New research, by SecureData and Vanson Bourne, investigated the impact government security initiatives had on end-user organizations in 2014, with nearly half (47%) reporting that initiatives have helped them communicate the importance of security across their organization.
Over a third (39%) of participants also stated that they had used the insights from such initiatives to define IT security standards and policies, with a quarter (24%) using information garnered from them to set security strategies.
Despite this obvious degree of influence, not all IT professionals feel government initiatives have had such a positive influence.
Nearly a quarter (23%) said that these initiatives have gone largely unnoticed within their organisation, with 34% also divulging that they haven’t used the insights of CERT-UK in any way. 35% still see professional bodies like IISC or ISC2 as their primary source for security insights as opposed to only 13% who have sought information from the likes of CERT-UK, while a quarter (25%) rely on input from vendors/service providers. Meanwhile, only 26% of IT pros said initiatives had directly encouraged individual employees to consider IT security more closely.
Smaller organizations also saw a reduced impact from security initiatives. While fewer than a fifth (18%) of organisations with over 3,000 employees saw Government initiatives go unnoticed, this was true for almost a third (28%) of smaller firms.
Commenting on the findings, Alan Carter, cloud services director at SecureData said: “While government initiatives have clearly had a positive impact on IT security over all, there’s still some way to go. Although initiatives clearly grab c-level attention in major enterprises, they are far less effective at raising awareness in smaller organisations or amongst individual employees. If we want security insights to resonate outside the boardroom, we need to look beyond government programs.”
Carter continues: “We need to ask if one-off stress-testing exercises are the best approach to raising security awareness. By placing the emphasis on responding to attacks, initiatives struggle to convey the need for a complete approach to the security spectrum. Without insights into how to assess risks, detect threats and protect assets before an attack, these exercises become more a measure of the industry’s pulse than a source of valuable strategic advice.”