Companies’ Boards and Management Becoming More Engaged with Cybersecurity Risks, According to New Protiviti Security and Privacy Survey

Press Release

Results indicate firms still have much work to do to identify and protect their ‘crown jewels’ of mission critical data

MENLO PARK, CA – February 13, 2017 – With global cybercriminal risk at an all-time high, the findings of a new survey conducted by global consulting firm Protiviti show positive progress for organizations – an increasing number of them have boards of directors and management that are actively engaged with cybersecurity and adopting best practices in their IT departments. Protiviti’s 2017 Security and Privacy Survey shows that current board engagement levels are at 33 percent, compared to 28 percent in 2015.

“While the increase in boards of directors’ and company management’s engagement with information security is a positive sign, it’s imperative that leadership keeps closer tabs on the state of their organizations’ cybersecurity programs,” said Scott Laliberte, a Protiviti managing director and leader of the firm’s global IT security and privacy practice. “Particularly as new technologies are introduced and new approaches to generating revenue are deployed, it’s increasingly important to reexamine existing data security and privacy processes on a regular basis - ensuring that the right systems and people are in place to keep pace with changes.”

Key findings from Protiviti’s survey include:

  • Having an engaged board and a comprehensive set of security polices make a huge difference In assessing the results for companies in which the board has a high level of engagement in information security, these organizations rate considerably higher than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all of the core information security policies in place (as recommended by Protiviti). When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack.
  • A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme and effective policies that are supported across the enterprise.
  • People, as well as policies, are key to an effective security program. Security policies are best supported with training programs and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organizations should focus on promoting a culture of security policy compliance.
  • Vendor risk management must mature – As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber-attackers.

The percentage of companies that have adopted what Protiviti considers ‑ and recommends – as five core information security policies to have in place are:

  • An acceptable use policy (80 percent)
  • A records retention/destruction policy (78 percent)
  • A data encryption policy (70 percent)
  • A written information security policy (69 percent)
  • A social media policy (59 percent)

However, there is significant progress to be made because only 38 percent of surveyed companies have all five information security policies in place today.

The Protiviti 2017 Security and Privacy Survey delivers insights on the specific security policies and qualities that distinguish top-performing companies from other organizations. The survey also offers trends to watch for and identifies prime action items technology leaders can take to strengthen their companies’ security capabilities.

About the Survey

Protiviti’s Security and Privacy Survey, now in its fifth edition, was conducted in the fourth quarter of 2016 and includes the insights of more than 700 technology executives and professionals to assess security and privacy policies, data governance, retention and storage, data destruction policies and vendor risk management practices across a mix of industries. Respondents’ positions range from the C-suite (CIOs, CISOs, CTOs, etc.) to IT vice presidents, directors, managers and more, and they represent public (51 percent) and private (37 percent) companies. Sixty percent of respondents’ companies have $1 billion or more in revenues.

Survey Resources Available: Report, Infographic and Video

A complimentary survey report is available for download at: An infographic and short video summarizing the survey results are also available at

Additionally, Protiviti will have an exhibit (booth 5002) at the RSA Conference in San Francisco from February 13-16, 2017. Copies of the survey report will be available at the booth, and Protiviti cybersecurity subject-matter experts will be on hand to discuss the survey results.

About Protiviti Inc.

Protiviti ( is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 80 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.

Named to the 2019 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Ready to work with us?

Kathy Keller
Kathy Keller