According to a recent survey by Varonis Systems, more than two-thirds of the respondents indicate that their senior management has little or no idea where their company data resides. The survey was conducted during the EMC World event, and includes data from more than 400 enterprises.
The majority of companies surveyed also indicate they have no systems in place to account for which corporate files reside in systems managed by third-party service providers. Companies reported they have no way to track what data is being stored in the cloud and no process to manage access to that data.
In short, the survey reveals that:
- Only 9% of the companies surveyed have procedures in place to control access to data stored in the cloud;
- 23% of organizations are still developing their data access policies;
- 74% of respondents reported that they do not have a process for tracking which files have been placed on third-party services;
- 68% either have no plans in place that they are aware of, or live without formal processes for granting and reviewing access.
These survey results should be a wake-up call for all companies. CIOs should start developing and implementing strategies to ensure data security as quickly as possible.
Here are some questions that senior managers and the board of directors should be able to answer:
- Do managers know who is responsible for security?
- Does the head of security frequently meet the board of directors?
- When was the last time top managers got involved in security-related decisions?
- Would people recognize a security issue? Would they know who to call?
- Is the company clear on its position relative to IT and security risks?
- What percentage of staff have had security training?
- Are managers convinced that security is being appropriately addressed in the company?
- Are managers aware of the latest information security issues and best practices?
- What can be done to successfully implement information security governance?
Protecting the interests of the stakeholders is a fundamental responsibility of senior management. This includes understanding the IT risks and ensuring that they are adequately addressed from a governance perspective. To do so effectively, you need to manage information security risks by integrating an information security governance framework into your overall enterprise governance framework.