Having an engaged board and a comprehensive set of security polices make a huge difference – In assessing the results for companies in which the board has a high level of engagement in information security, these organizations rate considerably higher than other companies in nearly all facets of information security best practices.

A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme and effective policies that are supported across the enterprise.

People, as well as policies, are key to an effective security program. Security policies are best supported with training programs and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organizations should focus on promoting a culture of security policy compliance.

Vendor risk management must mature – As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber-attackers.