Benchmark Results

Best Practices for Managing Information Security


Key Finding
Organizations with Chief Information Security Officers are posting much better results, including:
- Higher revenues, profits, and retained customers
- Significant reductions in financial exposure from data loss and theft
- Higher levels of business productivity from IT
- 50 percent less being spent on audit

Some organizational structures and strategies yield better results


Organizations managing the information security function with a risk management and quality assurance focus deliver much better results. The differences are reflected in better retention of customers, as well as larger revenues and profits. Better business results are matched by much lower losses or thefts of customer and sensitive data, accompanied by lower financial exposure from these events. Moreover, the differences in outcomes are accompanied by fewer problems with audit, much lower expenses for audit, and less business downtime related to failures and disruptions occurring in IT.

Organizational structure
The outcomes being experienced by organizations also reflect significant differences in how the information security and assurance function is organized, managed and operated. Those experiencing the best outcomes manage the information security function through a CISO who reports to a Chief Risk Officer (CRO), a Chief Compliance Officer (CCO), the senior leader of IT assurance or the Chief Information Officer (CIO). Most organizations posting normal results manage the information security function through a CSO or a manager of IT operations who reports to either the senior leader of IT operations or a CIO. Organizations experiencing the worst outcomes manage information security through a systems or network administrator who reports to a manager or director of IT operations, or to the senior leader of IT operations.

Coverage
The findings covered by the benchmark report, Best Practices for Managing Information Security, are based on outcomes being experienced by organizations. The outcomes benchmarked include customer retention rates, revenue, profit, data loss and theft, business downtime due to IT failures and disruptions, regulatory audit deficiency corrections needed in IT to pass audit, and spend on audit. Management structures for information security are accompanied by differences in how organizations establish and manage information security objectives, manage the information security function and manage day-to-day operations, with detailed coverage of management and operational activities. The report also covers the role of standardized procedures and the specialization of labor, the impact of automation, reporting, quality improvement programs and where the information security function reports in organizations.

About the Research


The benchmark findings contained in the report are from research conducted between late 2008 and late 2009 with 809 organizations, primarily within the United States. Although the findings in the report are representative of outcomes and management practices within North America, the results and practices mirror others obtained from research conducted with respondents in organizations in Asia, Europe, Latin America, the Middle East and the Pacific Rim. A full copy of the report can be obtained from the IT Policy Compliance Group website: www.itpolicycompliance.com. There is no charge for reports, and reuse privileges can be found on the website.

About IT Policy Compliance Group


The IT Policy Compliance Group is a member-advised research consortium focused on identifying, through fact-based benchmarks, what is working to produce better outcomes. The Group is focused on assisting IT, IT audit, internal audit, risk management, legal and compliance professionals.
Charter members of the Group include Computer Security Institute, The Institute of Internal Auditors, ISACA, IT Governance Institute, Protiviti and Symantec Corporation.

IT Policy Compliance Group, February 2010