Companies all over the world are putting Information security high on their agendas. Despite the difficulties in valuing information from an economic point of view, companies are significantly investing in information security.
These findings emerge from an international survey conducted by DNV GL – Business Assurance, a world leading certification body, and the research institute GFK Eurisko, on more than 1,100 professionals from businesses in different sectors in Europe, the Americas and Asia.
INFORMATION SECURITY MANAGEMENT
Respondents agree that information security cannot be disregarded, from a personal (76%), societal (81%) or business (81%) point of view.
Companies worldwide are now actively managing this issue, but there are various levels of sophistication to the approaches. 58% of the companies have adopted an ad hoc management strategy, while only 27% set concrete goals. Measuring aspects related to information security, such as quantifying the cost of data breach or of data loss, is still difficult.
FOCUS ON PROTECTION AND DEFENSE
Companies are putting significant efforts into information security. 65% invested in specific initiatives in the last three years. 73 % of the companies with more than 250 employees are investing.
However, they are not taking a systematic management approach. Motivated by the need to protect information, most initiatives focus on essential infrastructure requirements, such as investing in appropriate equipment (41%), or on baseline actions, like hiring appropriate personnel (40%) and applying controls (35%).
35 % of the companies say they have seen reduction of loss due to breaches since making information security investments. 23% of the companies also reported that they see advantages such as improvement of brand reputation and customer relations due to their investment.
INFORMATION SECURITY INTEGRATED IN ORGANIZATIONAL CULTURE
Most companies do not consider budgets to be a main constraint for progress related to information security. Just over 30% mention too expensive maintenance and implementation as constraints, and lack of staff competence (23 %) and management awareness (19 %) follow thereafter.
Successful Information Security Management does not only depend on the competence of the security specialist. Top management plays an important part, and companies need to work to integrate information security management as a part of the organizational culture.
FUTURE OUTLOOK
When asked about the future, companies state that they will not neglect their commitment to information security, and will move towards adoption of a systematic approach. Respondents expect to see a significant increase in staff training initiatives in their company (+13%), and also an increase in the implementation of information security risk assessment and management methodology (+8%). They also plan to set concrete goals (+8%).
Luca Crisciotti, CEO of DNV GL – Business Assurance commented: “The world is changing fast. New technologies pose both new challenges and opportunities for companies worldwide. Information security is at the heart of this revolution, a prerequisite for success.
He continued:
“Companies are already putting their defenses up, but not in a structured way. The next step is to shift their attitude from defense on to systematic management. It is a matter of implementing an organizational culture that fosters information security. Organizational culture starts from the top, so management must become ambassadors of this culture. Information security needs to move on from being the responsibility of a single individual or department to becoming a business objective that the entire organization is measured by.”
***************************
METHODOLOGY AND SURVEY SAMPLE
The survey was conducted in July 2015, on a sample of 1,192 professionals who work at prominent companies in the primary, secondary and tertiary sectors across different industries in Europe, The Americas and Asia.
The sample consists of DNV GL customers and is not statistically representative of worldwide companies:
26% of the firms involved employ less than 50 people, 36% from 50 to 249 and 38% 250 or more;
2% of the companies are from the primary sector, 54% from the secondary sector and 44% from the tertiary sector.
The sample includes 112 companies defined as leaders.
The classification of a company in the leaders category is based on a set of requisites specifically defined by DNV GL: information security is relevant to the company’s business strategy; on a scale from 1 to 5 measuring maturity in managing information security, the respondent rates their company as advanced; the company has an information security strategy; the company sets measurable goals on information security; the company has invested in information security initiatives in the last 3 years; the company has taken action to deal with information security, the company is able to rate the overall cost/benefit ratio of the actions undertaken; the company is going to invest more or same as today in the next 3 years. More information is available in the report.
The questionnaire was administered using the CAWI (Computer Assisted Web Interviewing) methodology.
