Information risk programs are in their late adolescence, still trying to find themselves. On the Information Risk Maturity Index, created by PwC and Iron Mountain, businesses in North America and Europe are only rating a 58.8 out of 100. The dilemma, according to PwC and Iron Mountain's study, is that "organizations expect to gain an information advantage through the exploitation of their information, but must protect it from internal and external threats," and they have not yet learned to balance the two.
According to the report:
The big issue facing most businesses, enterprise and mid-market, is that their information assets are in the hands of the right people to safeguard them, but the wrong people to manage their exploitation. Organizations continue to believe that the IT manager should have ultimate responsibility for protecting information. They are failing to realize that information risk is a core business issue, not an IT-only issue.
The Information Risk Maturity Index scores companies based upon how they implement and monitor the effectiveness of 34 different measures used to manage and protect information assets. These measures cover strategy, like business continuity and contingency plans; communications, like regular publication and reinforcement of data disposal policies; people, like background checks, training programs, and clear information risk leadership; and security, including IPS, SIEM, access controls, and the like.
The scores are based on interviews with 1,800 business leaders in large enterprises and midmarket companies in the United States, Canada, the Netherlands, Norway, Hungary, Germany, France, Spain, and the United Kingdom.
In general, enterprises did much better than midmarket companies -- enterprises earned a 65.7, while midmarkets earned 55.3. The energy and pharmaceuticals sectors performed especially well.
Europeans did a bit better than North Americans. In particular, Norway was consistently towards the top of the list and the US was consistently near the bottom.
One common failure, across the board, was a set-it-and-forget-it approach to information risk management. Even if companies wrote great policies and deployed solid security tools, they were falling down on the job when it came to monitoring whether or not those measures were successful, and adjusting them to respond to changing threat and business landscapes.
According to the report:
A dedicated focus on monitoring the success of policies and programs sets front runners apart, with ongoing adaptation to keep abreast of the evolving landscape. Front runners are also more likely to have prioritized leadership, communications and analytics skills in future growth plans, and tend to have a greater focus on innovation and improving product or service development cycles. They protect their data well, and are also focussed on driving value out of their data with a strong focus on growth through innovation.
Other highlights include:
- 87% of enterprises in Europe and 77% in North America have an information risk strategy in place and monitor its effectiveness.
- 71% of enterprises in Europe and 70% in North America conduct personnel background checks and monitor how effective they are.
- A contingency plan to respond to small-scale information mishaps is held and regularly reviewed by 75% of enterprises in Europe and 74% in North America; and by 64% of midmarket businesses in Europe and 68% in North America.
“Most organizations understand that their information has value," said Christian Toon, head of information risk for Iron Mountain, Europe, in the report. "The majority, however, are more concerned with revenue protection. They are better prepared to respond to data breaches or legal action and less prepared to use their information to drive competitive advantage and growth. Getting ahead in the new digital economy will require businesses to do both.”