Risk
6/12/2014
01:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Information Risk Maturity Index Says We're Aware But Not Ready

A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security.

Information risk programs are in their late adolescence, still trying to find themselves. On the Information Risk Maturity Index, created by PwC and Iron Mountain, businesses in North America and Europe are only rating a 58.8 out of 100. The dilemma, according to PwC and Iron Mountain's study, is that "organizations expect to gain an information advantage through the exploitation of their information, but must protect it from internal and external threats," and they have not yet learned to balance the two.

According to the report:

The big issue facing most businesses, enterprise and mid-market, is that their information assets are in the hands of the right people to safeguard them, but the wrong people to manage their exploitation. Organizations continue to believe that the IT manager should have ultimate responsibility for protecting information. They are failing to realize that information risk is a core business issue, not an IT-only issue.

The Information Risk Maturity Index scores companies based upon how they implement and monitor the effectiveness of 34 different measures used to manage and protect information assets. These measures cover strategy, like business continuity and contingency plans; communications, like regular publication and reinforcement of data disposal policies; people, like background checks, training programs, and clear information risk leadership; and security, including IPS, SIEM, access controls, and the like.

The scores are based on interviews with 1,800 business leaders in large enterprises and midmarket companies in the United States, Canada, the Netherlands, Norway, Hungary, Germany, France, Spain, and the United Kingdom.

In general, enterprises did much better than midmarket companies -- enterprises earned a 65.7, while midmarkets earned 55.3. The energy and pharmaceuticals sectors performed especially well.

Europeans did a bit better than North Americans. In particular, Norway was consistently towards the top of the list and the US was consistently near the bottom.

One common failure, across the board, was a set-it-and-forget-it approach to information risk management. Even if companies wrote great policies and deployed solid security tools, they were falling down on the job when it came to monitoring whether or not those measures were successful, and adjusting them to respond to changing threat and business landscapes.

According to the report:

A dedicated focus on monitoring the success of policies and programs sets front runners apart, with ongoing adaptation to keep abreast of the evolving landscape. Front runners are also more likely to have prioritized leadership, communications and analytics skills in future growth plans, and tend to have a greater focus on innovation and improving product or service development cycles. They protect their data well, and are also focussed on driving value out of their data with a strong focus on growth through innovation.

Other highlights include:

  • 87% of enterprises in Europe and 77% in North America have an information risk strategy in place and monitor its effectiveness.
  • 71% of enterprises in Europe and 70% in North America conduct personnel background checks and monitor how effective they are.
  • A contingency plan to respond to small-scale information mishaps is held and regularly reviewed by 75% of enterprises in Europe and 74% in North America; and by 64% of midmarket businesses in Europe and 68% in North America.

“Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:40:49 AM
Re: Leadership traits
I tend to agree that IT Managers should not be in charge.  The reasoning is that if you allow IT managers to make security related decisions they will generally make a decision that benefits IT operations over security.  Why? Because security decisions are generally the tougher sell and often times does not have a concrete benefit.
jjthomps
50%
50%
jjthomps,
User Rank: Apprentice
6/14/2014 | 8:20:20 AM
Re: Leadership traits
Spot on Christian. Spot on. I'll be re-using your quote from time to time. 

"Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both."
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/13/2014 | 2:14:23 PM
Re: Leadership traits
@Bprince

I tend to agree, actually, that IT managers shouldn't be in charge.  True, you need the support from C-Levels and Directors to keep everyone behind security as a discipline and funded group in an organization.  But the average IT manager doesn't understand security in the same way the average hacker does, or security professional.  Things are done differently, you have to think differently, and decisions sometimes need to be made that could even cross what an IT manager is expected to do, or prevent from happening.  I hate to use a military example, but, I know who I'd rather have in charge of a crack black ops team, and it's not the "manager".
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/12/2014 | 9:12:02 PM
Re: Leadership traits
What I find interesting though is that they indicate that IT managers shouldn't be in charge of information security. Are they saying that it should be someone else in the business or just that other parts of the business should be involved? I agree with the latter, but I think there have been a number of studies that have shown strong leadership from CISO/CIOs is important when it comes to preventing and dealing with breaches. 

BP
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:42:13 PM
Leadership traits
 

It's noteworthy, but not surprising that the leaders of the pack are focused on monitoring, innovation  and communication. 

 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.