IT Security: Podium place or first round shame?
The Reg Readers have spoken
Tech Panel The results of our Security Poll are in, and like medal-toting 'Team GB', they show that being game counts a lot.
A big thanks to the 1,100 fine folk who took part in the poll, the warm up to our forthcoming Security Debate in September. You told us straight up that IT security remains an important issue. However, it’s clear that between organisations, IT security practices vary considerably.
In fact, leaving technology aside and concentrating on some behavioural and attitudinal attributes highlighted some serious differences. We separated out the two extremes: organisations scoring very high or very low on levels of security awareness and availability of training, and how seriously IT security is taken by senior management, the workforce and the IT department. Then we compared the socks off them.
So was it worth it? Yessirree.
Broadly speaking, the leader group considers itself to be much better protected against a range of security threats. There’s a certain level of confidence generated by being up for it, it seems.
But does it make any actual difference? Well, yes, especially in more complex risk areas such as website defacement or corruption, where we found the laggards to be three times more likely to suffer.
Continuing the leaders and laggards theme, a number of other ‘good behaviours’, in policy, communication and tooling became clear.
While IT security policy across the sample is all over the place, leaders are twice as likely to have a comprehensive policy in place. When it comes to tools in use, it seems that being up for it includes being far more likely to be getting to grips with some of the more complex IT security solutions – vulnerability testing, intrusion protection, event management and behavioural analysis - to name a few.
But what spark, or otherwise, separates the leaders from the rest?
A big clue lies in the degree of communication. You’ll like this, because it supports the ‘we’re not bloody mind readers’ angle that IT often has to take with the business. Essentially, the leaders understand that IT isn’t a bloody mind reader, and have thus got better at prioritising the risks their businesses face, and at communicating them to IT. Furthermore, they are streets ahead when it comes to communicating all this to the workforce. These rather simple capabilities could be a fundamental reason for the chasm between the effectiveness of the leaders and the laggards.
Ultimately, it will always be worth reviewing the IT security situation in any organisation and determining what improvements can be made. This is particularly true when it comes to communication, as time and again we see that ‘the threat within’ ranks higher as a risk factor than any other issue.®