Progress in IT Security Practices Mixed but Not Improving Overall, Computer Economics Says
Computer Economics has released its major annual study on 34 IT management best practices, and one important category–IT security and risk management–is showing mixed results. Adoption of one vital IT security best practice is down, while others are up or flat.
The bad news is that IT security policies appear to be going in the wrong direction. The study, IT Management Best Practices 2019-2020, shows that IT security policies are a mature practice, with 54% saying their security policies are formal and consistent.
The fact that most organizations have IT security policies is expected, since such policies are often mandated by corporate standards or industry regulations. But the analysts say it is disappointing that only 54% of them establish them formally and consistently. What is more disappointing is that the percentage is down from 57% last year. “This is surely one reason that we continue to see devastating, high-profile security breaches every year,” Computer Economics says.
Security incident management, at 51%, is third on this most mature list, but at least it is moving in the right direction. It was at 48% maturity last year. Security incident management is a process to record, track, and resolve security incidents. When a security incident takes place, an organization will have a response team in place and clearly defined procedures for managing the incident. But again, only about half of IT organizations formally and consistently respond to and manage security incidents.
Penetration testing, at 44%, is new to our survey. Not seen on this figure is IT security compliance audits, which is unchanged from last year at 42%. Both of those bear watching in the coming years, as they are important disciplines.
“Because so many security practices are in the top five, on the surface it appears companies are emphasizing security,” said Tom Dunlap, director of research for Computer Economics, an Irvine, Calif.-based research firm. “Unfortunately, it isn’t really true. Security practices that aren’t adopted formally and consistently leave major security risks. Security practices are most definitely not optional.”
(For more information visit https://www.computereconomics.com).