NTT Com Security Risk:Value report reveals four personas based on the value placed on corporate data and amount of IT budget spent on security

A report from global information security and risk management company, NTT Com Security, reveals that there are four distinct groups of organisation when it comes to measuring how much value senior executives place on their company’s data and how well that data is secured.  The groups – Enlightened, Informed, Passive and Complacent – are part of the company’s new Risk:Value report, a survey of 800 senior executives (not in IT) across eight countries.

Created by analysing responses from two critical questions in the research – how important various types of data are to the organisation, and knowledge of the proportion of IT budget spent on data security – the report shows that most (82%) respondents understand the importance of their data.  However, levels of knowledge about that data, and the extent to which they are willing to commit IT budget to securing it, varies widely among senior business decision makers.

Complacent respondents – the lowest of the four groups – do not see data as being important to their organisation and are most likely to value personal data above work data – 33% (personal) vs. 18% (work).  Respondents in the most proactive group, the Enlightened, however, are more likely to work in organisations that protect their information and place more value on work data than personal information, with a third (33%) valuing work data over personal data and just 16% seeing personal data as more important.

Outlining each of the groups in detail, the report entitled Risk:Value – Do senior executives understand their role in data security?, reveals that:

• Enlightened organisations are prepared to commit at least 10% of IT budget on securing their data and are the most likely to have completely secured all of their critical data (62%).
• Informed decision makers are more likely to be implementing data policies, with 29% reporting that they are in the process of implementing a formal data security policy and more than a quarter (26%) currently implementing disaster recovery plans.
• Passive respondents value data but do not protect it.  They are most likely to admit they do not know how much of their IT budget is spent on data security, while nearly all (93%) do not know what the financial impact would be of a data security breach.
• The Complacent group typically does not know how much budget is spent or admits only a small proportion is set aside to secure data.  It is also the least likely to have a recovery plan in place in the event of a security breach (just 24%).

Simon Church, CEO, NTT Com Security, comments: “This sliding scale of organisations gives a good indication of how well respected a company’s data is by the way senior people look at it and how much they know about how well it’s protected.  What’s worrying, however, is that Enlightened respondents, who are clearly the strongest of the four groups, represent 35% of senior executives, which is still a minority, while the weaker Passive and Complacent groups together represent 31%, yet show an inability, or unwillingness, to protect their data sufficiently.”

Church believes both organisations and the information security industry need to work harder, and in collaboration, to tackle this complacency: “It’s clear that organisational culture needs to change.  It’s easy to think that as an industry we’re doing a good job at raising awareness of security threats just because of the headlines, but clearly it’s not enough any more to motivate organisations into action. We have to reinforce the fact that security is everyone’s problem and everyone’s responsibility and to move organisations along the Risk:Value scale from Complacent to Enlightened.”

Persona groups and key characteristics:

Percentage breakdowns for the four persona groups (based on 800 respondents in Australia, France, Germany, Hong Kong, Norway, Sweden, UK and US):

• Enlightened = 35%
• Informed = 34%
• Passive = 13%
• Complacent = 18%

The Enlightened – Enlightened respondents understand the value that data has to their organisation. They classify at least five, if not all six, types of data (consumer customer, business customer, employee, business performance, intellectual property and R&S) as important to the success of their business. They also work in organisations that commit at least 10% of their IT budget to data security, which shows they also recognise that data security is an important aspect of their business.

The Informed – Informed respondents also understand the value that data has to their organisation.

As with the enlightened respondents, they classify at least five, if not all six, types of data as important to the success of their business.  However, the organisations that informed respondents work in commit no more than 10% of their IT budget to data security, and usually less. This shows that these senior executives are likely to understand the value of data, but that their organisations are not prepared to commit significant resources to supporting data security.

The Passive – Similar to the first two persona groups, Passive respondents understand the value that data has to their organisation, but are unaware of the proportion of the IT budget that their organisation commits to data security. This group therefore is not aware of the details of how important data is regarded by their organisation.

The Complacent – In contrast to the other three persona groups, these respondents do not appreciate the importance that much of their data has to their organisation.  They are also usually either unaware of the amount of IT budget that their organisation commits to data security, or are aware that their organisation only commits a small amount of their IT budget to it.