GRC (Governance, Risk Management and Compliance) is currently one of the biggest issues facing companies of all sizes. To date, GRC has not always received top billing in boardrooms across the country, but the fallout from major data breaches in the past two years has sent a clear message: the responsibility for data breaches is being laid on the board of directors and C-level employees.
A report a few months back by PwC noted the shift in responsibility as a shift in the way we think about data security in general.
“Cyber risk is a business issue, not just a technology issue. Market leaders are finding that cyber risk management needs to be owned by the C-suite rather than by IT.”
People, process and technology are the cornerstones of an effective data security policy. Without education on their role in protecting data, and an awareness of the importance of protecting data, employees will continue to put data at risk. For any security policy and education initiative to be effective, the organization's culture of security must be embedded top-down. Right now, this isn’t the case for most organizations. A study from the NYSE earlier this year showed that 42% of boards only occasionally discuss cyber or IT security issues. This doesn’t look like a top-down approach that prioritizes data security.
“More than 80% of the directors we surveyed indicated that their company’s IT budget includes funds for awareness and training. But often, cautions Bernard, the type of training is just as important as the budget or its scope. ‘Static, computer-based training is insufficient to address the risk. Often, standard training programs are offered on a click-through basis, just like HR and compliance training,’ says Bernard. ‘The biggest vulnerability in most organizations is the people, and they can come in every day, and they can either improve the information security posture by being alert or not.'”
While strong IT management and layered security technologies play their part in data security, organizations need to stay on top of risk assessments, security policies and employee training in order to mitigate data security risks. Right now, most executives and boards know that data security must be aligned as a business issue but readily concede it’s a challenge to get there.
The most secure organizations are ones where there is a culture of security that is embedded top-down, where every employee, from the board to the mail room, understands their role in protecting corporate data, with tools that support, enable and protect data wherever it resides. To learn about how Absolute can help your organization get there with tools to support GRC initiatives for the endpoint, visit our website.