Last week, I reported on remarks from Deutsche Bank's John Meakin regarding the need for openness in IT security efforts, versus attempting to lock everything down as tight as possible. Along these lines, the IBM Center for Applied Insights just released a study that reinforces the message that IT security is the concern of the entire enterprise. (Meakin also participated in this study.)

The report, based on a survey of 139 IT security executives, identified the best practices seen at companies leading the way in IT security thinking:

C-level executives are aware and provide increasing budgetary support: Nearly two-thirds of security leaders surveyed say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention. Budgets are expected to increase as well. Two-thirds of security leaders expect spending on information security to rise over the next two years. Of those, almost 90 percent anticipate double-digit growth. One-in-ten expects increases of 50 percent or more.

Shift attention toward risk management: In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.

Security seen as a business—as opposed to technology—imperative: The survey identified 25 percent of respondents whose companies are progressive in terms of security ranking, rating themselves highly in both maturity and preparedness. These security leaders have business influence and authority—a strategic voice in the enterprise. In fact, one of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, as cited by 60 percent of respondents: “These leaders understand the need for more pervasive risk awareness—and are far more focused on enterprise-wide education, collaboration and communications.”

Security established as a cross-enterprise initiative: “Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business, finance and human resources operations. Sixty-eight percent of advanced organizations had a risk committee, versus only 26 percent in the least advanced group.”

Data-driven decision making and measurement is employed: “Leading organizations are twice as likely to use metrics to monitor progress, the assessment showed (59 percent versus 26 percent). Tracking user awareness, employee education, the ability to deal with future threats, and the integration of new technologies can help create a risk-aware culture.”

C-suite shares budgetary responsibility: Within most organizations, CIOs typically have control over the information security budget. “In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets.” Less security-savvy organizations, however, often lack a dedicated budget line item altogether, “indicating a more tactical, fragmented approach to security.”

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology. He can be reached at joe@mckendrickresearch.com.

This blog originally appeared in Insurance Networking News, a sister publication to Health Data Management.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access