29 August, 2007 02:35 PM EST
Results of Information Security Poll
Posted By: Christian Byrnes, VP Distinguished Analyst

We are receiving a rapidly growing volume of inquiries about information security governance. This trend started a few years ago and is now very visible in our statistics. To get an idea of the current state of the world, we posted a poll on the Gartner for IT Leaders Web page. We received 237 responses. Because respondents must be subscribers to the Gartner for IT Leaders product and will almost always be security professionals, the results should show a somewhat higher maturity level than a full-population poll would:

Poll: How does your organization handle information security governance - the way in which the enterprise sets direction, limits and budget for infosec?

One way to understand the results is to use the same model we frequently refer to for security program maturity. This model divides the world into four categories: blissful ignorance (very low maturity); awareness (low maturity); corrective (moderate maturity); and operations excellence (high maturity). We can approximately map our four response selections from the poll to these maturity levels. The results are:

• We don't do infosec governance (lowest maturity level): 17.1%
• Part of IT governance process (better, but not at current expectation): 45%
• A separate governance process (very good, current): 15%
• Part of larger risk governance process (best practice or leading edge): 22.9%

If we adjust these numbers about 5% toward the lower end of the curve to approximate a broader responding audience, we get an interesting result. The numbers for the bottom and top levels match our estimates for overall information security program maturity levels. But the two middle levels show a significant delay in moving from common IT governance to separate security governance, as compared with our maturity estimates. This bottleneck connects well to the increase in inquiries on this topic that we have been experiencing. Security officers apparently know they have some catching up to do.

I wonder what is preventing the separation of security governance from IT governance in these organizations. Please respond!
