Gartner says the growing trend for establishing the primary security function outside of IT reflects the need for effective security governance.
The nature of the reporting lines of the information security team is one of the key attributes of effective governance, says Gartner, as it releases the results of its annual end-user survey for privacy, IT risk management, information security, business continuity or regulatory compliance.
Thirty-eight percent of the survey respondents indicated explicitly that the most senior person responsible for information security reports outside of the IT organisation
"The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that 'security is an IT problem'," says Tom Scholtz, vice president and Gartner fellow.
The analyst firm surveyed 964 respondents in large organisations — with at least $50 million equivalent in total annual revenue for fiscal year 2014, and with a minimum of 100 employees — in seven countries between February and April 2015.
“Organisations increasingly recognise that security must be managed as a business risk issue, and not just as an operational IT issue,” notes Scholtz. “There is an increasing understanding that cybersecurity challenges go beyond the traditional realm of IT into areas such as operational technology (OT) and Internet of Things (IoT) security."
Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cybersecurity incidents, are making IT risk a board-level issue.
Taking security on board
"Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cybersecurity incidents, are making IT risk a board-level issue," he says.
"Seventy-one percent of respondents indicated that IT risk management data influences decisions at a board level. This also reflects an increasing focus on dealing with IT risk as a part of corporate governance."
The seniority level from which security programs are sponsored is also improving, according to the survey results.
Sixty-three percent of the respondents indicated that they receive sponsorship and support for their information security programs from leadership outside of the IT organisation.
This is a significant increase from 54 per cent in 2014. CEO and/or board-level sponsorship has remained constant at 30 percent (29 percent in 2014) while sponsorship from a steering committee increased from seven to 12 percent.
The survey notes interesting regional differences, with 57 per cent of respondents in North America indicating sponsorship from outside IT, considerably lower than 63 percent in Western Europe and 67 per cent in Asia/Pacific.
"A senior executive mandate for the security program is fundamental,” says Scholtz. “Without it, the security program has little chance of getting the requisite support from the rest of the organisation.”
"Because a corporate information security steering committee (CISSC) should consist primarily of business representatives, we expect that the level of sponsorship from such bodies will continue to increase as governance functions continue to mature. Indeed, an effective governance forum, such as the CISSC, becomes the authoritative representative of the CEO, the board and the senior business unit managers."
Mind the gaps
On the effectiveness of security policies, although half of the respondents indicate the governance body is involved in assessing and approving the policies, only 30 per cent indicated the business units (BUs) are actively involved in developing the policies that will affect their businesses.Read more: 10 'pain points' for global Boards - and how to tackle them
While this is a considerable improvement from previous years (16 per cent in 2014), it still indicates a lack of active engagement with the business.
This lack of engagement is a major cause of different risk views between the security team and the business, which can result in redundant and mismanaged controls, which in turn result in unnecessary audit findings and ultimately in reduced productivity, concludes Gartner.
Send news tips and comments to firstname.lastname@example.org
Follow Divina Paredes on Twitter: @divinapRead more: Does your Board paper have a section on cyber risk?
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.