About 700 people attended the ISACA NA CACS Conference in Orlando this week. The conference was book-ended by formal workshops on either side, and this senior-level group of IT auditors and information security professionals was able to share a lot of insight and experience, and learn from one another about what’s working and what’s not – something that’s sometimes hard to find at other conferences.
The IT Policy Compliance Group delivered one of its mini-workshops on information risk at one of the sessions. At this workshop, attendees were able to assess the maturity of their organizations’ practices for handling sensitive information, and identify areas that – if improved – will result in lower rates of data loss or theft, fewer audit deficiencies to correct, and less worry about IT service hiccups impacting business operations.
The nine practice domains covered by this workshop included:
- Spend on IT, information security and compliance
- Policies and procedures
- Use of frameworks
- Use of IT controls
- Use of change controls
- Use of tools
- Automation of procedures
- Operational cadences
The interesting finding from the workshop is the tally of where participants rate themselves and their organizations.
Of the approximately 90 people in this session, none voluntarily scored themselves as a 1 on a 5-point scale (a worst performer). This is roughly equivalent to a ranking in the bottom 20th percentile. Whether people were too embarrassed to admit it or not, no one wanted to be identified publicly as a complete laggard: not too surprising!
The largest segment, about 40 percent of the 90 attendees, rated themselves and their organizations as 2s on a 5-point scale. This is equivalent to a 20th-to-40th percentile ranking. It is roughly twice the population normally found in this range, which usually comes in at about 20 percent. It’s an indication that some of the 1s in the crowd likely opted to remain silent and anonymous. After all, the purpose of the exercise is to give people tools to improve outcomes.
The next segment, about 30 percent of the 90 attendees, rated themselves and their organizations as 3s on a 5-point scale. This is the middle of the range, equivalent to a 40th-to-60th percentile ranking. At 30 percent, this group is slightly smaller than usual but within the expected range.
The last major segment, about 30 percent of the 90 attendees, rated themselves and their organizations as 4s on a 5-point scale. Sitting between average and the best performers, this 30 percent is slightly larger than the expected range.
Finally, only one person of the 90 attendees rated himself and his organization as a 5 on a 5-point scale. The interesting finding is that this person confirmed that he and his teams had fully implemented most – if not all – of the practices identified in the workshop: another clear indication that the IT Policy Compliance Group benchmarks can be – and are – used to navigate reliable paths to improved outcomes.
Equally important, everyone participating in the workshop left the session with the knowledge that their rating matched their outcomes, and these matched the practices implemented – or not implemented – to better protect and handle sensitive information.
One of the interesting observations made by several of the attendees is that while spend data is important to argue for additional resources, the workshop helped them to focus on the areas where additional spend should be allocated to achieve their improvements. For some, the workshop results are additional ammunition needed to galvanize calls-to-action. For others, the results are eye-opening.
If you’re interested in taking the workshop yourself, or using it within your company or organization, head on over to ISACA, download a copy of session 227: What Color Is Your Information Risk – Today? Simply answer the questions posed by the nine exercises and add up your subtotal scores to find where your organization is today.
As some of the astute workshop participants noted, results are going to depend on your role and position in the organization. The method to normalize results for your organization is to compile results from appropriate levels and roles from within your organization.
You can find some of the research findings for this workshop here:
And, you can find related on-line self assessments here:
If you have questions or observations, please let us know.