01:30 PM
Connect Directly

Information Risk Maturity Index Says We're Aware But Not Ready

A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security.

Information risk programs are in their late adolescence, still trying to find themselves. On the Information Risk Maturity Index, created by PwC and Iron Mountain, businesses in North America and Europe are only rating a 58.8 out of 100. The dilemma, according to PwC and Iron Mountain's study, is that "organizations expect to gain an information advantage through the exploitation of their information, but must protect it from internal and external threats," and they have not yet learned to balance the two.

According to the report:

The big issue facing most businesses, enterprise and mid-market, is that their information assets are in the hands of the right people to safeguard them, but the wrong people to manage their exploitation. Organizations continue to believe that the IT manager should have ultimate responsibility for protecting information. They are failing to realize that information risk is a core business issue, not an IT-only issue.

The Information Risk Maturity Index scores companies based upon how they implement and monitor the effectiveness of 34 different measures used to manage and protect information assets. These measures cover strategy, like business continuity and contingency plans; communications, like regular publication and reinforcement of data disposal policies; people, like background checks, training programs, and clear information risk leadership; and security, including IPS, SIEM, access controls, and the like.

The scores are based on interviews with 1,800 business leaders in large enterprises and midmarket companies in the United States, Canada, the Netherlands, Norway, Hungary, Germany, France, Spain, and the United Kingdom.

In general, enterprises did much better than midmarket companies -- enterprises earned a 65.7, while midmarkets earned 55.3. The energy and pharmaceuticals sectors performed especially well.

Europeans did a bit better than North Americans. In particular, Norway was consistently towards the top of the list and the US was consistently near the bottom.

One common failure, across the board, was a set-it-and-forget-it approach to information risk management. Even if companies wrote great policies and deployed solid security tools, they were falling down on the job when it came to monitoring whether or not those measures were successful, and adjusting them to respond to changing threat and business landscapes.

According to the report:

A dedicated focus on monitoring the success of policies and programs sets front runners apart, with ongoing adaptation to keep abreast of the evolving landscape. Front runners are also more likely to have prioritized leadership, communications and analytics skills in future growth plans, and tend to have a greater focus on innovation and improving product or service development cycles. They protect their data well, and are also focussed on driving value out of their data with a strong focus on growth through innovation.

Other highlights include:

  • 87% of enterprises in Europe and 77% in North America have an information risk strategy in place and monitor its effectiveness.
  • 71% of enterprises in Europe and 70% in North America conduct personnel background checks and monitor how effective they are.
  • A contingency plan to respond to small-scale information mishaps is held and regularly reviewed by 75% of enterprises in Europe and 74% in North America; and by 64% of midmarket businesses in Europe and 68% in North America.

“Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both.”

Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:40:49 AM
Re: Leadership traits
I tend to agree that IT Managers should not be in charge.  The reasoning is that if you allow IT managers to make security related decisions they will generally make a decision that benefits IT operations over security.  Why? Because security decisions are generally the tougher sell and often times does not have a concrete benefit.
User Rank: Apprentice
6/14/2014 | 8:20:20 AM
Re: Leadership traits
Spot on Christian. Spot on. I'll be re-using your quote from time to time. 

"Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both."
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/13/2014 | 2:14:23 PM
Re: Leadership traits

I tend to agree, actually, that IT managers shouldn't be in charge.  True, you need the support from C-Levels and Directors to keep everyone behind security as a discipline and funded group in an organization.  But the average IT manager doesn't understand security in the same way the average hacker does, or security professional.  Things are done differently, you have to think differently, and decisions sometimes need to be made that could even cross what an IT manager is expected to do, or prevent from happening.  I hate to use a military example, but, I know who I'd rather have in charge of a crack black ops team, and it's not the "manager".
User Rank: Ninja
6/12/2014 | 9:12:02 PM
Re: Leadership traits
What I find interesting though is that they indicate that IT managers shouldn't be in charge of information security. Are they saying that it should be someone else in the business or just that other parts of the business should be involved? I agree with the latter, but I think there have been a number of studies that have shown strong leadership from CISO/CIOs is important when it comes to preventing and dealing with breaches. 

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:42:13 PM
Leadership traits

It's noteworthy, but not surprising that the leaders of the pack are focused on monitoring, innovation  and communication. 

Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio