The poll found managers are aware of risk but many factors slow down actions that need to be taken (Photo: NTT Security)

MUNICH -- Industrial companies are aware that information security and risk management are crucial in today’s data-driven and connected world. But, according to a new study, they also are relatively slow in implementing policies to fend off threats.

In a poll of 250 business and IT decision makers in Germany, Austria and Switzerland, market researchers Luenendonk found that 46 pc of industry executives said risks to their businesses are “very high.” And 52 pc deemed information security and risk management as critical for their companies.

But a surprisingly large 81 pc cited as their biggest challenge the implementation of company-wide security standards to deflect threats and counter cyber risks. And 57 pc said they don't have detailed insight into the value of data and processes that are threatened.

A further finding: Only 27 pc of companies involve business divisions in their risk assessments, preferring to leave information security and risk management almost entirely the responsibility of the IT department.

“The problem is more with implementation than with awareness,” Luenendonk partner Hartmut Lueerssen said at a press briefing. Without connecting technical security operations to business process know-how, companies are going to have trouble dealing with growing risks, he warned.

Although corporate decision makers are broadly aware of these risks, 75 pc of executives polled said a lack of security awareness in their staff is a big issue in assuring information is protected.

Those findings contrast with 67 pc saying that they feel their companies’ information and security risk management is in relatively good shape compared with competitors. “The companies are giving themselves relatively good grades,” Lueerssen said.

The digital transformation is affecting companies in many ways and the poll provided a vivid illustration of the different rates of progress made on major business trends.

Companies, for example, are relatively far along in implementing mobile-internet and cloud-services projects but have completed few if any projects in the important Industry 4.0 area.

Moreover, in the area of big data analytics, none of the executives polled cited completed projects, though many say implementation is underway.

When IT projects are undertaken, 63 pc of executives said their companies fail to take into account information security and risk management issues at an early stage.

Managers cited three reasons for this: a lack of understanding of the security requirements in the business divisions; a tendency to see security requirements as not relevant; and a feeling that security and risk management will slow down time-to-market.

Lueerssen said that implementing projects without security creates the erroneous impression of speed. "In reality, it is more difficult to meet the security requirements later on, if it is possible at all," he said.

The poll found that 57 pc of companies employed a chief information security officer (CISO), who in two-thirds of businesses reports to the CIO.

The Luenendonk study was conducted in cooperation with Hewlett Packard Enterprise, KPMG, NTT Security, Open Systems and Unisys.

-By Arjen Bongard