Bridging the commitment-action gap

By: In: Information Security On: Oct 23, 2014

Today, businesses are largely aware of the information risks they face. Indeed, we have seen information risk awareness grow significantly over the past few years. This growth is probably a consequence of the adverse publicity surrounding data leaks, the growing fines imposed on organisations that fail to hold personal information safe, and the proposed high-profile changes to European data protection laws.

After waking up to the risks, many businesses took the initial steps to create policies and processes to address the perceived threats. However, the next important step – to make sure that these policies and processes are implemented and, importantly, monitored – does not come quite so easily for the majority of businesses.

Good intentions should be the start, not the destination, of the journey to managing information risk. Our recent research with PwC concluded that organisations find themselves unable to bridge the gap between having a well-intentioned plan or policy in place and making sure it actually works. There are countless examples throughout the research that clearly illustrate this point.

As you can see from this slide, four in five of the business leaders questioned in the research (81 per cent) said they had a policy in place for the secure storage and disposal of confidential information. More than half (54%), however, do not monitor its effectiveness. It is extremely concerning that 1 in 5 businesses still don’t have this in place. If you find yourself here, you should talk to Iron Mountain.

We could conclude that less than a third of the businesses we surveyed can be confident they store and dispose of their confidential information effectively.

Whether we are talking about security, people, communications or strategy, time and time again we see this gap between good intention and effective, monitored implementation. Policy and process are extremely important and have to be addressed, but they remain pointless if they are not communicated, monitored and enforced. If they have no audience, then perhaps they are not worth the paper they are written on.

Download our mid-market and enterprise reports for more examples.


About the author

Phil Greenwood

Phil Greenwood is Country Managing Director & Commercial Director at Iron Mountain responsible for delivering information and records management solutions into the UK's largest Public, Private and NHS customers. Phil directs and runs specialist sector teams aligned to the sector specific requirements of Iron Mountain's clients. These requirements demand innovative solutions that deliver compliance and governance as well as efficiency and cost cutting in order to transform business results and improve the way organisations use their information. Phil has over 10 years' experience working with UK and International records management. He is involved with the UK Information and Records Management Society. Phil has worked within service delivery and customer facing roles, as well as in general management roles within the outsourcing and information management industries. Legally qualified, Phil has also spent time as a fee earner within law firms and has a strong understanding of the way that information and services drive the core business of client organisations.