Information security governance practices are maturing, according to Gartner Inc.'s annual end-user survey for privacy, IT risk management, information security, business continuity and regulatory compliance.

The firm surveyed individuals in 964 organizations with at least $50 million equivalent in total annual revenue for fiscal year 2014, and with a minimum of 100 employees, between February and April 2015.

"Increasing awareness of the impact of digital business risks, coupled with high levels of publicity regarding cyber security incidents, are making IT risk a board-level issue," Tom Scholtz, vice president and Gartner Fellow, said in a statement.

"Seventy-one percent of respondents indicated that IT risk management data influences decisions at a board level,” Scholtz said. “This also reflects an increasing focus on dealing with IT risk as a part of corporate governance."

The nature of the reporting lines of the information security team is one of the key attributes of effective governance, the firm says. Nearly 40% of the survey respondents indicated that the most senior person responsible for information security reports outside of the IT organization. "The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that security is an IT problem," Scholtz said.

Organizations increasingly recognize that security must be managed as a business risk issue, and not just as an operational IT issue, Scholtz said.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access