Companies all over the world are putting information security high on their agendas. Despite the difficulties in valuing information from an economic point of view, companies are significantly investing in information security.
These findings emerge from an international survey conducted by DNV GL - Business Assurance, a world leading certification body, and the research institute GFK Eurisko, on more than 1,100 professionals from businesses in different sectors in Europe, the Americas and Asia.
Information security management
Respondents agree that information security cannot be disregarded, from a personal (76%), societal (81%) or business (81%) point of view.
Companies worldwide are now actively managing this issue, but there are various levels of sophistication to the approaches. 58% of the companies have adopted an ad hoc management strategy, while only 27% set concrete goals. Measuring aspects related to information security, such as quantifying the cost of data breach or of data loss, is still difficult.
Focus on protection and defense
Companies are putting significant efforts into information security. 65% invested in specific initiatives in the last three years. 73 % of the companies with more than 250 employees are investing. However, they are not taking a systematic management approach. Motivated by the need to protect information, most initiatives focus on essential infrastructure requirements, such as investing in appropriate equipment (41%), or on baseline actions, like hiring appropriate personnel (40%) and applying controls (35%).
35 % of the companies say they have seen reduction of loss due to breaches since making information security investments. 23% of the companies also reported that they see advantages such as improvement of brand reputation and customer relations due to their investment.
Information and security integrated in organizational culture
Most companies do not consider budgets to be a main constraint for progress related to information security. Just over 30% mention too expensive maintenance and implementation as constraints, and lack of staff competence (23 %) and management awareness (19 %) follow thereafter.
Successful Information Security Management does not only depend on the competence of the security specialist. Top management plays an important part, and companies need to work to integrate information security management as a part of the organizational culture.
When asked about the future, companies state that they will not neglect their commitment to information security, and will move towards adoption of a systematic approach. Respondents expect to see a significant increase in staff training initiatives in their company (+13%), and also an increase in the implementation of information security risk assessment and management methodology (+8%). They also plan to set concrete goals (+8%).
Luca Crisciotti, CEO of DNV GL - Business Assurance commented: “The world is changing fast. New technologies pose both new challenges and opportunities for companies worldwide. Information security is at the heart of this revolution, a prerequisite for success.<7p>
He continued: “Companies are already putting their defenses up, but not in a structured way. The next step is to shift their attitude from defense on to systematic management. It is a matter of implementing an organizational culture that fosters information security. Organizational culture starts from the top, so management must become ambassadors of this culture. Information security needs to move on from being the responsibility of a single individual or department to becoming a business objective that the entire organization is measured by."