Top 10 security practices to improve Information Security
Some organizations significantly minimize the impact of business downtime caused by information security problems and deficiencies, while also suffering from the fewest incidents of loss or theft of sensitive information. But only about one in ten organizations are achieving these best results.
What distinguishes the “best performing organizations” from the rest? It is neither size nor industry. Differences in outcomes do occur between small businesses and larger enterprises, and between pharmaceutical companies, banks, insurance companies, government agencies and other sectors, but those differences are minor.
The most recent research published by the IT Policy Compliance Group reveals the primary reason some organizations fare better is simply due to “best practices”: practices that are shaped by heavy doses of automation in IT and unique policies governing the primary risks related to the use of information systems.
Covering 40 practices and 27 areas of policy coverage, the findings of the IT PCG’s most recent report, Automation, Practice and Policy in Information Security for Better Outcomes, identify the top 10 practices that are responsible for balancing the key business risks related to service levels in IT versus business risks posed by information security problems.
The top 10 practices an organization implements differ significantly according to the outcomes that organization experiences. In addition, the organizations with the best outcomes prioritize their practices very differently from all others.
Organizations with the best outcomes prioritize their top 10 practices very differently from other organizations, and fully automate most of the following top 10 practices:
- Technical controls are mapped to IT policies, regulatory mandates and legal statutes.
- Antivirus signatures are updated and applied frequently.
- Roles and responsibilities of policy owners are defined and maintained.
- Evidence about IT configurations and technical controls is gathered for evaluation and analysis.
- Gaps in procedural controls are identified, remediated and tested on a regular basis.
- Vulnerability scanning and penetration testing of IT assets is conducted on a regular basis.
- IT assets and audit trails are monitored on a continuous basis.
- IT assets and software service configurations are tested regularly.
- Unauthorized access to IT assets is automatically detected or prevented using IT controls.
- Lists of IT assets and configurations are maintained in central repositories for easy access and analysis.
The benchmark research findings on automation are clear: automation of practice and policy for the information security function plays a critical role in reducing business downtime due to disruptions or failures, in reducing data loss or theft, and in reducing deficiencies in IT that must be corrected.
To learn more, download the full report.