Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

6.10.2008

Security Disconnects Between Business and IT


A study sponsored by BearingPoint Inc. shows that even though business and IT people agree security is a top-level executive concern, conflicting priorities hinder organizational implementation of risk and security solutions.

Focal Points:

  • A newly released global study conducted in July 2008 by Forrester Consulting and commissioned by BearingPoint found 91 percent of the 175 respondents agreed security is a CEO- or board-level concern. 72 percent stated the head of risk or security met with C-level executives or the board weekly, monthly, or quarterly. Complicating the matter, more than one third of the respondents cited multiple dotted-line reporting structures to units such as enterprise risk, finance, HR, and legal. The biggest inhibitors to change were found to be budget constraints (according to 77 percent of the respondents), corporate culture (63 percent), and management support and buy-in (61 percent). Two other major inhibitors were lack of business understanding by security managers (66 percent) and justification of security spending (68 percent).
  • Business respondents were more confident about the overall security in the enterprise than IT respondents. However, both groups in all industries expressed a greater than 90 percent confidence level in their existing security. 52 percent of business respondents were very confident of their organization's data protection capabilities. Another 45 percent were confident about their data protection abilities as well. However, only 51 percent of business respondents were involved in risk assessments, while only 46 percent were involved in data protection.
  • 51 percent of IT respondents expect risk assessment budgets to increase, while only 40 percent of the business people believe that would happen. Only 35 percent of respondents feel regulatory compliance spending is excessive, while 21 percent believe such spending will increase significantly next year. The primary assessment methodology is through internal audit, according to 52 percent of respondents. External audit and self-assessments against policies and procedures were tied, with 13 percent citing those methods, while 10 percent stated a preference for assessments by a regulatory body.

Experton Group believes business and IT executives do not know the full extent of their risk and security exposures and are not able to perform an accurate assessment. The current financial crisis, as well as the constant stream of news stories on security failures, demonstrates the shortcomings in corporations' ability to assess their data, risk, and security exposures. Unfortunately, most analyses and assessments are done based on past history and known failure events and types, and too little is done to predict and prevent new failure types and exposures. Executives need to establish a governance structure that can develop a comprehensive risk strategy, assess an extensive set of risk exposures, and monitor and react to their risks and the changing risk environment on an almost real-time basis.
