Our 2014 report identified notable gaps between top-performing companies and other organizations in terms of best practices in IT security and privacy; it also pointed to where these organizations needed to progress to bridge these gaps.
- “Tone at the top” is a critical differentiator. From strong board engagement to management-driven “best practice” policies, effective security begins at the top. A strong tone at the top is as important as any policy, because even the best policies are merely words on paper. It takes people to put those words into action, and people take their cues from company leadership. Have you communicated to the people in your organization what you expect regarding information security and privacy? Are you setting a good example?
- A strong security foundation must include the right policies. Organizations that have in place all “core” information security policies, including acceptable use, data encryption and more, demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities. What are your policies? Do you know them? Do your employees?
- Many companies lack critical policies and an understanding of their “crown jewels.” One in three companies lacks policies for information security, data encryption and data classification. Most lack a strong understanding of their most sensitive data and information, as well as the potential exposures of that data. Such gaps open the organization to cyberattacks and significant security issues. What are your informational “crown jewels”? How are you protecting them?
- There isn’t a high level of confidence in the ability to prevent an internal or external cyberattack. While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they could prevent a targeted cyberattack, either from external hackers or insiders. This mindset is not necessarily a bad thing—in fact, it may be a healthy one if the perspective drives a focus on improvement. Many in the cybersecurity community would argue that cyber breaches are inevitable and that the best risk management strategy is to focus on rapid detection and on ensuring that valuable data is encrypted and unidentifiable, rendering it worthless to an unauthorized user. Could your security protocols detect and contain a breach in progress, or are you still just patrolling the perimeter?
Mr. Slemp is a managing director with Protiviti and currently leads the firm’s security and privacy solutions consulting business globally.