|SECURITY MEANS BUSINESS: Role shift for chief information security officers|
A new IBM study reveals a clear evolution in information security organizations and their leaders, with 25% of security chiefs surveyed shifting from a technology focus to strategic business leadership role.
Those security chiefs considered “influencers” are much more likely to have elevated information security to a strategic priority, according to the IBM Center for Applied Insights study, Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment.
In IBM’s first study of senior security executives, its Center for Applied Insights interviewed more than 130 security leaders globally and discovered three types of leaders based on breach preparedness and overall security maturity. Representing about a quarter of those interviewed, the “influencer” senior security executives typically influenced the business strategies of their firms and were more confident and prepared than their peers—the “protectors’ and “responders.”
Overall, security leaders today are under intense pressure, charged with protecting some of their firm’s most valuable assets: money, customer data, intellectual property, and brand. Nearly two-thirds of chief information security officers (CISO) surveyed say their senior executives are paying more attention to security today than they were two years ago, with a series of high-profile hacking and data breaches convincing them of the key role that security has to play in the modern enterprise. More than half of respondents cited mobile security as a primary technology concern for the next two years. Nearly two-thirds of respondents expect information security spend to increase over the next two years, and of those, 87% expect double-digit increases.
Rather than just reactively responding to security incidents, the CISO’s role is shifting toward intelligent and holistic risk management—from firefighting to anticipating and mitigating fires before they start. Several characteristics emerged as notable features among the mature security practices of “influencers” in a variety of organizations:
• Security seen as a business (versus technology) imperative: One of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. In fact, 60% of the advanced organizations named security as a regular boardroom topic, compared to only 22% of the least advanced organizations.
These leaders understand the need for more pervasive risk awareness—and are far more focused on enterprise-wide education, collaboration, and communications. Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business operations, finance, and human resources. Sixty-eight percent of advanced organizations had a risk committee, versus only 26% in the least advanced group.
• Use of data-driven decision-making and measurement: Leading organizations are twice as likely to use metrics to monitor progress, the assessment showed (59% v. 26%). Tracking user awareness, employee education, the ability to deal with future threats, and the integration of new technologies can help create a risk-aware culture. And automated monitoring of standardized metrics allows CISOs to dedicate more time to broader, more systemic risks.
• Shared budgetary responsibility with the C-suite: The assessment showed that within most organizations, CIOs typically have control over the information security budget. However, among highly ranked organizations, investment authority lies more often with business leaders. In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets. Lower-ranking organizations often lacked a dedicated budget line item altogether, indicating a more tactical, fragmented approach to security. Seventy-one percent of advanced organizations had a dedicated security budget line item compared to 27% of the least mature group.
“This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” says David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights. “We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s—from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”
To create a more confident and capable security organization, IBM recognizes that security leaders must construct an action plan based on their current capabilities and most pressing needs. The report offers prescriptive advice from its findings on how organizations can move forward based on their current maturity level.
For example, those “responders” in the earliest stage of security maturity can move beyond their tactical focus by establishing a dedicated security leadership role (like a CISO); assembling a security and risk committee measuring progress; and automating routine security processes to devote more time and resources to security innovation.
“Security in a hyper-connected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach,” says Marc van Zadelhoff, an author of the report and vice president of Strategy, IBM Security Systems. “CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success in their progress toward building a risk-aware culture that is agile and well-equipped to deal with future threats.”
[This article was posted on May 15, 2012, on the website of ABA Banking Journal, www.ababj.com.]
| TechTopics Plus