Question 1 and 2: Position title and time in position
The position of Information Security Manager is progressively appearing in organisations. This fits with answers to questions 1 and 2: almost 25% of respondents are responsible either for information security or for IS security. In question 2, more than 64% of answerers have been less than 5 years in their position.
Question 3 and 4: Field of expertise in previous position and position to report to
As information is a valuable asset and it resides in information systems, it is plausible that 68% of respondents come from the information technology field and that still 30% of them report to the CISO. Nevertheless, this also explains the difficulty to provide information security with a business dimension.
Questions 5 & 6: Number of influenced employees and sector
Small companies are far from tackling risk management aspects: Information security and risk management professionals work for medium to large companies (only 13% of answers influence less than 100 employees) and probably in the financial sector (as more than 50% of survey respondents). This fits with the state of art in infosec and with the ERM concept, with origin in the financial sector.
Statements 1, 3 & 4
IT is transforming business processes (83% of answers) and they are frequently changing (47% of answers) together with changes in management structures (64% of answers). These results corroborate the reasons for risk management integration proposed in the literature review: changes bring complexity.
Statements 6 to 19: Information security practice
Regarding information security, the results of the survey confirm the current status presented in the literature review, still far away from effectiveness: only half of respondents perform risk analysis based either on business impact or threat and vulnerability analysis. This means that one of the key success factors for infosec, following a standard, is not present in half of the surveyed organisations.
However, some signs suggest that organisations are heading into the right direction: almost in 70% of the cases, information owners receive their risk analysis although, in 44% of the occasions, they don’t have an active role accepting or mitigating risks.
Another key success factor presented in the literature review that is not yet followed by the majority of surveyed organisations is communicating the business value of infosec (in 58% of the cases the security policy is not communicated to all employees).
Regarding the existence of infosec executive committees, in 75% of the cases they are accountable for implementing infosec controls and only in 23% of the cases they have an overall accountability for infosec. This is a characteristic of the infosec gap mentioned in the review.
Finally, only 40% of answers show collaboration between infosec and IS security. This is an integration requirement. Consequently, there is still a long way to achieve the benefits of integrating risk management fields.
Statements 2 and 5: strategic RM with employees’ involvement and transparency practice
Results follow requirements present in the review. An ERM integration requirement is to ensure everybody’s involvement. 65 % of surveyed professionals agreed theoretically with this requirement. The transparency practice requirement is followed by a surprisingly high figure of respondents: 85%
Statements 20 to 22: Acceptable risk messages
In 61% of the cases, management provided organisations with a message regarding acceptable and non-acceptable risks. This is a promising figure considering that it is a key ERM requirement to integrate infosec with ORM. However, further communication activities are required since only in 22% of the cases this message is documented and it is rarely accessible by employees (19% of answers).
Statements 17 and 18: ORM executive committee
Principle 8 of Basel II mentioned in the literature review recommends to have an effective operational risk framework in place. As operational risk permeates through the whole organisation, it is thinkable that an executive committee should be in charge of it, similarly to what ISO (2005) proposes for infosec.
However, only 48% of respondents answered positively for the ORM model and the figure is even lower when referring to the implementation of an ORM model (31%).
Statements 6 to 8 and 13
According to the survey, the information security programme set by management is more a long-term set of objectives (67% of answers) rather than middle-term (52%).
Management commitment is an essential requisite to pursue any risk management integration. However, only 42% of survey answers showed management commitment to infosec. As an example, only in 41% of cases management approved the security policy.
Statements 31 to 33: Strategic alignment for RM, infosec and IS Security
Survey results show that alignment between business strategy and infosec has been achieved in 57% of the cases whereas answers for RM (47%) and IS Security (39%) are lower.
Although these statements are not a cluster in terms of reliability to reflect a common dimension, their answers confirm first, the pervasiveness of information and second, the understanding that information is a valuable asset which must be protected.
Statements 23 to 30 and 34 to 38: tactical, strategic and organisational benefits
Increase stakeholder value, new business opportunities and better governance appear in the top 3 benefit ranking.
In addition, the organisational benefits brought in by the RM practice in the surveyed organisations have obtained lower agreement rates than the same organisational benefits brought in by the infosec practice.
Finally, the fact that 68% of respondents state that their risk management activities will be more coordinated in the future confirms the statement that organisations need and are willing to implement an integrated risk management approach, not only to be compliant but also to cope with globalisation and complexity.