Interim survey results: Are business continuity and information security converging?

Last year Continuity Central published the results of a survey looking at whether the increasing focus on information security is having an effect on the traditional demarcation lines between business continuity and information security management. We are now repeating that survey to monitor how things have developed and the interim results of the survey are now available:

Do you see information security as a business continuity issue?

57.6 percent (64.5 percent in last year’s survey) of respondents believe that information security is definitely a business continuity issue, with a further 30.3 percent (32 percent*) saying that it is partially a business continuity issue. 12.1 percent (3.5 percent*) said that information security is not a business continuity issue at all.

Does the business continuity team in your organization manage information security threats?

Information security threats are managed by the business continuity team in only 15.1 percent (14 percent*) of respondents’ organizations. A further 33.33 percent (29 percent*) of respondents said that the business continuity team was partially responsible for managing information security threats. The remaining 51.5 percent (55 percent*) of respondents said that the business continuity team was not responsible for managing information security threats.

Respondents were also asked which department or business unit should lead information security management. The results were as follows:

  • Information security management should be led by the IT department / business unit: 25.0 percent (20 percent*)
  • Information security management should be led by the business continuity team: 9.4 percent (5 percent*)
  • Information security management should be led by the Board: 3.1 percent (10.5 percent*)
  • Information security management should be led by the risk management team: 12.5 percent (19 percent*)
  • Information security management should be led by a team consisting of representatives from different areas of the organization: 43.75 percent (38 percent*)
  • Other responses: 6.25 percent.

Does your organization have a formal incident response plan for information security incidents?

84.9 percent (82 percent*) of respondents confirmed that their organization has a formal incident response plan for information security incidents, with only 12.1 percent (10.5 percent*) stating that it doesn’t. 3 percent didn’t know.

Does the business continuity team in your organization respond to information security incidents?

9.1 percent (26.5 percent*) of respondents stated that the business continuity team does respond to information security incidents and 33.33 percent (34 percent*) said that it doesn’t. 54.6 percent (37 percent*) said that the business continuity team is partially involved in information security response. 3 percent didn’t know.

Respondents were asked who should be responsible for information security incident response. The results were as follows:

  • Information security incident response should be led by the IT department / business unit: 27.3 percent (19 percent*)
  • Information security incident response should be led by the business continuity team: 18.2 percent (8 percent*)
  • Information security incident response should be led by the Board: zero percent (4.5 percent*)
  • Information security incident response should be led by the risk management team: 15.1 percent (10 percent*)
  • Information security incident response should be led by a team consisting of representatives from different areas of the organization: 36.4 percent (49 percent*)
  • Other responses: 3 percent (9.5 percent*).

* According to last year’s survey.

Take part in the survey

The survey remains open – please take part at https://www.surveymonkey.co.uk/r/BCandISM
