Organizations today are faced with an unprecedented volume and variety of information risks that have enterprise-wide impact, including:
- Increased frequency of data breach carried out by advanced, targeted attacks
- Leaks of sensitive or high-value information from departing employees
- Aggressive sanctions from regulators over the lack of supervisory compliance controls
- Business use of social and messaging tools that are not under IT and security controls
Unfortunately, organizational scale and complexity have forced some organizations to continue to rely upon existing technologies, buying processes, and functionally-driven priorities that have plagued companies for the past 15-20 years and have resulted in solution overlap, IT redundancy, and ineffective risk management processes.
These opposing forces lead to a question about information risk: are organizations becoming more functionally siloed and specialized or are we moving toward a shared view of risk?
To answer this question, Actiance issued a survey that generated over 150 responses from IT, Security, Compliance and other risk management stakeholders. Highlights from the survey results include:
- As expected, managing the impact of data breach was the highest priority across all functions, with the only exception being Risk/Compliance titles who ranked the loss of sensitive customer information slightly higher
- In terms of what is working well in managing risk today, respondents across all functions overwhelmingly pointed toward clearly defined policies as an area working well. Risk/Compliance titles again differed from others in highlighting monitoring and alerting process controls as an area that is working well today
- On the flip side, all functions reported the lack of budget and sufficient resources as an area not working well, with negative responses being led by Security titles
- Collaboration across functions in the evaluation and selection of risk management solutions appears to be a practice applied by the vast majority of respondents, with only 5% of respondents indicating that their function alone is responsible for those tasks
- In terms of future collaboration, all functions highlight the definition of common control processes as a top priority. Security respondents again differ from others in highlighting the definition of business requirements for technology solution selection as top priority.
So, what can we conclude about convergence versus specialization?
This survey indicates that the views of information risk held by Security and Compliance stakeholders continue to converge. This is not unexpected, given the organization-wide concern over data breach and cyber security, and it was borne out by the survey question showing that all stakeholders are prioritizing solutions that can reduce the probability of a bad event occurring over those that offer improved productivity or promises of cost reduction.
The survey also highlighted the importance placed on collaboration – with IT playing a critical role in coordinating with both Security and Compliance stakeholders. The fact that only 5% of respondents indicated that their function alone is responsible for the evaluation of risk management solutions suggests that we may have finally arrived in an era when siloed, departmental-level decision making is done only by exception. The fact that the evaluation of most enterprise-grade risk management solutions must now proceed through security assessments, review of policy enforcement capabilities, and inspection by those involved in eDiscovery attests to this new reality.
Originally published on Actiance.com February 21, 2018.