Risk
6/12/2014
01:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Information Risk Maturity Index Says We're Aware But Not Ready

A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security.

Information risk programs are in their late adolescence, still trying to find themselves. On the Information Risk Maturity Index, created by PwC and Iron Mountain, businesses in North America and Europe are only rating a 58.8 out of 100. The dilemma, according to PwC and Iron Mountain's study, is that "organizations expect to gain an information advantage through the exploitation of their information, but must protect it from internal and external threats," and they have not yet learned to balance the two.

According to the report:

The big issue facing most businesses, enterprise and mid-market, is that their information assets are in the hands of the right people to safeguard them, but the wrong people to manage their exploitation. Organizations continue to believe that the IT manager should have ultimate responsibility for protecting information. They are failing to realize that information risk is a core business issue, not an IT-only issue.

The Information Risk Maturity Index scores companies based upon how they implement and monitor the effectiveness of 34 different measures used to manage and protect information assets. These measures cover strategy, like business continuity and contingency plans; communications, like regular publication and reinforcement of data disposal policies; people, like background checks, training programs, and clear information risk leadership; and security, including IPS, SIEM, access controls, and the like.

The scores are based on interviews with 1,800 business leaders in large enterprises and midmarket companies in the United States, Canada, the Netherlands, Norway, Hungary, Germany, France, Spain, and the United Kingdom.

In general, enterprises did much better than midmarket companies -- enterprises earned a 65.7, while midmarkets earned 55.3. The energy and pharmaceuticals sectors performed especially well.

Europeans did a bit better than North Americans. In particular, Norway was consistently towards the top of the list and the US was consistently near the bottom.

One common failure, across the board, was a set-it-and-forget-it approach to information risk management. Even if companies wrote great policies and deployed solid security tools, they were falling down on the job when it came to monitoring whether or not those measures were successful, and adjusting them to respond to changing threat and business landscapes.

According to the report:

A dedicated focus on monitoring the success of policies and programs sets front runners apart, with ongoing adaptation to keep abreast of the evolving landscape. Front runners are also more likely to have prioritized leadership, communications and analytics skills in future growth plans, and tend to have a greater focus on innovation and improving product or service development cycles. They protect their data well, and are also focussed on driving value out of their data with a strong focus on growth through innovation.

Other highlights include:

  • 87% of enterprises in Europe and 77% in North America have an information risk strategy in place and monitor its effectiveness.
  • 71% of enterprises in Europe and 70% in North America conduct personnel background checks and monitor how effective they are.
  • A contingency plan to respond to small-scale information mishaps is held and regularly reviewed by 75% of enterprises in Europe and 74% in North America; and by 64% of midmarket businesses in Europe and 68% in North America.

“Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both.”

Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:40:49 AM
Re: Leadership traits
I tend to agree that IT Managers should not be in charge.  The reasoning is that if you allow IT managers to make security related decisions they will generally make a decision that benefits IT operations over security.  Why? Because security decisions are generally the tougher sell and often times does not have a concrete benefit.
jjthomps
50%
50%
jjthomps,
User Rank: Apprentice
6/14/2014 | 8:20:20 AM
Re: Leadership traits
Spot on Christian. Spot on. I'll be re-using your quote from time to time. 

"Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both."
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/13/2014 | 2:14:23 PM
Re: Leadership traits
@Bprince

I tend to agree, actually, that IT managers shouldn't be in charge.  True, you need the support from C-Levels and Directors to keep everyone behind security as a discipline and funded group in an organization.  But the average IT manager doesn't understand security in the same way the average hacker does, or security professional.  Things are done differently, you have to think differently, and decisions sometimes need to be made that could even cross what an IT manager is expected to do, or prevent from happening.  I hate to use a military example, but, I know who I'd rather have in charge of a crack black ops team, and it's not the "manager".
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/12/2014 | 9:12:02 PM
Re: Leadership traits
What I find interesting though is that they indicate that IT managers shouldn't be in charge of information security. Are they saying that it should be someone else in the business or just that other parts of the business should be involved? I agree with the latter, but I think there have been a number of studies that have shown strong leadership from CISO/CIOs is important when it comes to preventing and dealing with breaches. 

BP
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:42:13 PM
Leadership traits
 

It's noteworthy, but not surprising that the leaders of the pack are focused on monitoring, innovation  and communication. 

 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.