The report, based on a survey of 139 IT security executives, identified the best practices seen at companies leading the way in IT security thinking:
C-level executives are aware and provide increasing budgetary support: Nearly two-thirds of security leaders surveyed say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention. Budgets are expected to increase as well. Two-thirds of security leaders expect spending on information security to rise over the next two years. Of those, almost 90 percent anticipate double-digit growth. One-in-ten expects increases of 50 percent or more.
Shift attention toward risk management: In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.
Security seen as a business—as opposed to technology—imperative: The survey identified 25 percent of respondents whose companies are progressive in terms of security ranking, rating themselves highly in both maturity and preparedness. These security leaders have business influence and authority—a strategic voice in the enterprise. In fact, one of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, as cited by 60 percent of respondents: “These leaders understand the need for more pervasive risk awareness—and are far more focused on enterprise-wide education, collaboration and communications.”
Security established as a cross-enterprise initiative: “Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business, finance and human resources operations. Sixty-eight percent of advanced organizations had a risk committee, versus only 26 percent in the least advanced group.”
Data-driven decision making and measurement is employed: “Leading organizations are twice as likely to use metrics to monitor progress, the assessment showed (59 percent versus 26 percent). Tracking user awareness, employee education, the ability to deal with future threats, and the integration of new technologies can help create a risk-aware culture.”
C-suite shares budgetary responsibility: Within most organizations, CIOs typically have control over the information security budget. “In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets.” Less security-savvy organizations, however, often lack a dedicated budget line item altogether, “indicating a more tactical, fragmented approach to security.”
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology. He can be reached at email@example.com.
This blog originally appeared in Insurance Networking News, a sister publication to Health Data Management.