Cybersecurity is top of mind from the boardroom and C-suite to IT, Legal, Finance and more. But does that translate to effective policies and actions? That’s the focus of Protiviti’s 2015 IT Security and Privacy Survey Report, published today.
The answers are mixed.
Our 2014 report identified notable gaps between top-performing companies and other organizations in terms of best practices in IT security and privacy; it also pointed to where these organizations needed to progress to bridge these gaps.
A year later, much progress has been made – yet many gaps remain.
Bright spots in our 2015 survey: Many organizations have made confident progress to become what we classify as top performers. These organizations are characterized by high board-level engagement in information security, and by strong security frameworks with specific information security policies.
Other insights from the survey:
- “Tone at the top” is a critical differentiator. From strong board engagement to management-driven “best practice” policies, effective security begins at the top. A strong tone at the top is as important as any policy, because even the best policies are merely words on paper. It takes people to put those words into action, and people take their cues from company leadership.
Have you communicated to the people in your organization what you expect regarding information security and privacy? Are you setting a good example?
- A strong security foundation must include the right policies. Organizations that have in place all “core” information security policies – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.
What are your policies? Do you know them? Do your employees?
- Many companies lack critical policies and an understanding of their “crown jewels.” One in three companies lacks policies for information security, data encryption and data classification. Most lack a strong understanding of their most sensitive data and information, as well as of their potential exposures. Such gaps open the organization to cyberattacks and significant security issues.
What are your informational “crown jewels”? How are you protecting them?
- There isn’t a high level of confidence in the ability to prevent an internal or external cyberattack. While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they could prevent a targeted cyberattack, either from external hackers or insiders. This mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement. Many in the cybersecurity community would argue that cyber breaches are inevitable and that the best risk management strategy is to focus on rapid detection and on ensuring that valuable data is encrypted and unidentifiable, rendering it worthless to an unauthorized user.
Could your security protocols detect and contain a breach in progress, or are you still just patrolling the perimeter?
This is an interesting and timely survey report and one where the results are likely to change significantly from year to year as both the cyber threat and cybersecurity landscape evolve and become more aggressive and sophisticated. For a more detailed analysis, you can view and download the entire report here.