A report released by the IT Governance Institute (ITGI) shows that less than 25 percent of organizations analyze and assess external threats to information systems on a regular basis. The study, “Information Risks: Whose Business Are They?” involved approximately 200 IT professionals in 14 countries.
One of the main causes behind inadequate concern about information security is the lack of responsibility and accountability on the part of organizational leaders, said Gary Hardy, author of the report and director of IT Winners, a risk management consultancy. “I believe it is a combination of two things: a tendency by business managers not to want to take ownership and be held accountable for risks that can have serious consequences (not wanting to hold what is seen as a ‘hot potato’), plus a lack of understanding of the technical issues.”
A key finding of the report was that only about one-third of corporate boards or CEOs sign off on their companies’ IT risk management plans. “The tendency to decentralize and compartmentalize can result in a lack of organization-wide standards and mandates, so that the IT function finds itself dealing with fragmented approaches and responses, and business units might use the excuse that it is ‘the center’s responsibility,’” Hardy said. “But overall, I believe it is a lack of commitment and ownership of responsibility that is the biggest inhibitor, which can only be changed by top management actions and the establishment of better organizational structures such as IT risk committees and defined accountability…