Survey: Are We Moving Toward a Shared View of Information Risk?

Organizations today are faced with an unprecedented volume and variety of information risks that have enterprise-wide impact, including:

  • Increased frequency of data breaches carried out through advanced, targeted attacks
  • Leaks of sensitive or high value information from departing employees
  • Aggressive sanctions from regulators over the lack of supervisory compliance controls
  • Business use of social and messaging tools that are not under IT and security controls

Unfortunately, organizational scale and complexity have forced some organizations to continue to rely upon existing technologies, buying processes, and functionally-driven priorities that have plagued companies for the past 15-20 years and have resulted in solution overlap, IT redundancy, and ineffective risk management processes.

These opposing forces lead to a question about information risk: are organizations becoming more functionally siloed and specialized or are we moving toward a shared view of risk?

To answer this question, Actiance issued a survey that generated over 150 responses from IT, Security, Compliance and other risk management stakeholders. Highlights from the survey results include:

  • As expected, managing the impact of data breach was the highest priority across all functions, with the only exception being Risk/Compliance titles who ranked the loss of sensitive customer information slightly higher
  • In terms of what is working well in managing risk today, respondents across all functions overwhelmingly pointed toward clearly defined policies as an area working well. Risk/Compliance titles again differed from others in highlighting monitoring and alerting process controls as an area that is working well today
  • On the flip side, all functions reported the lack of budget and sufficient resources as an area not working well, with negative responses being led by Security titles
  • Collaboration across functions in the evaluation and selection of risk management solutions appears to be a practice applied by the vast majority of respondents, with only 5% of respondents indicating that their function alone is responsible for those tasks
  • In terms of future collaboration, all functions highlight the definition of common control processes as a top priority. Security respondents again differ from others in highlighting the definition of business requirements for technology solution selection as a top priority.

So, what can we conclude about convergence versus specialization?

This survey indicates that the views of information risk held by Security and Compliance stakeholders continue to converge. This is not unexpected, given the organization-wide concern over data breach and cyber security, and it was demonstrated by the survey question showing that all stakeholders are prioritizing solutions that can reduce the probability of a bad event occurring over those that provide improved productivity or promises of cost reduction.

The survey also highlighted the importance placed on collaboration – with IT playing a critical role in coordinating with both Security and Compliance stakeholders. The fact that only 5% of respondents indicated that their function alone is responsible for the evaluation of risk management solutions indicates that we may have finally arrived in an era when siloed, departmental-level decision making is done only by exception. The fact that the evaluation of most enterprise-grade risk management solutions must now proceed through security assessments, review of policy enforcement capabilities, and inspection by those involved in eDiscovery attests to this new reality.

Originally published on Actiance.com February 21, 2018.

Robert Cruz

Senior Director of Information Governance at Smarsh
Robert Cruz is Senior Director of Information Governance for Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and discovery cost and risk reduction.