With devices and services that enable us to gather and distribute information, the Information and Technology sector has given us flexibility in how we communicate, altered the patterns of how we stay in touch with others, and even influenced the content of our messages. This sector employs millions of knowledge workers worldwide and boosts innovation and productivity in other industries.
As a result of its rapid economic growth and broader social change, we’ve evolved into an “information society”. Given that this sector plays such a critical role in determining how information and information systems are created, used and managed, the security culture of the Information and Technology sector is of particular importance. Security culture plays a major part in how information and the information systems are secured.
The CLTRe industry benchmarks reveal the current state of security culture for a particular sector based on data collected the previous year on seven core dimensions. Security Culture Benchmarks show how strong security culture is within a sector and allow us to identify its strengths and weaknesses. Annual benchmarks such as these can be particularly helpful for customers wishing to make “as-is” state comparisons amongst industry peers.
As shown below, the Security Culture Report 2018 from CLTRe shares the first-ever Security Culture Industry Benchmark for the Information and Technology sector.
The 2018 report figures reveal that the security culture within the sector for Information and Technology demands immediate attention. Scoring below the global standard (as marked in red) on all except one security culture dimension, it is clear from the results that communication is clearly not enough to drive a good security culture.
Considering its relative importance to local, national and global economies, the findings on the overall state of security culture in the sector are alarming. The benchmark scores reveal the industry’s poor attitudes towards security (see the dark green column labelled Attitudes) and their lack in understanding (see Cognition). One would think that a sector employing knowledge workers would be more open to learning. Furthermore the low score on Compliance indicates a workforce that disregards rules, procedures and policies.
“This sector struggles with cultural artifacts including IT-personnel with full administrator rights, providing them access to information they should not have,” according to the report. “Changing the ideas and habits shared in organizations towards a need-to-know information management strategy will improve the security culture of the sector.”
Other recommendations to organizations within the sector include:
- Focus security culture activities on improving attitudes towards compliance, education and security behaviors
- Create a baseline detailing the internal differences of the workforce
- Develop, implement and enforce least-privilege access across the organization, including top management and the IT-staff
- Educate the workforce on the ICT’s critical role in digitalization
Security Culture Benchmarks show how strong security culture is within a sector and allow us to identify its strengths and weaknesses. Thanks to the CLTRe Toolkit, companies can create an accurate and insightful map of their organization’s own security culture and get expert help to build and improve it. Its finely tuned measurement instrument will assess each team, department and business unit to provide detailed insights into the strength of security culture in the different areas of the organization and, using the findings, make recommendations on how security culture can be improved.