Getting More Mature About Info Security

Reading time: 6 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

How mature is your organization’s cyber security program? It’s a relevant question, especially considering how data breaches have become increasingly prevalent and more damaging for organizations.


Based on recent industry research, companies are moving in the right direction. Information security governance practices are maturing, according to Gartner Inc.’s annual end-user survey for privacy, IT risk management, information security, business continuity and regulatory compliance.


For the study, Gartner surveyed 964 respondents in organizations with at least $50 million equivalent in total annual revenue for fiscal year 2014 and with a minimum of 100 employees. The respondents were located in seven countries and were surveyed between February and April 2015.


Part of what’s driving the effort to increase security is the recent wave of high-profile data breaches.


"Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cyber security incidents, are making IT risk a board-level issue," said Tom Scholtz, vice president and Gartner Fellow. A majority of organizations surveyed (71%) indicated that IT risk management data influences decisions at a board level, Scholtz said, and this also reflects an increasing focus on dealing with IT risk as a part of corporate governance.


The nature of the reporting lines of the information security team is among the key attributes of effective governance, the report notes, and 38% of the survey respondents indicated that the most senior person responsible for information security reports outside of the IT organization.


The main reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that security is an “IT problem," Scholtz said.


Enterprises are increasingly recognizing that security needs to be managed as a business risk issue, and not just as an operational IT issue, Scholtz says, and there is an increasing understanding that cyber security challenges go beyond the traditional realm of IT into areas such as operational technology and Internet of Things (IoT) security.


The seniority level from which cyber security programs are sponsored is also improving, according to the study. About two thirds (63%) of the respondents said they receive sponsorship and support for their information security programs from leadership outside of the IT organization. And that’s an increase from 54% in 2014.


A senior executive mandate for the security program is fundamental, and without it the security program has little chance of getting the requisite support from the rest of the organization, Scholtz noted. Because a corporate information security steering committee (CISSC) should consist largely of business representatives, Gartner expects that the level of sponsorship from such bodies will continue to increase as governance functions continue to mature.


Although half of the organizations surveyed indicated that their governance body was involved in assessing and approving security policies, only 30% said business units are actively involved in developing the policies. This indicates a lack of active engagement with the business, Gartner says, and this is a major cause of different risk views between the security team and the business, which can result in redundant and mismanaged controls.


There are a models available for measuring the maturity of security programs. For example, the Cybersecurity Capability Maturity Model (C2M2) program is a public-private partnership established as part of the U.S. federal government’s efforts to improve electricity subsector cyber security capabilities, and to understand the cyber security posture of the grid.


C2M2 helps organizations of any size, type or industry evaluate, prioritize and improve their own cyber security capabilities. The model focuses on the implementation and management of security practices associated with the operation and use of IT and operational technology assets, and the environments in which they operate.


The goal is to support ongoing development and measurement of security capabilities within organizations by strengthening their information security capabilities; enabling organizations to effectively and consistently evaluate and benchmark their security capabilities; sharing knowledge, best practices, and relevant references across organizations as a means to improve security capabilities; enabling organizations to prioritize actions and investments to improve cyber security; and supporting adoption of the National Institute of Standards and Technology (NIST) cyber security framework.


Research firm Forrester Research Inc. a few years ago unveiled its Forrester Information Security Maturity Model. The model details 123 components that comprise a successful security organization, grouped in 25 functions and four high level domains, according to a blog

by Christopher McClean, vice president and research director at Forrester.


With the help of models and a committed approach from senior leadership, all companies can develop highly mature approaches to information security—at a time when they really need it.