8 steps to getting information security risks under control

As the internet expands at an incredible rate, and big data grows ever ‘bigger’, gaps in online surveillance are inevitable – both for individuals and for businesses.

Security threats are indiscriminate, and can affect every type of company – from the huge and publicly-listed to smaller startups and SMEs.

In the corporate world, chief audit executives must be responsible for monitoring and responding to these security issues – rather than misdirecting resources, and providing a misleading sense of assurance to their boards.

According to our research, current approaches to auditing as it relates to information security are simply not working. The statistics below reflect the extent to which organisations are encountering problems:

  • 77 per cent of chief auditors report significant audit issues related to information security in 2013
  • 57 per cent report an increase in significant issues compared to 2012, and
  • 40 per cent of chief auditors report an increase in information security incidents between 2012 and 2013

The digital gap

Concerns over the protection of information are becoming more critical for management at all organisations. One of the factors driving heightened concerns about corporate security breaches is the increasing usage of digital data in the workplace, particularly on personal devices. We found that:

  • 64 per cent of employees regularly use personal technologies for work
  • 76 per cent of employees now spend more time accessing and reviewing corporate information than three years ago
  • 93 per cent of employees admit to violating information security policies

However, digital data is critical for companies if they are to compete and grow. Some 79 per cent of senior executives believe new uses of digital information are key to finding additional sources of revenue and company growth, and those same executives also stated that a 60 per cent increase in operating margins is possible through better use of information.

Time to take control

With these stats in mind, we need to ask: what are the essential steps to get these risks under control? Leading organisations follow eight simple steps to tame information security risks:

1. Review the quality of the work done by your organisation’s information security team. The second line of defence has a key role to play – critically assess how well they fulfil that role and drive improvement.

2. Ensure that business-led IT initiatives are appropriately secured and deliver creative IT solutions quickly to innovative business managers around the organisation.

3. Review all key aspects of information security every year to ensure that no gaps or disconnects exist. This is likely to require tough resourcing and planning decisions for CAEs.

4. Ensure your audit committee can provide effective oversight of information security. This means they should have the right skills and knowledge, and can challenge management frequently enough on the information security risks facing the organisation and the controls management has implemented.

5. Strengthen your security barriers by changing employees’ behaviour. Secure behaviour by employees (and contractors and others working for you) provides agile protection against a rapidly changing threat environment – even in the absence of a written policy.

6. Use a nuanced approach to train all employees effectively in corporate-sensitive roles, including all senior management, the assistants of those senior managers, and everyone in sensitive roles such as purchasing or systems administration.

7. Run scenario exercises to ensure senior management truly understands the information assets relied upon by the organisation, the main vulnerabilities, and the real impact of their behaviours and decisions.

8. Scan the horizon routinely to understand critical emerging risks and ensure your control framework is adapted in time.

As the digital world changes constantly, and at great speed, organisations need to maintain control over their information security. In order for this to be effective, they must implement meticulous surveillance, training and re-assessment of employees’ behaviour at every level.

Ian Beale is a senior director in CEB’s legal, risk and compliance practice.
