10 information security lessons we learned from audit executives in 2014: from how top leaders are vulnerable to security missteps to the fragmentation of risk oversight, this is a lineup of weaknesses in the governance of information security and recommendations for closing the risk gaps.

Author: Van Der Oord, Friso
Position: RISK MANAGEMENT

Perhaps 2014 will become known as the annus horribilis for information security, where increasingly sophisticated cyber attacks started to inflict widespread financial, operational and reputational damage on firms across industry and geography.

Or, as some experts predict, this year may be the start of a new era in which information security excellence becomes a competitive advantage for firms because it engenders trust from customers, investors and business partners who fear the uncertainty of the constantly mutating cyber threat landscape. These companies are no longer treating information security as a bolt-on; instead, they make sure the right defenses are woven into how the business creates value.

Protecting information used to mean IT putting safeguards on the company network and employees' computers. Now information security risks come from everywhere: a contractor with access to sensitive information whose defenses are compromised by malicious outsiders; a business unit's decision to bypass corporate security standards when procuring cloud services; or a leadership team's willful blindness to their own inappropriate use of electronic business data on private mobile devices.

Not surprisingly, 73% of heads of audit report significant audit findings after evaluating their corporate information security effectiveness, while only 6% of audit committees are confident about the abilities of the business to manage information security risk.

Across 2014, about 500 audit executives and heads of IT audit joined us to share insight about emerging practices and to discuss new information security threats. Emerging from these sessions were important and practical takeaways that auditors, as well as their peers in information security, legal, risk and data privacy functions, should consider when planning for 2015. We call them Ten Lessons Learned About Making Information Security Work:

  1. The Fallacy of Technical Security Controls: The nature of information security risk--and the way an organization needs to manage it--has changed, making it an enterprise problem that can no longer be addressed by technical controls or by hiring more technical experts. The use of information is much more integral to business strategy and operations. The risk is not only related to the data but also centers increasingly on its intended use by the company and its employees, requiring smarter rules about the treatment, classification, and flow of information.

  2. Employees...
