If data isn’t the lifeblood of an organization, it is without question a critical component of its success. Similar to the role of water in a hydroelectric plant, data powers an organization, pumping “fuel” – through information, knowledge and insights – to virtually every company function. It therefore must be managed – and managed well.
With the plethora of cyberattacks and data breaches that have occurred over the past year, prevailing wisdom suggests companies are working diligently to “get their houses in order” with regard to IT and data security and privacy. However, the results of our latest IT Security and Privacy Survey suggest there is still plenty of work to do. Remarkably, despite some positive developments and growth, there remain significant chasms between where organizations stand and where they need to be. Just as interesting, there are organizations that have bridged these chasms quite successfully. How have they accomplished this? It starts at the top, with high engagement by the board of directors in the organization’s information security risks, which requires establishing a risk appetite and implementing a security framework. It continues with having in place fundamental information management, security and retention/destruction policies.
Protiviti conducted its IT Security and Privacy study in the second quarter of 2014. More than 340 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT Vice Presidents and Directors, and other IT management-level professionals completed an online questionnaire designed to assess security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics. In this report, we detail the findings of this study. Our five key findings were: board engagement is a key differentiator in the strength of IT security profiles; there remains a surprising lack of key “core” information security policies; organizations lack confidence in their ability to prevent a cyberattack or data breach; not all data is equal; and many are still unprepared for a crisis.