More CEOs, boards taking IT risk management seriously: Survey

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.firstpost.com/business/ceos-boards-taking-risk-management-seriously-survey-2358610.html

Information security governance practices are maturing, said Gartner's
latest annual end-user survey for privacy, IT risk management, information
security, business continuity or regulatory compliance. Gartner surveyed
964 respondents in large organisations  across seven countries.

“Increasing awareness of the impact of digital business risks, coupled with
high levels of publicity regarding cybersecurity incidents, are making IT
risk a board-level issue,” said Tom Scholtz, vice president and Gartner
Fellow. “Seventy-one percent of respondents indicated that IT risk
management data influences decisions at a board level. This also reflects
an increasing focus on dealing with IT risk as a part of corporate
governance.”

According to the market research firm, the nature of the reporting lines of
the information security team is one of the key attributes of effective
governance. About 38 percent of the survey respondents indicated explicitly
that the most senior person responsible for information security reports
outside of the IT organisation. This number is considerably higher in India
at 54 percent.

“The primary reasons for establishing this reporting line outside of IT are
to improve separation between execution and oversight, to increase the
corporate profile of the information security function and to break the
mindset among employees and stakeholders that "security is an IT problem,"”
said Scholtz. “Organisations increasingly recognise that security must be
managed as a business risk issue, and not just as an operational IT issue.
There is an increasing understanding that cybersecurity challenges go
beyond the traditional realm of IT into areas such as operational
technology (OT) and Internet of Things (IoT) security.”

The seniority level from which security programmes are sponsored is also
improving. Sixty-three percent of the respondents (69 percent in India)
indicated that they receive sponsorship and support for their information
security programmes from leadership outside of the IT organisation. This is
a significant increase from 54 percent in 2014.

CEO and/or board-level sponsorship has remained constant at 30 percent (29
percent in 2014) while sponsorship from a steering committee increased from
seven to 12 percent. There are interesting regional differences, with 57
percent of respondents in North America indicating sponsorship from outside
IT, considerably lower than 63 percent in Western Europe and 67 percent in
Asia/Pacific.

“A senior executive mandate for the security programme is fundamental.
Without it, the security programme has little chance of getting the
requisite support from the rest of the organisation,” said Scholtz.
“Because a corporate information security steering committee (CISSC) should
consist primarily of business representatives, we expect that the level of
sponsorship from such bodies will continue to increase as governance
functions continue to mature. Indeed, an effective governance forum, such
as the CISSC, becomes the authoritative representative of the CEO, the
board and the senior business unit managers.”

On the effectiveness of security policies, although half of the respondents
indicate the governance body is involved in assessing and approving the
policies only 30 percent of respondents (only 23 percent in India)
indicated that the business units (BUs) are actively involved in developing
the policies that will affect their businesses.

While this is a considerable improvement from previous years (16 percent in
2014), it still indicates a lack of active engagement with the business.

"This lack of engagement is a major cause of different risk views between
the security team and the business which can result in redundant and
mismanaged controls, which in turn result in unnecessary audit findings and
ultimately in reduced productivity," the survey stated.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!