A study into the information security practices of 600 mid-sized European businesses by PwC and Iron Mountain paints a disappointing picture of their state of maturity. Their overall score comes out at 40.6 on a scale ranging from 0 (dreadful) to 100 (excellent). 40.6 is somewhat below the pass-mark of 50.
In my experience performing IT audits against ISO/IEC 27002, average scores have been up around 60 to 70%, although these are for large organizations in industries that take information security seriously (financial services, defence, aerospace, pharmaceuticals and hi tech/engineering). For starters, they employed me to do their IT audits!
The PwC/Iron Mountain study appears to have been based on a ticklist approach: the report appendix lists 34 topics under the question-stem "Which of the following does your organization have in place?", implying that respondents simply ticked off the ones that apply - things such as a corporate risk register and an employee exit process. It's a simple method that partially compensates for the lack of detail by surveying many organizations at once, although as a metric it is crucially dependent on the wording of the specific questions.
There are no surprises in the study's three recommendations: (1) make information security a boardroom issue; (2) change the workplace culture through security awareness; and (3) put security policies and procedures in place. Many of us have been promoting these for years. Unfortunately, the study didn't address the issue of why these are not already near-universal practices. Why isn't information security on every board's agenda already? Why is security awareness still seen by many organizations as a once-a-year thing, if ever? Why do so many managers evidently not appreciate the need for clarity around security policies and processes?
I'm reminded at this point of the N-whys method, pioneered for Kaizen and the Toyota Production System. The method is brilliantly simple: ask why something occurs, then explore the response with another why, and carry on asking why to get to the root cause - or rather causes since, if done well, the method reveals an extensive root system of causative factors rather than a single root cause.
For example, here's one possible line of reasoning using N-whys:
- Why isn't information security on every board's agenda already? Because there are too many other pressing demands on the board's valuable time.
- Why are there too many other pressing demands on the board's valuable time? Because information security is just one of many strategic/governance/compliance/risk management issues.
- Why is information security just one of many strategic/governance/compliance/risk management issues? Because it is diffuse and ill-defined.
- Why is information security diffuse and ill-defined? Because many people are confused between IT security and information security.
- Why are many people confused between IT security and information security? Because general news coverage and business reporting does not draw a distinction.
- Why doesn't general news coverage and business reporting draw a distinction between IT security and information security? Because hacking, privacy and malware incidents make effective headlines, whereas information security is mostly unglamorous and humdrum.
- Why is information security mostly unglamorous and humdrum? Because the information security profession does a poor job of explaining and justifying its existence.
- Why does the information security profession do a poor job ... OK, enough already, you get the idea.
I'm certain you would have followed a different path from the initial why, and in fact I would probably take a different route every time through the same analysis, quite deliberately because I get bored so easily! As a brainstorming technique, however, I suspect a diverse group of people would soon converge on a common set of causative factors, along with some uniques that might prove interesting in themselves. PwC/Iron Mountain evidently homed in on three key factors, and that's fair enough, but I encourage you to take a look at the survey's findings, draw your own conclusions, and see what you would recommend. Seriously, it's not hard to come up with many more than three, and it's an interesting exercise in its own right.
For bonus marks, run this as a workshop with a collection of business managers and GRC specialists, and in so doing make a great start on recommendation 2!