Companies' Boards and Management Becoming More Engaged with Cybersecurity Risks, According to New Protiviti Security and Privacy Survey

MENLO PARK, Calif., Feb. 13, 2017

"While the increase in boards of directors' and company management's engagement with information security is a positive sign, it's imperative that leadership keeps closer tabs on the state of their organizations' cybersecurity programs," said Scott Laliberte, a Protiviti managing director and leader of the firm's global IT security and privacy practice. "Particularly as new technologies are introduced and new approaches to generating revenue are deployed, it's increasingly important to reexamine existing data security and privacy processes on a regular basis - ensuring that the right systems and people are in place to keep pace with changes."

Key findings from Protiviti's survey include:

• Having an engaged board and a comprehensive set of security polices make a huge difference – In assessing the results for companies in which the board has a high level of engagement in information security, these organizations rate considerably higher than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all of the core information security policies in place (as recommended by Protiviti). When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack.
• A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these "crown jewels" requires a data classification scheme and effective policies that are supported across the enterprise.
• People, as well as policies, are key to an effective security program. Security policies are best supported with training programs and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organizations should focus on promoting a culture of security policy compliance.
• Vendor risk management must mature – As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors' data security management programs and procedures – areas that might stand between an organization's crown jewels and cyber-attackers.

The percentage of companies that have adopted what Protiviti considers ‑ and recommends – as five core information security policies to have in place are:

• An acceptable use policy (80 percent)
• A records retention/destruction policy (78 percent)
• A data encryption policy (70 percent)
• A written information security policy (69 percent)
• A social media policy (59 percent)

However, there is significant progress to be made because only 38 percent of surveyed companies have all five information security policies in place today.

The Protiviti 2017 Security and Privacy Survey delivers insights on the specific security policies and qualities that distinguish top-performing companies from other organizations. The survey also offers trends to watch for and identifies prime action items technology leaders can take to strengthen their companies' security capabilities.

About the Survey
Protiviti's Security and Privacy Survey, now in its fifth edition, was conducted in the fourth quarter of 2016 and includes the insights of more than 700 technology executives and professionals to assess security and privacy policies, data governance, retention and storage, data destruction policies and vendor risk management practices across a mix of industries. Respondents' positions range from the C-suite (CIOs, CISOs, CTOs, etc.) to IT vice presidents, directors, managers and more, and they represent public (51 percent) and private (37 percent) companies. Sixty percent of respondents' companies have $1 billion or more in revenues.