Managing the Crown Jewels and Other Critical Data


  • Internal Audit, Risk, Business & Technology Consulting

    Managing the Crown Jewels and Other Critical Data When tackling cyber risk, board involvement and effective communication continue to drive performance. Learn more in this report on the key findings from Protiviti’s 2017 Security and Privacy Survey.

  • 2017 Security and Privacy Survey ·

    Executive Summary

    Global cybersecurity risk has never been higher, yet its magnitude is almost certain to intensify in the months and years to come. Cybercriminal activity against global companies surged in the past year, and there are growing signs — including expert analysis¹ — suggesting that a form of global cyberwar has commenced.

    ¹ Belam, Martin. “We’re living through the first world cyberwar — but just haven’t called it that,” The Guardian, Dec. 30, 2016: dec/30/first-world-cyberwar-historians.

    Although these attacks vary in their intent, businesses remain in the crosshairs of these incursions. In addition to being something for which a company requires strong defenses, information security also needs to be planned for as organizations consider and deploy new approaches to generate revenue. Such conditions make cybersecurity a critical organizational priority and a top concern in the boardroom, C-suite, information technology function and every area of the business.

    It is imperative that boards and executive leadership keep close tabs on the state of their company’s cybersecurity programs. Protiviti’s latest Security and Privacy Survey delivers insights on the specific policies and qualities that distinguish top-performing companies from other organizations with regard to security and privacy practices. Our survey also identifies prime opportunities companies can leverage to strengthen their security capabilities.

    As we detail in the following pages, our survey results show cause for optimism, but there are concerns as well. Positive signs are particularly evident in companies where (1) the board of directors is highly engaged in information security matters; and (2) management has in place a robust set of key information security policies.

  • 2 · Protiviti

    Our Key Findings

    01 Having an engaged board and a comprehensive set of security policies make a huge difference — In assessing the results for companies in which the board has a high level of engagement in information security, these organizations perform noticeably better than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all core information security policies in place (which we define in our report). When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack.

    02 Most organizations need to enhance their data classification and management — An alarming number of companies appear unable to confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme supported by effective policies that are in place and adhered to throughout the enterprise.

    03 Security effectiveness hinges on policies as well as people — Along with board engagement, incorporating a comprehensive set of information security policies is a key differentiator for organizations that have a strong security posture. These policies should be supported with effective training programs and communications throughout the organization, especially given the frequency with which the “human element” is targeted as a path to enable data and security breaches.

    04 Vendor risk management must mature — As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures — areas that might stand between an organization’s crown jewels and cyberattackers.


    Survey Methodology

    Protiviti conducted its 2017 Security and Privacy Survey in the fourth quarter of 2016. More than 700 chief information officers, chief information security officers, chief technology officers, technology vice presidents and directors, and other technology managers and professionals completed an online questionnaire designed to assess security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics. Respondent demographics can be found on page 39.

    Since completion of the survey was voluntary, there is some potential for bias if those choosing to respond have significantly different views on matters covered by the survey than those who did not respond. Therefore, our study’s results may be limited to the extent that such a possibility exists. In addition, some respondents answered certain questions while not answering others. Despite these limitations, we believe the results herein provide valuable insights regarding security and privacy standards in place in organizations today.


    Board Engagement, Comprehensive Data Policies Distinguish High-Performing Information Security Programs

    Based on our analysis, there are two critical success factors present in organizations that adhere to security and privacy best practices:

    • High levels of engagement and understanding by the board of directors regarding information security risks

    • Having all five “core” information security policies in place

    In other Protiviti research, we have observed this correlation between board engagement in information security and the overall security posture of the organization, including in our 2015 IT Security and Privacy Survey report.² Similarly, our results this year show a notable difference between organizations that have all “core” information security policies in place — specifically, a records retention/destruction policy, a written information security policy, an acceptable use policy, a data encryption policy, and a social media policy — and those that do not; the former organizations demonstrate stronger information security practices overall.

    Throughout our report, we compare the results from these two groups of companies that exhibit the above success factors (which we categorize as “top-performing organizations”) with companies that do not exhibit them, and pinpoint notable gaps.

    ² The Battle Continues — Working to Bridge the Data Security Chasm: Assessing the Results of Protiviti’s 2015 IT Security and Privacy Survey,


    How engaged is your board of directors with information security risks relating to your business?

                                                                All respondents       Large Companies (≥ $1B)    Small Companies (< $1B)
                                                                Current    2015       Current    2015            Current    2015
    High engagement and level of understanding by the board     33%        28%        37%        32%             26%        24%
    Medium engagement and level of understanding by the board   37%        32%        37%        33%             39%        33%
    Low engagement and level of understanding by the board      12%        15%        9%         11%             20%        19%
    Don't know                                                  18%        25%        17%        24%             15%        24%

    Which of the following policies does your organization have in place? (Multiple responses permitted)

                                                                All respondents       Large Companies (≥ $1B)    Small Companies (< $1B)
                                                                Current    2015       Current    2015            Current    2015
    Acceptable use policy                                       80%        77%        82%        82%             77%        72%
    Record retention/destruction policy                         78%        74%        81%        80%             72%        71%
    Data encryption policy                                      70%        67%        77%        79%             60%        58%
    Written information security policy (WISP)                  69%        66%        72%        72%             65%        60%
    Social media policy                                         59%        55%        61%        61%             53%        50%


    • One-third of all respondents describe their board’s engagement with and understanding of information security risks as “high.” Thirty-seven percent of all respondents describe their board’s engagement level as “medium.” Not surprisingly, each of these figures indicates a promising increase compared to the results of Protiviti’s 2015 IT Security and Privacy Survey. The results reflect an increasing involvement and interest from boards of directors, which we believe is very positive. (Note that in the remainder of our report, we define this group of top-performing organizations as those whose boards have a “high” level of engagement in and level of understanding with regard to information security in the organization.)


    ³ From Cloud, Mobile, Social