Presented here are the findings, divided into three sections: IS maturity, incidents and outlook & opinion of CISOs
Almost all senior information security professionals think that the boards/CEOs in their organization fully or partially understand the risk arising out of information security threats. While 51% feel that their CEOs/boarders are fully aware of the risks, another 36% think they adequately understand those risks, according to the State of Information Security 2017 research, designed and conducted by IT Next.
Yet, as many as 31% of organizations do not have designated heads of risk. If that number sounds high, here is a factoid. Last year, it was as much as 49%. There is considerable improvement.
In another worrying finding, about 35% respondents said their organizations do not measure financial loss due to security incidents at all. A further 35% revealed it is only measured if the incident has a direct relation to revenue.
However, there is good news. There is more and more business alignment. Two out of three respondents said the security strategy should be dependent on nature of business even as CISOs finally start to see themselves as organizational risk managers and business enablers rather than ‘protectors’, ‘compliers’ to regulatory requirements and tech implementers.
The State of Information Security 2017 survey focused primarily on two aspects:
- organizational maturity in terms of appreciating the risks arising out of information security issues and how organizations are handling that
- how CISOs (or other senior security professionals) perceive their roles and responsibilities ahead
The research was an effort to understand the business alignment of information security within large and medium Indian organizations and was not meant for getting into technologies, solutions and tech-related practices of businesses. There are industry standard global surveys. The only overlap with those surveys could be a couple of questions about actual security incidents that happened in last 12 months and how they perceive the probability in the next 12.
The research was conducted among the participants of NEXTCSO Conference organized by CSO Forum at Jaipur between 6th and 8th July 2017. While 40% of the participants were CISOs, 6% were CIOs while further 6% were EVP/VP/Directors. From among the organizations, as much as 56% were large organizations, with more than 5000 employees.