Information security remains isolated from boardroom: Survey

A new study finds that companies are still failing to implement a holistic approach towards information security as the security function remains too isolated from executive management and the strategic decision-making process.

The survey, based on interviews held with executives from nearly 1,300 organisations in 50 countries, highlights that a worrying separation persists between the information security function and the strategic decision-making process, with nearly one-third (32%) never meeting with their board or audit committee, and over one quarter not reporting to business leaders on information security compliance or incidents . Monthly meetings are three times more likely to take place between information security and IT than with corporate officers.

Richard Brown, head of technology security and risk services at Ernst & Young, who did the research, commented: “Recent incidents in the UK have done much to highlight the lack of protection of information assets held by organisations. Information security has never been so high up on the corporate and private individual’s agenda, which means it has to move forward on the business, and not just the IT agenda.”

The survey also shows that information security is becoming more integrated into overall risk management of companies with four out of five (82%) respondents reporting at least some levels of integration. Organisations that have fully integrated information security into their overall risk management approach have nearly doubled since last year (from 15% to 29%).

“This is a step in the right direction,” said Brown. “There is however some concern that many information security functions are struggling to balance their traditional risk management roles with a growing focus on Information Security being a contributor to performance improvement; a struggle that is exacerbated when information security is not closely connected to the strategic decision-making process.”

Privacy and data protection increased significantly as drivers of information security. 58% percent of this year’s respondents placed privacy and data protection in the top three drivers, up from 41% in 2006.

“Media stories surrounding identity theft and loss of personal information have heightened consumer awareness and, along with it, corporate leadership’s sense of accountability for data protection”, said Brown.

Although compliance-based initiatives continue to be the primary driver of information security, nearly half (45%) of the survey respondents ranked helping the business to meet its overall objectives among the top three drivers of information security.

Brown commented: “Information security has certainly improved due to compliance, but that by itself will not lead to commercial success and added value.

More than half of respondents indicated that as the role of information security expands within organisations, the lack of experienced and skilled resources is the number one challenge to delivering strategic information security projects. Only 50% of respondents train their executive management in the impact of security issues on the organisation.

Brown concludes: “The changing nature of business and technologies is making effective information security a very complex challenge, and one in which the whole business must be engaged.

“Business leaders must work with their risk and security teams to clearly understand their changing business risks, through comprehensive and timely risk assessment. This can then be responded to with the right processes and procedures, supported by awareness and compliance activities across the organisation. In an information-centric society, this issue is only set to gain more importance, and the buck must stop with the business leaders.”