Information security governance practices maturing: Gartner

By Canadian Underwriter | July 27, 2015 | Last updated on October 30, 2024

The need for effective security governance is reflected in the results of a recent global survey of 964 people, which show a growing trend toward establishing the primary security function outside of IT, notes Gartner Inc.

Almost three-quarters of respondents reported that IT risk management data influences decisions at a board level

In a study released Friday, 71% of respondents report that IT risk management data influences decisions at a board level, Tom Scholtz, vice president and Gartner Fellow, notes in a company press release. Respondents represented large organizations from seven countries, each with at least US$50 million equivalent in total annual revenue for fiscal year 2014 and at least 100 employees.

“This also reflects an increasing focus on dealing with IT risk as a part of corporate governance,” Scholtz says of the survey, the information technology research and advisory company’s annual poll of end users responsible for privacy, IT risk management, information security, business continuity or regulatory compliance.

Reporting lines are also changing to enhance governance effectiveness. The survey results show that 38% of respondents explicitly indicate that the most senior person responsible for information security reports outside of the IT organization.

“The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that ‘security is an IT problem,’” Scholtz says.

In addition, Gartner reports growing recognition that security must be managed as a business risk issue, not just an operational IT issue, and that it extends to areas such as operational technology and Internet of Things security.

Other survey findings include the following:

• 63% of respondents indicate they receive sponsorship and support for their information security programs from leadership outside of the IT organization (up from 54% in 2014);

• 57% of respondents in North America report sponsorship from outside IT, considerably lower than 63% in Western Europe and 67% in Asia/Pacific; and

• half of respondents say the governance body is involved in assessing and approving the policies, but only 30% note that business units are actively involved in developing the policies that will affect their businesses.

While the 30% figure is an improvement on previous years (16% in 2014), Gartner reports that “it still indicates a lack of active engagement with the business. This lack of engagement is a major cause of different risk views between the security team and the business, which can result in redundant and mismanaged controls, which, in turn, result in unnecessary audit findings and ultimately in reduced productivity.”

Adds Scholtz, “A senior executive mandate for the security program is fundamental. Without it, the security program has little chance of getting the requisite support from the rest of the organization.”