In our latest survey, we looked at information security professionals' attitude to compliance. As ever, the results provide food for thought.
As with many of our SC surveys, this latest one has thrown up a mixture of expected and unexpected results. With compliance and regulatory pressures proving to be an increasing burden on information security professionals, it was interesting to see what is happening in the real world of enterprise security.
Up until quite recently, security professionals did not have to worry too much about compliance issues, which were more the domain of the CFO or COO. However, the attention paid to data privacy and data loss by, among others, the Information Commissioner's Office has brought the issue firmly into focus.
The first question revealed reasonably positive results, in that just over 40 per cent of respondents did have a long-term plan and were actively measuring security risk and compliance; around another 40 per cent were looking to develop a plan either now or in the future.
While this is positive news, what it doesn't tell us is what kind of preparation information security professionals are making in terms of policies, auditing and the technology they are looking at. Although there is an awareness of compliance and the need to improve, there remains a suspicion that many security professionals, with so much to worry about on a daily basis, tend to relegate compliance to the lower echelons of their agendas.
The trouble is that a compliance error can come out of the blue, cause unforeseen consequences and in the worst-case scenarios result in severe financial penalties from the Information Commissioner or the FSA.
On the other hand, an overwhelming majority (71 per cent) of respondents did have what they considered adequate accountability for ownership of security risks, which is good to hear. In fact, such ‘risk ownership’ is becoming a default setting in leading security practice – and for good reason: if people are aware of their responsibilities and know the consequences of security and compliance failure, they are more likely to take it seriously and act accordingly.
The responses to the third question are interesting: 65 per cent of those surveyed said they adequately enforce adherence to their organisations' internal security policy, but you have to wonder on what they base that confidence. Until something happens, it is hard to know whether security policies are truly enforced or working (i.e. employees following secure practice) – truly the eternal dilemma of the information security professional.
For those who are passionate about making information security a boardroom issue, the fact that nearly 60 per cent of respondents said their executives are more aware of their organisation's security than they were 12 months ago is positive and actually quite surprising. It seems that the “security is a business enabler” message is getting through, probably a result of respondents regularly measuring and reporting on the security and compliance of their IT environment to all stakeholders.
The responses to question seven tied compensation to security and compliance performance. Many employees are rewarded for meeting financial or efficiency targets, so why not for good security practice too? However, this is a relatively rare practice, according to the survey, with only 15 per cent of organisations doing this. It could, though, be a sign of things to come in enterprise security – could good security metrics be measured against financial performance? Does an efficiently compliant organisation tend to be a better market performer?
Finally, if we didn't already know by now, meeting security compliance requirements remains the biggest security concern for 2011, according to question nine. Social media and smartphones are the second biggest worry, but that's another story.
The SC/nCircle compliance survey ran during March 2011 and analysed the responses of 107 UK IT security managers.