Recently the Ponemon Institute completed a new project, the Security Efficiency Benchmark Study, whose purpose was to learn what IT security leaders in the UK and Europe consider the key components of an efficient and effective security operation. In other words, we wanted to know what is necessary for achieving data security goals and protecting information assets and infrastructure.
As more and more organizations appoint chief information security officers and increase investments in IT security, there is a reasonable expectation that threats will be addressed – but how can the success of a security program be measured? To help answer this critical question we were commissioned by Vistorm and Check Point to create what we call the Security Efficiency Framework as a methodology to help organizations understand the most operationally efficient route to their desired security posture. We presented the results of our benchmark study and Framework in a recent webinar, the archive of which can be heard here.
The first step in developing the Framework was to interview the security leaders of 101 UK and European organizations in order to empirically validate the key components of an effective and efficient security operation. We learned that there is general consistency in the way IT security leaders frame operational efficiency in the domain of information security and data protection. The key drivers of better efficiency are technologies, control practices and overall program oversight. They also see organizational culture and budget as important in driving improvements in operational efficiency.
In addition, our research finds general agreement among IT security leaders about the underlying factors that give rise to better operational efficiency, which include the following:
·Appoint a CISO or organizational leader for information security
·Initiate training and awareness programs on data protection and security for end-users
·Achieve an organizational culture that respects privacy and data protection
·Obtain executive-level support for security
·Deploy strong endpoint controls
Our research also revealed the characteristics of an organization that is not operationally efficient:
·Do not achieve a high security posture
·Do not have ample budget or resources
·Do not deploy strong perimeter controls
·Do not have credentialed or experienced staff
·Do not have an enterprise security strategy
We hope you find this information worthwhile. Please contact the Institute if you have any questions related to this study, our Framework, or other related questions.
Holistic is a popular word these days. Often applied to food and medicine, the word conjures images of natural, healthy living, but holistic properly refers to the function of an entity as a whole, including the interdependence of all its parts. Given this broader meaning, holistic can (and should) be applied when thinking strategically about the way a business organization operates. Successful, well-functioning organizations must adapt to change, be flexible in their relationships, and be innovative in their approach to business. They must not only have the capacity to react to change, but also to anticipate change and act innovatively.
Just a brief note to bring our recent webinar to your attention. I presented Information Governance in the Cloud along with the good people at Symantec. The presentation is based in part on results from our earlier report, Flying Blind in the Cloud.
If you want to view the webinar, presented on the Windows Live Meeting platform, please click here.
If you have any questions or comments about this issue, our report, or the webinar, we'd love to hear from you.