Information security governance maturing, says Gartner
Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cyber security incidents, is making IT risk a board-level issue, says Gartner
Information security governance practices are maturing, according to analyst firm Gartner.
This is one of the key findings of a survey of more than 900 large organisations in seven countries, each with at least 100 employees and annual revenue of at least $50m.
"Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cyber security incidents, is making IT risk a board-level issue," said Tom Scholtz, vice-president and Gartner fellow.
"Just over 70% of respondents indicated that IT risk-management data influences decisions at a board level. This also reflects an increasing focus on dealing with IT risk as a part of corporate governance," he said.
According to Gartner, the nature of the reporting lines of the information security team is one of the key attributes of effective governance.
The survey showed that 38% of respondents indicated explicitly that the most senior person responsible for information security reports outside of the IT organisation.
"The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that security is an IT problem," said Scholtz.
According to Gartner, organisations increasingly recognise that security must be managed as a business risk issue, and not just as an operational IT issue. There is also an increasing understanding that cyber security challenges go beyond the traditional realm of IT into areas such as operational technology and the internet of things (IoT).
The second key finding of the Gartner survey is that the seniority level from which security programmes are sponsored is also improving.
Nearly two-thirds of respondents indicated that they receive sponsorship and support for their information security programmes from leadership outside of the IT organisation, up from just 54% in 2014. CEO and/or board-level sponsorship, however, has remained constant at 30%, while sponsorship from a steering committee increased from 7% to 12%.
Gartner noted there are interesting regional differences, with 57% of respondents in North America indicating sponsorship from outside IT, considerably lower than 63% in western Europe and 67% in Asia-Pacific.
"A senior executive mandate for the security programme is fundamental because without it the security programme has little chance of getting the requisite support from the rest of the organisation," said Scholtz.
"Because a corporate information security steering committee [CISSC] should consist primarily of business representatives, we expect that the level of sponsorship from such bodies will continue to increase as governance functions continue to mature," he said.
Scholtz added that an effective governance forum, such as the CISSC, becomes the authoritative representative of the CEO, the board and the senior business unit managers.
Although half of the respondents indicated that the governance body is involved in assessing and approving security policies, Gartner said only 30% of respondents indicated that the business units are actively involved in developing the policies that will affect their businesses.
Gartner said that while this is a considerable improvement from the 16% recorded in 2014, it still indicates a lack of active engagement with the business, which is a major cause of different risk views between the security team and the business.
The company warned that this can result in redundant and mismanaged controls, which in turn result in unnecessary audit findings and, ultimately, in reduced productivity.