A steady stream of high profile cyber security breaches, threats from malware and ransomware makes you wonder whether security is a second class citizen in the world of IT. Computer Economics IT Management and Best Practices 2017/18, an extensive and detailed study (186 pages total) that includes this topic shows some surprising findings that should act as a wake up call to all companies. For example, the study notes that:
security and risk management practices dominate the list of the top five most-mature best practices. That’s good. However, what is not so good is the low percentage of IT organizations that have adopted these crucial security practices formally and consistently. Only about half or fewer of our respondents do so, which means the majority of organizations admit that their security and risk management practices are “informal” or “inconsistent.” In other words, there is a lot of room for improvement.
Digging a bit further, the picture does not get any better:
…only 51% of those who have IT security policies in place say their security policies are formal and consistent. From there, the situation goes down hill. For example, only 42% of IT organizations conduct IT security compliance audits formally and consistently.
We often hear that security is considered ‘hard’ by both users and IT managers. The data in this report suggests that those ‘hard’ perceptions are used as an excuse to simply not bother, in some cases, even with the most basic safeguards. That was the conclusion among the cognoscenti following my piece on the Deloitte debacle.
Computer Economics uses blocks of best practice descriptions around which it corrals major elements of IT management. It breaks down the security and risk management element into seven topic areas: IT security policies, IT security and compliance audits, disaster recovery planning, security incident management, disaster recovery testing, data classification and retention and business continuity. It then provides a maturity assessment for each component which is then further analyzed into practice rate trends, adoption profiles, practice rate is compared to practice level by size of organization and finally maturity data by industry.
Details about the methodology and definitions used are publicly available. Potential report buyers can use these to assess for themselves whether the criteria Computer Economics applies align with what they need to know.
Taken together, the metrics form a useful set of data against which industry participants can benchmark themselves across multiple dimensions.
I was struck by the disparity between those who have done the security policy legwork and those who say they consistently practice what is in recorded policies. For example, even though 97% of large companies say they have policies in place, only 75% confess to measuring up in what they do on a day to day basis.
As you might expect, there is significant variation across industries with healthcare, financial services and construction reporting 91% overall practice rates, while government and non-profits held up the field at 77%.
In reviewing the data, I mentioned to Frank Scavo, CEO Computer Economics, that I struggle with the concept of ‘best practices’ since in my experience, it connotes a rear view mirror approach to a topic. It strikes me for example, that the field of cyber security threat is becoming increasingly sophisticated and that what might have served as best/good practice yesterday may not be so today. In that sense, I see the topic of IT security and risk management as one that is in a state of flux. In an email response, Scavo said:
In this case, what we are talking about here are really bread-and-butter things that IT organizations should be doing, like “IT Security Policies and Procedures.” Hard to argue against having IT security policies and procedures as a best practice that all IT organizations should establish. But sadly, only about half of IT organizations are formal and consistent in their establishing IT security policies and procedures. No wonder we keep having these major breaches.
His point is well made and I guess that until we get past baseline work then the concept of something ‘better’ described in a palatable way will have to wait for another day. The fact that this broad topic is the most mature among the many areas the study covers should be gratifying to a degree but, it seems, the Internet has exposed the nature and frequency of security breaches. In that sense, the release of this study is timeous and should be on the shelf of every IT manager and a good chunk of those Wild West business managers who have brought technology in through the back door.
A 21 page report sample can be found here, along with a link to buy the full report.
Image credit - via Computer Economics
Disclosure - Frank Scavo is a long time industry colleague and from time to time we share information between ourselves on topics of mutual interest. We have no commercial relationship or affiliation.