A report released by the IT Governance Institute (ITGI) shows that less than 25 percent of organizations analyze and assess external threats to information systems on a regular basis. The study, “Information Risks: Whose Business Are They?” involved approximately 200 IT professionals in 14 countries.
One of the main causes behind inadequate concern about information security is the lack of responsibility and accountability on the part of organizational leaders, said Gary Hardy, author of the report and director of IT Winners, a risk management consultancy. “I believe it is a combination of two things-a tendency by business managers not to want to take ownership and be held accountable for risks that can have serious consequences (not wanting to hold what is seen as a ‘hot potato’), plus a lack of understanding of the technical issues.”
A key finding of the report was that only about one-third of corporate boards or CEOs sign off on their companies’ IT risk management plans. “The tendency to decentralize and compartmentalize can result in a lack of organization-wide standards and mandates, so that the IT function finds itself dealing with fragmented approaches and responses, and business units might use the excuse that it is ‘the center’s responsibility,'” Hardy said. “But overall, I believe it is a lack of commitment and ownership of responsibility that is the biggest inhibitor, which can only be changed by top management actions and the establishment of better organizational structures such as IT risk committees and defined accountability for IT risk for business managers.
“The only way to change this situation is through better direction from the top, via a clear governance structure,” he added. “Top management has to make business managers accountable and responsible for IT-related risks, through organizational structures and mandates. This includes responsibility at board level for IT risks, and setting the example that the board is committed and interested. It is not really possible for IT professionals, who are acting as service providers, to insist that the business managers (their customers) take responsibility, but they can help by breaking down barriers and helping the customer to understand the issues.”
To help business managers take a more active and involved approach to information security, IT professionals should communicate in understandable, business-related terms instead of techno-jargon and involve business issues in discussions of risk. “This is best done by facilitating discussion (e.g., in a workshop using real business scenarios), so that the business leaders can work out and sign up to the impacts for themselves,” Hardy said. “The other aspect of risk-likelihood-is harder to quantify, but again, in a workshop it is usually possible to agree on the degree of probability. Through these discussions, significant risks will be taken seriously, and the case for effective analysis will be easier to make.”
For more information, see http://www.itgi.org.