2021 ViewPoint Espresso report on Information Security


ViewPoint Espresso: How are companies tackling enterprise risks?
#6, November 2021 – Information Security


Espresso surveys – Enterprise Risk Management Pulse Check, 2020-2021

The Espresso Survey is turning its focus to Enterprise Risk Management. What are companies struggling with these days, and has the picture changed due to the "new normal"? Throughout this series of surveys, we check the pulse of companies on the following topics:

• Environmental Management (May 2020)
• Business Continuity (September 2020)
• Infection Risk Management (November 2020)
• Remote Audit (January 2021)
• Occupational Health and Safety (March 2021)
• Information Security (October 2021)

The topics selected are both new and returning ViewPoint survey topics. Where possible, we compare data to see what changes may have occurred over time. The objective is to provide insight on each topic as to what is top of mind for companies around the world when it comes to Enterprise Risk Management.

DNV ©


Setting the Scene

Topic in focus
The sixth snapshot is of information security. The short survey was launched in October and the results were released in November 2021.
In a complex digital environment, companies are increasingly exposed to information security risks. In the face of malware, ransomware and hackers, data protection is a must to prevent breaches that cause business disruption, reputational damage and financial losses.

Where are they now?
A similar survey on information security was conducted in 2015. Changing attitudes towards information security have also driven tougher regulations, and as the technology landscape constantly changes, companies must understand current and future risks to build resilience. But where are companies in their journey now, and has their approach changed in the last 6 years?

What did we ask?
• How has companies' maturity within information security evolved?
• What are the most common initiatives to mitigate information security risks?
• What are the main benefits of ISO 27001 and similar certifications?
• How will investments evolve?
• How are policies adjusted, and which actions mitigate risks arising out of digital transformation?
• What are corporate attitudes around Cloud, the 'Zero Trust' security model, cybersecurity and AI?
• How do companies mitigate supplier information security risks?

What did we find?
• Maturity has slightly increased, which could reflect the heightened risk picture companies face.
• Main mitigating actions have shifted from hardware to people, i.e. training staff to address existing and emerging risks.
• Satisfying customers is the primary benefit of management system certification.
• Certified companies adopt a structured, certification-based approach to manage all information security risks.
• Companies intend to invest more in information security measures.


Question 1 – Maturity
Where would you position your company on a 5-point maturity scale for Information Security, where 1 is Beginner and 5 is Leader?

• Over the last six years there has been a progressive shift toward higher information security maturity.
• However, fewer than half of the respondents in this survey rate themselves as mature (4) or leading (5).
• The results may reflect that information security and its related risks have evolved considerably in recent years, forcing all companies to focus on this area. That 13% define themselves as leaders is therefore probably a good result.

[Chart: share of respondents at each maturity level, 1 (Beginner) to 5 (Leader), 2021 vs 2015. Data labels on the chart: 40.7%, 36.2%, 34.0%, 32.8%, 14.0%, 12.7%, 12.1%, 6.7%, 6.2%, 4.6%; which value belongs to which level and year is not recoverable from the extracted text.]


Question 2 – Initiatives to mitigate risks
Which of the following initiatives regarding information security has your company taken to mitigate information security risks?

• The top 3 risk mitigation initiatives are:
1. Having appropriate personnel to manage information security within the organization (64.9%)
2. Having an information security policy approved by top management (57.5%)
3. Providing information security training to staff (56.0%)
• Companies seem to mitigate information security risks mainly by investing in people.
• When the same question was asked in 2015, the top-rated initiative was investment in physical assets and equipment. In 2021 there is a shift toward more behaviour-based measures such as training of staff, establishing policies and risk management methodologies.
• "Providing information security training to staff" is rated higher in 2021. There seems to be increased demand for competence, the right quality of resources and training/general awareness for everyone in the organization. This reflects the adoption of new technologies and increased cyber risks.

[Chart: share of respondents who have taken each initiative]
Having appropriate personnel to manage information security: 64.9%
Information security policy approved by top management: 57.5%
Providing Information Security training to staff: 56.0%
Defining and implementing information security controls: 50.1%
Investing in Information Security assets and equipment: 49.7%
Focus on equipment maintenance management: 48.0%
Implementing info sec risk assessment & management methodology: 44.5%
Investing in physical and environmental security: 38.7%
Performing audit/assessment on Information Security: 38.0%
Having a dedicated "Information Security Manager": 34.8%
Having specific information security goals: 31.5%
Reporting regular info sec performance to top management: 30.2%
Having and testing a specific Business Continuity Plan (BCP): 30.1%
Disclosing Information Security issues to stakeholders: 21.8%
Benchmarking against peers in my industry sector: 15.4%


Question 3 – Future investments
Is your company going to invest in information security in the next three years?

• The share of respondents indicating that information security investment levels will be the same or higher in the next three years is in the same range as in 2015: 62.4% against 55.1%, only a slight increase. This picture could be influenced by the high share of "Don't know" answers.
• The trend toward higher investment is probably expected given the increased attention on digitalization and information security since 2015.

[Chart: 2015 vs 2021]
Same as today + More than today: 55.1% (2015), 62.4% (2021). The two individual bars are 29.1% and 26.0% in 2015 and 32.8% and 29.6% in 2021; which of the two is "Same as today" and which is "More than today" is not recoverable from the extracted text.
Less than today / No investments at all: 3.6% and 1.7% (2015), 2.0% and 0.8% (2021), i.e. 5.3% combined in 2015 and 2.8% combined in 2021.
Don't know: 39.6% (2015), 34.8% (2021).


Question 4 – Policies and procedures
Have your information security policies and procedures been changed/adjusted to the new digital environment?

• Companies with a certified information security management system are more sensitive and responsive to changes happening around them. Close to 80% say they have either completed or partly completed the alignment to the new digital environment.

[Chart: Info sec certified vs Non-info sec certified. Answer options: We have not yet started to think about it / We have made plans, but not yet started / Change/alignment partly completed / Change/alignment fully completed / I don't know. For certified companies the two "completed" bars total 79.4% (58.0% and 21.4%). The other data labels on the chart (35.0%, 20.7%, 19.7%, 17.1%, 9.5%, 6.7%, 6.5%, 5.3%) cannot be attributed to an option and series from the extracted text.]


Question 5 – Cloud
Has your IT infrastructure partially or fully moved to Cloud? If yes, have you adopted any Cloud-specific security standard?

• Companies with a certified information security management system answered "yes" at a higher rate (72.7%). This could indicate that organizations need to understand and focus on cloud infrastructure risks, which calls for increased awareness of, and training on, cloud-specific security standards.
• 1 in 3 of the certified companies have adopted ISO 27017 or another code of practice for information security controls for cloud services.
• Almost half of the certified companies have adopted one of the cloud-specific standards, but only 1 in 10 of the non-certified companies have done the same.

[Chart 1: IT infrastructure partially or fully moved to Cloud]
Info sec certified: Yes 72.7%, No 27.3%
Non-info sec certified: Yes 50.4%, No 49.6%

[Chart 2: Cloud-specific security standard adopted (Info sec certified / Non-info sec certified)]
ISO 27017: 31.7% / 6.5%
CSA: 7.5% / 2.1%
STAR: 3.3% / 1.2%
C5: 0.8% / 1.2%


Question 6 – Zero Trust
As part of complete security, are you working on a 'Zero Trust' security model, by adopting best practices (e.g., NIST or others)?

• "Zero Trust" is a security model that continuously verifies the trustworthiness of every device, user and application on each access, rather than trusting anything because it sits inside the corporate network, i.e. "you don't trust anybody, but you need to verify everybody". This approach to security is catching on.
• Companies with a certified information security management system seem to be embracing the "Zero Trust" model to a higher degree: 1 in 3 have implemented it or are moving in this direction.

[Chart: Info sec certified vs Non-info sec certified]
Yes (sum): 33.1% certified (25.4% work in progress + 7.7% implementation complete); 13.0% non-certified (10.6% work in progress + 2.4% implementation complete).
We plan to work on this soon / Not in our plans / I don't know: the remaining bars are 36.7%, 17.2% and 13.0% for certified companies and 49.7%, 23.8% and 13.5% for non-certified companies; which value belongs to which of the three options is not recoverable from the extracted text.
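As an added illustration of the continuous-verification idea described above (example code written for this edit, not part of the DNV survey or any respondent's implementation): a minimal policy decision point that evaluates every request against identity, device posture and a per-resource policy, with default deny. The resource names, roles, policy thresholds and device inventory are constructed for the example; note that the network location of the caller is deliberately not an input.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """What the endpoint management / attestation service reports about a device."""
    managed: bool          # enrolled and attested, not an unknown BYOD endpoint
    disk_encrypted: bool
    patch_age_days: int    # days since the last security patch was applied


@dataclass(frozen=True)
class ResourcePolicy:
    """Per-resource requirements; every request is checked against all of them."""
    required_role: str
    require_mfa: bool
    max_token_age_s: int   # older tokens force re-authentication
    max_patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    subject: str           # identity asserted by the identity provider's token
    roles: FrozenSet[str]
    device_id: str
    resource: str
    mfa_verified: bool
    token_age_s: int
    # Source IP / "inside the office network" is deliberately not a field:
    # network location grants nothing in a Zero Trust evaluation.


# Constructed sample policies and device inventory (hypothetical names).
POLICIES: Dict[str, ResourcePolicy] = {
    "payroll-db": ResourcePolicy("finance", require_mfa=True, max_token_age_s=900, max_patch_age_days=14),
    "wiki": ResourcePolicy("employee", require_mfa=False, max_token_age_s=28800, max_patch_age_days=60),
}

DEVICES: Dict[str, DevicePosture] = {
    "laptop-0042": DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3),
    "byod-phone": DevicePosture(managed=False, disk_encrypted=True, patch_age_days=3),
}


def evaluate(req: AccessRequest,
             devices: Dict[str, DevicePosture] = DEVICES,
             policies: Dict[str, ResourcePolicy] = POLICIES) -> Tuple[bool, List[str]]:
    """Policy decision point. Called for every request, not once at login,
    so a change in device posture or token age flips the decision.
    Returns (allowed, reasons); an empty reasons list means allowed."""
    reasons: List[str] = []

    policy = policies.get(req.resource)
    if policy is None:
        return False, ["no policy registered for resource (default deny)"]

    # Identity checks: role, step-up authentication, session freshness.
    if policy.required_role not in req.roles:
        reasons.append(f"subject lacks required role {policy.required_role!r}")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA required but not verified")
    if req.token_age_s > policy.max_token_age_s:
        reasons.append("session token older than policy allows; re-authenticate")

    # Device checks: an unknown or unhealthy device is denied regardless of identity.
    posture = devices.get(req.device_id)
    if posture is None:
        reasons.append("device not enrolled; no posture data")
    else:
        if not posture.managed:
            reasons.append("device not managed")
        if not posture.disk_encrypted:
            reasons.append("device disk not encrypted")
        if posture.patch_age_days > policy.max_patch_age_days:
            reasons.append(f"device patch age {posture.patch_age_days}d exceeds "
                           f"{policy.max_patch_age_days}d limit")

    return (not reasons), reasons


if __name__ == "__main__":
    alice = frozenset({"employee", "finance"})
    for req in (
        AccessRequest("alice", alice, "laptop-0042", "payroll-db", mfa_verified=True, token_age_s=60),
        AccessRequest("alice", alice, "byod-phone", "payroll-db", mfa_verified=True, token_age_s=60),
        AccessRequest("alice", alice, "laptop-0042", "payroll-db", mfa_verified=True, token_age_s=3600),
    ):
        allowed, why = evaluate(req)
        print(f"{req.subject}@{req.device_id} -> {req.resource}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The same identity is allowed from the managed laptop and denied from the unmanaged phone, and a request that was allowed a minute ago is denied once the token ages past the policy limit or the device falls behind on patches; that re-evaluation on every request is what "continuously verifying" means in practice.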


Question 7 – Digital transformation
In your opinion, which of the following options is the most relevant while treating new risks arising out of digital transformations?

• Training of staff is considered the most relevant option for addressing new risks arising from the digital transformation (33.1% for certified companies and 25.9% for non-certified companies).
• Companies with an information security management system are seeking training of staff and more advanced training at higher rates.

[Chart: Info sec certified vs Non-info sec certified. Options: Integrate security systems / Provide training to staff / Perform regular testing / Automate cyber security practices / I don't know. "Provide training to staff": 33.1% (certified), 25.9% (non-certified). The other data labels on the chart (25.4%, 25.4%, 23.7%, 21.3%, 17.9%, 13.6%, 9.5%, 4.1%) cannot be attributed to an option and series from the extracted text.]


Question 8 – Trends
Which one of the following trends do you think is most impacting cybersecurity?

• The most frequently perceived risk is penetration of mobile devices (33.9%), followed by innovative technologies (31.9%).
• The rise of IoT and smart devices over the last years is also raised by respondents as a relevant risk.

[Chart]
Exponentially increasing penetration of smart devices: 33.9%
Technological innovations and inclination towards advanced technologies: 31.9%
Evolving customer expectations and changing demographics / Increase in internet speed and its penetration / I don't know: the remaining bars are 19.2%, 8.8% and 6.2%; which value belongs to which option is not recoverable from the extracted text.


Question 9 – AI and cybersecurity
Do you think that adoption of AI can improve cybersecurity in a big way?

• 1 in 5 are uncertain about the effective support of AI for cybersecurity.
• 15% think that adoption of AI can improve cybersecurity in a big way, and may already be working with big data.
• The high number responding "Maybe – it depends on effective deployment of AI" could reflect that AI-driven threat intelligence is still a new area. Even if AI could be deployed to manage and control cyber security risks, this is still new and being explored. More time is needed to fully understand its implications.

[Chart]
Yes – it will yield faster and more accurate response to threats: 15.0%
No – as hackers will also use AI to exploit vulnerabilities: 14.5%
Maybe – it depends on effective deployment of AI: 50.3%
I don't know: 20.2%


Question 10 – Supplier risks
When you buy from a supplier today, how do you address and protect your company from information security/cyber security risks?

• The 3 most common means of addressing information security/cyber security risks when buying from suppliers are:
1. Document-based qualification
2. Verification and testing of purchased goods and materials
3. Request for third-party certifications
• Certified companies are more likely to rely on certifications to protect themselves from information security/cyber security risks. This is most likely due to their awareness of the requirements and controls imposed by the standards.

[Chart: Info sec certified vs Non-info sec certified. Options: Mainly with on-site audits at supplier facilities / Mainly with remote auditing of suppliers / Mainly through document-based qualification of suppliers / Mainly with verification and testing on purchased goods and material / Mainly with request for third-party certifications / I don't know. Data labels on the chart: 42.0%, 33.9%, 33.7%, 32.5%, 32.3%, 28.2%, 23.1%, 19.5%, 18.9%, 16.6%, 8.8%, 5.8%; their attribution to option and series is not recoverable from the extracted text.]


Question 11 – Relevance of benefits
Based on your experience and perception, please rate the relevance of benefits achieved from certification of your company's information security management system.

• The top-3 benefits of implementing a certified information security management system are:
1. Customer satisfaction/meet customer needs (3.62)
2. Information security performance improvement (3.57)
3. Ability to meet legal requirements (3.50)
• These are closely followed by "Improve identification/management of risks" (3.47) and "Providing a competitive advantage" (3.40). This underscores the important link between management of risks and business success.

[Chart: average score per benefit on a 4-point scale (1 – Not relevant, 2 – A little relevant, 3 – Somewhat relevant, 4 – Highly relevant; DK/DA excluded). Scores of 3.25 or higher are marked as relevant benefits.]
Customer satisfaction/meet customer needs: 3.62
Information security performance improvement: 3.57
Ability to meet legal requirements: 3.50
Improve identification/management of risks: 3.47
Providing a competitive advantage: 3.40
Improving public image: 3.38
Top management commitment & engagement: 3.34
Creation of new market opportunities: 3.30
Improvement in management of suppliers/contractors: 3.14
Improved communication with stakeholders: 3.09
Enhanced worker engagement: 3.08
The remaining items (Improved financial results (e.g. through reduced costs), Advantages with tax/banks/insurance, Achievement of strategic objectives, Better relations with authorities, Safeguard property) scored 3.32, 3.28, 2.89, 2.74 and 2.46; which score belongs to which item is not recoverable from the extracted chart.


Benefits from the Management Systems in managing risks, overall view

The chart shows the contribution of each of the areas in focus to the list of identified benefits. It is progressively updated as each new area is analysed and will be complete when all areas have been investigated.

[Chart: matrix of benefits (rows) against areas (columns: Environmental management, Business continuity management, Occupational health and safety management, Information security management), marking which benefits are highly relevant in each area. Benefits listed: Improved financial results (e.g. reduced costs); Advantages with tax/banks/insurance; Achievement of strategic objectives; Creation of new market opportunities; Providing a competitive advantage; Improving public image; Ability to meet legal requirements; Customer satisfaction/meet customer needs; Better relations with authorities; Improve identification/management of risks; Top management commitment & engagement; Enhanced employee engagement; Improved communication with stakeholders; Improvement in management of suppliers; Performance improvement within the specific area; Safeguard property. The tick marks did not survive extraction.]


Methodology and Sample

This Espresso survey was conducted in October 2021. It involved 976 professionals in companies across different industries in Europe, North America, Central & South America, and Asia.

• The sample consists of Business Assurance customers of DNV and does not claim to be statistically representative of companies worldwide.
• The questionnaire was administered using the CAWI (Computer Assisted Web Interviewing) methodology.


Thank you!

Want to access the results from other ViewPoint surveys? Not yet a ViewPoint member and want to join? Interested in benchmarking the performance of your company's management system? Learn more at www.dnv.com

November 2021