Story image

IT teams increasingly aware of cyber security risks

23 Jul 2015

Information security governance practices are maturing, with IT teams more likely to establish a primary security function outside of IT, according to the Gartner survey Information Security Governance 2015-2016.

"Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cyber security incidents, are making IT risk a board-level issue," says Tom Scholtz, Gartner Fellow and vice president.

"Seventy-one percent of respondents indicated that IT risk management data influences decisions at a board level. This also reflects an increasing focus on dealing with IT risk as a part of corporate governance," he says.

The nature of the reporting lines of the information security team is one of the key attributes of effective governance, Gartner says.

In fact, 38% of the survey respondents indicated that the most senior person responsible for information security reports outside of the IT organisation.

"The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that security is an IT problem," says Scholtz.

“Organisations increasingly recognise that security must be managed as a business risk issue, and not just as an operational IT issue.

“There is an increasing understanding that cyber security challenges go beyond the traditional realm of IT into areas such as operational technology (OT) and Internet of Things (IoT) security," he says.

The seniority level from which security programmes are sponsored is also improving, according to the survey.

Over half (63%) of respondents indicated that they receive sponsorship and support for their information security programmes from leadership outside of the IT organisation. This is a significant increase from 54% in 2014.

CEO and/or board-level sponsorship has remained constant at 30% (29% in 2014) while sponsorship from a steering committee increased from seven to 12%.

In the Asia/Pacific region, 67% of respondents indicated sponsorship from outside IT, which is considerably higher than respondents in North America (57%).

"A senior executive mandate for the security programme is fundamental. Without it, the security programme has little chance of getting the requisite support from the rest of the organisation," says Scholtz.

"Because a corporate information security steering committee (CISSC) should consist primarily of business representatives, we expect that the level of sponsorship from such bodies will continue to increase as governance functions continue to mature.

“Indeed, an effective governance forum, such as the CISSC, becomes the authoritative representative of the CEO, the board and the senior business unit managers."

On the effectiveness of security policies, although half of the respondents indicate the governance body is involved in assessing and approving the policies, only 30% of respondents indicated that the business units (BUs) are actively involved in developing the policies that will affect their businesses, Gartner says.

While this is a considerable improvement from previous years (16% in 2014), it still indicates a lack of active engagement with the business, according to the analysts.

This lack of engagement is a major cause of different risk views between the security team and the business, which can result in redundant and mismanaged controls, which in turn result in unnecessary audit findings and ultimately in reduced productivity, Gartner says.

Focusing on privacy, IT risk management, information security, business continuity or regulatory compliance, the survey took place between February and April 2015 and involved 964 respondents in large organisations.

How Red Hat aims to accelerate business value with container technologies
Red Hat announced that leading global companies are creating, extending and deploying integration services across hybrid and multicloud environments using agile integration architectures based on Red Hat technologies.
IT employers having to up salaries and bonuses to attract talent
As the modern economy relies increasingly on data, it’s certainly a good time to be working in IT.
Red Hat expands integration product capabilities
Adds end-to-end API lifecycle support and new capabilities for agile integration across hybrid architectures.
Electric car infrastructure needs to be a high priority
“Australians should be able to drive all over this massive nation with complete confidence in a zero-emission vehicle.”
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
BMC adds IBM Cloud, Watson to Helix solution
BMC Helix with IBM Watson delivers cognitive insights across structured and unstructured federated knowledgebases.
Hyundai works with IBM to create a new blockchain-based platform
The network for commercial financing will supposedly provide participants with a single view of all the transactions happening in the network.
Why businesses should invest in energy automation
In industrial applications digital transformation allows businesses to do more with less.