Some 71% of managers say IT risk management data influences decisions at the board level, according to Gartner’s annual end-user survey for privacy and information security.
The study’s authors found an increasing focus on IT risk as part of corporate governance. Almost 40% of respondents stated explicitly that the most senior person responsible for information security reports outside of the IT organization.
“The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that security is an IT problem,” said Tom Scholtz, vice president and Gartner Fellow.
According to Gartner, the security programs are sponsored at an increasingly senior level. Some 63% of respondents indicated that they receive sponsorship and support for their information security programs from leadership outside of the IT organization, compared to 54% in 2014.
“Organizations increasingly recognize that security must be managed as a business risk issue, and not just as an operational IT issue. There is an increasing understanding that cybersecurity challenges go beyond the traditional realm of IT into areas such as operational technology (OT) and Internet of Things security,” Scholtz said. “Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cybersecurity incidents, are making IT risk a board-level issue.”
Although half of the respondents indicate the governance body is involved in assessing and approving the policies, only 30 percent of respondents indicated that the business units are actively involved in developing the policies that will affect their businesses. This indicates a lack of active engagement, yet is a considerable improvement from previous years – 16% in 2014. Lack of engagement is a major cause of differing risk viewpoints between the security team and business, resulting in redundant, mismanaged controls, unnecessary audit findings and, ultimately, in reduced productivity.
Two thirds of CFOs make cybersecurity a high or very high priority, while 71% have increased involvement in IT in the last three years, as HOTforSecurity previously reported. CFOs and CIOs are increasingly connected, with 61% of CFOs saying their collaboration with the CIO has increased over the past three years.
Gartner surveyed 964 respondents in large organizations – with at least $50 million equivalent in total annual revenue for fiscal year 2014, and with a minimum of 100 employees – in seven countries between February and April 2015.