Thursday, July 14, 2005

IT Governance Institute study results

#112 Further to the previous article on corporations being ignorant of hacker risks, here is an interesting result from this recent survey: Fewer than 25 percent of organizations regularly review external risks, IT Governance Institute study reveals in part one of research series. The study, described in Information Risks—Whose Business Are They?, also reveals that the board of directors or CEO signs off on the IT risk management plan in only one-third of all organizations.
“The lack of attention to external risks and the lack of business involvement in the IT risk management plan are worrying given the extensive reliance on outsourcing and service providers, and the globalized nature of many organizations,” the article notes. Best practices identified in Information Risks advise that top management should share responsibility with the IT department for IT risks. Results show the opposite is true in most organizations. According to the study, IT risk management is the responsibility of IT management—not the business—in 80 percent of organizations.
Well, if security starts at the top, then this explains the sorry state the industry is in...