Cyber security data is influencing decisions at board level as more companies take IT threats seriously according to the latest Gartner information security governance survey.
The analyst firm surveyed 964 respondents working in large companies with revenues of at least US$50 million in the US, Canada, the UK, Germany, India, Brazil and Australia. Fifty three respondents were from Australia.
According to the survey, 71 per cent of those surveyed said that IT risk management data influences decisions at a board level.
“This reflects an increasing focus on dealing with IT risk as a part of corporate governance,” said Gartner vice-president Tom Scholtz.
Thirty eight per cent of respondents said that the most senior person responsible for information security reports outside of the IT department. This was up from 30 per cent in 2014’s survey.
According to Scholtz, the reason for establishing this reporting line outside of IT was to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that "security is an IT problem.”
“Organisations increasingly recognise that security must be managed as a business risk issue, and not just as an operational IT issue,” Scholtz said.
“There is an increasing understanding that cybersecurity challenges go beyond the traditional realm of IT into areas such as operational technology [OT] and Internet of Things [IoT] security."
Sixty three per cent of respondents indicated that they receive sponsorship and support for their information security programs from non-IT executives. This was up from 54 per cent in 2014.
“CEO or board-level sponsorship has remained constant at 30 per cent [29 per cent in 2014] while sponsorship from a steering committee increased from seven to 12 per cent,”Scholtz said.
“There are interesting regional differences, with 57 per cent of respondents in North America indicating sponsorship from outside IT, considerably lower than 63 per cent in Western Europe and 67 per cent in Asia Pacific.”
Because more corporate information security steering committees include business representatives, he expects that the level of sponsorship will continue to increase as governance functions continue to mature.
In addition, 30 per cent of respondents said that business units are involved in developing security policies, up from 16 per cent last year.
“This lack of engagement is a major cause of different risk views between the security team and the business, which can result in redundant and mismanaged controls, which in turn result in unnecessary audit findings and ultimately in reduced productivity,” said Scholtz.
Follow Hamish Barwick on Twitter: @HamishBarwick