Cybersecurity concerns and discussions abound in companies today. From the boardroom and C-suite to IT, Legal, Finance and more, every corner and function of the business appears intent on addressing these issues aggressively.
But are these intentions translating into effective policies and actions to secure the “crown jewels” of organizations? The answers are mixed, at best, according to the results of Protiviti’s latest IT Security and Privacy Survey.
In last year’s study, we identified notable gaps, or chasms, that separated top-performing companies from other organizations in terms of best practices in IT security and privacy, as well as where these organizations needed to progress to bridge these gaps. Fast-forward a year, and as we note below in our Key Findings, many of these gaps remain.
But there definitely are bright spots, starting with those organizations that have changed with confidence to become what we classify as top performers. In these organizations, the board of directors is highly engaged in information security, and there are strong security frameworks that include fundamental information security policies.
Our Key Findings
1. “Tone from the top” is a critical differentiator – From strong board engagement in information security to management establishing “best practice” policies, effective security begins with the right tone from the top, which is as important as any policy. Consider this question: “Have we communicated to our people what we expect?”
2. Having the right policies is the foundation of strong information security – Organizations that have in place all “core” information security policies – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.
3. Many companies lack critical policies and an understanding of their “crown jewels” – One in three companies lack policies for information security and data encryption. Many have not identified critical systems or implemented data classification. And most lack a strong understanding of their most sensitive data and information, as well as their potential exposures. Such gaps open up the organization to cyberattacks and significant security issues.
4. There aren’t high levels of confidence in the ability to prevent an internal or external cyberattack – While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they can monitor, detect or prevent a targeted cyberattack, either from external parties or insiders. However, this mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement.