I’ve noticed a distinct theme throughout a number of different analyst reports I’ve recently read – that the protection of information and data assets is a business task which needs guidance from the business unit leaders. Take as an example…
As executives see more and more media coverage of data breaches and security incidents, the inevitable question is: “What are we doing to make sure that doesn’t happen to us?”
Contrary to 2012 when privacy responsibility was shifting to an organization-wide accountability, in 2013 it’s falling more onto the security group within enterprises. [It’s] a matter of concern if more and more enterprises deem the security group fully responsible for privacy and regulations. Ensuring privacy requires a union of technology, policy, and culture, and a harmony between many business units from security to legal to HR to employees.
Progress has clearly been made, but important gaps in the discussions about risks … provide evidence that security still has far to go as a board-level issue.
– Three Steps to Successful Data Classification (Aberdeen)
Classification enables the creation of attributes for data identity, which helps determine how to treat and secure data… Defining data via data discovery and classification is an often overlooked, yet critical, component of data security and control. Data classification is not one person’s job. It’s everyone’s job.
– Strategy Deep Dive: Define Your Data (Forrester)
However, in a recent Gartner survey on information security governance practices (Survey Analysis: Information Security Governance, 2013-14), they find that not only are security governance practices failing to mature, but they are actually getting worse over time.
IT and the security team cannot be left to manage the defense of your private data and intellectual property alone. Without proper insight into business goals, workflows, and data value, the security team cannot be expected to create or enforce suitable security policies.
With this in mind, I was shocked to read that, of the 555 organizations that responded to Gartner, 12% indicated that business units were not involved in the creation of security policy! More worrying, this number doubled from 2012. If you add those organizations with security committees that don’t send the policies they create out to the business units for consultation, you end up with fully 40% of businesses that have little to no business people involved in the creation or management of their security policies.
This trend to push security governance onto the backs of IT and a few security managers is also reflected in the membership of the security management groups. Since 2011, the number of governance bodies where business unit managers made up the majority of the members has fallen by half, from 18% to 9%.
I agree with Gartner that this current trend is untenable. Without proper company-wide involvement and executive sponsorship to ensure proper corporate focus and funding, the IT team will struggle to manage data security risks. Every department uses data that has value and could be harmful if lost: financial data, employee information, business strategies, and intellectual property. With all signs pointing to greater security challenges (BYOD, social networks, rising IP theft, cloud data storage) it is disquieting to see executive management isolating security to one department that often lacks adequate executive sponsorship.
At TITUS we maintain that security is everyone’s responsibility, and it starts with those who create information. As they assign value to the data they create via classification, it is much easier for security systems to manage the data according to policy. The act of classifying involves every member of your organization and puts data security top of mind. When business users are actively involved in security efforts there is more feedback regarding policy, leading to better policies, better security, and reduced risk. The Gartner survey has many good recommendations, but they all stem from the top recommendation: organizations need to ensure that the security governance groups have adequate business team representation. Does yours?