Are CXOs Taking IT Risk Management Seriously?

by CXOtoday News Desk    Jul 22, 2015


Security is now more visible across the organization, with senior executives and boards demanding effective security controls that deliver value. Current trends including mobile enterprise, cloud computing and advanced threats are increasing the demands and challenges for governance and risk management. However, a Gartner study notes that lack of engagement continues to be a major cause of risk views between the security team and the business, which often leads in redundant and mismanaged controls, which in turn result in unnecessary audit findings and ultimately in reduced productivity.

There’s good news as well, as the research firm sees information security governance practices are maturing. “Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cybersecurity incidents, are making IT risk a board-level issue,” said Tom Scholtz, vice president and Gartner Fellow. “Seventy-one percent of respondents indicated that IT risk management data influences decisions at a board level. This also reflects an increasing focus on dealing with IT risk as a part of corporate governance.”

Gartner surveyed 964 respondents in large organizations — with at least $50 million equivalent in total annual revenue for fiscal year 2014, and with a minimum of 100 employees — in seven countries between February and April 2015 in Europe, Americas and Asia-Pacific.

The study found the nature of the reporting lines of the information security team is one of the key attributes of effective governance. Thirty-eight percent of the survey respondents indicated explicitly that the most senior person responsible for information security reports outside of the IT organization.

“The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that “security is an IT problem,” said Scholtz. Organizations increasingly recognize that security must be managed as a business risk issue, and not just as an operational IT issue. There is an increasing understanding that cybersecurity challenges go beyond the traditional realm of IT into areas such as operational technology (OT) and Internet of Things (IoT) security.”

The seniority level from which security programs are sponsored is also improving. Sixty-three percent of the respondents indicated that they receive sponsorship and support for their information security programs from leadership outside of the IT organization. This is a significant increase from 54 percent in 2014. CEO and/or board-level sponsorship has remained constant at 30 percent (29 percent in 2014) while sponsorship from a steering committee increased from seven to 12 percent. There are interesting regional differences, with 57 percent of respondents in North America indicating sponsorship from outside IT, considerably lower than 63 percent in Western Europe and 67 percent in Asia/Pacific.

“A senior executive mandate for the security program is fundamental. Without it, the security program has little chance of getting the requisite support from the rest of the organization,” summed up Scholtz.