Risk
6/12/2014
01:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Information Risk Maturity Index Says We're Aware But Not Ready

A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security.

Information risk programs are in their late adolescence, still trying to find themselves. On the Information Risk Maturity Index, created by PwC and Iron Mountain, businesses in North America and Europe are only rating a 58.8 out of 100. The dilemma, according to PwC and Iron Mountain's study, is that "organizations expect to gain an information advantage through the exploitation of their information, but must protect it from internal and external threats," and they have not yet learned to balance the two.

According to the report:

The big issue facing most businesses, enterprise and mid-market, is that their information assets are in the hands of the right people to safeguard them, but the wrong people to manage their exploitation. Organizations continue to believe that the IT manager should have ultimate responsibility for protecting information. They are failing to realize that information risk is a core business issue, not an IT-only issue.

The Information Risk Maturity Index scores companies based upon how they implement and monitor the effectiveness of 34 different measures used to manage and protect information assets. These measures cover strategy, like business continuity and contingency plans; communications, like regular publication and reinforcement of data disposal policies; people, like background checks, training programs, and clear information risk leadership; and security, including IPS, SIEM, access controls, and the like.

The scores are based on interviews with 1,800 business leaders in large enterprises and midmarket companies in the United States, Canada, the Netherlands, Norway, Hungary, Germany, France, Spain, and the United Kingdom.

In general, enterprises did much better than midmarket companies -- enterprises earned a 65.7, while midmarkets earned 55.3. The energy and pharmaceuticals sectors performed especially well.

Europeans did a bit better than North Americans. In particular, Norway was consistently towards the top of the list and the US was consistently near the bottom.

One common failure, across the board, was a set-it-and-forget-it approach to information risk management. Even if companies wrote great policies and deployed solid security tools, they were falling down on the job when it came to monitoring whether or not those measures were successful, and adjusting them to respond to changing threat and business landscapes.

According to the report:

A dedicated focus on monitoring the success of policies and programs sets front runners apart, with ongoing adaptation to keep abreast of the evolving landscape. Front runners are also more likely to have prioritized leadership, communications and analytics skills in future growth plans, and tend to have a greater focus on innovation and improving product or service development cycles. They protect their data well, and are also focussed on driving value out of their data with a strong focus on growth through innovation.

Other highlights include:

  • 87% of enterprises in Europe and 77% in North America have an information risk strategy in place and monitor its effectiveness.
  • 71% of enterprises in Europe and 70% in North America conduct personnel background checks and monitor how effective they are.
  • A contingency plan to respond to small-scale information mishaps is held and regularly reviewed by 75% of enterprises in Europe and 74% in North America; and by 64% of midmarket businesses in Europe and 68% in North America.

“Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:40:49 AM
Re: Leadership traits
I tend to agree that IT Managers should not be in charge.  The reasoning is that if you allow IT managers to make security related decisions they will generally make a decision that benefits IT operations over security.  Why? Because security decisions are generally the tougher sell and often times does not have a concrete benefit.
jjthomps
50%
50%
jjthomps,
User Rank: Apprentice
6/14/2014 | 8:20:20 AM
Re: Leadership traits
Spot on Christian. Spot on. I'll be re-using your quote from time to time. 

"Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both."
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/13/2014 | 2:14:23 PM
Re: Leadership traits
@Bprince

I tend to agree, actually, that IT managers shouldn't be in charge.  True, you need the support from C-Levels and Directors to keep everyone behind security as a discipline and funded group in an organization.  But the average IT manager doesn't understand security in the same way the average hacker does, or security professional.  Things are done differently, you have to think differently, and decisions sometimes need to be made that could even cross what an IT manager is expected to do, or prevent from happening.  I hate to use a military example, but, I know who I'd rather have in charge of a crack black ops team, and it's not the "manager".
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/12/2014 | 9:12:02 PM
Re: Leadership traits
What I find interesting though is that they indicate that IT managers shouldn't be in charge of information security. Are they saying that it should be someone else in the business or just that other parts of the business should be involved? I agree with the latter, but I think there have been a number of studies that have shown strong leadership from CISO/CIOs is important when it comes to preventing and dealing with breaches. 

BP
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:42:13 PM
Leadership traits
 

It's noteworthy, but not surprising that the leaders of the pack are focused on monitoring, innovation  and communication. 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.