
Participants were asked a number of questions pertaining to the level of involvement from senior management in relation to information security. For the purposes of the survey, questions related only to senior management outside of the IT domain. This was deliberate, in an attempt to capture information about management not normally associated with IT and so ensure that wider university views were captured.

Table 5 Coding Summary for Senior Management Involvement

Code                                      Density
Allocation of Funding                          38
Awareness and Understanding of Risk            36
Senior Management Engagement                   32
Security Reporting                             33
Allocation of Human Resources                  22
Reactive                                       15
Support of Security Policy                     12
Competing Work Priorities                       5
Information Security Governance                 4
Intangibility of Security                       2

[Figure 6: network diagram of coding relationships for senior management involvement. Nodes (with code density): Allocation of Funding {38}, Awareness and Understanding of Risk {36}, Senior Management Engagement {32}, Security Reporting {33}, Allocation of Human Resources {22}, Reactive {15}, Support of Security Policy {12}, Competing Work Priorities {5}, Information Security Governance {4}, Intangibility of Security {2}, Culture of Compliance {1}. Link types shown: 'is associated with', 'is part of', 'is cause of', 'is property of'.]

Table 5 provides a coding summary for this area, and Figure 6 depicts coding relationships. The questions contained in the survey instrument on senior management involvement related to a number of areas. These areas included the level of reporting they received, the perceived level of senior management's understanding of the importance of information security, whether or not senior management provided the required level of support, and finally, what changes would be required for senior management involvement and support to be improved.

Findings on Senior Management Reporting

Participants were asked whether senior management received regular (established, ongoing and consistent) reporting on information security.

[Figure: bar chart titled 'Senior Management Receives Regular Reporting on Information Security'; categories No / Yes; vertical axis '% of Participants', 0 to 80.]

Figure 7 Participants Who Regularly Provide Reports to Senior Management

Less than one third of universities indicated that they regularly engaged with and reported to senior management on information security matters (Figure 7). Comments that typified the existence of regular reporting included:

‘Yes through our IT committee, every 6 weeks’ and ‘We have quarterly reporting including security’

‘they get regular IT reports with information security on it’

In contrast, most reporting was cited as ad hoc, occurring primarily in reaction to incident activity, followed to a lesser extent by reporting occurring as a result of audit or annual reports. Typical comments on incident reporting are:

‘The only reporting senior Executive receive is security incident reporting’

‘we send copies of all our security incident reports through to the Executive’

Findings on Senior Management Understanding and Support for Security

Links were established between regular reporting to and engagement of senior management and the subsequent support from (and understanding of security issues by) senior management. The institutions that reported regularly to senior management largely coincided with the institutions that considered senior management provided appropriate support for security (Figure 8). This support was mostly expressed as appropriate funding and resourcing, or as a demonstrated interest shown by senior management in the status of security.

[Figure: bar chart titled 'Senior Management Provides the Required Level of Support for Information Security'; categories No / Yes; vertical axis '% of Participants', 0 to 80.]

Figure 8 Participants’ Perception of Senior Management Support

The overall lack of regular reporting to senior management affected senior management's level of understanding of security, and the commensurate support provided for security (Figure 9). In some situations, senior management was considered to have very little idea of security, which was often interpreted as a low interest in security. This situation is reflected by the following types of comments:

‘the VC would have no idea’

‘I don’t believe they understand the magnitude and the complexity of the problem’

A majority of participants suggested that existing levels of understanding did not translate into appropriate acknowledgement or action to provide the required level of funding and resourcing for security. In many instances, the lack of resourcing and funding was cited as being due to the fact that there were 'many competing priorities'. While senior management held the perception that 'all was under control', security took a backseat. The following quotes provide examples:

‘I think they see it as important but whether they appreciate what that means in terms of how we have changed what we do, and how much money is involved, so I think there is a concept of the practical issues around that are not fully appreciated’

‘the message really hasn’t got through that information security is a major activity’

‘They sort of say, well ITD (the Information Technology Directorate) looks after that. It is only really when there is a major incident…’

[Figure: bar chart titled 'Senior Management has an Appropriate Understanding of the Importance of Information Security'; categories Disagree / Somewhat Disagree / Somewhat Agree / Agree; vertical axis '% of Participants', 0 to 60.]

Figure 9 Senior Management Understanding of the Importance of Security

The findings also indicate that in institutions where senior management was less supportive of information security, the controls in place tended to be less observed or adhered to. Conversely, effective senior management engagement more adequately set the 'tone at the top', resulting in more effective policy enforcement and improved behavioural change.

Findings on Improving Senior Management Involvement in Security

A consistent theme among participants was that the level of funding received was a direct representation of senior management support. Support from senior management was gauged largely in terms of financial support, either funding for human resourcing or other security-related expenditure. Most participants indicated that they saw a need for increased funding. When asked what senior management needed to do to improve support for security, typical comments were:

‘More money. More money and resourcing’

‘the first and easy way to answer the question is I would have to say financially’

‘It really comes back to priorities and funding’

‘we need to have the time and funding to investigate appropriate security solutions’

Several other areas were cited in relation to achieving improved senior management support. Some participants held the view that senior management had a responsibility to support initiatives to increase security awareness and compliance across the organisation, and to ensure a more consistent understanding of security at all levels.

‘I mean my couple of points would be more about the consistency of understanding across the university, in the faculties and divisions in particular, there is a number of faculties and divisions that don’t have the same sort of understanding, so it would be really good for me to see a consistent understanding right across the schools’

‘Some support for University wide awareness initiatives’

Other views included senior management providing improved governance and direction on IT overall, articulating the business direction, expectations and business requirements for IT systems (and thereby establishing the business drivers for security). Typical comments reflect this finding:

‘So at that point we need active involvement from senior management, we need an indication of their long term expectations of the corporate systems’

'We need a security architecture and a security policy, prior to that we need to look at our business systems, the corporate systems, and look at the architecture, the information flow between them, the intended audience, the levels of security and risk, what the university actually wants to do with these systems'

A commitment to back the security policy and provide direction and governance was seen as a necessary step by senior management for improvements:

‘a little bit more corporate governance and business direction translated into security from them (senior management)’

‘Greater enforcement of our IT policy’

‘we need a strong information security governance framework, and underpinning that we need policy around information security’

‘helping describe what it is that they (senior management) believe is acceptable policy’

‘perhaps a more active role, with our top management or senior managers in organisations taking an active role in ensuring that their staff are aware of security policy’

A need for closer integration between strategic planning and the security program was also noted, because existing processes were problematic, ad hoc or reactive. Participants also raised an emerging requirement for senior management to take up responsibility for higher-level compliance issues. This included corporate governance over security to ensure that legal and regulatory compliance requirements were being met in line with corporate risk management. The following comment typifies participants' views of the need for senior management to understand risk:

'The best answer I could think of for this one is understanding risk, so in terms of changes it is really understanding what the current security challenges are and understanding the risk'

Some participants held the view that senior management did not need to improve; instead, the IT centre needed to improve senior management's awareness and understanding of risk and, ultimately, to facilitate an improved senior management position on security. The following comments typify this view:

‘they are supporting it to the best of their ability and we are doing a bad job, or IT is, of educating and informing them of how it might be done better’

‘they probably do support information security but we are not telling them enough about what they need to be supporting’

‘Anyway for them to improve, they don’t need to improve, it is us that needs to improve to help them become more aware’

Achieving an improved relationship required bridging gaps in trust, in willingness to enforce compliance, and in consistency of priorities. This was seen as occurring primarily through raising security as an agenda item in senior management meetings and discussion, and through senior management listening and being willing to get behind security:

‘we come up and say to them ‘we need more money’, and they either trust us and say yes, or they don’t trust you and you don’t get what we need, and then you are extremely vulnerable, so the only way to connect this I think is that they have to take on some responsibility for understanding the IT issues’

Summary of Findings on Senior Management Involvement

In terms of current status, the findings in this section indicate that senior management's involvement in information security plays an important role in the funding and support for security as a function. Links between consistent reporting to senior management and their understanding and support of the security function are evidenced. However, the level of reporting to, or other engagement of, senior management currently tends to be low. This limits senior management's awareness and understanding of security, which in turn limits their involvement and subsequent support.

As funding appears to be both a key constraint and an indicator of support, the currently low levels of reporting to and engagement with senior management regarding information security are of concern. The results of the survey indicate that improvements from senior management require a greater awareness and understanding of the issues associated with security, which must then translate into support, primarily through funding and resourcing. The cultural issue of the security function being seen as an 'IT problem' is still pervasive, and without due recognition of this limitation, security remains out of the minds of many institutions' senior management at present.
