Recently the Ponemon Institute completed a new project, the Security Efficiency Benchmark Study, the purpose of which was to learn what IT security leaders in the UK and Europe think are the key components of an efficient and effective security operation. In other words, we wanted to know what is necessary for achieving data security goals and protecting information assets and infrastructure.
As more and more organizations appoint chief information security officers and increase investments in IT security, there is a reasonable expectation that threats will be addressed – but how can the success of a security program be measured? To help answer this critical question we were commissioned by Vistorm and Check Point to create what we call the Security Efficiency Framework as a methodology to help organizations understand the most operationally efficient route to their desired security posture. We presented the results of our benchmark study and Framework in a recent webinar, the archive of which can be heard here.
The first step in developing the Framework was to interview the security leaders of 101 UK and European organizations in order to empirically validate the key components of an effective and efficient security operation. We learned that there is a general consistency in the way IT security leaders frame operational efficiency in the domain of information security and data protection. The key drivers of better efficiency are technologies, control practices and overall program oversight. They also see the importance of organizational culture and budget in driving improvements in operational efficiency.
In addition, our research finds general agreement among IT security leaders about the underlying factors that give rise to better operational efficiency. These include the following:
· Appoint a CISO or organizational leader for information security
· Initiate training and awareness programs on data protection and security for end-users
· Achieve an organizational culture that respects privacy and data protection
· Obtain executive-level support for security
· Deploy strong endpoint controls
Our research also revealed the characteristics of an organization that is not operationally efficient:
· Does not achieve a high security posture
· Does not have ample budget or resources
· Does not deploy strong perimeter controls
· Does not have credentialed or experienced staff
· Does not have an enterprise security strategy
We hope you find this information worthwhile. Please contact the Institute if you have any questions related to this study, our Framework, or other related questions.
Today we held a RIM College event featuring three noted experts in corporate privacy training programs, namely Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro). Our focus is: what are leading companies doing to achieve awareness and knowledge about privacy and data protection requirements?
We are pleased to present The State of Privacy and Data Security Compliance study conducted by Ponemon Institute and sponsored by Sophos. The purpose of the study is to determine if various international, federal and state data security laws improve an organization’s security posture. What is the value of compliance and does it correlate with the value of the compliance effort?
Privacy pro: Do you ever feel like you are working overtime to meet overly ambitious expectations? Are you frustrated by your attempts to outline a plan for protecting sensitive personal information only to get the sense that you are talking to a brick wall?
CEO: Are you puzzled as to why the people your company has hired to address security and privacy concerns never seem to meet the objectives you have for them? Are you flummoxed by the fact that the investments you’ve made in data security aren’t helping to stem the tide of data loss?
The eGovernment movement is a good thing, and maybe too long in coming given how many years businesses have been taking advantage of technology to provide convenience and a higher quality of service to their customers. Constituent services have been available online for years, certainly, but only recently has the effort to modernize government been policy.
I want to share an article with you that I think has a tremendous lesson for anyone in the business of building trust. The article is from a recent edition of Foreign Policy (reprinted from Joint Force Quarterly), but don't let the source put you off. Admiral Michael G. Mullen, chairman of the Joint Chiefs of Staff, writes about what it takes to establish credibility and build trust.
Admiral Mullen's perspective is different from yours and mine, but there are nuggets here that are vital no matter what your business.
I’m still processing a lot of the information gathered, shared, and created during our 8th RIM Renaissance this past weekend in Minneapolis. One of our sessions focused on the creation of an information governance “treaty” that holds various organizational members to a high standard (consistent with our RIM principles). Please review the following draft document and let me know what you think.
We just completed a survey of federal IT security professionals to examine the data protection posture of government agencies. Through the survey, sponsored by CA, we wanted to see whether or not there is consistency in the perception of rank-and-file employees and executive management as it pertains to the safeguarding of sensitive information, regulatory compliance, and the day-to-day management and execution of a security program.
Sponsored by McAfee, the Best Practices in Data Protection survey is our latest effort to find out what separates the best organizations from the rest. We believe this study is important because it provides insights on how organizations can be more successful when investing in and building a data protection program. The study's findings reveal five success factors in a data protection program:
· A formal data protection strategy for the organization and metrics to determine if the strategy is effective.
· Key metrics from a management console and observation and regular testing of data protection solutions.
· Data protection technology features that focus on privileged users, restriction of access and outbound communications are considered critical.
· Centralized management of the data protection program with such features as actionable information, policy administration, reporting, automatic securing of endpoints and monitoring.
· Automated policies for detection and prevention of end-user misuse of information assets.
Ponemon Institute is releasing our annual Most Trusted Companies for Privacy study this coming week. This is the eighth year that we have conducted a U.S. national consumer study that determines the organizations believed to be most committed to protecting and securing personal information. Our research also determines the underlying factors that consumers perceive as most important or influential to their trust ratings. For more information, please contact email@example.com.
Last week I presented the results of our latest study entitled, "The State of IT Security: A Study of Utilities and Energy Companies." Sponsored by Q1 Labs, this research revealed that utilities and energy companies in our study are more concerned about preventing downtime than stopping a cyber attack. In addition, a majority of respondents said that compliance with standards such as NERC CIP is not a top priority. Most surprisingly, only 16 percent of respondents believe that their organization's existing controls are designed to protect against exploits and attacks through the smart grid. For more information about this study, please contact firstname.lastname@example.org.
Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.
It has been more than six years since the ChoicePoint data breach thrust the issue of privacy protection into the headlines. Since then hundreds of information security failures have been disclosed and the tools and techniques used to keep sensitive information safe have advanced at a healthy pace. Recent incidents in the healthcare industry, however, strongly suggest that best practices have not been universally adopted.
I hear the collective sound of our friends, colleagues, and other interested parties scratching their heads at the release of the most recent piece of Ponemon Institute research, National Survey on Data Center Outages. You read that right, data center outages.
I am delighted to share with you our recently completed benchmark study that focuses on healthcare organizations and their ability to comply with new regulations. Of 77 participating covered entities and business associates, 27% have not started or are barely aware of what they need to do, 32% are waiting for more details, 14% have a plan but are waiting for more details, and 21% are just starting to act. This data was collected from June through October 2009. If you are affected by the HITECH Act, this benchmark study may be helpful to you.
(click to download study) This second annual study examines access governance practices in US organizations. The objective of this study is to track the perspectives of IT security and compliance practitioners about how well they are achieving access governance within their organizations.
(click to download study) It should come as no surprise that trust is increasingly important in customers’ loyalty to their bank. While overall trust in the industry is down, banks that experienced a significant data breach also experienced a significant decline in their trust scores. This study also reveals there is a correlation between customers’ trust and how long they remain with the same bank. Customers expect their bank to have protective measures in place to guard their data. If that expectation is not met, they will change banks.
(click to download study) Independent Ponemon Institute research looks into the controversial behavioral advertising industry to understand from marketers their experience with the medium’s success, and how consumer perceptions of trust or lack thereof are affecting investments.
Sponsored by Thales eSecurity (download the study). The purpose of this study was to identify what auditors think about crypto technologies as they apply to data protection and compliance activities in public and private organizations. Seventy-one percent of respondents believe that an organization’s information assets cannot be fully protected without the use of crypto solutions.
(Click to download study) We are pleased to present the findings of The Aftermath of a Data Breach, a study conducted by Ponemon Institute and sponsored by Experian® Data Breach Resolution. The study was conducted to learn what organizations did to recover from the financial and reputational damage of a data breach involving customer and consumer records.
(Click to download study) Ponemon Institute is pleased to present the results of The Human Factor in Data Protection. Sponsored by Trend Micro, this research focuses on how employees and other insiders can put sensitive and confidential information at risk and what organizations are doing to reduce this risk.
(Click to download study) What Senior Executives Think about Data Protection, conducted by Ponemon Institute and sponsored by IBM, was conducted to determine what corporate executives believe are the most important factors and activities to consider when safeguarding sensitive information and complying with increasing regulation, including the data breach notification laws that now exist in more than 45 states.
We are pleased to announce the release of a new Ponemon Institute study sponsored by WatchDox. If you ever worry about an employee downloading confidential, regulated data onto their own personal mobile device, you need to read our report. To obtain a copy click here.