GEC NEWS WIREGrowing Trend for Establishing Primary Security Function Outside of IT Reflects Need for Effective Security Governance
Information security governance practices are maturing according to Gartner’s annual end-user survey for privacy, IT risk management, information security, business continuity or regulatory compliance. Gartner surveyed 964 respondents in large organizations — with at least $50 million equivalent in total annual revenue for fiscal year 2014, and with a minimum of 100 employees — in seven countries between February and April 2015.
“Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cybersecurity incidents, are making IT risk a board-level issue,” said Tom Scholtz, vice president and Gartner Fellow.
The nature of the reporting lines of the information security team is one of the key attributes of effective governance.
Organizations increasingly recognize that security must be managed as a business risk issue, and not just as an operational IT issue. There is an increasing understanding that cybersecurity challenges go beyond the traditional realm of IT into areas such as operational technology (OT) and Internet of Things (IoT) security.”
The seniority level from which security programs are sponsored is also improving. Sixty-three percent of the respondents indicated that they receive sponsorship and support for their information security programs from leadership outside of the IT organization. This is a significant increase from 54 percent in 2014. CEO and/or board-level sponsorship has remained constant at 30 percent (29 percent in 2014) while sponsorship from a steering committee increased from seven to 12 percent.
On the effectiveness of security policies, although half of the respondents indicate the governance body is involved in assessing and approving the policies, only 30 percent of respondents indicated that the business units (BUs) are actively involved in developing the policies that will affect their businesses. While this is a considerable improvement from previous years (16 percent in 2014), it still indicates a lack of active engagement with the business. This lack of engagement is a major cause of different risk views between the security team and the business, which can result in redundant and mismanaged controls, which in turn result in unnecessary audit findings and ultimately in reduced productivity.
