A surprising accusation has been levelled at many IT vendor boardrooms in a survey carried out on behalf of IT Governance Ltd. The core finding is that, despite a steady stream of horror stories of data loss appearing in the press, and increasing calls for improved cyber security by an overwhelming majority of their customers, most board-level directors amongst IT vendors would seem to be turning a deaf ear to the demands.
According to IT Governance’s international ‘Boardroom Cyber Watch’ survey of senior executive opinion about cyber security a large majority of respondents both in the UK and overseas, 87 percent, know about the key governance standard, ISO/IEC 27001, it is complied with by only 35 percent them.
A significant majority, therefore, seem happy to ignore an international best practice standard that has been designed for any organisation seeking a structured framework to address cyber risk. According to IT Governance, ISO/IEC 27001 significantly improves an organisation’s information security and resilience.
There is also evidence that many of them are aware of the problem and acknowledge that insufficient effort is being put in. For example, the cyber report finds that a substantial minority - over 40 percent - say that their company is either making the wrong level of investment in information security, or are unsure if the investment is appropriate.
This is despite some 74 percent of them saying their customers prefer to deal with suppliers with proven IT security credentials. A further 50%, meanwhile, say customers have enquired about their company’s security measures in the past 12 months.
It has to be acknowledged, of course, that as a specialist consultancy service on governance issues and ISO/IEC 27001in particular, IT Governance has something of a vested interest in the results of its survey.
That being said, the observation of Alan Calder, the company’s founder and Executive Chairman: that information security is about more than cybercrime defence and that the ability to offer proven information security credentials is not an unwelcome cost but a competitive advantage, has more than a little merit.
“Given that a globally recognised best practice framework for addressing the risks related to systems, people and technology already exists in the shape of ISO/IEC 27001, it’s surprising to see such a large number of suppliers still resisting the opportunity to demonstrate their credibility,” he said. “In the face of constantly evolving new threats around the globe, the need for increased compliance is a fact of life. Companies must therefore ensure that their defences are in a state of constant evolution - so much so that any organisation which handles customers’ personal data, for example, but is not compliant with ISO27001, is at risk of displaying overt negligence.”
The ‘Boardroom Cyber Watch 2013’ study was conducted online in April and May 2013. It surveyed 260 chief executives, board directors and IT professionals from organisations of all sizes, with revenues ranging from less than US$5m to more than US$500m. The sample included organisations based in the UK and United States, South America, Central Europe, Africa, the Middle East, Asia, Australia and New Zealand.