Despite growing awareness of security and information risk issues at Board level across UK organisations – coupled with an increase in budget allocation for risk management – 84% of businesses are vulnerable due to fragmented security controls. That is the major finding of a comprehensive new survey conducted by Atos Consulting and the National Computing Centre.
The findings from the survey highlight the need for governance and the true integration of security across the whole business in order to ensure that the additional investment does deliver value.
One example of fragmented governance is that Human Resources (HR) in the majority of organisations is not aligned to the head of security or the chief information security officer. 55% of respondents answered that their security and information risk function has no responsibility for HR, while 75% of those questioned said that one of the biggest threats to the integrity of business controls comes from within their own firms.
“Organisations need a single approach to risk management in order to efficiently and cost-effectively protect the company’s reputation,” commented Mark Jones, head of risk management and security services for Atos Consulting. “The survey specifically reveals that the HR function within companies should have a more clearly defined role regarding enterprise risk management policy and enforcing employee adherence, particularly in view of the recently-reported issues regarding sensitive information on stolen laptops.”
Other key findings are that:
- over 70% of companies report an increased level of attention to risk management and security at the head of IT level;
- 50% of companies report an increased level of attention to risk management and security at the Boardroom level;
- increased awareness across the business has a direct, positive effect on risk management budgets, with only 6% of respondents reporting a decrease in their budget in the coming 12 months.
Embedding stronger alignment between business and IT controls is one of the main budget items for companies in 2007; in practice, this means two thirds of firms will have single sign-on within two years.