is rapidly approaching zero.

Despite this fundamental shift, this year’s survey data shows that TMT organizations have mostly remained unchanged when it comes to information security. Responses about information security approaches, governance, reporting instruments, and business alignment showed only minor changes over the past two years.

• The percentage of TMT organizations with a CISO-role held steady at 80 percent;

• Limited budgets and resources continue to be perceived as the main barrier to information security;

• Many TMT organizations are investing a smaller part of their IT budget in information security. This year, as last year, about three quarters of the respondents indicate they spend between 1 and 6 percent of their IT budget on information security.

• Executive responsibility and reporting lines for information security remain largely unchanged. Among the security executives surveyed, 9 percent report to the Board of Directors, 24 percent to the CEO, 26 percent to the CIO, and 7 percent to the CFO (Figure 2).

And the problems appear to be getting worse. In last year’s survey, 38 percent of TMT organizations reported experiencing no information security breaches. This year, that number dropped to only 25 percent, suggesting that more organizations than ever are falling prey to security attacks. As can be seen in Figure 1, technology organizations reported the highest number of information security breaches, with 18 percent indicating 6-20 breaches in the past year, more than double the number reported by organizations in telecommunications and media. This deserves further investigation as it’s not clear from the survey results whether this is due to a greater awareness on the part of technology organizations concerning breaches or whether technology organizations are a more valuable target to hackers.

Risks are rapidly evolving and taking new forms, such as ‘hacktivism’ and ‘advanced persistent threats’, where an organization can be targeted not just for security flaws in its technology landscape, but for the remarks of a public relations manager.

At the same time, our society’s growing reliance on digital information and the internet is making the public increasingly sensitive to security and privacy problems.

Figure 1: How often did your organization experience an information security breach in the past 12 months? (Bar chart by sector: Telecommunications, Media, Technology. Response categories: 0; 1 – 5; 6 – 20; More than 20; Do not know. Horizontal axis: 0% to 60%.)


Deloitte bottom line: In a world where IT importance is increasing, and security threats are increasing even faster, many TMT organizations are not keeping up with the public imperative.

• The frequency of reporting on information security issues also stayed relatively static. 34 percent of TMT organizations provide information security reports to senior management once a month; 14 percent provide reports to the CEO once a quarter; and 14 percent provide reports to the Board of Directors once a year.

• CISO responsibilities also showed little change over the past two years. Roughly half of the surveyed companies expect the CISO to handle business continuity management (BCM), disaster recovery planning (DRP), and risk management – in addition to information security. Another 43 percent include physical security in the CISO’s domain.

• Roughly two-thirds of participants (65 percent) indicate they have a documented and approved information security strategy and governance structure.

Figure 2: Who does your organization’s executive(s) responsible for information security report to?

Chief Information Officer (CIO) 26%

Chief Financial Officer (CFO) 7%

Board of Directors 9%

Other 25%

Chief Executive Officer (CEO) 24%

Not applicable 9%

Although some of these figures suggest that TMT organizations are keeping a steady focus on information security, this stable level of investment and attention is not sufficient to address the public imperative of improved information security. It is particularly alarming given the rapidly rising impact of information security incidents, and the fact that TMT generally has larger R&D investments, customer databases and intellectual property assets to protect than other industries. TMT organizations provide much of the content, technology and infrastructure that drive our connected world. Information security that allows for occasional incidents might have been good enough in the past, but not anymore. TMT organizations need to be the best of the best when it comes to information security. This requires C-level attention to security and a corporate climate that fosters pro-active management of growing security risks.


2. Regulators are stepping in

Figure 3: What are your organization’s top three security initiatives for 2011?

Information security regulatory and legislative compliance 30%

Data Protection 28%

Information security training and awareness 27%

Security related to technology advancements 27%

Identity and Access Management 25%

Governments around the world are recognizing the urgent and growing need for improved information security and are responding with new laws and stricter regulations to help protect their citizens from harm.

The increased regulation coincides with increasing media coverage and public concern about information security. We’ve seen in 2011 a number of high profile security breaches, leading to significant reputation damage, customer defections and business erosion – including a trusted service provider going out of business.

According to this year’s survey, compliance with information security regulations and legislation has now become the number one security initiative for organizations in TMT, especially those in the telecommunications sector, as can be seen in Figure 3.

While the growing role of government in information security could be viewed as a sign that the TMT industry has missed the opportunity to regulate itself, nothing could be further from the truth. Compliance and regulation do not equal security; they merely define the minimum baseline. TMT organizations should view information security as a source of competitive advantage that can help them excel over their industry peers, and should strive for a much higher level of security than required by law. Earning a passing grade from regulators won’t be enough to put a company at the top of its class in the marketplace, which is likely to be much harder to please than the government.

Ironically, major TMT organizations might be better positioned than governments to establish higher standards for information security and privacy since they operate globally – just like the internet – whereas the jurisdiction of individual governments is strictly limited by geographic boundaries, making it difficult or impossible for them to effectively define and enforce global regulations.


Deloitte bottom line: TMT organizations must set the global standards for information security. Legislators and regulators are doing the right things, but they tend to set the bar at ‘good enough’… and globally successful firms need to do better than that.

At DTTL and its member firms’ recent TMT Leadership Summit in Beijing, which included a number of CEOs from leading TMT organizations around the world, one insight that emerged is that “governments are lost when it comes to regulating the internet, because the institutions the government has in place are behind for new industries, mainly in the online world.”

The good news is that 50 percent of survey participants say they are now involved in cyber-initiatives with other organizations (although involvement by media organizations is only about half the rate of the other two sectors). Participation in cyber-initiatives will help organizations stay abreast of the latest security challenges and solutions, identify evolving threats at an early stage, and could position them to influence future laws and regulations.

3. The complex challenges of a hyperconnected world

Multiple parties are connected – and therefore affected – meaning that organizations must not only assure the security of their own assets, but also those of their third parties who have access to their network. A chink in their armor means a chink in your armor.

Nearly 60 percent of the surveyed TMT organizations view third parties as an ‘average’ to ‘high’ threat for information security, versus only 30 percent who are very confident in the information security practices of third parties. This skepticism may be partly driven by the widely publicized problems recently experienced by major cloud service providers.

Adding to the challenge is the fact that TMT organizations are no longer dealing with one-to-one partner relationships, which were relatively stable and manageable, but now face a hyperconnected network of relationships that are constantly in flux. Achieving security assurance in this highly dynamic environment is difficult at best.

Unfortunately, these concerns do not seem to have prompted TMT organizations to scrutinize their third parties more closely. According to the survey data, only 30 percent of respondents regularly review and test third-party security capabilities, as can be seen in Figure 4. In last year’s survey this was 22 percent.

Figure 4: Which statement best describes how your organization deals with third-party security capabilities, controls and organizational dependencies (e.g. third parties in the supply or delivery chain)?

Third-party security capabilities, controls and organizational dependencies have been identified 41%

Third-party security capabilities, controls and organizational dependencies are regularly reviewed and tested 30%

Third-party security capabilities, controls and dependencies are unknown 14%

Not applicable 9%

Do not know 5%

The term ‘hyperconnected’ means that all things that can or should communicate through the network will communicate through the network. In today’s increasingly hyperconnected world, information security breaches do not happen in isolation.


Deloitte bottom line: In the hyperconnected world of TMT, there is no such thing as an isolated security problem. Cooperation and open communication are essential for success.

“We’re all connected and nobody is in charge.” Thomas Friedman (from http://www.lean.org/shook/displayobject.cfm?o=907)

Thirty-two percent of the surveyed companies indicate that improved communication, cooperation and coordination are needed to make the networked ecosystem safer. Note that this need is not restricted to interactions with third parties, but also applies to customers and external stakeholders.

According to the survey, 18 percent of TMT organizations have already established clearly defined practices to inform customers and other external stakeholders about risks that threaten the integrity of their data or networks. Another 35 percent have partially established such practices, or are currently working on them, yet about half of the TMT organizations do not have these practices in place. TMT organizations seem to realize that they must actively communicate about risks and incidents if they want to retain control of the situation. Otherwise, the media will. Yet for about half of the organizations the practices are not in place yet.

On a positive note, many TMT CEOs – including CEOs who attended the TMT Leadership Summit in Beijing – view these risks more as challenges than threats. Organizations that develop solutions to these weighty problems could find themselves handsomely rewarded in the marketplace.

4. Managing the human factor

The survey revealed a number of information security challenges related to people.

Figure 5: What areas are in the scope of the responsibility of the executive for information security (e.g., Chief Information Security Officer, etc.)?

Data/information privacy 76%

Physical security 43%

Business continuity management 43%

Disaster recovery planning 51%

Risk management 56%

Other 19%

Not applicable 12%

As information security grows increasingly important – and increasingly complex – it is getting harder to find qualified resources who understand every aspect of the problem. This is true even at the c-suite level. For nearly half of the surveyed organizations, CISOs are not just responsible for information security, but also for privacy, business continuity management, disaster recovery planning, physical security and risk management, as shown in Figure 5. No wonder 51 percent of respondents say that resources (and budgets) are their biggest barriers to ensuring information security. To stay on top of all these responsibilities, CISOs need to adopt a more team-oriented approach, relying on a diverse staff of specialists, and collaborating more closely with the business.

One challenge is for CISOs and their teams to find ways to deal with an ever-expanding set of responsibilities. Another challenge is to manage the growing number of threats introduced by TMT employees themselves, including increased use of social media, and increased use of their own devices.


Of course, the information security challenges related to people extend far beyond the information security function. According to our survey, 20 percent of TMT organizations view employee errors and omissions as a high threat over the next twelve months, while 17 percent view employee abuse of IT systems and information as a high threat. Errors and omissions typically can be addressed through training and security awareness. However, preventing and detecting deliberate abuse requires more drastic measures, including improved access control, segregation of duties, and acquisition of threat intelligence from the cyber world.

Security operations centers (SOCs) are a proven way to address information security challenges. The survey data shows that 48 percent of TMT organizations use an SOC to monitor traffic and data, and 44 percent use it to actively respond to incidents and breaches. However, almost a third of TMT organizations (33 percent) do not make use of an SOC at all (Figure 6).

Figure 6: When your organization makes use of a Security Operations Center (SOC), what capabilities are being used?

Monitoring of traffic and data 48%

Actively responding to incidents and breaches 43%

Do not make use of a SOC 33%

Logging and archiving 41%

Security administration 34%

Not applicable 11%


One of the most significant people-related risks is the use of social media. In fact, 19 percent of this year’s survey participants say that social media and data/information leakage is their top security concern. Yet only 24 percent of the surveyed organizations indicate they are fully addressing social media risk through policies and training, while 41 percent are just starting to address the risk, and 14 percent have not yet begun.

Another rapidly developing risk area is the consumerization trend (e.g. ‘Bring Your Own Device’ (BYOD)), in which employees are allowed to use their own personal communications devices for work-related activities.

In this year’s survey, 43 percent of respondents say they support both corporate-provided mobile devices and personal devices (Figure 7). Media organizations lead the way, with 59 percent supporting both corporate and personal mobile devices. While BYOD offers many potential benefits, it also presents many challenges and questions about data confidentiality, employee privacy, application development and distribution, and mobile device support. Employees hold these risks in their hands – literally – which is why TMT organizations must raise awareness of the issues and train employees how to deal with them.

Figure 7: To what extent is your enterprise supporting mobile devices?

Both corporate provided and employee purchased 43%

Currently piloting a support program 9%

Corporate provided devices only 48%

Employee purchased/owned devices only 5%

Unofficially supporting devices ad hoc 5%

No support 4%

Do not know 1%


Social media and BYOD are both examples of popular technology trends that must be carefully integrated into an organization’s information security strategy. Given the rapid pace of technology development, it is probably an exercise in futility to try and prohibit all emerging technologies. Instead, CISOs must learn to embrace the most important and popular technology trends and then help enable them by designing and implementing security measures that limit the opportunities for employee errors and abuse.

Most TMT organizations provide some level of security training; however, half provide only generic training. Even worse, only 20 percent currently provide training that is differentiated by job role and function – down from 35 percent last year.

Deloitte bottom line: CISOs are being stretched to the limit. To remain effective, they must adopt a more team-oriented approach and work more closely with other parts of the organization. They must also embrace and enable popular technology trends, rather than wasting time in futile attempts to block the inevitable.

5. Future drivers: mobile devices, cloud computing and privacy

Mobile devices, cloud computing, and privacy issues are shaping the future of information security.

To remain competitive, TMT organizations must extend their current enterprise security and risk frameworks to address these three key drivers. A CISO must understand the risks associated with each driver, and then tailor the organization’s security framework to align with its risk appetite, regulatory requirements, and market demands.

Mobile

Mobile devices are viewed as the single highest threat to information security in 2012 (Figure 8). These devices are notoriously easy to lose and hard to secure. But it’s not the devices themselves that are the biggest risk; it’s the sensitive data they contain. Mobile devices extend the boundaries of the enterprise and blur the lines between what is and is not part of the network. A number of organizations have suffered immeasurable damage to their reputations – and exposed themselves to costly regulatory penalties and lawsuits – due to the loss or theft of sensitive data on a mobile device. Adding to this risk are emerging mobile devices that use near-field-communication (NFC) to conduct financial transactions. Having company data and a company ‘wallet’ on a single mobile device introduces a whole new world of security complexities and risks. No wonder mobile devices are considered the highest threat for next year.

Cloud

Another key emerging technology is cloud computing, which last year’s report discussed in detail. According to this year’s survey, 29 percent of TMT organizations believe cloud computing is the most important development shaping the future of information security. Although this fast-growing technology has tremendous upside potential, there are still significant issues that need to be addressed. In fact, recent service disruptions by high profile cloud service vendors have raised new concerns about the reliability and security of cloud computing. The survey shows that TMT organizations – particularly those in media and telecommunications – are still hesitant to deploy cloud computing solutions, with 37 percent saying they do not make use of cloud computing solutions for various reasons including security risks that are too large, lack of technological maturity, and insufficient benefits to the organization.

Cloud computing is a threat to information security because it softens the security perimeter. However, in the long run it may also strengthen security by forcing organizations to establish a highly collaborative architecture and flexible IT model that extends connectivity and trust beyond the enterprise.

Figure 8: What do you envision as the top five high threats for information security in 2012?

Mobile devices 34%

Security breaches involving third parties 25%

Employee errors and omissions 20%

Faster adoption of emerging technologies 18%

Employee abuse of IT systems and information 17%


Privacy

One of the biggest concerns expressed both by survey participants and CEOs at the TMT Leadership Summit in Beijing was the issue of privacy.

The concept of privacy seems headed for extinction. Only half of the surveyed organizations believe they are adequately addressing privacy issues and are equipped to meet all privacy-related regulatory requirements. Moreover, 39 percent said they had experienced at least one privacy-related incident during the year. Some people accept the possible extinction of privacy as a worthwhile trade-off for the benefits of living in a connected world; however, others view it as a grave threat. As usual, the right answer is probably somewhere in the middle. Although a certain loss of privacy may be unavoidable, TMT organizations must do whatever they can to safeguard privacy in order to avoid a customer backlash.

Summit participants noted that it is impossible to have an information business without communities and that it is impossible to have communities without sharing. This is the dilemma that keeps TMT organizations captive between information communities and privacy – balancing sharing with disclosure of personal information.

Deloitte bottom line: Mobile devices and cloud computing are shaping the future of information security, as is the public’s evolving attitude about privacy. These powerful trends present a whole new set of challenges for organizations in technology, media and telecommunications.


About the study

The findings in this study are primarily based on in-depth, face-to-face interviews with 138 large TMT organizations around the world. Survey questions covered a wide range of topics on information security, from social media and mobile device technologies to training and information security governance.

By region

Survey participants came from 25 different countries representing every geographic region.

EMEA 44%

APAC 31%

USA and Canada 16%

LACRO 9%



By sector

There was significant participation from all three TMT sectors.

Telecommunications 49%

Media 25%

Technology 26%

By organization size

The study defined “small” organizations as having fewer than 1,000 employees; “medium” organizations as having 1,000 to 10,000 employees; and “large” organizations as having greater than 10,000 employees.

Small 35%

Medium 40%

Large 25%

By revenue

Respondents spanned the full range of revenue categories (in USD).

<500M 40%

500M to 1B 11%

1B to 1.99B 11%

2B to 4.99B 11%

5B to 9.9B 6%

10B to 14.99B 8%

15B to 20B 5%

>20B 8%

DTTL and its member firms’ TMT Leadership Summit 2011

In parallel with the survey, DTTL and its member firms held the annual TMT Leadership Summit in Beijing, China, a unique global forum for carefully selected leaders in technology, media and telecommunications (TMT). At the summit, we conducted five personal interviews with CEOs who were participating in a session entitled ‘Risk and Responsibility in a Hyper-Connected World’. Findings from these interviews were largely consistent with the general survey results, and are included in this report where noted.

Risk and Responsibilities in a Hyper Connected World – World Economic Forum Panel

DTTL and its member firms are engaging with the World Economic Forum (WEF) on additional thought leadership projects about security and privacy. This year’s security study was a collaborative effort between the World Economic Forum, DTTL and its member firms. Also, senior security and resilience experts from Deloitte member firms around the world are working with the WEF on the ‘Risk and Responsibility in a Hyper-connected World’ project, leveraging the collective expertise of Deloitte member firm professionals and WEF members, working towards the 2012 Annual Meeting in Davos-Klosters.


Acknowledgements

The Deloitte Touche Tohmatsu Limited (DTTL) TMT Industry Group wishes to thank all of the professionals of the TMT organizations who responded to our survey and who allowed us to further correspond with them over the course of this project. Without such participation and commitment, Deloitte Touche Tohmatsu Limited and its member firms could not produce a study such as this.

Contributors

The following made significant contributions to the development of this analysis:

Jacques Buith, Deloitte [email protected]

Adel Melek, Deloitte [email protected]

Paul Lee, Deloitte United [email protected]

Monique Levels, Deloitte [email protected]

Irfan Saif, Deloitte United [email protected]

Maarten IJlstra, Deloitte [email protected]

Survey execution

For more information on how DTTL’s Global Technology, Media & Telecommunications Group designed, implemented and evaluated the survey, please refer to http://www.deloitte.com/tmtsecuritystudy.

Henk Marsman, Deloitte [email protected]

Roel van Rijsewijk, Deloitte [email protected]

Gavin Cartwright, Deloitte United [email protected]

William S. O’Brien, Deloitte United [email protected]

Peter van Nes, Deloitte [email protected]


Global Security, Privacy & Resiliency

Ted DeZabala
Global Leader Security, Privacy & Resiliency
US National Leader, Technology Risk Services
+1 212 436 2957

Global TMT

Jolyon Barker
Managing Director, Global Technology, Media & Telecommunications
Deloitte Touche Tohmatsu Limited
+44 20 7007 [email protected]

Security, Privacy & Resilience – Asia Pacific/Japan

Danny Lau, China, +852 2852 [email protected]

Security, Privacy & Resilience – EMEA

Mike Maddison, United Kingdom, +44 7768 [email protected]

Security, Privacy & Resilience – US

Ted DeZabala, United States, +1 [email protected]

Security, Privacy & Resilience – Canada

Nick Galletto, Canada, +1 [email protected]

Security, Privacy & Resilience – Latin America

Jose Gonzalez Saravia [email protected]

Americas

Alberto Lopez Carnabucci, Argentina, +54 11 4320 [email protected]

Marco Antonio Brandao Simurro, Brazil, +55 11 5186 [email protected]

Richard Lee, Canada, +1 416 874 [email protected]

Fernando Gaziano, Chile, +56 2 729 [email protected]

Nelson Valero Ortega, Colombia, +571 546 [email protected]

Carlos Gallegos Echeverria, Costa Rica, +506 2246 [email protected]

Ernesto Graber, Ecuador, +593 2 2 251319 ext [email protected]

Francisco Silva, Mexico, +52 55 5080 [email protected]

Cesar Chong, Panama, +507 303 [email protected]

Gustavo Lopez Ameri, Peru, +51 1 211 [email protected]

Eric Openshaw, United [email protected]

Juan José Cabrera, Uruguay, +598 2 916 [email protected]

Johan Oliva, Venezuela, +58 212 206 [email protected]

Europe, Middle East, and Africa

Luc Van Coppenolle, Belgium, +32 3 800 [email protected]

Dariusz Nachyla, Central Europe, +48 22 511 [email protected]

Olga Tabakova, CIS and its Russian office, +7 495 787 0600 x [email protected]

Kim Gerner, Denmark, +45 36 10 20 [email protected]

Jukka-Petteri Suortti, Finland, +358 20 755 [email protected]

Contacts at Deloitte Touche Tohmatsu Limited (DTTL) and its member firms


Ariane Bucaille, France, +33 1 5561 [email protected]

Dieter Schlereth, Germany, +49 211 8772 [email protected]

Joan O’Connor, Ireland, +353 1 [email protected]

Tal Chen, Israel, +972 3 608 [email protected]

Alberto Donato, Italy, +39 064 780 [email protected]

Nikhil Hira, Kenya, +254 204 230 [email protected]

Dan Arendt, Luxembourg, +352 451 452 [email protected]

Saba Sindaha, Middle East, +971 2 676 [email protected]

Daan Witteveen, Netherlands, +31 88 288 [email protected]

Halvor Moen, Norway, +47 23 27 97 [email protected]

Joao Luis Silva, Portugal, +351 210 427 [email protected]

Mark Casey, Southern Africa, +27 11 806 [email protected]

Jesus Navarro, Spain, +34 91 514 5000 ext [email protected]

Tommy Martensson, Sweden, +46 8 506 731 [email protected]

Tolga Yaveroglu, Turkey, +90 212 366 [email protected]

Jolyon Barker, United Kingdom, +44 20 7007 [email protected]

Asia Pacific

Damien Tampling, Australia, +61 2 9322 [email protected]

William Chou, China, +86 10 8520 [email protected]

V. Srikumar, India, +91 80 6627 [email protected]

Parlindungan Siahaan, Indonesia, +62 21 231 2879 ext [email protected]

Ichiro [email protected]

Sang Jin Park, Korea, +82 2 6676 [email protected]

John Bell, New Zealand, +64 9 303 [email protected]

Shariq Barmaky, Singapore, +65 6530 [email protected]

John Goeres, South East Asia, +65 6232 [email protected]

Clark C. Chen, Taiwan, +886 2 2545 9988 ext [email protected]

Marasri Kanjanataweewat, Thailand, +662 676 5700 ext [email protected]


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s approximately 182,000 professionals are committed to becoming the standard of excellence.

Disclaimer

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

© 2011 Deloitte Global Services Limited

With the impact of security incidents increasing at an alarming speed, TMT organizations can no longer get by with the previous pace of improvement. The bar is being raised to a new level and we need to step up.

Jacques Buith, TMT Security & Resilience Leader, Deloitte Netherlands
